OffSec

Windows User Mode Exploit Development Training

EXP-301
OSED Logo

EXP-301: Windows User Mode Exploit Development (OSED)

Invest in a secure future with offensive security training from the developers of Kali Linux. OffSec certifications are the most well-recognized and respected in the industry. Our courses focus on real-world skills and applicability, preparing you for real-life challenges and offensive security expertise!

Training at a glance

Level

Intermediate

Duration

5 Days

Experience

2 years: Debuggers/ Python

Average Salary

$127,000

Labs

Yes

Level

Intermediate

Duration

5 Days

Experience

2 years: Debuggers/ Python

Average Salary

$127,000

Labs

Yes

Training Details

EXP-301 is an intermediate course that teaches the skills necessary to bypass DEP and ASLR security mitigations, create advanced custom ROP chains, reverse-engineer a network protocol and even create read and write primitives by exploiting format string specifiers.

Windows User Mode Exploit Development (EXP-301) is a course that teaches learners the basics of modern exploit development. Despite being a fundamental course, it is at the 300 level because it relies on substantial knowledge of assembly and low level programming. It begins with basic buffer overflow attacks and builds into learning the skills needed to crack the critical security mitigations protecting enterprises. Learners who complete the course and pass the exam earn the OffSec Exploit Developer (OSED) certification. The OSED is one of three certifications making up the OSCE3 certification along with the OSEP for advanced penetration testing and OSWE for web application security. Course Objectives:

  • Learn the fundamentals of reverse engineering
  • Create custom exploits
  • Develop the skills to bypass security mitigations
  • Write handmade Windows shellcode
  • Adapt older techniques to more modern versions of Windows

Lesson 1: Windows User Mode Exploit Development: General Course Information

  • About the EXP301 Course
  • Provided Materials
  • Overall Strategies for Approaching the Course
  • About the EXP301 VPN Labs
  • About the OSED Exam
  • Wrapping Up

 

Lesson 2: WinDbg and x86 Architecture

  • Introduction to x86 Architecture
  • Introduction to Windows Debugger
  • Accessing and Manipulating Memory from WinDbg
    Controlling the Program Execution in WinDbg
  • Additional WinDbg Features
  • Wrapping Up

 

Lesson 3: Exploiting Stack Overflows

  • Stack Overflows Introduction
  • Installing the Sync Breeze Application
  • Crashing the Sync Breeze Application
  • Win32 Buffer Overflow Exploitation
  • Wrapping Up


Lesson 4: Exploiting SEH Overflows

  • Installing the Sync Breeze Application
  • Crashing Sync Breeze
  • Analyzing the Crash in WinDbg
  • Introduction to Structured Exception Handling
  • Structured Exception Handler
    Overflows
  • Wrapping Up

 

Lesson 5: Introduction to IDA Pro

  • IDA Pro 101
  •  Working with IDA Pro
  •  Wrapping Up

 

Lesson 6: Overcoming Space Restrictions: Egghunters

  • Crashing the Savant Web Server
  • Analyzing the Crash in WinDbg
  • Detecting Bad Characters
  • Gaining Code Execution
  • Finding Alternative Places to Store
    Large Buffers
  • Finding our Buffer - The Egghunter
    Approach
  • Improving the Egghunter Portability Using SEH 
  • Wrapping Up


Lesson 7: Creating Custom Shellcode

  • Calling Conventions on x86
  • The System Call Problem
  • Finding kernel32.dll
  • Resolving Symbols
  • NULLFree Position-Independent Shellcode PIC
  • Reverse Shell
  • Wrapping Up


Lesson 8: Reverse Engineering for Bugs

  • Installation and Enumeration
  • Interacting with Tivoli Storage
    Manager
  • Reverse Engineering the Protocol
  • Digging Deeper to Find More Bugs
  • Wrapping Up


Lesson 9: Stack Overflows and DEP Bypass

  • Data Execution Prevention
  • Return Oriented Programming
  • Gadget Selection
  • Bypassing DEP
  • Wrapping Up

 

Lesson 10: Stack Overflows and ASLR Bypass

  • ASLR Introduction
  • Finding Hidden Gems
  • Expanding our Exploit ASLR Bypass)
  • Bypassing DEP with WriteProcessMemory
  • Wrapping Up


Lesson 11: Format String Specifier Attack Part I

  • Format String Attacks
  • Attacking IBM Tivoli FastBackServer
  • Reading the Event Log
  • Bypassing ASLR with Format Strings


Lesson 12: Format String Specifier Attack Part II

  • Write Primitive with Format Strings
  • Overwriting EIP with Format Strings
  • Locating Storage Space
  • Getting Code Execution
  • Wrapping Up


Lesson 13: Trying Harder: The Labs

  • Challenge 1
  • Challenge 2
  • Challenge 3
  • Wrapping Up
  • Windows User Mode Exploit Development is an intermediate course designed for those who want to learn about exploit development skills
  • Job roles like penetration testers, exploit developers, security researchers, Malware analysts, and software developers working on security products, could benefit from the course

 

Job Roles

  • Penetration Testers
  • Exploit Developers
  • Security Researchers
  • Malware Analysts
  • Software Developers Working On Security Products

All students should have the following prerequisite skills before starting the course:

  • Familiarity with debuggers (ImmunityDBG, OllyDBG)
  • Familiarity with basic exploitation concepts on 32-bit
  • Familiarity with writing Python 3 code
  • The following optional skills are recommended:
    • Ability to read and understand C code at a basic level
    • Ability to read and understand 32-bit Assembly code at a basic level

*The prerequisite skills can be obtained by taking our Penetration Testing with Kali Linux course.

  • Course Materials
  • Active Student Forums
  • Access to Home Lab Setup

Learn One Package – $2,499
  • One course
  • 365 days of lab access
  • Two exam attempts
  • Plus exclusive content

OR Learn Unlimited Package – $5,499
  • All courses
  • 365 days of lab access
  • Unlimited exam attempts
  • Plus exclusive content

Upcoming Classes

PROUD OFFSEC PARTNERSHIPS

We are proud to be an OffSec Learning, Government, and Channel Partner. We pride ourselves on providing award winning boot camps and direct mentoring in our classrooms, Online Live or at your location. The only immersive Authorized Instructor-Led OffSec training available – join us today!

We Offer More Than Just OffSec Training

Our successful training results keep our corporate and military clients returning. That’s because we provide everything you need to succeed. This is true for all of our courses.

Strategic Planning & Project Management

From Lean Six Sigma to Project Management Institute Project Management Professional, Agile and SCRUM, we offer the best-in-class strategic planning and project management training available. Work closely with our seasoned multi-decade project managers.

IT & Cybersecurity

ATA is the leading OffSec and Hack the Box US training provider, and a CompTIA and EC-Council award-winning training partner. We offer the best offensive and defensive cyber training to keep your team ahead of the technology skills curve.

Leadership & Management

Let us teach your team the high-level traits and micro-level tools & strategies of effective 21st-century leadership. Empower your team to play to each others’ strengths, inspire others and build a culture that values communication, authenticity, and community.

From Lean Six Sigma to Project Management Institute Project Management Professional, Agile and SCRUM, we offer the best-in-class strategic planning and project management training available. Work closely with our seasoned multi-decade project managers.
ATA is the leading OffSec and Hack the Box US training provider, and a CompTIA and EC-Council award-winning training partner. We offer the best offensive and defensive cyber training to keep your team ahead of the technology skills curve.
Let us teach your team the high-level traits and micro-level tools & strategies of effective 21st-century leadership. Empower your team to play to each others’ strengths, inspire others and build a culture that values communication, authenticity, and community.