Take advantage of spring savings with up to 50% off ILT training.

MyGK
Support
USA USA - English
Checkout

Cart () Loading...

    • Quantity:
    • Delivery:
    • Dates:
    • Location:

    $

Subtotal

$

Checkout

or Continue Shopping

Contact Sales
Course  
Contact Sales
Support
Checkout

Cart () Loading...

    • Quantity:
    • Delivery:
    • Dates:
    • Location:

    $

Subtotal

$

Checkout

or Continue Shopping

Request Group Training

EXP-301 – Windows User Mode Exploit Development

OffSec EXP-301 – Windows User Mode Exploit Development

OffSec’s Windows User-Mode Exploit Development (EXP-301) 5-days course provides a comprehensive understanding of modern exploit development techniques. Learners gain hands-on experience crafting custom exploits and bypassing security defenses in an environment designed to elevate their skills in ethical hacking and vulnerability discovery.

Successful completion of the training course and passing the associated exam earns the OffSec Exploit Developer (OSED) certification. This certification validates expertise in advanced exploit development techniques, including reverse engineering, writing shellcode, and bypassing modern mitigations, making certified professionals invaluable for identifying and addressing vulnerabilities in software applications.

GK# 840107 Vendor# EXP-301
Vendor Credits:
No matching courses available.
Start learning as soon as today! Click Add To Cart to continue shopping or Buy Now to check out immediately.
Access Period:
Scheduling a custom training event for your team is fast and easy! Click here to get started.

Who Should Attend?

The EXP-301 course is ideal for individuals with a solid foundation in penetration testing and programming who are seeking to master exploit development techniques, ultimately earning the OSED certification.

What You'll Learn

Upon completing EXP-301 and passing the OSED exam, you’ll have mastered exploit development skills, including:

  • In-depth vulnerability analysis and exploitation in Windows user-mode applications
  • Custom exploit development for stack, heap, and integer overflows, as well as format string and use-after-free vulnerabilities
  • Bypassing modern Windows security mitigations like DEP, ASLR, and CFG
  • Writing reliable shellcode from scratch
  • Reverse engineering to uncover vulnerabilities

Course Outline

Windows User Mode Exploit Development: General Course Information

  • About the EXP301 Course
  • Provided Materials
  • Overall Strategies for Approaching the Course
  • About the EXP301 VPN Labs
  • About the OSED Exam

WinDbg and x86 Architecture

  • Introduction to x86 Architecture
  • Introduction to Windows Debugger
  • Accessing and Manipulating Memory from WinDbg
  • Controlling the Program Execution in WinDbg
  • Additional WinDbg Features

Exploiting Stack Overflows

  • Stack Overflows Introduction
  • Installing the Sync Breeze Application
  • Crashing the Sync Breeze Application
  • Win32 Buffer Overflow Exploitation

Exploiting SEH Overflows

  • Installing the Sync Breeze Application
  • Crashing Sync Breeze
  • Analyzing the Crash in WinDbg
  • Introduction to Structured Exception Handling
  • Structured Exception Handler Overflows

Introduction to IDA Pro

  • IDA Pro 101
  • Working with IDA Pro

Overcoming Space Restrictions: Egghunters

  • Crashing the Savant Web Server
  • Analyzing the Crash in WinDbg
  • Detecting Bad Characters
  • Gaining Code Execution
  • Finding Alternative Places to Store Large Buffers
  • Finding our Buffer - The Egghunter Approach
  • Improving the Egghunter Portability Using SEH

Creating Custom Shellcode

  • Calling Conventions on x86
  • The System Call Problem
  • Finding kernel32.dll
  • Resolving Symbols
  • NULLFree Position-Independent Shellcode PIC
  • Reverse Shell

Reverse Engineering for Bugs

  • Installation and Enumeration
  • Interacting with Tivoli Storage Manager
  • Reverse Engineering the Protocol
  • Digging Deeper to Find More Bugs

Stack Overflows and DEP Bypass

  • Data Execution Prevention
  • Return Oriented Programming
  • Gadget Selection
  • Bypassing DEP

Stack Overflows and ASLR Bypass

  • ASLR Introduction
  • Finding Hidden Gems
  • Expanding our Exploit ASLR Bypass)
  • Bypassing DEP with WriteProcessMemory

Format String Specifier Attack Part I

  • Format String Attacks
  • Attacking IBM Tivoli FastBackServer
  • Reading the Event Log
  • Bypassing ASLR with Format Strings

Format String Specifier Attack Part II

  • Write Primitive with Format Strings
  • Overwriting EIP with Format Strings
  • Locating Storage Space
  • Getting Code Execution

Labs Outline

The Labs

  • Challenge 1
  • Challenge 2
  • Challenge 3

Prerequisites

While there are no formal prerequisites, a strong understanding of C programming, assembly language, operating system internals (Windows), and debugging tools (such as WinDbg and Immunity Debugger) is highly recommended.

Related Certifications

The OffSec Experienced Penetration Tester (OSEP) certification distinguishes professionals with advanced penetration testing skills, making them highly sought-after experts in securing organizations from sophisticated threats. The OffSec Experienced Penetration Tester (OSEP) exam is a challenging, proctored 48-hour assessment designed to evaluate your advanced penetration testing skills in a real-world environment. You’ll demonstrate your ability to identify, exploit, and report on vulnerabilities, culminating in the development of custom exploits.

OffSec Experienced Penetration Testers (OSEPs) have the skills and expertise necessary to conduct penetration tests against hardened systems. They’ve proven their ability to identify more impactful intrusion opportunties and execute advanced, organized attacks in a controlled and focused manner.