This repository is dedicated to my self-study journey towards the Offensive Security Exploit Expert (OSEE) certification. I am planning to attend the course in 2025 or 2026, and this is part of my preparation. I believe in the power of open learning and therefore, I am sharing the materials that I am using for my studies.
This repository serves as a structured guide for preparing for the Offensive Security Exploitation Expert (OSEE) 401 exam. It is meticulously crafted based on the EXP401 Syllabus and focuses on the major topics essential for mastering advanced Windows exploitation techniques.
The OSEE certification is recognized in the cybersecurity industry for its rigor and emphasis on practical, hands-on skills. This guide aligns with the official syllabus and is designed to provide learners with detailed resources, clear explanations, and practical exercises for each major module.
- Solid understanding of Windows operating systems at both the administrative and kernel level. Familiarity with Windows internals, system architecture, and subsystems.
- Advanced programming skills in languages such as C, Python, and Assembly, especially as they relate to system-level programming and exploit development in Windows environments.
- Substantial experience in penetration testing and security research, particularly in identifying and exploiting Windows-based vulnerabilities.
- Proficiency with a wide range of security tools specific to Windows, including debuggers (such as WinDbg), disassemblers/decompilers (like IDA Pro, Ghidra), and virtualization software (VMware, Hyper-V).
- Strong background in reverse engineering Windows applications and binaries, with the ability to analyze and understand complex code structures.
- Prior experience in developing and exploiting advanced vulnerabilities such as buffer overflows, heap overflows, use-after-free vulnerabilities, and other complex vulnerability classes in Windows environments.
- CVE-2017-4901: Bug in Drag and Drop RPCI
- CVE-2019-0567: Type confusion vulnerability in Microsoft Edge
- 2 Custom Shellcode Creation
- 3 VMware Workstation Guest-To-Host Escape
- 4 Microsoft Edge Type Confusion
- Future Modules
(Note: Content for each section, along with additional sections, will be updated regularly.)
This guide intentionally focuses on the main topics from the syllabus. Some specific topics have been omitted to ensure the guide remains concise and directed towards the primary learning objectives. For comprehensive coverage, learners are encouraged to refer to the official syllabus alongside this guide.
Follow my journey and share your experiences on Twitter: 0x1BE.
More modules and sections will be added to this guide as I continue through the course. This includes an in-depth exploration of advanced topics, each accompanied by practical examples and resources for thorough study.
This repository is intended solely for educational purposes in preparation for the OSEE 401 exam. All materials and exercises are structured to align with the EXP401 Syllabus. This guide is not affiliated with or endorsed by Offensive Security.
Let's embark on this challenging yet rewarding journey together. Happy hacking!
- 2 Custom Shellcode Creation
- 3 VMware Workstation Guest-To-Host Escape
- 4 Microsoft Edge Type Confusion
- 5 Driver Callback Overwrite
- 6 Unsanitized User-mode Callback
Custom shellcode creation is a critical skill for exploit developers. This module covers various aspects of shellcode development, including understanding 64-bit architectures and the intricacies of Win32 APIs.
The shift to 64-bit architecture brings several changes in how systems handle memory and execute code. This section delves into these changes and their impact on exploit development.
- 2.1.1 64-bit Memory Enhancements
- Description: An exploration of the enhancements in memory management in 64-bit systems and their implications on security.
- Resources: 64-bit Memory Management
- 2.1.2 Calling Conventions
- Description: Understanding the calling conventions in 64-bit systems and how they differ from 32-bit systems.
- Resources: 64-bit Calling Conventions
- 2.1.3 Win32 APIs
- Description: Leveraging Win32 APIs for exploitation in a 64-bit environment.
- Resources: Win32 APIs in 64-bit Exploitation
A deep dive into the best practices and methodologies for writing effective and reliable exploit code.
- 2.2.1 Position-Independent Code
- Description: Strategies for writing position-independent code, a crucial aspect for successful exploitation.
- Resources: Position-Independent Code Techniques
- 2.2.2 Visual Studio
- Description: Utilizing Visual Studio for developing and debugging exploit code.
- Resources: Exploit Development with Visual Studio
- Description: Techniques for building a versatile and effective shellcode framework.
- Resources: Building Shellcode Frameworks
- Description: Crafting reverse shellcode for establishing remote connections post-exploitation.
- Resources: Reverse Shellcode Development
This module covers the techniques and vulnerabilities associated with escaping from a VMware Workstation guest environment to the host, a critical aspect of virtual machine security.
- Description: An overview of different classes of vulnerabilities commonly found in virtualized environments like VMware.
- Resources: VMware Vulnerability Classes
- 3.2.1 DEP Theory
- Description: Understanding the role and mechanism of Data Execution Prevention in Windows security.
- Resources: Data Execution Prevention Explained
- 3.2.2 Ret2Lib Attacks and Their Evolution
- Description: The evolution and mechanics of Return-to-Library attacks in the context of modern security defenses.
- Resources: Ret2Lib Attack Techniques
- 3.2.3 Return Oriented Programming
- Description: Advanced exploitation techniques using Return Oriented Programming to bypass security mechanisms.
- Resources: ROP Techniques
- Description: Techniques for bypassing ASLR, a common memory protection mechanism.
- Resources: Bypassing ASLR
- Description: Deep dive into VMware Workstation's internal mechanisms.
- Resources: Exploring VMware Internals, VMware Architecture Course
- Description: Case study of a use-after-free vulnerability in VMware.
- Resources: UaF Vulnerability Analysis, Exploiting VMware Drag & Drop
- Description: Understanding the intricacies of Windows heap memory management.
- Resources: Heap Memory Management in Windows, Windows Heap Exploitation Techniques
- Description: Delving into the Low Fragmentation Heap mechanism in Windows.
- Resources: Understanding LFH, Exploiting LFH Vulnerabilities
- Description: Detailed case study on exploiting use-after-free vulnerabilities.
- Resources: UaF Exploitation Guide, Use-After-Free Exploits in Practice
- Description: Techniques for controlling memory reallocation in UaF vulnerabilities.
- Resources: Memory Reallocation in UaF, Reallocation Control Techniques
- Description: Strategies for crafting and exploiting fake virtual tables in UaF scenarios.
- Resources: Fake Virtual Table Exploitation, Creating Fake Virtual Tables for UaF
- Description: Using Return-Oriented Programming in the context of UaF vulnerabilities.
- Resources: ROP in UaF Exploits, ROP Techniques for UaF
- Description: Techniques to bypass Address Space Layout Randomization in UaF exploits.
- Resources: Bypassing ASLR in UaF, ASLR Bypass Techniques
- Description: Utilizing stack pivoting techniques in UaF exploitation.
- Resources: Stack Pivoting in Exploitation, UaF and Stack Pivoting
- Description: Strategies to defeat Data Execution Prevention in UaF scenarios.
- Resources: Defeating DEP in UaF, DEP Bypass Techniques
- Description: Techniques for restoring execution flow after exploitation.
- Resources: Execution Flow Restoration, Post-Exploitation Flow Techniques
- Description: Strategies and methods for executing shellcode post-exploitation.
- Resources: Executing Shellcode, Shellcode Execution Techniques
- Description: Understanding and bypassing Windows Defender Exploit Guard.
- Resources: Exploit Guard Analysis, Bypassing Windows Defender Exploit Guard
- Description: Methods for testing the effectiveness of Windows Defender Exploit Guard.
- Resources: Testing WDEG, Penetration Testing WDEG
- Description: Techniques for mitigating Return-Oriented Programming attacks.
- Resources: ROP Mitigation Strategies, Mitigating ROP Attacks
This module focuses on exploring and exploiting type confusion vulnerabilities specifically in the Microsoft Edge browser, emphasizing the internal mechanisms of Edge, advanced exploitation techniques, and practical case studies.
- Description: An in-depth look at the architecture and internal components of the Microsoft Edge browser.
- Resources: Inside Microsoft Edge
- Description: Analyzing real-world type confusion vulnerabilities in Edge and understanding their exploitation.
- Resources: Edge Type Confusion Exploits
- Description: Techniques and strategies for exploiting type confusion vulnerabilities in web browsers.
- Resources: Exploiting Type Confusion
- Description: Methods to control the instruction pointer (RIP) in exploitation scenarios, a crucial step in gaining execution control.
- Resources: Controlling the RIP in Exploits
- Description: Strategies for bypassing Control Flow Guard (CFG) in Windows, a mitigation that restricts indirect calls to valid function entry points so that memory corruption vulnerabilities are harder to exploit.
- Resources: Bypassing CFG
- Description: Techniques for executing data-only attacks, where the attacker manipulates the data without changing the code.
- Resources: Data Only Attacks in Depth
- Description: Understanding and bypassing Arbitrary Code Guard (ACG), a mitigation in modern Windows environments that prevents a process from allocating or modifying executable memory.
- Resources: ACG Exploitation Techniques
- Description: Techniques for making out-of-context function calls in exploitation scenarios.
- Resources: Advanced Out-of-Context Call Techniques
- Description: Exploiting vulnerabilities in remote procedure call mechanisms.
- Resources: Remote Procedure Call Exploits
- Description: Techniques to escape browser sandboxes, with a focus on Microsoft Edge.
- Resources: Escaping Browser Sandboxes
More modules and sections will be added to this guide as I continue through the course. This includes detailed exploration of topics such as driver callback overwrite, unsanitized user-mode callbacks, and more, each accompanied by practical examples and resources for in-depth study.