准备

主要就是课程资料和lab练习，额外练习资源在后面参考资料中

考试

尽可能多练习熟悉各种坑，我是只做完了课程中的内容，课后作业都没做完，三个challenge也是只大概看了下，一个都没做

考试内容

具体太细节的不能说，只写大概内容

三个题目

给有基础 crash poc，DEP绕过 30分
custome shellcode 30分
逆向，DEP + ASLR 绕过 40分

满分100分，60分及格，没有步骤分，所以必须要完全做出来两个题目

DEP bypass题目

题目会有很明确的限制，比如要求你必须使用某个函数进行

并且过滤完badchars后可用gadgets也很少

然后shellcode部分也会坑，badchars比较多，如果继续使用rop编码解码处理badchars的话，剩余空间不够，只能使用自定义shellcode，修改一些会产生badchars的指令，生成可用shellcode

custome shellcode

这部分就是纯汇编代码实现题目要求，考试很明确的要求了需要调用什么函数达成什么效果，测试效果就是python keystone-engine + windbg

最关键的就是要注意position independent code 和 NULL-Free, 生成的shellcode如果有null byte，用python运行是没问题的，然而，在真正的漏洞利用中使用这个 shellcode 会有问题，因为 NULL 字节通常是一个坏字符

所以需要满足这些基本要求，生成的操作码不能有null字节，这个自己windbg一点点确认，然后修改对应汇编指令为没有null byte，但效果相同的其他指令即可

逆向题目

根据考试说明是需要逆向找到绕过ASLR的方式，然后还有内存漏洞控制eip，以及后续的DEP绕过部分，但考试的逆向只允许使用IDA免费版本，不允许使用IDA Pro，Ghidra之类的其他工具

这个题目就大概看了下，直接放弃了

通用

武器化是基本要求，靶机操作系统环境版本可能和调试机不一样，所以gadget只能使用程序本身的，不能使用系统dll中的

最重要的就是OffSec一直要求的 TryHarder .我是因为完全没有任何额外练习，考试中各种浪费时间，不止一次想跟监考说放弃考试，但继续坚持，都会在几个小时内找到突破口

参考资料

学习 & 练习资源

nop-tech/OSED: Containing my notes, practice binaries + solutions, blog posts, etc. for the Offensive Security Exploit Developer (OSED/EXP-301)
https://github.com/nop-tech/OSED/
PAWNYABLE!
https://pawnyable.cafe/
Learning Linux kernel exploitation - Part 1 - Laying the groundwork
https://0x434b.dev/dabbling-with-linux-kernel-exploitation-ctf-challenges-to-learn-the-ropes/amp/
深入理解进程线程 - 跳跳糖
https://tttang.com/archive/1483/
m33s33ks/WUMED-OSED: Notes template for Offensive Security’s EXP-301 course and OSED exam (笔记模板)
https://github.com/m33s33ks/WUMED-OSED

scripts

ricardojoserf/OSED-prep: Exploits written while preparing for the OSED exam
https://github.com/ricardojoserf/OSED-prep
ommadawn46/win-x86-shellcoder: A tool to help find bad chars in shellcode and develop shellcode without bad chars, created to assist myself in OSED course.
https://github.com/ommadawn46/win-x86-shellcoder
epi052/osed-scripts: bespoke tooling for offensive security’s Windows Usermode Exploit Dev course (OSED)
https://github.com/epi052/osed-scripts
osed-tools/filter-ropfile.py at main · 0xbad53c/osed-tools
https://github.com/0xbad53c/osed-tools

DEP bypass

Bypassing DEP with WriteProcessMemory (x86) • Vulndev
https://vulndev.io/2022/06/12/bypassing-dep-with-writeprocessmemory/
Bypassing DEP with VirtualProtect (x86) • Vulndev
https://vulndev.io/2022/06/14/bypassing-dep-with-virtualalloc-x86/
Exploit Development: Hands Up! Give Us the Stack! This Is a ROPpery! | Home
https://connormcgarr.github.io/ROP/
Exploit Development: Playing ROP’em COP’em Robots with WriteProcessMemory() | Home
https://connormcgarr.github.io/ROP2/
Creating Win32 ROP Chains - The Human Machine Interface
https://h0mbre.github.io/Creating_Win32_ROP_Chains/
Vulnserver TRUN Bypass DEP With ROP | Technical Memorandum
https://n0maj1o24.github.io/2022/02/22/Vulnserver-TRUN-Bypass-DEP-With-ROP/
Vulnserver TRUN Bypass DEP With ROP Again | Technical Memorandum
https://n0maj1o24.github.io/2022/02/24/Vulnserver-TRUN-Bypass-DEP-With-ROP-Again/
Vulnserver TRUN Bypass DEP With ROP On Win10 | Technical Memorandum
https://n0maj1o24.github.io/2022/05/01/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10/
Vulnserver TRUN Bypass DEP With ROP On Win10 II | Technical Memorandum
https://n0maj1o24.github.io/2022/05/30/Vulnserver-TRUN-Bypass-DEP-With-ROP-On-Win10-II/

shellcode

Windows下Shellcode编写详解 - 先知社区
https://xz.aliyun.com/t/2108
shellcode编写之动态定位API - 先知社区
https://xz.aliyun.com/t/10490
Baby’s First Win32 Shellcode - The Human Machine Interface
https://h0mbre.github.io/Babys-First-Shellcode/
Baby’s First Win32 Shellcode Part 2 - The Human Machine Interface
https://h0mbre.github.io/Babys-First-Shellcode-Part2/
Win32 Reverse Shell Shellcode - The Human Machine Interface
https://h0mbre.github.io/Win32_Reverse_Shellcode/
Create A Simple Windows Shellcode | Technical Memorandum
https://n0maj1o24.github.io/2022/03/11/Create-A-Simple-Windows-Shellcode/
奇安信攻防社区-Window向之x86 ShellCode入门
https://forum.butian.net/share/1244
Writing Small (reverse) Shell Code - Sekuro
https://sekuro.io/blog/writing-small-reverse-shellcode/

syscall

A Syscall Journey in the Windows Kernel - Alice Climent-Pommeret
https://alice.climent-pommeret.red/posts/a-syscall-journey-in-the-windows-kernel/
syscall的前世今生 - 跳跳糖
https://tttang.com/archive/1464/

fmtstr

在Windows下利用格式字符串 - 先知社区
https://xz.aliyun.com/t/2410
Exploiting Format Strings in Windows | 🔐Blog of Osanda
https://osandamalith.com/2018/02/01/exploiting-format-strings-in-windows/

SLAE Assignment

这个是针对SecurityTube Linux Assembly Expert的学习资料，学习汇编代码编写shellcode的方法比较有用：

SLAE Assignment 1 – TCP Bind Shell - The Human Machine Interface
https://h0mbre.github.io/SLAE_TCP_Bind_Shell/
SLAE Assignment 2 – TCP Reverse Shell - The Human Machine Interface
https://h0mbre.github.io/SLAE_TCP_Rev_Shell/
SLAE Assignment 3 – Egg Hunter - The Human Machine Interface
https://h0mbre.github.io/SLAE_Egg_Hunter/
SLAE Assignment 4 – Encoder - The Human Machine Interface
https://h0mbre.github.io/SLAE_Encoder/
SLAE Assignment 5 – MSF Analysis - The Human Machine Interface
https://h0mbre.github.io/SLAE_MSF_Analysis/
SLAE Assignment 6 – Polymorphic Shellcode - The Human Machine Interface
https://h0mbre.github.io/SLAE_Polymorphic_Shellcode/
SLAE Assignment 7 – Custom Crypter - The Human Machine Interface
https://h0mbre.github.io/SLAE_Crypter/
SLAE x86 Review - The Human Machine Interface
https://h0mbre.github.io/SLAE_x86_Review/

CTP/OSCE Prep

和上面的SLAE Assignment 系列同一个作者：

CTP/OSCE Prep – Boofuzzing Vulnserver for EIP Overwrite - The Human Machine Interface
https://h0mbre.github.io/Boofuzz_to_EIP_Overwrite/
CTP/OSCE Prep – ‘GMON’ SEH Based Overflow in Vulnserver - The Human Machine Interface
https://h0mbre.github.io/SEH_Based_Exploit/
CTP/OSCE Prep – ‘GMON’ Egghunter Exploit in Vulnserver - The Human Machine Interface
https://h0mbre.github.io/Egghunter_GMON_Vulnserver/
CTP/OSCE Prep – ‘GMON’ Egghunter With Character Restrictions - The Human Machine Interface
https://h0mbre.github.io/Badchars_Egghunter_SEH_Exploit/
CTP/OSCE Prep – ‘LTER’ SEH Snafu! and EIP Overwrite Success - The Human Machine Interface
https://h0mbre.github.io/LTER_SEH_Exploit/
CTP/OSCE Prep – A Noob’s Approach to Alphanumeric Shellcode (LTER SEH Overwrite) - The Human Machine Interface
https://h0mbre.github.io/LTER_SEH_Success/
CTP/OSCE Prep – ‘LTER’ SEH Overwrite v2.0! - The Human Machine Interface
https://h0mbre.github.io/LTER_SEH_Overwrite_2/
CTP/OSCE Prep – ‘HTER’ EIP Overwrite with a Twist - The Human Machine Interface
https://h0mbre.github.io/HTER_EIP_Twist/
CTP/OSCE Prep – Offset Helper for CTP - The Human Machine Interface
https://h0mbre.github.io/Offset/
CTP/OSCE Prep – Easy File Sharing Web Server 7.2 SEH Overwrite - The Human Machine Interface
https://h0mbre.github.io/Easy_File_Sharing_Web_Server/
CTP/OSCE Prep – Xitami Webserver 2.5 SEH Overflow With Egghunter - The Human Machine Interface
https://h0mbre.github.io/Xitami_Webserver_SEH/
CTP/OSCE Prep – Wrapping Up Our Prep - The Human Machine Interface
https://h0mbre.github.io/CTP_Summary/

OSCE Exam Practice

epi的一个系列教程，标题是老的OSCE，但对现在的OSED仍然很有用：

OSCE Exam Practice - Part I (Lab Setup)
https://epi052.gitlab.io/notes-to-self/blog/2020-05-13-osce-exam-practice-part-one/
OSCE Exam Practice - Part II (TRUN via EIP Overwrite)
https://epi052.gitlab.io/notes-to-self/blog/2020-05-14-osce-exam-practice-part-two/
OSCE Exam Practice - Part III (GMON via SEH Overwrite w/ Egg Hunter)
https://epi052.gitlab.io/notes-to-self/blog/2020-05-18-osce-exam-practice-part-three/
OSCE Exam Practice - Part IV (GMON via SEH Overwrite w/ Stack Pivot)
https://epi052.gitlab.io/notes-to-self/blog/2020-05-19-osce-exam-practice-part-four/
OSCE Exam Practice - Part V (KSTET via 3-stage Shellcode)
https://epi052.gitlab.io/notes-to-self/blog/2020-05-19-osce-exam-practice-part-five/ ( 两个socket，一个执行egghunter，另一个发送shellcode)
OSCE Exam Practice - Part VI (HTER via EIP Overwrite w/ Restricted Character Set)
https://epi052.gitlab.io/notes-to-self/blog/2020-05-21-osce-exam-practice-part-six/ （只有ascii 0-f/F 字符的payload）
OSCE Exam Practice - Part VII (GTER via EIP Overwrite w/ Socket Reuse Payload)
https://epi052.gitlab.io/notes-to-self/blog/2020-05-22-osce-exam-practice-part-seven/ (socket reuse)
OSCE Exam Practice - Part VIII (LTER via EIP Overwrite w/ Restricted Character Set)
https://epi052.gitlab.io/notes-to-self/blog/2020-05-24-osce-exam-practice-part-eight/ （受限字符集，只使用ascii的payload）
OSCE Exam Practice - Part IX (LTER via SEH Overwrite w/ Restricted Character Set)
https://epi052.gitlab.io/notes-to-self/blog/2020-05-25-osce-exam-practice-part-nine/ （受限字符集，只使用ascii的payload，复杂的编码处理）

Zero Day Zen Garden: Windows Exploit Development

Zero Day Zen Garden: Windows Exploit Development - Part 0 [Dev Setup & Advice] | Shogun Lab 将軍ラボ
https://www.shogunlab.com/blog/2017/08/11/zdzg-windows-exploit-0.html
Zero Day Zen Garden: Windows Exploit Development - Part 1 [Stack Buffer Overflow Intro] | Shogun Lab 将軍ラボ
https://www.shogunlab.com/blog/2017/08/19/zdzg-windows-exploit-1.html
Zero Day Zen Garden: Windows Exploit Development - Part 2 [JMP to Locate Shellcode] | Shogun Lab 将軍ラボ
https://www.shogunlab.com/blog/2017/08/26/zdzg-windows-exploit-2.html
Zero Day Zen Garden: Windows Exploit Development - Part 3 [Egghunter to Locate Shellcode] | Shogun Lab 将軍ラボ
https://www.shogunlab.com/blog/2017/09/02/zdzg-windows-exploit-3.html
Zero Day Zen Garden: Windows Exploit Development - Part 4 [Overwriting SEH with Buffer Overflows] | Shogun Lab 将軍ラボ
https://www.shogunlab.com/blog/2017/11/06/zdzg-windows-exploit-4.html
Zero Day Zen Garden: Windows Exploit Development - Part 5 [Return Oriented Programming Chains] | Shogun Lab 将軍ラボ
https://www.shogunlab.com/blog/2018/02/11/zdzg-windows-exploit-5.html

FuzzySecurity | ExploitDev

后面还有heap和kernel内容，对于OSED来说看到第7篇就够了

FuzzySecurity | ExploitDev: Part 1: Introduction to Exploit Development
http://www.fuzzysecurity.com/tutorials/expDev/1.html
FuzzySecurity | ExploitDev: Part 2: Saved Return Pointer Overflows
http://www.fuzzysecurity.com/tutorials/expDev/2.html
FuzzySecurity | ExploitDev: Part 3: Structured Exception Handler (SEH)
http://www.fuzzysecurity.com/tutorials/expDev/3.html
FuzzySecurity | ExploitDev: Part 4: Egg Hunters
http://www.fuzzysecurity.com/tutorials/expDev/4.html
FuzzySecurity | ExploitDev: Part 5: Unicode 0x00410041
http://www.fuzzysecurity.com/tutorials/expDev/5.html (unicode类型的input buffer)
FuzzySecurity | ExploitDev: Part 6: Writing W32 shellcode
http://www.fuzzysecurity.com/tutorials/expDev/6.html
FuzzySecurity | ExploitDev: Part 7: Return Oriented Programming
http://www.fuzzysecurity.com/tutorials/expDev/7.html

后面剩余部分：

FuzzySecurity | Tutorials
http://www.fuzzysecurity.com/tutorials.html

Windows Exploit Development by Securitysift

Windows Exploit Development - Part 1: The Basics - Security SiftSecurity Sift
https://www.securitysift.com/windows-exploit-development-part-1-basics/
Windows Exploit Development - Part 2: Intro to Stack Based Overflows - Security SiftSecurity Sift
https://www.securitysift.com/windows-exploit-development-part-2-intro-stack-overflow/
Windows Exploit Development - Part 3: Changing Offsets and Rebased Modules - Security SiftSecurity Sift
https://www.securitysift.com/windows-exploit-development-part-3-changing-offsets-and-rebased-modules/
Windows Exploit Development - Part 4: Locating Shellcode With Jumps - Security SiftSecurity Sift
https://www.securitysift.com/windows-exploit-development-part-4-locating-shellcode-jumps/
Windows Exploit Development – Part 5: Locating Shellcode With Egghunting - Security SiftSecurity Sift
https://www.securitysift.com/windows-exploit-development-part-5-locating-shellcode-egghunting/ (当内存中有多个匹配egg，其中只有一段shellcode是完整的，但损坏的shellcode先被匹配到，如何解决)
Windows Exploit Development – Part 6: SEH Exploits - Security SiftSecurity Sift
https://www.securitysift.com/windows-exploit-development-part-6-seh-exploits/
Windows Exploit Development - Part 7: Unicode Buffer Overflows - Security SiftSecurity Sift
https://www.securitysift.com/windows-exploit-development-part-7-unicode-buffer-overflows/

Corelan的系列，每篇都很长

Articles | Corelan Cybersecurity ResearchCorelan Cybersecurity Research
https://www.corelan.be/index.php/articles/

中文资料

SploitFun Linux x86 Exploit 开发系列教程 · SploitFun Linux x86 Exploit 开发系列教程
https://wizardforcel.gitbooks.io/sploitfun-linux-x86-exp-tut/content/

Exploit开发系列教程

Exploit开发系列教程-Windbg - 跳跳糖
https://tttang.com/archive/834/#toc_edit
Exploit开发系列教程-Mona 2& SEH - 跳跳糖
https://tttang.com/archive/990/
Exploit开发系列教程-Heap - 跳跳糖
https://tttang.com/archive/918/
Exploit开发系列教程-Windows基础&shellcode - 跳跳糖
https://tttang.com/archive/901/
Exploit开发系列教程-Exploitme1 (“ret eip” overwrite) &More space on stack - 跳跳糖
https://tttang.com/archive/680/
Exploit开发系列教程-Exploitme2 (Stack cookies & SEH) - 跳跳糖
https://tttang.com/archive/756/

跟小黑学漏洞利用开发

跟小黑学漏洞利用开发之SEH溢出-安全客 - 安全资讯平台
https://www.anquanke.com/post/id/192904
跟小黑学漏洞利用开发之egghunter-安全客 - 安全资讯平台
https://www.anquanke.com/post/id/193065
跟小黑学漏洞利用开发之unicode-安全客 - 安全资讯平台
https://www.anquanke.com/post/id/193802
跟小黑学漏洞利用开发之16进制字符转换-安全客 - 安全资讯平台
https://www.anquanke.com/post/id/194070
跟小黑学漏洞利用开发之SEH+Egghunter-安全客 - 安全资讯平台
https://www.anquanke.com/post/id/194303

Windows Exploitation by n0maj1o24

这个分类下自行查看

分类: Windows Exploitation | Technical Memorandum
https://n0maj1o24.github.io/categories/Windows-Exploitation/

Reviews

OSED - Navigating The Shadows
https://red.0xbad53c.com/training-reviews/offensive-security/osed
My Offensive Security Exploit Developer Review | nop-blog
https://nop-blog.tech/blog/osed/
Course Review - Offensive Security’s Windows User Mode Exploit Development (EXP-301/OSED)
https://epi052.gitlab.io/notes-to-self/blog/2021-06-16-windows-usermode-exploit-development-review/
ROP and Roll: EXP-301 Offensive Security Exploit Developer (OSED) Review and Exam | Spaceraccoon’s Blog
https://spaceraccoon.dev/rop-and-roll-exp-301-offensive-security-exploit-development-osed-review-and/
Offensive Security OSED Review · Hop Infosec
https://0xhop.github.io/binex/2022/07/30/OSED-Review/
Offensive Security EXP-301/OSED Review | yakuhito’s blog
https://blog.kuhi.to/offsec-exp301-osed-review
Road to OSED
https://tehwinsam.com/osed/
How I Failed Twice… and Finally Passed the Offensive Security OSED 72-hour Exam (EXP-301) - CUJO AI
https://cujo.com/how-i-failed-twice-and-finally-passed-the-offensive-security-osed-72-hour-exam-exp-301/
Congrats on the OSED Certificate! | Fluid Attacks
https://fluidattacks.com/blog/osed-certification/

视频

OSED Review - Offensive Security Exploit Developer - YouTube
https://www.youtube.com/watch?v=NAe6f1_XG6Q&ab_channel=JohnHammond

中文

EXP-301 | OSED 證照滿分之旅 - b3rm1nG - Medium
https://medium.com/@b3rm1nG/exp-301-osed-%E8%AD%89%E7%85%A7%E6%BB%BF%E5%88%86%E4%B9%8B%E6%97%85-f55c95146abc
OSCE3之路 - OSED | EXP301 - 4xpl0r3r’s blog
https://cn.4xpl0r3r.com/%E8%AF%81%E4%B9%A6/OSCE3%E4%B9%8B%E8%B7%AF-OSED-EXP301/
OSCE3 Certification: From Zero to One | Technical Memorandum
https://n0maj1o24.github.io/2022/10/03/OSCE3-Certification-From-Zero-to-One/

OSED受験記

2022-10-07