├── 01) WinDbg & x86
│   └── README.md
├── 02) Vanilla BOF
│   └── README.md
├── 03) SEH
│   └── README.md
├── 04) IDA
│   └── README.md
├── 05) Egghunters
│   └── README.md
├── 06) Custom Shellcode
│   └── README.md
├── 07) DEP
│   └── README.md
├── 08) ASLR
│   └── README.md
├── 09) Format String Specifier Attacks
│   └── README.md
├── 10) Tools
│   └── README.md
├── EXP301-syllabus.pdf
├── README.md
└── pykd.dll
/01) WinDbg & x86/README.md:
--------------------------------------------------------------------------------
# The x86 Architecture, WinDbg, and Assembly

## x86

- [A Crash Course in x86 Assembly for Reverse Engineers](https://sensepost.com/blogstatic/2014/01/SensePost_crash_course_in_x86_assembly-.pdf) by sensepost
- [Architecture 1001: x86-64 Assembly](https://p.ost2.fyi/courses/course-v1:OpenSecurityTraining2+Arch1001_x86-64_Asm+2021_v1/about) by OpenSecurityTraining2

## WinDbg

- [WinDbg Cheat Sheet](https://web.archive.org/web/20220710171907/https://sites.google.com/site/taesaza0/etc/windbgcheatsheet) by Taesaza0
- [WinDbg Cheat Sheet](https://dblohm7.ca/pmo/windbgcheatsheet.html) by dblohm7
- [WinDbg Cheat Sheet](https://blog.lamarranet.com/wp-content/uploads/2021/09/WinDbg-Cheat-Sheet.pdf) by lamarranet
--------------------------------------------------------------------------------
/02) Vanilla BOF/README.md:
--------------------------------------------------------------------------------
# Vanilla Stack Based Buffer Overflows

## Recommended

- [Exploit writing tutorial part 1: Stack Based Overflows](https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/) by Corelan
- [Exploit writing tutorial part 2: Stack Based Overflows - jumping to shellcode](https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/) by Corelan
- [Exploit Development - VulnServer Simple Buffer Overflow](https://guidedhacking.com/threads/exploit-development-vulnserver-simple-buffer-overflow.19989/) by nop
- [Binary Exploit Development Tutorial - Simple Buffer Overflow (video)](https://youtu.be/hdlHPv48gNY) by nop

## More Blog posts, Papers, and Theory

- [How a CPU works and Introduction to Assembler - bin 0x04](https://youtu.be/6jSKldt7Eqs) by LiveOverflow
- [First Stack Buffer Overflow to modify Variable - bin 0x0C](https://youtu.be/T03idxny9jE) by LiveOverflow
- [Buffer Overflows can Redirect Program Execution - bin 0x0D](https://youtu.be/8QzOC8HfOqU) by LiveOverflow
- [First Exploit! Buffer Overflow with Shellcode - bin 0x0E](https://youtu.be/HSlhY4Uy8SA) by LiveOverflow
- [Part 2: Saved Return Pointer Overflows](http://www.fuzzysecurity.com/tutorials/expDev/2.html) by Fuzzysecurity

## Practice Binaries

- [Buffer Overflow Prep](https://tryhackme.com/room/bufferoverflowprep) by Tib3rius via TryHackMe
- [Brainpan 1](https://tryhackme.com/room/brainpan) by TryHackMe
- [Gatekeeper](https://tryhackme.com/room/gatekeeper) by TheMayor via TryHackMe
- [Brainstorm](https://tryhackme.com/room/brainstorm) by TryHackMe (paid)
- [Protostar](https://exploit.education/) by Exploit.education (Linux)
- [vulnserver TRUN](https://github.com/stephenbradshaw/vulnserver) by Stephen Bradshaw
- [MiniShare 1.4.1](https://www.exploit-db.com/apps/0ffe5385147edd1f9e7b460c6d7cb0a6-minishare-1.4.1.zip)
- [PCMan FTP server 2.0.7](https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z)
- [Freefloat FTP Server 1.0](https://www.exploit-db.com/apps/687ef6f72dcbbf5b2506e80a375377fa-freefloatftpserver.zip)
- [VUPlayer 2.49](https://www.exploit-db.com/apps/39adeb7fa4711cd1cac8702fb163ded5-vuplayersetup.exe)
--------------------------------------------------------------------------------
/03) SEH/README.md:
--------------------------------------------------------------------------------
# Structured Exception Handler Based Buffer Overflows

## Recommended

- [Exploit writing tutorial part 3: SEH Based Exploits](https://www.corelan.be/index.php/2009/07/25/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-3-seh/) by Corelan
- [Exploit writing tutorial part 3b: SEH Based Exploits - just another example](https://www.corelan.be/index.php/2009/07/28/seh-based-exploit-writing-tutorial-continued-just-another-example-part-3b/) by Corelan
- [Binary Exploit Development 2 - SEH Based Overflow](https://guidedhacking.com/threads/binary-exploit-development-2-seh-based-overflow.20035/) by nop
- [Binary Exploit Development 2 - SEH Based Overflow (video)](https://youtu.be/LzK9dM_K-FI) by nop

## Blog posts, Papers, and Theory

- [Windows Exploit Development - Part 6: SEH Exploits](http://www.securitysift.com/windows-exploit-development-part-6-seh-exploits/) by Securitysift
- [Part 3: Structured Exception Handler (SEH)](http://www.fuzzysecurity.com/tutorials/expDev/3.html) by Fuzzysecurity
- [Windows Exploit Development - Part 4 [Overwriting SEH with Buffer Overflows]](https://www.shogunlab.com/blog/2017/11/06/zdzg-windows-exploit-4.html) by Shogun Lab
- [Developing remote SEH overwrite exploit for Integard Pro 2.2.0.9026](https://exploit.blackhat.dev/developing-remote-seh-overwrite-exploit-for-integard-pro/) by Yaksas CSC

***

## Practice Binaries

- [Millenium MP3 Studio 2.0](https://www.exploit-db.com/apps/3c35dc3d6067fcc50f118500eb116c0b-millennium1.exe)
- [Free MP3 CD Ripper 2.6](https://www.exploit-db.com/apps/64215b82be8bb2e749f95fec5b51d3e4-FMCRSetup-2.6.exe)
- [Easy AVI DivX Converter 1.2.24](https://www.exploit-db.com/apps/5ad3e3560df85ecf6622fe3c58fb0c35-easy_avi_converter.exe)
- [My Video Converter 1.5.24](https://www.exploit-db.com/apps/0c966e74828582db6029aee6dc59bbd5-my_video_converter.exe)
- [VeryPDF Image2PDF Converter](https://www.exploit-db.com/apps/3ef2cd6c64e6d94c90c907311fb49710-img2pdf.exe)
- [ASX to MP3 Converter 3.1.2.1](https://www.exploit-db.com/apps/b31a84e79d9941d89336b6708ef52a20-ASXtoMP3Converter_3121.exe)
- [Vulnserver](https://github.com/stephenbradshaw/vulnserver) (GMON)
- [EFS Easy Chat Server 3.1](https://www.exploit-db.com/apps/c682138ebbea9af7948a3f142bbd054b-ecssetup.exe)
- [Disk Sorter Enterprise 9.5.12](https://www.exploit-db.com/apps/5ffae2c1a4b2165e0dd2a8e37765ef0e-disksorterent_setup_v9.5.12.exe)
- [Easy File Sharing Web Server 7.2](https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe)
- [freeFTPd 1.0.10](https://www.exploit-db.com/apps/f7915612721b0e8dad57bdfcb29ac9bb-freeFTPd.exe)
- [FathFTP 1.8](https://www.exploit-db.com/apps/2bc586294ef5b2e4c9972152ff3bd696-fttsetup1.8.exe)
- [File Sharing Wizard 1.5.0](https://www.exploit-db.com/apps/da3a3626f99a85f9ab59ab77f083ff80-fs-wizard-setup.exe)
- [Easy Address Book Web server 1.6](https://www.exploit-db.com/apps/69f77623bb32589fb5343f598b61bbd9-eabws.exe)
--------------------------------------------------------------------------------
/04) IDA/README.md:
--------------------------------------------------------------------------------
# IDA and Reverse Engineering

## Blog posts, Papers, and Theory

- [The basics of IDA pro](https://resources.infosecinstitute.com/topic/basics-of-ida-pro-2/) by infosecinstitute
- [Reverse Engineering For Beginners](https://www.youtube.com/playlist?list=PLMB3ddm5Yvh3gf_iev78YP5EPzkA3nPdL) by CoolCamera via YouTube
--------------------------------------------------------------------------------
/05) Egghunters/README.md:
--------------------------------------------------------------------------------
# Egghunters

## Recommended

- [Exploit writing tutorial part 8: Win32 Egg Hunting](https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/) by Corelan
- [WoW64 Egghunter](https://www.corelan.be/index.php/2011/11/18/wow64-egghunter/) by Corelan
- [Safely Searching Process Virtual Address Space](http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf) by Skape

## More Blog posts, Papers, and Theory

- [Windows Exploit Development - Part 5: Locating Shellcode With Egghunting](http://www.securitysift.com/windows-exploit-development-part-5-locating-shellcode-egghunting/) by Securitysift
- [Part 4: Egg Hunters](http://www.fuzzysecurity.com/tutorials/expDev/4.html) by Fuzzysecurity
- [Windows Exploit Development - Part 3 [Egghunter to Locate Shellcode]](https://www.shogunlab.com/blog/2017/09/02/zdzg-windows-exploit-3.html) by Shogun Lab

***

## Practice Binaries

- [docPrint Pro 8.0](https://www.exploit-db.com/apps/560e231d212fdaef8e52471f94a5f014-docprint_pro_setup.exe)
- [Foxit Reader 4.1.1](https://www.exploit-db.com/apps/c45f09020652e1111f83c8c8bce35427-FoxitReader411_enu_Setup.exe)
- [Audacity 1.2](https://www.exploit-db.com/apps/d59f24b86431eeb25281bce7817783f1-audacity-win-1.2.6.exe)
- [MiniShare 1.5.5](https://www.exploit-db.com/apps/90a8c5b447f3867d1d22cb599ed17b59-minishare-1.5.5.zip)
- [Free MP3 CD Ripper 2.8](https://www.itusoft.com/download/FMCRSetup.exe)
- [Base64 Decoder 1.1.2](https://www.exploit-db.com/apps/743169f20b96c32da77e5ff7129e54db-b64dec-1-1-2.zip)
- Frigate Professional 3.36.0.9
- [CoolPlayer+ Portable 2.19.6](https://www.exploit-db.com/apps/e9d68d1ad9873339d6ef0fd5a2e1f0bd-CoolPlayerPlusPortable_2.19.6.paf.exe)
- [KiTTY Portable 0.65.0.2p](https://www.exploit-db.com/apps/ab56d0b1672747878d5325afa9c46c74-KiTTYPortable_0.65.0.2_English.paf.exe)
- [IP-Tools 2.5](https://www.exploit-db.com/apps/4a83348f18a18ba34f9747648b550307-ip-tools.exe)
- [Vulnserver](https://github.com/stephenbradshaw/vulnserver) (GTER, GMON & KSTET)
- [Easy File Sharing Web Server 7.2](https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe)
- [Xitami Web Server 2.5](https://www.exploit-db.com/apps/c0c25ccb447057f180b1aad3110242d9-bw3225b4.exe)
- [TFTP Server 1.4](https://www.exploit-db.com/apps/f07b073307052ccfb02fe1af243bb229-tftpserverspV1.4.tar.gz)
- [MinaliC WebServer 2.0.0](https://www.exploit-db.com/apps/2b0e04c048c9b84b12f742ae38136de6-minalic.zip)
- [Sysax 5.53](https://www.exploit-db.com/apps/bac43012f5bd4d3092c1153b52ed3301-sysaxserv_setup5.53.msi)
- [Sysax Multi Server 5.52](https://www.exploit-db.com/apps/7b5ab39544fb296c05c6ea19ca5a3bad-sysaxserv_setup5.52.msi)
- [Savant Web Server 3.1](https://www.exploit-db.com/apps/08e770b173aa41be27db2304ac0df846-Savant31.exe)
--------------------------------------------------------------------------------
/06) Custom Shellcode/README.md:
--------------------------------------------------------------------------------
# Writing Custom Shellcode

## Blog posts, Papers, and Theory

- [Exploit writing tutorial part 9: Introduction to win32 shellcoding](https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/) by Corelan
- [Understanding Windows Shellcode](http://www.hick.org/code/skape/papers/win32-shellcode.pdf) by skape
- [Writing Small Shellcode](https://research.nccgroup.com/wp-content/uploads/2020/07/writing_small_shellcode.pdf) by Dafydd Stuttard
- [x86 and amd64 instruction reference](https://www.felixcloutier.com/x86/)
- [Finding Kernel32 Base and Function Addresses in Shellcode](https://www.ired.team/offensive-security/code-injection-process-injection/finding-kernel32-base-and-function-addresses-in-shellcode) by ired.team
- [Writing Custom Shellcode Encoders and Decoders](https://www.ired.team/offensive-security/code-injection-process-injection/writing-custom-shellcode-encoders-and-decoders) by ired.team
- [Part 6: Writing W32 shellcode](https://www.fuzzysecurity.com/tutorials/expDev/6.html) by FuzzySecurity
- Windows x86 Manual Shellcode by Marcos Valle:
  - [Part 1](https://marcosvalle.github.io/re/exploit/2018/10/20/windows-manual-shellcode-part1.html)
  - [Part 2](https://marcosvalle.github.io/re/exploit/2018/10/21/windows-manual-shellcode-part2.html)
  - [Part 3](https://marcosvalle.github.io/re/exploit/2018/10/21/windows-manual-shellcode-part3.html)
  - [MessageBox shellcode](https://marcosvalle.github.io/re/exploit/2019/01/19/messagebox-shellcode.html)

### Overcoming space limitations

- [Binary Exploit Development 3 - Writing A Stager](https://guidedhacking.com/threads/binary-exploit-development-3-writing-an-exploit-stager.20067/) by nop
- [Exploit Development 3 - Writing an Exploit Stager (video)](https://youtu.be/bH_T8GJuYbY) by nop
- [Binary Exploit Development 3b - Reconstructing A Socket](https://guidedhacking.com/threads/binary-exploit-development-3b-reconstructing-a-socket.20081/) by nop
- [WS32_recv() Reuse](https://connormcgarr.github.io/WS32_recv()-Reuse/) by Connor McGarr
- [Vulnserver - GTER Command using Socket Reconstruction](https://zflemingg1.gitbook.io/undergrad-tutorials/walkthroughs-osce/vulnserver-gter-command) by Zachary Fleming
- [Vulnserver Walkthrough Part 4 using WS2_32!recv() Reuse](https://philkeeble.com/exploitation/windows/Vulnserver-Walkthrough-Part-4/) by Phil Keeble
--------------------------------------------------------------------------------
/07) DEP/README.md:
--------------------------------------------------------------------------------
# Data Execution Prevention

## Recommended

- [Binary Exploit Development Part 4: Bypassing DEP With VirtualAlloc](https://guidedhacking.com/threads/binary-exploit-development-4-how-to-bypass-dep-stack-protection.20109/) by nop
- [Binary Exploit Development 4 - DEP Bypass with VirtualAlloc (video)](https://youtu.be/phVz8CqEng8) by nop
- [Binary Exploit Development 5 - DEP Bypass With WriteProcessMemory](https://guidedhacking.com/threads/exploit-development-5-dep-bypass-with-writeprocessmemory.20164/) by nop
- [Exploit Development 5 - DEP Bypass with WriteProcessMemory (video)](https://youtu.be/8kYTDK9oKV8) by nop
- [Binary Exploit Development 6 - Writing A ROP Decoder](https://guidedhacking.com/threads/binary-exploit-development-6-writing-a-rop-decoder.20184/) by nop
- [Exploit Development Part 6 - Writing A ROP Decoder (video)](https://www.youtube.com/watch?v=muhqy8tm2nc) by nop
- [Exploit writing tutorial part 6: Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR](https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/) by Corelan
- [Exploit writing tutorial part 10: Chaining DEP with ROP - the Rubik's Cube](https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/) by Corelan

## Blog posts, Papers, and Theory

- [Hack Notes: ROP retn+offset and impact on stack setup](https://www.corelan.be/index.php/2011/01/30/hack-notes-rop-retnoffset-and-impact-on-stack-setup/) by Corelan
- [Universal DEP/ASLR bypass with msvcr71.dll and mona.py](https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/) by Corelan
- [Part 7: Return Oriented Programming](http://www.fuzzysecurity.com/tutorials/expDev/7.html) by FuzzySecurity
- [Windows Exploit Development - Part 6 [Return Oriented Programming Chains]](https://www.shogunlab.com/blog/2018/02/11/zdzg-windows-exploit-5.html) by Shogun Lab
- [Defeating DEP the Immunity Debugger way](https://www.immunityinc.com/downloads/DEPLIB.pdf) by Pablo Solé
- [A Gentle Intro to ROP and Bypassing DEP](https://cwinfosec.org/Intro-ROP-DEP-Bypass/) by cwinfosec
- [Analysis of a CVE-2013-3906 Exploit](https://www.crowdstrike.com/blog/analysis-cve-2013-3906-exploit/) by Crowdstrike

## Practice Binaries

- [ASX to MP3 Converter 3.1.2.1](https://www.exploit-db.com/apps/b31a84e79d9941d89336b6708ef52a20-ASXtoMP3Converter_3121.exe)
- [VUPlayer 2.49](https://www.exploit-db.com/apps/39adeb7fa4711cd1cac8702fb163ded5-vuplayersetup.exe)
- [DVD X Player 5.5 Pro](https://www.exploit-db.com/apps/cdfda7217304f4deb7d2e8feb5696394-DVDXPlayerSetup.exe)
- [Easy File Sharing Web Server 7.2](https://www.exploit-db.com/apps/60f3ff1f3cd34dec80fba130ea481f31-efssetup.exe)
--------------------------------------------------------------------------------
/08) ASLR/README.md:
--------------------------------------------------------------------------------
# Address Space Layout Randomization

## Blog posts, Papers, and Theory

- [Exploit writing tutorial part 6: Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR](https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/) by Corelan
- [Universal DEP/ASLR bypass with msvcr71.dll and mona.py](https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/) by Corelan
- [Bypassing ASLR/DEP](https://www.exploit-db.com/docs/english/17914-bypassing-aslrdep.pdf) by Vinay Katoch

## Practice Binaries

- [CoolPlayer+ Portable 2.19.6](https://www.exploit-db.com/apps/e9d68d1ad9873339d6ef0fd5a2e1f0bd-CoolPlayerPlusPortable_2.19.6.paf.exe)
- [CoolPlayer+ Portable 2.19.2](https://www.exploit-db.com/apps/f23274df165e69006a1fca2e06aeae29-CoolPlayerPlusPortable_2.19.2.paf.exe)
- [BlazeDVD 6.1](https://www.exploit-db.com/apps/1c3c56049cc1d722825c5d7635b51029-BlazeDVD_50_Professional_TRIAL.exe)
- [BlazeDVD 5.1](https://www.exploit-db.com/apps/1c3c56049cc1d722825c5d7635b51029-BlazeDVD_50_Professional_TRIAL.exe)
- [Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30](https://www.exploit-db.com/apps/1bbf03ec57b1ad30970362518e073215-Mini-streamRM-MP3Converter.exe)
- [Adrenalin Player 2.2.5.3](https://www.exploit-db.com/apps/917453c45d9172b17dec1adc3be6d293-adrenalin2.2.5.3.exe)
- [Simple Web Server 2.2-rc2](https://www.exploit-db.com/apps/142ba80cfca8f99ac36c92535728844c-sws-2.2-rc2-i686.exe)
--------------------------------------------------------------------------------
/09) Format String Specifier Attacks/README.md:
--------------------------------------------------------------------------------
# Format String Specifier Attacks

## Blog posts, Papers, and Theory

- [A simple Format String exploit example - bin 0x11](https://youtu.be/0WvrSfcdq1I) by LiveOverflow
- [Exploiting Format Strings in Windows](https://osandamalith.com/2018/02/01/exploiting-format-strings-in-windows/) by Osanda Malith

## Practice Binaries

- [Easy Address Book Web Server 1.2](https://easy-address-book-web-server.software.informer.com/1.2/)
- Magic Winmail Server 2.3
- [ComSndFTP Server 1.3.7 Beta](https://www.exploit-db.com/apps/5a56968e1d12fd40305f765e4a904b22-ComSndFTP.rar)
- [XM Easy Personal FTP Server 5.30](https://www.exploit-db.com/apps/ece9f6bb0ca98b0615ad119d5fcb3065-XM_Easy_Personal_FTP_Server_5.3.0.exe)
- [BolinTech DreamFTP Server 1.02](https://www.exploit-db.com/apps/351db41cde451e984042def74c9e6e6e-Dream_FTP_Server_1.02.exe)
--------------------------------------------------------------------------------
/10) Tools/README.md:
--------------------------------------------------------------------------------
# Useful Tools

### code_caver

GitHub repository: [here](https://github.com/nop-tech/code_caver)

code_caver is a Python-based WinDbg script that automates the search for code caves in binaries and libraries.
It relies on Pykd and therefore has some limitations; eventually it will be ported to a native WinDbg extension.

### OSED scripts

GitHub repository: [here](https://github.com/epi052/osed-scripts)

epi052 published some useful scripts in their "osed-scripts" repository, such as:
- shellcoder.py
- egghunter.py
- and more

### rp++

GitHub repository: [here](https://github.com/0vercl0k/rp)

rp++ is a fast ROP gadget finder for PE/ELF/Mach-O x86/x64/ARM/ARM64 binaries and should be your go-to tool for finding gadgets to build ROP chains.

### arwin.c

Website: [here](https://vividmachines.com/shellcode/shellcode.html)
Direct download (source): [here](https://vividmachines.com/shellcode/arwin.c)

arwin is a utility to find the absolute addresses of Windows functions within a specified DLL.
--------------------------------------------------------------------------------
/EXP301-syllabus.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nop-tech/OSED/7680fec9f861cc5ada08d1e257a2ccfd55ec1fc3/EXP301-syllabus.pdf
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# OSED
Notes, practice binaries and solutions, blog posts, etc. for the Offensive Security Exploit Developer certification (OSED/EXP-301).

1) [WinDbg & x86](https://github.com/nop-tech/OSED/tree/main/01\)%20WinDbg%20%26%20x86)
2) [Vanilla Buffer Overflows](https://github.com/nop-tech/OSED/tree/main/02\)%20Vanilla%20BOF)
3) [SEH](https://github.com/nop-tech/OSED/tree/main/03\)%20SEH)
4) [IDA](https://github.com/nop-tech/OSED/tree/main/04\)%20IDA)
5) [Egghunters](https://github.com/nop-tech/OSED/tree/main/05\)%20Egghunters)
6) [Custom Shellcode](https://github.com/nop-tech/OSED/tree/main/06\)%20Custom%20Shellcode)
7) [DEP](https://github.com/nop-tech/OSED/tree/main/07\)%20DEP)
8) [ASLR](https://github.com/nop-tech/OSED/tree/main/08\)%20ASLR)
9) [Format String Specifier Attacks](https://github.com/nop-tech/OSED/tree/main/09\)%20Format%20String%20Specifier%20Attacks)
10) [Tools](https://github.com/nop-tech/OSED/tree/main/10\)%20Tools)

***

Resources under the "Recommended" section of each chapter are the ones I would personally recommend studying with; all the other resources are also great but should be seen as either "fundamentals only" or an "addition".
If you have the time, please check them out as well: they will definitely help you understand everything more in depth and more clearly.

Keep in mind that **this** repository only covers the EXP-301 course / OSED certification provided by Offensive Security and therefore does not cover topics such as x64, heap, write-what-where, etc.

Think something is missing from this repo? Feel free to reach out either via a GitHub pull request or via the Offensive Security Discord server.

My Exploit Development GitHub repository going above and beyond the EXP-301 topics: _coming soon_.
--------------------------------------------------------------------------------
/pykd.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nop-tech/OSED/7680fec9f861cc5ada08d1e257a2ccfd55ec1fc3/pykd.dll
--------------------------------------------------------------------------------