OSED Study

Introduction

So, once upon a time, I took the Offensive Security Exploit Developer (OSED). I unfortunately failed the exam at that time. Discouraged, I shelved it at the time.

Why I’m returning to this: OSED represents advanced exploit development skills that complement my OSCP foundation. This structured study plan keeps me accountable and demonstrates methodical approach to complex technical challenges.

Well, I was playing with KaliGPT and decided to ask it for help. I decided to ask for a curriculum and checklist and see what it would develop for me. I didn’t know where to save it to keep me honest so my portolio projects section will have to do.

Links

Offsec OSED Link
https://github.com/biscottidiskette/osed

Process

Resources

• Practical Reverse Engineering by Bruce Dang
• Windows Internals, Part 1 by Mark Russinovich
• The IDA Pro Book by Chris Eagle
• The Shellcoder's Handbook by Jack Koziol
• OpenSecurityTraining – Intro to x86
• Corelan Exploit Writing
• FuzzySecurity – Exploit Dev Tutorials
• ROP Emporium
• Learn-C
• Microsoft Learn – WinDbg Preview Guide
• WinDbg Commands Reference
• LiveOverflow – Stack Overflow & Exploitation

Overall Path

1. Phase 0: Foundation Cleanup (1–2 weeks)

Topics:

• x86 Assembly (focus on 32-bit)
• Calling conventions and stack layout
• PE file format basics
• Virtual memory and Windows API

Tools:

• WinDbg Preview
• IDA Free or IDA Pro

Tasks:

• Trace function prologs/epilogs in WinDbg
• Use IDA to identify entry points, strings, function calls
• Explore VirtualAlloc, LoadLibrary, etc., in memory

Resources:

• Practical Reverse Engineering – Bruce Dang (Ch. 1–3)
• Windows Internals, Part 1 – Mark Russinovich (Ch. 1–4)
• OpenSecurityTraining – Intro to x86
• The IDA Pro Book – Chris Eagle (Ch. 1–3)
• Microsoft Learn – WinDbg Preview Guide

2. Phase 1: Basic Exploitation + SEH (2–3 weeks)

Topics:

• Stack-based overflows (manual EIP control)
• SEH overwrite technique
• Bad character handling
• Egghunters

Tools:

• WinDbg: Breakpoints, memory inspection, !exploitable
• IDA: String analysis, function mapping
• Python: Pattern generation & automation scripts

Tasks:

• Fuzz Vulnserver, SLMail, etc.
• Manually find offsets using cyclic patterns
• Trigger and redirect execution via SEH overwrite

Resources:

• Corelan Exploit Writing Part 1–3 (Manual SEH)
• The Shellcoder's Handbook – Jack Koziol (Buffer overflow chapters)
• LiveOverflow – Stack Overflow & Exploitation
• FuzzySecurity – Exploit Dev Tutorials

3. Phase 2: DEP Bypass + ROP (3–4 weeks)

Topics:

• DEP and NX concepts
• ROP chain construction and validation
• VirtualAlloc and pivoting
• Gadget discovery and chaining

Tools:

• WinDbg: Set breakpoints, analyze stack pivots
• IDA: Manual gadget identification and verification
• Python: ROP chain builder and encoder

Tasks:

• Build ROP chains from IDA-only gadgets
• Validate stack behavior and shellcode allocation in WinDbg
• Deploy shellcode via controlled memory regions

Resources:

• Practical Reverse Engineering – Bruce Dang (ROP chapters)
• ROP Emporium
• Corelan – ROP Exploitation Series
• WinDbg Commands Reference

4. Phase 3: ASLR Awareness & Partial Bypass (2–3 weeks)

Topics:

• What ASLR does (module randomization)
• How ASLR behaves with system vs. non-system modules
• Static vs. dynamic linking (ASLR implications)
• Partial ASLR bypass via non-ASLR modules (e.g., loaded DLLs)
• Return-to-non-ASLR (ret2lib) techniques

Tools:

• WinDbg: Use !address, lm to inspect ASLR-enabled modules
• IDA: Analyze binary headers and imports for ASLR compliance
• procmon or PE-bear to inspect DLL loading behavior

Tasks:

• Identify ASLR-enabled vs non-ASLR modules
• Build ROP chains using non-ASLR modules
• Patch binaries to toggle ASLR for practice
• Automate ASLR state analysis in WinDbg

Resources:

• Practical Reverse Engineering – Ch. 7 (ASLR internals)
• Corelan – ASLR Explained
• Windows Internals Part 1 – Section on image loading and memory layout

5. Phase 4: Complex Payloads & Constraints (3–4 weeks)

Topics:

• XOR and alphanumeric encoding
• Unicode shellcode techniques
• Staged payloads
• Heap spraying introduction

Tools:

• IDA: Manual shellcode inspection & decoding
• WinDbg: Memory dump comparison and shellcode tracing
• Python: Custom shellcode encoders

Tasks:

• Write XOR encoder with decoder stub
• Create alphanumeric payloads using known instructions
• Deliver staged shellcode through SEH with character constraints

Resources:

• The Shellcoder's Handbook – (Shellcode development chapters)
• Corelan – Shellcode & Encoding

6. Phase 5: Full Exploit Chains & Simulation (4–6 weeks)

Topics:

• Crash → SEH → DEP bypass → Shellcode injection → Shell
• Unicode/ASCII-only ROP shellcode chains
• Manual analysis and patching in IDA

Tools:

• IDA: Static reversing, API identification, gadget discovery
• WinDbg: Dynamic debugging, crash triage, shellcode tracing
• Python: Full exploit automation

Tasks:

• Full exploit chain (including egghunter or encoder)
• Manual shellcode injection into allocated memory
• Develop automation script to validate exploit success

Resources:

• The IDA Pro Book – Chris Eagle (full analysis section)
• FuzzySecurity – OSED Exploit Tutorials

Check List

1. Pre-Phase: Assembly

Goal: Get an understanding of Assebmly
• Online Class
❏  TCM Security Released a course on Assembly


2. Phase 0: Foundation & Setup

Goal: Establish core knowledge of x86, Windows internals, and core tools.
• System & Tools Setup
✅  Install Kali or Windows lab VMs (Windows XP, Win7 x86)
✅  Install WinDbg Preview from Microsoft Store
✅  Install IDA Free or Pro

• Assembly and OS Basics
❏  Complete OpenSecurityTraining’s x86 Assembly Part 1 (OST link)
❏  Read PRE Chapter 1 (Computer Architecture, Stack, Registers)
❏  Solve 3 exercises from Protostar Stack (stack0–stack2)

• PE Format & Memory
❏  Read Mark Pelf's PE Format Illustrated
❏  Inspect PE headers with PE-bear on calc.exe
❏  Trace IAT in IDA, locate VirtualAlloc, ExitProcess


3. Phase 1: Basic Exploitation Plus SEH

Exploit stack-based and SEH-based buffer overflows.
• Vanilla BOF
❏  Reproduce vanilla buffer overflow (EIP control)
❏  Calculate exact offset with pattern generation
❏  Identify bad characters
❏  Analyze crashes and stack state in WinDbg

• SEH
❏  Trigger and overwrite SEH structures
❏  Use egghunters and SEH-based delivery with shellcode


4. Phase 2: Egghunter

Goal: Gain a better understanding of egghunting.
• Online Materials
✅  Corelan Tutorial: Writing Egghunters
✅  FuzzySecurity Stack Smashing 0x08
✅  SkullSecurity Egghunter Explanation


5. Phase 3: DEP Bypass + ROP Chains

Goal: Bypass DEP using ROP and execute shellcode in allocated memory.
• DEP Mechanics
❏  Enable DEP in test app, verify crash with WinDbg: !address, !exploitable
❏  Read: PRE Chapter 2 – Windows Memory Management
❏  Watch: Corelan ROP Series Part 1

• ROP Chains
❏  Build a ROP chain to call VirtualAlloc with correct arguments
❏  Use ROPgadget or IDA to locate gadgets in non-ASLR DLL
❏  Validate control of stack after pivot
❏  Trigger execution of shellcode in newly allocated memory
❏  SLAE 32 (SecurityTube Linux Assembly Expert)
❏  Skape’s Shellcode Paper (Advanced)


6. Phase 4: ASLR Identification & Bypass

Goal: Learn how ASLR affects exploitation and bypass it using loaded modules.
• ASLR Detection
❏  Use lm in WinDbg to list loaded modules and addresses
❏  Use PE-bear to confirm ASLR flag (/DYNAMICBASE)

• Partial ASLR Bypass
❏  Identify static modules (e.g., libeay32.dll) loaded with fixed addresses
❏  Construct ROP chain using non-ASLR binary
❏  Read: Corelan ASLR Tutorial


7. Phase 5: Format String Vulnerability

Goal: Understand Format String vulnerabilies for ASLR
• General Information
❏  Hacking: The Art of Exploitation, 2nd Edition by Jon Erckson (Chapter on Format Strings)
❏  Format String Vulnerabilities – by Aleph One
❏  Modern Binary Exploitation (RPISEC)

• Targeted Tutorials for ASLR Bypass
❏  IOActive – Format String to ASLR Bypass
❏  FuzzySecurity – Stack Smashing 0x07
❏  Heap Exploitation – Info Leak via Format Bug

• Specific Techniques
❏  Partial Pointer Leaks via Uninitialized Strings
❏  ROP Emporium – ‘write4’ or ‘badchars’ challenges


8. Phase 6: Payload Encoding & Constraints

Goal: Build payloads that bypass filtering: badchars, nulls, unicode, etc.
• Badchar Handling
❏  Write badchar detection script using memory dump from WinDbg
❏  Confirm which characters break shellcode execution

• Encoding & Unicode
❏  Use msfvenom -e x86/shikata_ga_nai and test
❏  Write XOR encoder/decoder in Python
❏  Reproduce Corelan ASCII/Unicode SEH exploit:

• Reference: Corelan Part 9: Unicode Exploitation

9. Phase 7: Full Exploit Chains & Practice

Goal: Build from fuzzer to shell manually using everything learned.
• Fuzzing and Crash Triaging
❏  Write custom boofuzz fuzzer for target app
❏  Catch crash in WinDbg, analyze faulting instruction and memory state

• End-to-End Exploit
❏  Pick 2 vulnerable binaries (e.g., Vulnserver + FreeFloat FTP)
❏  Build exploit with:

• Fuzzer
• Crash detection
• Offset calculation
• ROP/SEH logic
• Shellcode
• Successful reverse shell

PE Format Study Plan

1. Microsoft’s Official PE Specification

• Definitions of headers, sections, flags, and load-time behavior
• Learn Microsoft - PE Format

2. PE Format Illustrated – Mark Pelf (2-part article)

• Illustrated PE Format

3. Deep Dive YouTube Videos

• Getting Started
• Deep Inside

4. Blogs & Tutorials

• Tech Zealots
• Inside PE Structure

5. GitHub “PE101-v1” PDF

• PE101-v1

Study

Just getting started. Not much to report yet.

Extra

https://github.com/nop-tech/OSED https://github.com/Gabb4r/osed https://github.com/r0r0x-xx/OSED-Pre

References:

Pass