Course Review - Offensive Security's Windows User Mode Exploit Development (EXP-301/OSED)

Jun 16, 2021 | 8 minutes read

Tags: osed, wumed, offsec

Howdy! I’ve never written an OffSec course review, as there was always an abundance of them written already for whatever course I was taking at the time (with the possible exception of AWAE/OSWE). Due to the interest shown in my DMs and replies, I figured I’d put together a brief overview / review of the course along with what questions I’ve gotten the most from folks.

For some quick background, this is my fourth OffSec certification. I’m now the proud holder of OSCP, OSCE (legacy), OSWE, and OSED.


This is easily the best OffSec course I’ve taken. I thoroughly enjoyed the content and was very impressed by how well it was planned out and executed. I think it does an amazing job of building folks’ knowledge from the ground up. It has a lot of depth to it and I think can still provide value to those who already hold OSCE.

The Course

According to OffSec’s course overview page:

Windows User Mode Exploit Development (EXP-301) is an intermediate-level course which teaches students the fundamentals of modern exploit development. It starts with basic buffer overflow attacks and builds into learning the skills needed to crack the critical security mitigations protecting enterprises

The Syllabus

Below are the overarching areas of study

  • WinDbg tutorial
  • Stack buffer overflows
  • Exploiting SEH overflows
  • Intro to IDA Pro
  • Overcoming space restrictions: Egghunters
  • Shellcode from scratch
  • Reverse-engineering bugs
  • Stack overflows and DEP/ASLR bypass
  • Format string specifier attacks

The full syllabus can be found here

The Exam

The exam is 48 hours of hands-on and 24 hours to summarize those hands-on hours in a report. This (or similar) is standard for OffSec, and oodles has been written about exam prep and how to manage your time. I don’t plan to go over that here, there are tons of great resources on the subject (I recall John Hammond has some nice videos about it).

The only piece of advice I have (that I don’t see floating around too often/at all), is to schedule your exam as soon as you get your course materials. It’s not a good look to have two months or more in between your lab time ending and your exam starting because you chose to wait until your last week of labs to schedule your exam.

I want to highlight @bmdyy’s response to the advice above, as he makes a great point about taking advantage of the two free exam rescheduling actions you have available:

That is solid advice for sure. You will feel a bit uncertain scheduling so early but that will change by the time the exam comes around, and if not, you can always move the exam date twice, for free.

One thing of interest about this exam that differed from all the other OffSec exams I’ve taken: this time there was no requirement to write the report ‘as though you were performing a penetration test’. It was a genuine relief to not have to roleplay pentester again for this particular report.

Common Questions

What do I need to know before I start (are there any prerequisites)?

The official answer is that if you’ve done OSCP, you’re ready.

My personal opinion is that the course does such a good job of reviewing the stuff you would have learned in OSCP (the entire course is stellar, honestly), that you can jump in without it.

If you WANT to study something before beginning, the most impactful subject you could front-load to help yourself during the course is x86 assembly.

Yea, but what about C?

The only C I remember having to deal with was reading function prototypes and struct definitions. You’ll use those to write your shellcode or to understand why a function call is vulnerable to attack.

I don’t think you need to ‘be good’ at C.

Is the material up to date?

Yes. The only potential ding here is that the course is built around 32bit exploitation. I believe they chose 32bit as a baseline, knowing that if you learned 32bit and chose to do something in 64bit, the mental jump required to make it from 32 to 64 is very minimal.

I don’t think the course being taught in 32bit detracts in any way from its value. Nor do I think it should be a reason that someone, who otherwise is interested in the course, should not take it.

Other than that, the course covers up to and including DEP/ASLR bypasses on up-to-date Windows 10 boxes using IDA and WinDbg.

There’s a necessary lag between building a lab VM and what’s the absolute most current Windows 10 version out, but if you upgrade to the absolute latest release, all of the techniques/exploits/etc would still function.

Was IDA Pro necessary, or would IDA Free be sufficient?

The course uses IDA Free, but refers to it as IDA Pro (not sure why really). An actual professional IDA is off-limits for the exam. The relevant section from the exam guide is below.

You cannot use commercial software such as Metasploit Pro, Cobalt Strike, Core Impact, or Burp Suite Pro. In addition, reverse engineering must be performed with IDA Freeware and WinDBG as taught in the course. Alternative disassemblers such as Ghidra are not allowed, nor is the commercial version of IDA Pro.

Were the labs shared amongst students like in OSCP?

No. There is a win10 vm that’s yours for practicing the majority of the course, as well as three challenge VMs. The three challenge VMs are also on a per-student basis, so no shared environment at all.

If I already took OSCE, should I go for OSED?

The answer here will depend on what you want to get out of it. Here are some of the ways they differ:

  • OSED focuses solely on exploit dev, where OSCE had three focus areas (web, pentesting, exploit dev)
  • OSED is the most polished, well-thought-out course from OffSec that I’ve taken (obviously a personal opinion, but I’m leaving it)
  • OSED teaches vulnerability discovery through reverse engineering, where OSCE used fuzzing
  • OSED goes into bypassing mitigations that OSCE didn’t cover
  • OSED teaches additional exploitation techniques not covered in OSCE
  • OSED goes way deeper on writing custom shellcode
  • OSED goes way deeper on an old favorite, the egghunter!
  • OSED goes way deeper on a lot of subjects, for example, the depth they go to while explaining seh overwrites is bonkers. I was already very familiar with SEH exploitation, and still learned a ton more.
  • OSED does not cover backdooring executables / evading AV

I’m probably missing something (if I think of anything else significant, I’ll update the list). Overall, I got value from the course and enjoyed it a lot, even having already done OSCE.

Will I be able to exploit new/modern software?

The software used in the course is comprised of real-world applications (many of which are enterprise-level), for which you’ll create real exploits. In that regard, the answer is yes, however it will depend on your target.

Below is a list of applications taken from the course syllabus:

  • Sync Breeze
  • Savant Web Server
  • IBM Tivoli Storage Manager
  • IBM Tivoli FastBackServer

There is at least one more enterprise application in use during the extra miles (and it’s absolutely brutal to RE/exploit). However, since it’s not mentioned in the syllabus, I’m going to refrain from listing it here.

Is there any heap exploitation?

No, my understanding is heap stuff is reserved for OSEE.

Is the exam hard?

Yup, sure is.

Of the four OffSec exams I’ve taken, I’d rate it as the second most difficult, behind OSWE. Obviously, this is incredibly subjective and will differ from person to person, but I found the exam to be pretty darn difficult.

What did you do to prepare beyond the course material?

Nothing. I didn’t even finish all of the extra miles due to life stuff (got all exercises/challenge machines though). However, I strongly considered revisiting VulnServer, turning on DEP, and reversing / exploiting through those commands again. Additionally, if I found a leak to bypass ASLR, I would have thrown that into the mix as well. @purpl3f0x had a similar thought apparently and has a great write-up about reversing VulnServer.

The course has everything you need to be successful in the exam and has a lot of extra miles/challenges to keep you busy. If you make it through all of that and still want more, bmdyy was kind enough to share two challenges he wrote to facilitate learning beyond the course. Below is his message about those challenges.

If anyone is finished with the challenges and wants some extra practice before the exam, I made two command-line servers (exe) to practice re, aslr, dep, and seh stuff on. Src is included as well as an example exploit, but shouldn’t be referenced if you want to solve it obviously

If you still find yourself wanting more, Morten had this to say:

The large extra mile from the RE module and the app from challenge 3 both contain at least 10 vulns, so it’s for sure possible to practice more on them. The app suite in challenge 1 also contains vulns in some of the other apps. You can google them for a starting point if necessary

Additional Resources

  1. Course Overview
  2. Course Syllabus
  3. bmdyy - quote_db practice app
  4. bmdyy - signatus practice app
  5. Vulnserver Redux 1: Reverse Engineering TRUN

comments powered by Disqus