Home

Below are the items the OSEE course calls out as part of it's syllabus from the signup page. If this information is considered sensitive for any reason please reach out and I'll quickly adjust this. I'm working to gather material on these items before the course in 2021. Items below are not complete and only the items I feel I need more time with.

2.2.4 Debugger automation: Pykd and findrop.py https://www.thezdi.com/blog/2018/7/19/mindshare-an-introduction-to-pykd 2.3 Flash Player Heap Internals Key Points https://www.offensive-security.com/awe/AWEPAPERS/Exploit_Adobe_Flash_Under_the_Latest_Mitigation_Read.pdf https://www.rapid7.com/db/modules/exploit/multi/browser/adobe_flash_hacking_team_uaf

2.5 Heap Overflow Case Study: CVE-2015-3104 Proof of Concept

2.9.3 Obtaining NPSWF32 base address

2.12.1 GetModuleHandle ROP Chain

2.12.3 GetProcAddress ROP Chain

2.12.5 WriteProcessMemory ROP Chain

2.16 Testing WDEG Protections on CVE-2015-3104

3.3 Type Confusion Case Study: CVE-2017-8601 POC

3.4 Type Confusion Case Study: Read and Write Primitive

3.9 ACG Bypass Case Study: CVE-2017-8637

3.9.2 Locating the JIT Process Handle 3.9.3 Duplicating the JIT Process handle

3.11 AppContainer Sandbox and Code Integrity Guard

3.12 Sandbox Escape Case Study: CVE-2016-0165 https://github.com/leeqwind/HolicPOC/tree/master/windows/win32k/CVE-2016-0165

https://www.exploit-db.com/exploits/41721

• Module 0x01 DEP/ASLR Bypass and Sandbox Escape via Flash Heap Overflow Vulnerable Software and Version: Adobe Flash Player 16.0.0.235 / 17.0.0.188 Software Link Vulnerability Type: Integer Overflow

  • Sandbox Escape
    • CVE-2015-3081 Flash Broker-Based - Sandbox Escape via Timing Attack Against File Moving
    • CVE-2015-3082 Flash Broker-Based - Sandbox Escape via Forward Slash Instead of Backslash

• Module 0x02 CFG/ACG Bypass and Sandbox Escape via Microsoft Edge Type Confusion

  • 64-bit Windows

  • Main 64-bit Enhancements

  • JavaScript on 64-bit

  • Microsoft Edge and WinDbg

  • Type Confusion Case Study: CVE-2017-8601 POC

    • Vulnerable Software and Version: Microsoft Edge in Windows 10 1703
    • Vulnerability Type: Incorrect JIT Optimization

  • Control Flow Guard Theory https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard

    • CFG Implementation
    • CFG History and Limitations
    • Exercises
      • Bypassing Control Flow Guard in Windows 10
      • Bypassing Control Flow Guard in Windows 10 II
    • CFG Bypass Techniques
      • https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Bypass-Control-Flow-Guard-Comprehensively-wp.pdf

  • Arbitary Code Guard Theory

    • ACG Bypass Case Study: CVE-2017-8637
      • OS Software and Version: Microsoft Edge in Microsoft Windows 10 1703
      • Software Link: Same as the one above
      • Vulnerability Type: ACG Bypass

  • Sandbox Escape Case Study: CVE-2016-0165

    • Vulnerable Software and Version: Windows 10 1511 / Windows 7 SP1
    • OS Link (Windows 10 1511) OS Link (Windows 7 SP1)
    • Vulnerability Type: LPE (Sandbox Escape case)

https://rootkits.xyz/blog/2017/08/kernel-stack-overflow/#comment-2146