AWE/OSEE Preparation

Blog

• https://addaxsoft.com/blog/offensive-security-advanced-windows-exploitation-awe-osee-review/
• http://infosecflash.com/2018/11/04/my-awe-experience/
• https://trickster0.wordpress.com/2018/10/27/awe-course-review-by-offensive-security/
• https://www.jscybersec.io/blogpage/Offensive-Security-Exploitation-Expert-OSEE

Public Reference Materials by Module

Module 0x01 DEP/ASLR Bypass and Sandbox Escape via Flash Heap Overflow

pykd

• https://githomelab.ru/pykd/

Fldbg, a Pykd script to debug FlashPlayer

• https://www.offensive-security.com/vulndev/fldbg-a-pykd-script-to-debug-flashplayer/

Windbg Tutorial

• https://www.youtube.com/watch?v=8zBpqc3HkSE

Windbg Cheat Sheet

• http://windbg.info/doc/1-common-cmds.html

Discover Flash Player Zero-day Attacks In The Wild From Big Data by Peter Pi

• http://hitcon.org/2015/CMT/download/day1-a-r0.pdf

Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s Cube

• https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/

Module 0x02 CFG/ACG Bypass and Sandbox Escape via Microsoft Edge Type Confusion

Morten Schenk - Back to Basics or Bypassing Control Flow Guard with Structured Exception Handler

• https://improsec.com/tech-blog/back-to-basics-or-bypassing-control-flow-guard-with-structured-exception-handler

Disarming and Bypassing EMET 5.1

• https://www.offensive-security.com/vulndev/disarming-and-bypassing-emet-5-1/

Module 0x03 64-bit Kernel Driver Exploitation

Morten Schenk - Taking Windows 10 Kernel Exploitation to the next level

• https://www.youtube.com/watch?v=Gu_5kkErQ6Y
• https://www.youtube.com/watch?v=IxEKcB5Bvbg
• https://www.blackhat.com/docs/us-17/wednesday/us-17-Schenk-Taking-Windows-10-Kernel-Exploitation-To-The-Next-Level%E2%80%93Leveraging-Write-What-Where-Vulnerabilities-In-Creators-Update.pdf
• https://www.blackhat.com/docs/us-17/wednesday/us-17-Schenk-Taking-Windows-10-Kernel-Exploitation-To-The-Next-Level%E2%80%93Leveraging-Write-What-Where-Vulnerabilities-In-Creators-Update-wp.pdf

Morten Schenk - Windows Kernel Shellcode on Windows 10

• https://improsec.com/tech-blog/windows-kernel-shellcode-on-windows-10-part-1
• https://improsec.com/tech-blog/windows-kernel-shellcode-on-windows-10-part-2
• https://improsec.com/tech-blog/windows-kernel-shellcode-on-windows-10-part-3
• https://improsec.com/tech-blog/windows-kernel-shellcode-on-windows-10-part-4-there-is-no-code

Extra Mile - Exploit

Avast! 4.7 - 'aavmker4.sys' Local Privilege Escalation

• AWE v2.0 Module 0x5
  
• https://www.exploit-db.com/exploits/12406/
  

Microsoft Windows XP/2003 - 'afd.sys' Local Privilege Escalation (MS11-080)

• https://www.offensive-security.com/vulndev/ms11-080-voyage-into-ring-zero/
• https://www.exploit-db.com/exploits/18176/

Microsoft Windows 8.0/8.1 (x64) - 'TrackPopupMenu' Local Privilege Escalation (MS14-058)

• https://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-a-windows-kernel-mode-vulnerability-cve-2014-4113/
• https://dl.packetstormsecurity.net/papers/attack/CVE-2014-4113.pdf
• https://www.exploit-db.com/exploits/37064/

HackSys Extreme Vulnerable Driver (HEVD)

• https://github.com/hacksysteam/HackSysExtremeVulnerableDriver