offensive-exploit-dev-course

# SKILL: Exploit Development

## Metadata
- **Skill Name**: exploit-dev-curriculum
- **Folder**: offensive-exploit-dev-course
- **Source**: https://github.com/SnailSploit/offensive-checklist/blob/main/course.md

## Description
Full exploit development course roadmap and syllabus: weekly topics, recommended reading, lab setup, and learning path from vulnerability classes through advanced exploitation. Use to structure exploit dev training or onboard new researchers.

## Trigger Phrases
Use this skill when the conversation involves any of:
`exploit development course, exploit dev curriculum, learning path, syllabus, exploit dev training, vulnerability research training, course overview`

## Instructions for Claude

When this skill is active:
1. Load and apply the full methodology below as your operational checklist
2. Follow steps in order unless the user specifies otherwise
3. For each technique, consider applicability to the current target/context
4. Track which checklist items have been completed
5. Suggest next steps based on findings

---

## Full Methodology

# Exploit Development

## Week 1: Foundations and Fuzzing Basics

### Day 1: Introduction to Fuzzing

- **Goal**: Understand the fundamentals of fuzzing and get hands-on experience with `AFL++`.
- **Activities**:
  - _Reading_: "Fuzzing for Software Security Testing and Quality Assurance" by `Ari Takanen`(From 1.3.2 to 1.3.8 and 2.4.1 to 2.7.5.7).
  - _Online Resource_:
    - [Fuzzing Book by `Andreas Zeller`](https://www.fuzzingbook.org/) - Read "Introduction" and "Fuzzing Basics."
    - [`AFL++` Documentation](https://aflplus.plus/docs/) - Follow the quick start guide.
    - [Interactive Module to Learn Fuzzing](https://github.com/alex-maleno/Fuzzing-Module.git)
  - _Exercise_:
    - Set up a Linux virtual machine (VM) with the necessary tools installed, including compilers and debuggers
    - Run `AFL++` on a C program

```bash
# Setting up AFL++
sudo apt install build-essential gcc-13-plugin-dev cpio python3-dev libcapstone-dev pkg-config libglib2.0-dev libpixman-1-dev automake autoconf python3-pip ninja-build cmake
wget https://apt.llvm.org/llvm.sh
chmod +x llvm.sh
sudo ./llvm.sh 19 all
curl --proto '=https' --tlsv1.2 -sSf "https://sh.rustup.rs" | sh
mkdir soft
cd soft
git clone --branch dev --depth 1 https://github.com/AFLplusplus/AFLplusplus
cd AFLplusplus
make distrib
sudo make install
# Phase 1
cd ~/ && mkdir tuts && cd tuts
git clone --branch main --depth 1 https://github.com/alex-maleno/Fuzzing-Module.git
cd Fuzzing-Module/exercise1 && mkdir build && cd build
CC=/usr/local/bin/afl-clang-fast CXX=/usr/local/bin/afl-clang-fast++ cmake ..
make && cd ../ && mkdir seeds && cd seeds && for i in {0..4}; do dd if=/dev/urandom of=seed_$i bs=64 count=10; done && cd ../build
afl-fuzz -i /home/dev/tuts/Fuzzing-Module/exercise1/seeds/ -o out -m none -d -- /home/dev/tuts/Fuzzing-Module/exercise1/build/simple_crash
# Phase 2
cd /home/dev/tuts/Fuzzing-Module/exercise2 && mkdir build && cd build
CC=/usr/local/bin/afl-clang-lto CXX=/usr/local/bin/afl-clang-lto++ cmake ..
make && cd ../ && mkdir seeds && cd seeds && for i in {0..4}; do dd if=/dev/urandom of=seed_$i bs=64 count=10; done && cd ../build
afl-fuzz -i /home/dev/tuts/Fuzzing-Module/exercise2/seeds/ -o out -m none -d -- /home/dev/tuts/Fuzzing-Module/exercise2/build/medium
```

### Day 2: Continue Fuzzing with `AFL++`

- **Goal**: Understand and apply advanced fuzzing techniques.
- **Activities**:
  - _Reading_: Continue with "Fuzzing for Software Security Testing and Quality Assurance" (From 3.3 to 3.9.8).
  - _Exercise_:
    - Experiment with different `AFL++` options (for example, dictionary-based fuzzing, persistent mode).
    - Running `AFL++` with a real-world application like a file format parser to mimic real-world scenarios.

```bash
cd /home/dev/tuts && git clone --branch master --depth 1 https://github.com/davisking/dlib.git
cd dlib/tools/imglab && mkdir -p build && cd build && export AFL_USE_UBSAN=1 && export AFL_USE_ASAN=1
export ASAN_OPTIONS="detect_leaks=1:abort_on_error=1:allow_user_segv_handler=0:handle_abort=1:symbolize=0"
sudo apt install libx11-dev
cmake -DCMAKE_C_COMPILER=afl-clang-fast -DDLIB_NO_GUI_SUPPORT=0 -DCMAKE_CXX_COMPILER=afl-clang-fast++ -DCMAKE_CXX_FLAGS="-fsanitize=address,leak,undefined -g" -DCMAKE_C_FLAGS="-fsanitize=address,leak,undefined -g" ..
make -j8 && mkdir -p fuzz/image/in && cp /home/dev/tuts/dlib/examples/faces/testing.xml fuzz/image/in/
afl-fuzz -i fuzz/image/in -o fuzz/image/out -M Master -- ./imglab --stats @@
afl-fuzz -i fuzz/image/in -o fuzz/image/out -S Slave -- ./imglab --stats @@
sudo apt install gdb
git clone --branch master --depth 1 https://github.com/jfoote/exploitable.git ~/soft/exploitable
cd ~/soft/exploitable && sudo python3 setup.py install
wget -O ~/.gdbinit-gef.py -q https://gef.blah.cat/py && echo source ~/.gdbinit-gef.py >> ~/.gdbinit
sudo apt install valgrind
afl-collect -d crashes.db -e gdb_script -r -rr ./fuzz/image/out/Master ./afl-collect -j 8 -- ./imglab --stats @@%
```

### Day 3: Introduction to Google FuzzTest

- **Goal**: Understand in-process fuzzing with FuzzTest.
- **Activities**:
  - _Reading_: Continue with "Fuzzing for Software Security Testing and Quality Assurance" (From 4.2.1 to 4.4).
  - _Online Resource_: [Google FuzzTest](https://github.com/google/fuzztest) - Follow the tutorial and examples.
  - _Exercise_: Write a simple fuzz target using FuzzTest.

```bash
cd /home/dev/tuts && mkdir first_fuzz_project && cd first_fuzz_project
git clone --branch main --depth 1 https://github.com/google/fuzztest.git
cat <<EOT >> CMakeLists.txt
cmake_minimum_required(VERSION 3.19)
project(first_fuzz_project)

# GoogleTest requires at least C++17
set(CMAKE_CXX_STANDARD 17)

add_subdirectory(fuzztest)

enable_testing()

include(GoogleTest)
fuzztest_setup_fuzzing_flags()
add_executable(
  first_fuzz_test
  first_fuzz_test.cc
)

link_fuzztest(first_fuzz_test)
gtest_discover_tests(first_fuzz_test)
EOT
cat <<EOT >>