100+ Free OSED Practice Questions

Pass your OffSec Exploit Developer (OSED) exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately
Pass Rate: ~30-40% first attempt (community estimate)
Questions: 100+
100% Free
2026 Statistics

Key Facts: OSED Exam

  • Exam Duration: 48 hrs; OffSec (47h45m practical)
  • Challenges to Pass: 2 of 3; OffSec
  • Primary Architecture: 32-bit; OffSec EXP-301
  • Learn One Price: $2,499; OffSec annual
  • Validity: 3 yrs; OffSec (since 2023)
  • Difficulty: Advanced; OffSec 300-level

The OSED exam is NOT multiple choice — it is a 47h45m hands-on lab with 3 independent exploit-development challenges plus a 24-hour reporting window. You must deliver fully working exploits for 2 of the 3 challenges to pass. Our 100 practice questions on this site build the underlying knowledge (x86 assembly, WinDbg, mona.py, ROP, SEH, shellcoding) — they do NOT replicate the exam. Certification is valid 3 years. No formal prerequisites, but strong C + x86 + Windows internals expected.

Sample OSED Practice Questions

Try these sample questions to test your OSED exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. In the Microsoft x86 cdecl calling convention used on 32-bit Windows OSED targets, who is responsible for cleaning up the arguments pushed onto the stack after a function call?
A. The callee (RET imm16)
B. The caller, via add esp, N after the CALL
C. Neither — it is automatic
D. The OS kernel
Explanation: cdecl passes arguments right-to-left on the stack and the caller cleans them up with `add esp, <size>` after the CALL. stdcall uses callee cleanup (RET imm16), so distinguishing the two matters when crafting exploits. Neither the OS nor 'automatic cleanup' is correct.

2. Which mona.py command generates a list of ROP gadgets for building VirtualProtect / VirtualAlloc chains on 32-bit Windows modules?
A. !mona config
B. !mona rop -m *.dll -cp nonull
C. !mona bytearray
D. !mona find -s 'shellcode'
Explanation: `!mona rop -m *.dll -cp nonull` searches loaded modules for useful gadgets avoiding null bytes in addresses. It produces rop_chains.txt with suggested chains for VirtualProtect/VirtualAlloc. `!mona config` sets the workdir, `!mona bytearray` generates a byte-array for badchar analysis, `!mona find` searches memory for strings.

3. Which register's value must a SEH-based overflow exploit typically control to hijack the Structured Exception Handler chain on 32-bit Windows?
A. EAX
B. EIP via overwriting the 'next SEH' and the SEH handler pointer on the stack
C. ESP directly
D. EBX
Explanation: An SEH overflow overwrites the 'pointer to next SEH' and the SEH handler pointer on the stack. When the exception fires, Windows walks the SEH chain and calls the corrupted handler; attackers typically point it to a pop-pop-ret gadget in a non-SafeSEH module so that the attacker-controlled 'next SEH' DWORD becomes the jump target.

4. Why is a pop-pop-ret gadget specifically used for SEH handler takeover?
A. It pops RAX and RBX
B. Windows places a pointer to the 'next SEH' in a known stack location when calling the handler; pop-pop-ret lands EIP on that pointer
C. It disables DEP
D. It patches cookies
Explanation: When the OS calls the SEH handler it arranges the stack so that a known offset contains the address of the EXCEPTION_REGISTRATION (which starts with 'next SEH'). Two pops followed by a RET discard two stack values and return into 'next SEH', which the attacker controls as a short JMP to shellcode.

5. Which tool is commonly used alongside Immunity Debugger / WinDbg for generating/encoding shellcode in OSED labs?
A. Wireshark
B. msfvenom
C. nmap
D. Metasploit Community Edition only
Explanation: msfvenom (Metasploit's payload generator) produces shellcode for various targets and encodes it to avoid bad characters. Wireshark captures traffic, nmap scans networks, and 'Metasploit Community Edition only' is not a standard OSED choice. You will also write custom shellcode, but msfvenom is the go-to generator.

6. Which DEP-bypass technique uses a ROP chain that ends by calling VirtualProtect to mark the shellcode region executable?
A. ret2libc via VirtualProtect
B. Stack spraying
C. Format string leak
D. Heap feng shui
Explanation: A classic ROP chain loads VirtualProtect's arguments (lpAddress, dwSize, PAGE_EXECUTE_READWRITE=0x40, lpflOldProtect) and calls it, turning the stack-resident shellcode into executable memory. This is the canonical 32-bit Windows DEP bypass. The other terms are related but distinct techniques.

7. An OSED exploit requires shellcode with no null bytes, 0x0A, or 0x0D. Which mona.py command helps identify badchars via comparison?
A. !mona bytearray + !mona compare
B. !mona jmp
C. !mona seh
D. !mona modules
Explanation: Generate a clean byte-array (0x01-0xFF minus known badchars) with `!mona bytearray`, place it as the payload, crash the target, then use `!mona compare` pointing at the expected bytearray to find discrepancies — those are additional badchars. The other mona commands target different phases.

8. Which SEH hardening mitigates naive SEH overwrites by validating the handler address against a whitelist compiled into the module?
A. SafeSEH
B. ASLR
C. DEP
D. CFG
Explanation: SafeSEH embeds a list of valid SEH handlers per module; when an exception fires, the handler address is verified against that list. Modules compiled with /SAFESEH are therefore excluded as sources of handler addresses for an SEH overwrite. SEHOP adds a linked-list integrity check at the OS level. ASLR/DEP/CFG are other mitigations.

9. Which technique finds a pop-pop-ret gadget inside a non-SafeSEH module for an SEH-overwrite exploit?
A. !mona seh -cp nonull
B. !mona jmp
C. !mona config
D. msfvenom -l
Explanation: `!mona seh` filters gadgets to pop-pop-ret found in modules without SafeSEH, optionally skipping bad chars. This directly supports SEH-overflow exploitation. `!mona jmp` finds JMP/CALL ESP-style gadgets; `!mona config` is setup; `msfvenom -l` lists payloads.

10. Which OSED concept relies on searching process memory for a pair of signature bytes (e.g., w00tw00t) to locate a larger payload?
A. Heap spray
B. Egghunter
C. ROP
D. Format string
Explanation: An egghunter is a short stager that scans process address space for an 8-byte signature (the 'egg', repeated twice) and jumps to it once found. This technique helps when the initial overflow buffer is too small to hold full shellcode. The other options describe different techniques.

About the OSED Exam

The OffSec Exploit Developer (OSED) is OffSec's advanced Windows user-mode exploit-development certification tied to the EXP-301 course. Topics include reverse engineering in IDA Pro, stack overflows, SEH overwrites, egg hunters, format string bugs, heap overflows, DEP/ASLR bypass via ROP (mona.py), custom shellcode, and PE binary backdooring on 32-bit Windows.

  • Questions: 3 scored questions
  • Time Limit: 47 hours 45 minutes + 24 hours reporting
  • Passing Score: 2 of 3 challenges (full working exploits)
  • Exam Fee: $2,499 (Learn One annual subscription) (OffSec (Offensive Security))

OSED Exam Content Outline

Module 1-4: WinDbg, x86 Assembly & PE Format

Registers, calling conventions, stack frames, PE headers (IMAGE_NT_HEADERS, sections, IAT, EAT), WinDbg commands (!peb, bp, dd, u, g), IDA Pro navigation

Module 5-7: Stack Overflows, SEH & Egg Hunters

Classic EIP overwrite, SEH chain corruption, SafeSEH/SEHOP bypass, pop-pop-ret, egghunters (w00tw00t, NtDisplayString), Unicode/badchar handling

Module 8-10: ROP, DEP & ASLR Bypass

Building ROP chains with mona.py, VirtualAlloc/VirtualProtect/WriteProcessMemory gadgets, partial overwrite to defeat ASLR, return-to-libc techniques, stack pivoting

Module 11-13: Shellcoding & PE Backdooring

Custom shellcode (PEB walking, GetProcAddress resolution), msfvenom encoders, format string exploitation, code cave injection into PE binaries, hijacking execution flow

How to Pass the OSED Exam

What You Need to Know

  • Passing score: 2 of 3 challenges (full working exploits)
  • Exam length: 3 questions
  • Time limit: 47 hours 45 minutes + 24 hours reporting
  • Exam fee: $2,499 (Learn One annual subscription)

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

OSED Study Tips from Top Performers

1. Build exploits for vulnserver.exe from scratch — do not just follow walkthroughs
2. Master mona.py commands: !mona modules, !mona rop -m *.dll -cp nonull, !mona jmp -r esp
3. Practice writing ROP chains on paper before using automated tools — understand gadget chaining
4. Learn the PEB walk in shellcode: fs:[30h] -> Ldr -> InMemoryOrderModuleList to find kernel32
5. Set up WinDbg with !peb, bp VirtualProtect, and understand the call stack at crash
6. Know Structured Exception Handler (SEH) chain layout: pointer to next SEH, pointer to handler
7. These are knowledge checks — the real exam is 48 hours of hands-on exploit writing

Frequently Asked Questions

Is the OSED exam multiple choice?

No. The OSED exam is fully practical — 3 independent exploit-development challenges over 47 hours 45 minutes, then 24 hours to submit the report. You must deliver working proof-of-concept exploits for 2 of the 3 to pass; partial exploitation does not earn points. Our 100 practice questions on this site are knowledge checks for the underlying skills (x86 asm, WinDbg, ROP, SEH, mona.py) — they do not replicate the exam.

What is the OSED passing score?

You must successfully complete 2 out of 3 exploit-development challenges. Each challenge requires a fully working exploit — partial progress awards zero points. This binary scoring is why OSED feels harder than the point percentage suggests.

Is OSED 32-bit or 64-bit?

OSED (EXP-301) focuses primarily on 32-bit Windows user-mode exploitation. While the concepts transfer to 64-bit, the lab targets and exam challenges are built on 32-bit binaries. For 64-bit kernel exploitation, you want OSEE (EXP-401).

What tools do I need to know for OSED?

IDA Pro (or Ghidra), WinDbg (primary debugger per updated course), Immunity Debugger (legacy), mona.py (ROP gadget hunting), msfvenom (shellcode generation), Python (exploit scripting), and Visual Studio / MASM for custom shellcode. Our practice questions reference each of these.

How long should I study for OSED?

Plan 3-6 months of dedicated study beyond the EXP-301 course materials. Practice on HackTheBox, try exploit.education, and run vulnserver. Use our 100 practice questions to identify conceptual weak spots (SEH chains, ROP gadget selection, egghunter logic, PE format) before committing to the exam voucher.

How should I use these practice questions?

Treat them as knowledge validators for the EXP-301 modules. If you miss questions on mona.py usage, ROP chain construction, or WinDbg breakpoint commands, revisit those course sections and build the primitive by hand in a lab VM. The real exam tests execution speed — knowledge is a prerequisite, not the bottleneck.