# Binary Exploitation & Reverse Engineering Lab
Hands-on memory-corruption exploitation and reverse engineering. Three escalating
exploitation challenges: a local stack overflow, a **blind remote** overflow, and
**defeating modern mitigations** (stack canary, non-executable stack, and `ptrace`
anti-debugging) with a ret2libc chain; plus a **static reverse-engineering**
challenge recovering a password from an obfuscated, encrypted Java binary.
> ⚠️ **Lab disclaimer.** All work was performed against intentionally vulnerable
> programs in an **isolated lab environment** for educational purposes. The
> servers in this repo are minimal replicas I wrote to develop and test exploits
> locally. Nothing here targets real systems, and no live infrastructure,
> credentials, or third-party material is included. All addresses are
> environment-specific and must be recovered with a debugger.
---
## What this demonstrates
- Reverse engineering 32-bit ELF binaries with **GDB** and **objdump**:
  reconstructing stack frames, locating saved EBP / return addresses, computing
  overflow offsets with cyclic patterns
- Reliable **stack buffer overflows** using NOP sleds and injected shellcode
- Bypassing a naive length check via **`unsigned char` integer wraparound**
- **GOT overwrite** to hijack control when `main()` calls `exit()` instead of
  returning
- **Blind remote exploitation**: developing against a local replica, then
  brute-forcing the return address to land a **reverse shell**
- Defeating exploit mitigations:
  - patching out **`ptrace` anti-debugging** in a local debug copy
  - recovering a **predictable, time-seeded stack canary**
  - **ret2libc** (`system("/bin/sh")`) to defeat a **non-executable stack**
- Binary patching with radare2 / hexedit; exploit tooling in Python
  (`struct`, `socket`, `ctypes`)
- **Static reverse engineering**: GPG decryption, JAR unpacking, **JAD bytecode
  decompilation**, reading obfuscated Java, and recognizing a repeating-key XOR
  cipher from decompiled logic
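The `unsigned char` wraparound item above, illustrated with an added example that is not part of this repository and does not reproduce the lab binary: a reconstruction of the naive length-check pattern beside its hardened form. `BUF_SIZE`, the function names and the all-`'A'` sample inputs are assumptions. No copy into a buffer is performed; the functions report how many bytes a following `memcpy(buf, input, strlen(input))` would write, which is enough to see why the check fails.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64            /* assumed size of the stack buffer being guarded */

/* Naive check (reconstruction of the pattern, not the lab binary's code):
 * storing strlen() in an unsigned char reduces it modulo 256 before the
 * comparison, so a 300-byte input is seen as 44 bytes and passes. */
bool naive_length_ok(const char *input) {
    unsigned char len = (unsigned char)strlen(input);
    return len <= BUF_SIZE;
}

/* Hardened check: keep the full size_t and compare before any copy happens. */
bool hardened_length_ok(const char *input) {
    size_t len = strlen(input);
    return len <= BUF_SIZE;
}

/* Bytes a memcpy(buf, input, strlen(input)) would write after each check,
 * or 0 when the input is rejected. Nothing is copied here; the point is that
 * the naive path lets strlen(input) > BUF_SIZE through. */
size_t bytes_copied_naive(const char *input) {
    return naive_length_ok(input) ? strlen(input) : 0;
}

size_t bytes_copied_hardened(const char *input) {
    return hardened_length_ok(input) ? strlen(input) : 0;
}

/* Constructed sample input: n bytes of 'A' (n < 512), NUL-terminated. */
const char *sample_input(size_t n) {
    static char buf[512];
    if (n >= sizeof buf) n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int main(void) {
    size_t lengths[] = { 64, 100, 255, 256, 300 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        const char *in = sample_input(lengths[i]);
        printf("len=%3zu  naive copies %3zu bytes, hardened copies %3zu bytes (buffer holds %d)\n",
               lengths[i], bytes_copied_naive(in), bytes_copied_hardened(in), BUF_SIZE);
    }
    return 0;
}
```

Lengths 256 and 300 wrap to 0 and 44 respectively, so the naive check admits them while a 100-byte input is correctly refused; the hardened check is the one that agrees with the buffer size for every length. Compiling with `-Wconversion` flags the narrowing store in the naive version, which is the cheapest way to catch this class of defect in review.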
---
## Challenges
| # | Folder | Type | Focus |
|---|--------|------|-------|
| 1 | [`01-local-overflow`](01-local-overflow) | Exploitation | Stack overflow fundamentals: shellcode + NOP sled, length-check bypass, GOT overwrite |
| 2 | [`02-remote-overflow`](02-remote-overflow) | Exploitation | Blind remote overflow: local replica, return-address brute-force, reverse shell |
| 3 | [`03-mitigation-bypass-prog9`](03-mitigation-bypass-prog9) | Exploitation | Anti-debug bypass + canary recovery + ret2libc against NX |
| 4 | [`04-reverse-engineering-java`](04-reverse-engineering-java) | Reverse engineering | Decrypt + decompile an obfuscated Java binary; recover a XOR-encoded password |
Each folder has a `NOTES.md` walkthrough of the approach and the exploit
script(s) I wrote.
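The repeating-key XOR cipher named in challenge 4, as an added example that is not the repo's `solve.py`: a minimal implementation of the encode/decode primitive and of key recovery from a known-plaintext window, using the property that `ct[i] = pt[i] ^ key[i % keylen]`, so `keylen` consecutive known plaintext bytes yield the whole key. The sample plaintext, the key `k3y`, the `login=` crib and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Repeating-key XOR, applied in place. XOR is its own inverse, so the same
 * call encodes and decodes. */
void xor_repeating(uint8_t *buf, size_t len, const uint8_t *key, size_t keylen) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % keylen];
}

/* Key recovery from a known-plaintext window. Because
 * ct[i] = pt[i] ^ key[i % keylen], the first keylen bytes of known plaintext
 * give every key byte directly. Returns 0 on success, -1 if fewer than
 * keylen plaintext bytes are known (or keylen is 0). */
int recover_key(const uint8_t *ct, const uint8_t *known_pt, size_t known_len,
                size_t keylen, uint8_t *key_out) {
    if (keylen == 0 || known_len < keylen) return -1;
    for (size_t i = 0; i < keylen; i++)
        key_out[i] = ct[i] ^ known_pt[i];
    return 0;
}

/* Constructed sample, not from the lab: a config-style string under key "k3y". */
static const char SAMPLE_PLAINTEXT[] = "login=guest;password=Tr0ub4dor";
static const uint8_t SAMPLE_KEY[] = { 'k', '3', 'y' };

/* Full walk-through on the sample: encode, recover the key from the "login="
 * prefix alone (6 known bytes >= keylen 3), decode the rest, and compare.
 * Returns 1 when the recovered text equals the original, 0 otherwise. */
int demo_known_plaintext_recovery(void) {
    uint8_t ct[sizeof SAMPLE_PLAINTEXT - 1];
    memcpy(ct, SAMPLE_PLAINTEXT, sizeof ct);
    xor_repeating(ct, sizeof ct, SAMPLE_KEY, sizeof SAMPLE_KEY);

    static const uint8_t crib[] = "login=";          /* assumed known prefix */
    uint8_t key[sizeof SAMPLE_KEY];
    if (recover_key(ct, crib, sizeof crib - 1, sizeof key, key) != 0)
        return 0;
    if (memcmp(key, SAMPLE_KEY, sizeof key) != 0)     /* recovered key must match */
        return 0;

    xor_repeating(ct, sizeof ct, key, sizeof key);   /* decode with recovered key */
    return memcmp(ct, SAMPLE_PLAINTEXT, sizeof ct) == 0;
}

int main(void) {
    printf("known-plaintext key recovery %s\n",
           demo_known_plaintext_recovery() ? "succeeded" : "failed");
    return 0;
}
```

The key length is taken as known here; in practice it is the one parameter a decompiled loop such as `data[i] ^ key[i % key.length]` reveals immediately, which is why spotting that idiom in bytecode is the whole battle. A fixed key reused across the entire message is also why this construction offers no confidentiality against anyone holding even a few bytes of expected plaintext.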
---
## Repository layout
```
binary-exploitation-lab/
├── README.md
├── 01-local-overflow/
│   ├── NOTES.md
│   ├── exploit_basic.py
│   ├── exploit_lengthcheck_bypass.py
│   ├── exploit_got_overwrite.py
│   └── exploit_got_target.py
├── 02-remote-overflow/
│   ├── NOTES.md
│   ├── vulnerable_server.c   # local replica
│   └── remote_exploit.py
├── 03-mitigation-bypass-prog9/
│   ├── NOTES.md
│   └── exploit_ret2libc.py
└── 04-reverse-engineering-java/
    ├── NOTES.md
    └── solve.py              # generic repeating-key XOR solver
```
---
## Tools
`GDB` · `objdump` · `radare2` · `hexedit` · `GCC` · `gpg` · `JAD` · `Python` (`struct`, `socket`, `ctypes`)
## Concepts
NX / DEP · stack canaries · ASLR · PIE · ret2libc · GOT/PLT · `ptrace`
anti-debugging · calling conventions · NOP sleds