## https://sploitus.com/exploit?id=2B2850BD-5CCC-5FC9-BAFC-E1011A676871
# Binary Exploitation: Buffer Overflow & Format String Attack

Hands-on exploration of classic binary exploitation techniques on intentionally vulnerable 32-bit C programs. Covers the full exploitation lifecycle from vulnerability discovery to root shell, alongside analysis of four modern mitigations and their bypass techniques.

---

## Topics

| # | Topic | Writeup |
|---|---|---|
| 1 | Buffer overflow → reverse root shell | [01_buffer_overflow.md](writeup/01_buffer_overflow.md) |
| 2 | ASLR and brute-force bypass | [02_aslr.md](writeup/02_aslr.md) |
| 3 | Stack Guard (canary) analysis and bypass | [03_stack_guard.md](writeup/03_stack_guard.md) |
| 4 | Non-executable stack (NX bit) | [04_nonexec_stack.md](writeup/04_nonexec_stack.md) |
| 5 | Format string attack with ASLR on | [05_format_string.md](writeup/05_format_string.md) |

---

## Environment

- OS: Ubuntu 24 (64-bit host, 32-bit target via `-m32`)
- Debugger: GDB
- Shellcode: `msfvenom`
- Listener: `netcat`

---

## Key Results

- Buffer overflow exploited to obtain a **reverse root shell** (`uid=0`) via `msfvenom` reverse TCP shellcode
- ASLR bypassed via brute-force loop with 3000-byte NOP sled
- Stack canary bypassed by XOR-calculating the canary value and spoofing it in the payload
- NX bit confirmed to block shellcode execution; ROP discussed as bypass
- Format string exploit modified two heap bytes simultaneously in a **single program run with ASLR enabled**, with no GDB and no hardcoded addresses
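
As an added example (not code from this repo), a small C audit helper that makes the format string result above concrete from the defensive side: it counts the conversion directives an untrusted string would make `printf` execute and flags `%n`, the directive that lets a format string write memory, next to the hardened `printf("%s", user)` form. The function names are my own and not taken from `format_string.c`.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The bug class in format_string.c is printf(user) with attacker-controlled
 * `user` (left out here so the file compiles warning-free); the fix is to
 * keep the format constant and pass the data as an argument. */
void log_safe(const char *user)
{
    printf("%s\n", user);
}

/* Returns the number of conversion directives in fmt ("%%" is a literal and
 * is not counted). If out_writes is non-NULL it receives the number of %n
 * directives, i.e. the ones that would write to memory. */
int count_conversions(const char *fmt, int *out_writes)
{
    int conversions = 0, writes = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                          /* "%%": literal percent sign */
            continue;
        p += strspn(p, "-+ #0");                /* flags */
        p += strspn(p, "0123456789$*");         /* width, positional "N$"    */
        if (*p == '.')                          /* precision */
            p += 1 + strspn(p + 1, "0123456789*");
        p += strspn(p, "hlLqjzt");              /* length modifiers */
        if (*p == '\0')
            break;                              /* truncated directive */
        conversions++;
        if (*p == 'n')
            writes++;
    }
    if (out_writes)
        *out_writes = writes;
    return conversions;
}

/* Convenience wrapper: how many %n writes an untrusted string would perform. */
int count_writes(const char *fmt)
{
    int writes = 0;
    count_conversions(fmt, &writes);
    return writes;
}

/* A cheap pre-check for fuzz harnesses and log review: any directive at all
 * means the string would act on the stack if it ever reached printf(user). */
bool looks_like_format_attack(const char *s)
{
    return count_conversions(s, NULL) > 0;
}
```

The check is a triage aid only; the actual fix is `log_safe`, which never lets user data reach the format argument.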

---

## Repo Structure

```
vulnerable/
  stack.c              annotated vulnerable buffer overflow program
  format_string.c      annotated vulnerable format string program
exploits/
  exploit.py           buffer overflow exploit with inline documentation
writeup/
  01_buffer_overflow.md
  02_aslr.md
  03_stack_guard.md
  04_nonexec_stack.md
  05_format_string.md
```

---

## Disclaimer

All programs are intentionally vulnerable. All testing was performed in an isolated virtual machine. This repo exists for educational purposes: to demonstrate how these attacks work and what mitigations defend against them.