## https://sploitus.com/exploit?id=890BA360-FDE1-5965-A311-97B26D1FC545
# C Memory-Safety & Exploit-Mitigations
Three self-contained demos of classic C vulnerability classes โ each with its
own deliberately vulnerable program, a hardened counterpart or a working
exploit, and a write-up covering the actual mechanism (verified by compiling,
running, and either crashing or popping a shell, not just described).
| Folder | Vulnerability class | Goal |
|---|---|---|
| [`struct-overwrite-auth-bypass/`](struct-overwrite-auth-bypass) | Spatial memory safety (unchecked `strcpy`, unsigned integer underflow) | Flip an access-control flag adjacent to a fixed-size buffer to gain admin access without any password; separately, crash the program via an integer-underflow-driven out-of-bounds read |
| [`integer-safe-arithmetic/`](integer-safe-arithmetic) | Integer overflow / underflow / undefined behavior | Show a naive arithmetic routine silently returning wrong results (or crashing) under overflow, then a hardened routine that detects the same cases and refuses instead โ verified with a 2000-case property test against a Python oracle |
| [`stack-smash-mitigations/`](stack-smash-mitigations) | Classic stack buffer overflow (control-flow hijack) | Gain a shell via `ret2win` against the same vulnerable program built three ways: no protection, stack canary, and canary+PIE/ASLR โ leaking the canary and the code base through a second bug in the same program each time it's needed |
## Why this works
C gives no memory or integer safety by default: array accesses aren't
bounds-checked, and signed/unsigned arithmetic overflow either invokes
undefined behavior or silently wraps. All three folders exploit variations
of the same root cause โ code trusts a length or a value it never validated
โ but at different levels: corrupting an adjacent struct field to flip an
authorization check, corrupting an arithmetic result, and corrupting a
saved return address to redirect control flow outright. The mitigations in
`stack-smash-mitigations/` (stack canaries, PIE/ASLR) don't fix the
underlying bug โ they raise the cost of exploiting it, and each is bypassed
in turn using a second, independent bug in the same program (an
out-of-bounds *read*) to leak exactly the secret the mitigation relies on.
## Tooling
- C, compiled with GCC (`gcc`), `-O0` and explicit protection flags per target
- Exploits in Python with [pwntools](https://github.com/Gallopsled/pwntools)
- `gdb` + [pwndbg](https://github.com/pwndbg/pwndbg) for stack-layout verification during development
- Dev environment pinned via `flake.nix` (Nix), see [Reproducing this](#reproducing-this)
## Attribution
Every program, bug, and exploit here is original โ written from scratch for
this repository, not derived from any specific course, textbook, or third
party's source code. The vulnerability *classes* demonstrated (stack buffer
overflows, integer overflow/underflow, canary and ASLR bypass techniques)
are standard, widely taught topics in software security education generally;
nothing here reproduces any particular assignment, exercise text, or
proprietary material.
## Disclaimer
For educational purposes and authorized security research only. All targets
are self-contained fictional programs built and run entirely on your own
machine โ do not apply these techniques to systems you don't own or don't
have explicit permission to test.
## Reproducing this
```
nix develop # or: install gcc, gdb, gnumake, python3 + pwntools yourself
cd
make
# see each folder's README for how to run/exploit it
```
## License
Code and write-ups in this repository are licensed under the MIT License, see [LICENSE](LICENSE).