Share
## https://sploitus.com/exploit?id=A4D45F03-C62B-5A5B-9EEA-C298ACC9155B
# Exploit Development Lab โ€” From Stack Smash to Kernel 0-Day (2026)

A progressive 12-class exploit development training lab covering modern memory corruption techniques. Each class builds on the previous one, escalating from basic stack smashing to a full Windows kernel exploitation chain. Designed for vulnerability researchers who want hands-on practice with real exploitation primitives.

## 12 Progressive Classes

| # | Class | Technique | Exploit Primitive | Platform |
|---|-------|-----------|-------------------|----------|
| 01 | Stack Buffer Overflow | ret2shellcode | Direct EIP/RIP control | Linux x64 |
| 02 | DEP Bypass | ROP chains | Code reuse via gadgets | Linux x64 |
| 03 | ASLR Bypass | Info leak + ROP | Pointer leak defeats randomization | Linux x64 |
| 04 | Stack Cookie Bypass | Pre-cookie variable corruption | Overwrite locals before canary check | Linux x64 |
| 05 | Heap Overflow | Chunk metadata corruption | Overwrite adjacent object function pointer | Linux x64 |
| 06 | Use-After-Free | Object reclaim + callback hijack | Reclaim freed object with controlled data | Linux x64 |
| 07 | UAF + Pool Spray | Named pipe spray (0x60 bucket) | Deterministic reclaim via NP_DATA_QUEUE_ENTRY | Linux x64 |
| 08 | Type Confusion | Wrong cast โ†’ controlled R/W | Misinterpreted struct fields give arb access | Linux x64 |
| 09 | Arbitrary Read | OOB read โ†’ KASLR defeat | Leak kernel base from adjacent objects | Linux x64 |
| 10 | Arbitrary Write | Unlink / write-what-where | Controlled pointer write to any address | Linux x64 |
| 11 | Full Chain | Leak โ†’ Write โ†’ Shell | Combine classes 9+10 into complete exploit | Linux x64 |
| 12 | Windows Kernel | Prefetch KASLR + PreviousMode + Token | Arbitrary write โ†’ PreviousMode flip โ†’ SYSTEM | Windows x64 |

## Structure

Each class has:
- `src/vuln.c` โ€” Intentionally vulnerable C program with the target bug class
- `src/build.sh` โ€” Compile with specific flags (e.g., `-no-pie -fno-stack-protector`)
- `exploit/exploit.py` โ€” Working Python/pwntools exploit solution
- `README.md` โ€” Technique explanation and exploitation walkthrough

Additional:
- `c-fundamentals/` โ€” 10 exercises covering pointers, memory layout, structs, stack frames, heap internals, integer overflow, string bugs, file parsing, race conditions, and bitwise operations
- `shared/` โ€” Common utilities and shellcode

## Build All
```bash
for d in class*/; do (cd "$d/src" && bash build.sh); done
```

## Prerequisites
- Linux x64 (WSL2 Ubuntu works fine)
- gcc, python3, pwntools (`pip install pwntools`)
- For class 12: Windows 11 with WinDbg and a test driver

## Companion: Real-World CVE PoCs

The `real-cves/` directory (not included in this repo, clone separately) contains working exploits for real Linux kernel vulnerabilities mapped to each class:

| CVE | Bug Class | Maps to Classes |
|-----|-----------|----------------|
| CVE-2024-1086 (nftables) | Stack overflow | 01, 02, 04 |
| CVE-2025-21756 (nftables UAF) | Use-after-free | 03, 06, 09, 10, 11 |
| io_uring KASLR leak | Info leak | 03 |
| StackRot (CVE-2023-3269) | Race + stack pivot | 04 |
| io_uring heap overflow | Heap corruption | 05 |
| nftables UAF variant | UAF + pool spray | 06, 08 |
| vsock UAF | UAF | 06 |
| CVE-2026-43284 (Dirty Frag) | Page cache corruption | 10 |

## Author

Shravan Kumar Sheri โ€” [github.com/Sheri98](https://github.com/Sheri98)

Security researcher focused on vulnerability discovery, exploit development, and fuzzing.
4 published CVEs | OSCP | OSS-Fuzz contributor