## https://sploitus.com/exploit?id=B237A549-E40D-5B85-95E8-94EFF4E5201E
# Binary Exploitation & Reverse Engineering Labs

Hands-on labs in low-level memory analysis and binary exploitation of C programs and Unix
binaries, completed for **ENPM691: Hacking of C Programs & Unix Binaries** (University of
Maryland). The labs progress from fundamentals (memory layout, assembly analysis, debugging)
to modern exploitation techniques (stack overflows, ROP, GOT hijacking, format strings,
canary bypass, heap use-after-free, and SUID privilege escalation).

Each lab is **code-first**: its `README.md` shows the vulnerable program and the exploit
inline, with the runnable source extracted into `src/`. The full IEEE-formatted report
(methodology, annotated debugger/disassembly screenshots, discussion) lives in `report/`
for the rigorous version.

## Lab Environment

All work was performed in a controlled VM for educational/authorized security research only.

| Component | Version |
|-----------|---------|
| OS | Kali Linux 2024.4 (Rolling), kernel 6.11.2 |
| Architecture | x86_64 (programs compiled `-m32` where noted) |
| Compiler | GCC 14.2.0 |
| Debugger | GDB 16.1 + pwndbg 15.2 |
| Protections | ASLR / NX toggled per lab to demonstrate technique vs. mitigation |

## Labs

| # | Lab | Focus | Key technique / protection |
|---|-----|-------|----------------------------|
| 01 | [Variable Alignment & Allocation](labs/01-variable-alignment-32bit/) | Memory fundamentals | Automatic-variable sizing & alignment in 32-bit |
| 02 | [Assembly & Compiler Optimizations](labs/02-assembly-compiler-optimizations/) | Reverse engineering | How GCC lowers multiplies to shifts/LEA |
| 03 | [Variable Memory Layout](labs/03-variable-memory-layout/) | Memory fundamentals | Stack / heap / BSS / data / extern placement |
| 04 | [Automated Debugging via Scripting](labs/04-automated-debugging-scripting/) | Tooling | GDB/pwndbg scripting for repeatable analysis |
| 05 | [Stack Overflow & Shellcode](labs/05-stack-overflow-shellcode/) | Exploitation | Return-address overwrite, function-pointer cast, shell-spawning shellcode |
| 06 | [JMP ESP Exploit](labs/06-jmp-esp-exploit/) | Exploitation | `jmp esp` redirection → root shellcode |
| 07 | [ROP Chains](labs/07-rop-chains/) | Exploitation | ROP gadget chain to bypass **NX**, `execve("/bin/sh")` |
| 08 | [GOT Overwrite](labs/08-got-overwrite/) | Exploitation | Hijacking the Global Offset Table to call `system()` |
| 09 | [Format String Exploit](labs/09-format-string-exploit/) | Exploitation | `printf` format-string write → GOT hijack → SUID root |
| 10 | [Stack Canary Bypass](labs/10-stack-canary-bypass/) | Exploitation | `scanf("%lf")` quirk to skip the canary & saved RBP |
| 11 | [Heap Use-After-Free](labs/11-heap-use-after-free/) | Exploitation | Dangling-pointer reallocation to hijack logic / spawn shell |
| 12 | [SUID Open File Descriptor](labs/12-suid-open-fd-exploit/) | Privilege escalation | Leaked FD across privilege drop โ†’ write to root-owned file |

## Skills Demonstrated

- Reverse engineering and dynamic analysis with GDB/pwndbg, `objdump`, `readelf`, `checksec`
- x86 / x86-64 assembly reading and the C-to-assembly mapping
- The full memory model: stack frames, heap allocator behavior, GOT/PLT, calling conventions
- Modern exploit mitigations (ASLR, NX, stack canaries) and the techniques that defeat or
  require disabling them
- Shellcode usage, ROP gadget chaining, and privilege-escalation primitives
- Clear technical writing and reproducible methodology

## Repository Layout

```
labs/NN-topic/        # one folder per lab
  README.md           # start here: vuln + exploit shown inline, reproduce steps
  src/                # extracted runnable source (vulnerable .c, exploit .py, commands.sh)
  report/             # the formatted report + its inputs
    *.pdf             #   the IEEE write-up (full methodology & figures)
    *.tex             #   LaTeX source
    *.eps / *.png     #   figures (debugger output, disassembly)
template/             # shared IEEEtran template + environment notes
IMAGES-TODO.md        # deferred: convert report figures (EPS->PNG) for inline display
```

> LaTeX build artifacts (`.aux`, `.log`, `.dvi`, `.ps`, …) are intentionally excluded via
> `.gitignore`; the `.tex` sources and PDFs are committed.

## Disclaimer

These labs were completed in an isolated lab VM against intentionally vulnerable, self-authored
programs for academic purposes. The techniques are presented for **defensive education and
authorized security research only**.