Share
## https://sploitus.com/exploit?id=E6812B62-9BA3-552D-B770-87B3114229D0
# Threadbare โ€” Exploit-Development Training Lab

## Introduction

Threadbare is a hands-on exploit-development lab built around a deliberately vulnerable multithreaded TCP service called **tdsvc** (Thread Dispatch Service). The lab guides you from first principles โ€” reading the binary, understanding its concurrency model, and fingerprinting its mitigations โ€” through a complete exploit chain that achieves remote code execution via a reverse shell. Every technique you practise here maps directly to real-world skills: information leaks, control-flow hijacking, ROP chain construction, and stack-pivot trampolines.

The target, tdsvc, is a 58-thread x86-64 service. Two ingress threads accept TCP connections, parse framed requests, and enqueue jobs onto a mutex-protected queue. Fifty-four worker threads dequeue those jobs and dispatch them to handlers โ€” both intentional bugs live in those handlers. Two egress threads drain a separate response queue and write replies back to clients. This architecture lets you observe how bugs surface inside a thread pool and why standard single-threaded exploit assumptions sometimes need adjusting.

The lab is self-contained and sequential. You work through eight modules, each building on the last, with tiered hints and a complete walkthrough available if you get stuck. By the end you will have written a pwntools exploit script that reliably defeats live ASLR and lands an interactive reverse shell against a running instance of tdsvc.

---

## Safety

tdsvc binds exclusively to **127.0.0.1:9999** and never listens on any external interface. All exploit traffic in this lab targets the loopback address. The lab does not disable ASLR system-wide, does not modify kernel parameters, and contains no destructive payload surface โ€” the most it does is spawn `/bin/bash` locally. Do not deploy tdsvc on a shared machine, a VM with bridged networking, or any host reachable from an untrusted network. It is intentionally broken software.

---

## Prerequisites

- Comfort reading and writing C (pointer arithmetic, structs, memory layout)
- x86-64 assembly basics (registers, calling convention, stack frame layout)
- Linux CLI fluency (processes, file descriptors, netcat, tmux/screen)
- Python 3 for scripting exploits

You do **not** need prior exploit-development experience; that is what the lab teaches.

---

## Setup

Run the setup script once from the lab root:

```
bash setup.sh
```

The script is idempotent โ€” re-running it is safe. It will:

1. Verify or install gdb
2. Install pwndbg into `~/tools/pwndbg`
3. Install ropper and pwntools via pip
4. Verify that `nc` (netcat) is available
5. Build tdsvc with `make`
6. Print a checksec summary of the resulting binary

After setup completes, build manually at any time with:

```
make          # build bin/tdsvc
make run      # start tdsvc (blocks; use a second terminal for the exploit)
make checksec # re-print mitigation summary
make clean    # remove build artefacts
```

---

## Module Syllabus

| # | Directory | Title | What you do |
|---|-----------|-------|-------------|
| 00 | `modules/00-environment.md` | Environment | Verify the toolchain, explore the lab layout, confirm tdsvc builds and binds |
| 01 | `modules/01-recon.md` | Reconnaissance | Read the source, map the thread model, enumerate mitigations, draft an attack plan |
| 02 | `modules/02-the-leak.md` | The Leak | Craft OP_RANGE frames to trigger the OOB read; compute PIE base, libc base, and heap pointer |
| 03 | `modules/03-control-flow-hijack.md` | Control-Flow Hijack | Measure the exact offset to the saved RIP via OP_PROCESS; overwrite it with a controlled value |
| 04 | `modules/04-trampoline.md` | Stack-Pivot Trampoline | Find a `pop rsp; ret` gadget; pivot execution into the heap buffer; understand why the inline space is too small |
| 05 | `modules/05-rop-chain.md` | ROP Chain | Build the execve ROP chain in `conn->payload`; lay out the argument strings; chain the gadgets |
| 06 | `modules/06-egress-delivery.md` | Egress Delivery | Set up the reverse-shell listener; trigger the full chain; catch the shell |
| 07 | `modules/07-reliability.md` | Reliability | Handle threading races, add retry logic, harden the exploit for consistent one-shot execution |

---

## File Layout

```
exploit-lab/
โ”œโ”€โ”€ README.md               โ† you are here
โ”œโ”€โ”€ setup.sh                โ† one-time toolchain installer
โ”œโ”€โ”€ verify.sh               โ† end-to-end exploit validator
โ”œโ”€โ”€ Makefile                โ† build, run, checksec, clean targets
โ”œโ”€โ”€ src/                    โ† tdsvc source code
โ”‚   โ””โ”€โ”€ tdsvc.c
โ”œโ”€โ”€ modules/                โ† lab modules (work through in order)
โ”‚   โ”œโ”€โ”€ 00-environment.md
โ”‚   โ”œโ”€โ”€ 01-recon.md
โ”‚   โ”œโ”€โ”€ 02-the-leak.md
โ”‚   โ”œโ”€โ”€ 03-control-flow-hijack.md
โ”‚   โ”œโ”€โ”€ 04-trampoline.md
โ”‚   โ”œโ”€โ”€ 05-rop-chain.md
โ”‚   โ”œโ”€โ”€ 06-egress-delivery.md
โ”‚   โ””โ”€โ”€ 07-reliability.md
โ”œโ”€โ”€ hints/                  โ† tiered hints (try these before walkthrough/)
โ”œโ”€โ”€ cheatsheets/            โ† quick-reference cards for tools
โ”‚   โ”œโ”€โ”€ gdb-pwndbg.md
โ”‚   โ”œโ”€โ”€ ropper.md
โ”‚   โ””โ”€โ”€ pwntools.md
โ”œโ”€โ”€ walkthrough/            โ† step-by-step narrative (spoilers)
โ”œโ”€โ”€ solution/               โ† complete working exploit script (spoilers)
โ”‚   โ””โ”€โ”€ exploit.py
โ””โ”€โ”€ bin/                    โ† compiled output (created by make)
    โ””โ”€โ”€ tdsvc
```

---

## Running verify.sh

`verify.sh` is the lab's acceptance test. It builds a fresh tdsvc, starts it under live ASLR, runs `solution/exploit.py`, and confirms that a reverse shell connected and ran a command. Run it from a normal terminal (not inside gdb):

```
bash verify.sh
```

A passing run prints something like:

```
[+] Build OK
[+] tdsvc started (pid 12345)
[+] exploit.py connected
[+] shell command confirmed: uid=1000(user)
[+] PASS
```

If it fails, check that nothing else is already bound to 9999, that the listener port is free, and that pwntools is installed.

---

## How to Work Through the Lab

Start at module 00 and proceed in order. Each module states its goal, gives you the relevant source locations and protocol details, poses a set of tasks, and points at hints when needed. Resist the urge to jump ahead โ€” the later modules assume specific results (leaked addresses, measured offsets) that you compute in earlier ones.

When you get stuck, consult the tiered hints in `hints/` first. Hints are numbered and graduated: hint 1 gives a nudge, hint 2 gives a stronger direction, hint 3 essentially tells you what to do without writing the code for you. Only open `walkthrough/` or `solution/` when you have genuinely exhausted the hints and want to understand a technique rather than rediscover it. Reading the solution without attempting the work first is a reliable way to feel like you learned something without actually having done so.