Hands-on exploit development in C covering classic and modern vulnerability classes on x86 Linux. Each module demonstrates a specific technique from first principles — no frameworks, no shortcuts.
This project documents a practical journey through memory exploitation techniques, progressing from basic stack corruption to bypassing multiple modern mitigations in sequence. All exploits are implemented and tested on 32-bit Linux.
The foundation of memory exploitation. Demonstrates how writing past the bounds of a stack buffer overwrites the saved return address, redirecting execution to attacker-controlled code.
- Stack memory layout and return address overwriting
- Offset calculation to reach EIP
- Controlling execution flow
When the stack is marked non-executable, shellcode injected directly cannot run. This module demonstrates bypassing DEP using ret2libc — redirecting execution to existing libc functions instead.
- ret2libc technique with
system(),exit(), and/bin/sh - Building the payload without injecting shellcode
- Understanding calling conventions on 32-bit x86
ASLR randomizes the base addresses of libraries and stack at each run. This module demonstrates defeating ASLR on 32-bit systems where the address space is small enough to make brute-force feasible, or through information leak techniques.
- ASLR entropy limitations on 32-bit systems
- Reliable exploit execution despite randomization
Stack canaries place a random value between local variables and the saved return address. Writing past the canary corrupts it, triggering a crash before the return. This module demonstrates bypassing canary protection.
- How canaries are placed and checked by the compiler
- Techniques to leak the canary value
- Exploiting while preserving canary integrity
RELRO protects the GOT (Global Offset Table) from being overwritten. This module demonstrates understanding GOT/PLT mechanics and working within or around RELRO constraints.
- GOT/PLT internals and why they are an exploitation target
- Differences between Partial and Full RELRO
- Exploitation strategies under each protection level
When both DEP and code injection are blocked, ROP chains existing executable code fragments (gadgets) together to build arbitrary computation. This module demonstrates constructing a working ROP chain.
- Finding and selecting ROP gadgets from binaries and libc
- Chaining gadgets to control registers and call functions
- Building a functional ROP payload from scratch
| Mitigation | Status |
|---|---|
| NX / DEP | ✅ Bypassed |
| ASLR | ✅ Bypassed (32-bit) |
| Stack Canary | ✅ Bypassed |
| RELRO | ✅ Bypassed |
- Architecture: x86 (32-bit)
- OS: Linux (Kali / Ubuntu)
- Tools: GDB, pwndbg, Python, pwntools
This project is a learning-oriented security research environment. All techniques are demonstrated on intentionally vulnerable binaries in a controlled lab setup. The goal is to deeply understand how memory corruption vulnerabilities work at the instruction level — knowledge that is foundational to vulnerability research, fuzzing, and defensive security engineering.