
Binary Exploitation (Pwn)

A core pillar of offensive security: exploiting low-level memory-safety vulnerabilities in compiled binaries. This guide covers memory corruption, control-flow hijacking, and bypasses for modern mitigations.

Advanced Topic

Binary exploitation requires understanding of assembly language, memory architecture, calling conventions, and operating system internals. Recommended prerequisites: x86/x64 assembly basics, C programming, GDB fundamentals.

Exploit Development Workflow

  • 🔍 Recon: binary analysis
  • 🐛 Find Bug: fuzzing, audit
  • 🎯 Trigger: crash, control
  • 💥 Exploit: bypass, execute
  • 🐚 Shell: code execution

What You'll Learn

  • Stack-based buffer overflow exploitation
  • Return-Oriented Programming (ROP)
  • Heap exploitation techniques
  • Format string vulnerabilities
  • ASLR and PIE bypass methods
  • Shellcode development
  • Pwntools scripting
  • GDB and debugging techniques

Core Topics

Process Memory Layout

Memory Map (High → Low; 32-bit addresses shown, on x86-64 user space ends at 0x00007fffffffffff)

0xFFFFFFFF - Kernel Space (from 0xC0000000 on 32-bit Linux with the default 3G/1G split)
Stack - Local vars, saved frame pointers, return addresses
↓ grows down toward the heap
(shared libraries and other mmap regions sit in the gap between stack and heap)
Heap - Dynamic allocation (malloc), grows up ↑
.bss - Uninitialized (zero-filled) globals
.data - Initialized globals
.text - Code segment (read-only, executable)
0x00000000 - Reserved (the NULL page is never mapped)

Stack Frame (High → Low)

Arguments (on the stack beyond the sixth on x86-64 System V; the first six are passed in registers, all of them on the stack on 32-bit x86)
Return Address ← Target!
Saved EBP/RBP (frame pointer)
Canary (if stack protection is on; sits just below the saved frame pointer, above the locals)
Local Variables (buffers, etc.)

A stack buffer overflow occurs when a write into a local buffer runs past its end and overwrites what sits above it: the canary (if any), the saved frame pointer and finally the return address. Controlling the return address is what turns the bug into control-flow hijacking.
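To see the layout and the stack frame described above on a live process, here is an added example written for this page (not code from the guide). It assumes Linux with the usual ELF segment order (.text < .data < .bss < heap < stack) and, for the return-address arithmetic, x86-64 with GCC/Clang's __builtin_frame_address. The 64-byte buffer it measures is the kind of local an overflow targets, and the printed padding is the number a payload's `b'A' * N` has to match before the return address is overwritten.

```c
/* Added example (not code from the guide): observe the process memory layout,
 * the direction of stack growth and the buffer-to-return-address distance from
 * inside a running program. Assumes Linux, the usual ELF segment order
 * (.text < .data < .bss < heap < stack) and, for the frame math, x86-64. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

int initialized_global = 42;   /* .data */
int uninitialized_global;      /* .bss  */

/* Called with the address of one of the caller's locals; returns 1 if this
 * callee's own local sits below it. noinline keeps it a real call so the
 * callee really gets its own frame underneath the caller's. */
static __attribute__((noinline)) int callee_frame_is_below(uintptr_t caller_local) {
    char buf[64];
    buf[0] = 0;
    return (uintptr_t)buf < caller_local;
}

/* Bytes from the start of a 64-byte local buffer to this frame's saved return
 * address. On x86-64 the return address is 8 bytes above the saved rbp that
 * __builtin_frame_address(0) points at, so this is the padding an overflow of
 * buf needs before it reaches the return address (the canary, if any, is
 * included in that distance). */
static __attribute__((noinline)) ptrdiff_t offset_to_return_address(void) {
    char buf[64];
    buf[0] = 0;
    char *ret_slot = (char *)__builtin_frame_address(0) + 8;
    return ret_slot - buf;
}

/* 1 if the segments are ordered as in the memory map above. */
int layout_is_ordered(void) {
    char local[16];
    void *chunk = malloc(32);
    local[0] = 0;
    uintptr_t text  = (uintptr_t)&layout_is_ordered;
    uintptr_t data  = (uintptr_t)&initialized_global;
    uintptr_t bss   = (uintptr_t)&uninitialized_global;
    uintptr_t heap  = (uintptr_t)chunk;
    uintptr_t stack = (uintptr_t)local;
    free(chunk);
    return text < data && data < bss && bss < heap && heap < stack;
}

/* 1 if a callee's locals sit at a lower address than the caller's. */
int stack_grows_down(void) {
    char local[16];
    local[0] = 0;
    return callee_frame_is_below((uintptr_t)local);
}

int main(void) {
    char local[16];
    void *chunk = malloc(32);
    local[0] = 0;
    printf(".text  %p  (main)\n", (void *)&main);
    printf(".data  %p  (initialized_global)\n", (void *)&initialized_global);
    printf(".bss   %p  (uninitialized_global)\n", (void *)&uninitialized_global);
    printf("heap   %p  (malloc(32))\n", chunk);
    printf("stack  %p  (local in main)\n", (void *)local);
    printf("64-byte buffer -> return address: %td bytes of padding\n",
           offset_to_return_address());
    printf("segments ordered low->high: %d, stack grows down: %d\n",
           layout_is_ordered(), stack_grows_down());
    free(chunk);
    return 0;
}
```

Build it twice, with `gcc -O0 -fno-stack-protector` and with `gcc -O0 -fstack-protector`, and compare the padding value: the canary and the compiler's own slot alignment move the buffer further from the return address, which is why the offset is measured in a debugger (pwntools' cyclic()/cyclic_find()) rather than computed from the buffer size alone.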

Security Mitigations

Protection     Description                                   Bypass
NX/DEP         Data pages (stack, heap) not executable       ROP chains, ret2libc
ASLR           Randomize memory addresses                    Info leak; brute force (practical mainly on 32-bit)
Stack Canary   Detect stack overflow before the return       Leak the canary (format string, over-read); byte-by-byte brute force against forking services
PIE            Position-independent executable               Leak a code address, compute the base
RELRO          Read-only relocations (GOT)                   Partial: GOT still writable (lazy binding), GOT overwrite works. Full: GOT read-only, target other writable function pointers
CFI            Control Flow Integrity                        Data-only attacks; calls that stay inside the allowed target set (e.g. COOP against coarse-grained CFI)

Checking Binary Protections

bash
# Using checksec (ships with pwntools)
checksec ./binary

# Example output:
#     Arch:     amd64-64-little
#     RELRO:    Partial RELRO
#     Stack:    Canary found
#     NX:       NX enabled
#     PIE:      No PIE (0x400000)
# No PIE: the binary always loads at 0x400000, so its own gadgets and GOT have
# fixed addresses; only libc, stack and heap move under ASLR.

# Using file ("executable" = no PIE; "pie executable" or "shared object" = PIE)
file ./binary

# Check ASLR status (Linux)
cat /proc/sys/kernel/randomize_va_space
# 0 = Off, 1 = Conservative (stack, mmap, vdso), 2 = Full (also the brk heap)

# Disable ASLR system-wide for testing (affects every process until reboot)
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

# Or disable it for a single run only (GDB does this by default)
setarch $(uname -m) -R ./binary
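Every protection in the table above is visible in the ELF headers, which is all checksec reads. As an added example (not pwntools' checksec and not code from this page), here is a minimal checksec in C that parses an ELF64 image from a buffer: PIE from e_type, NX from PT_GNU_STACK, RELRO from PT_GNU_RELRO plus BIND_NOW in the dynamic section, and the canary from the __stack_chk_fail import named in the dynamic string table. It assumes Linux with <elf.h> and little-endian ELF64; checksec_sample() builds a constructed, minimal ELF image in memory so the parser can be exercised offline.

```c
/* Added example (not pwntools' checksec, written for this guide): a minimal
 * checksec in C. Reads an ELF64 image's program headers and dynamic section to
 * report PIE, NX, RELRO and stack-canary status. Linux, little-endian ELF64. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct protections {
    int valid;   /* 1 if the buffer parsed as ELF64 */
    int pie;     /* e_type == ET_DYN (position-independent) */
    int nx;      /* PT_GNU_STACK present and not executable */
    int relro;   /* 0 none, 1 partial (PT_GNU_RELRO), 2 full (also BIND_NOW) */
    int canary;  /* "__stack_chk_fail" named in the dynamic string table */
};

/* Map a virtual address to a file offset through the PT_LOAD segments. */
static long vaddr_to_off(const Elf64_Ehdr *eh, const Elf64_Phdr *ph, uint64_t va) {
    for (int i = 0; i < eh->e_phnum; i++)
        if (ph[i].p_type == PT_LOAD && va >= ph[i].p_vaddr && va < ph[i].p_vaddr + ph[i].p_filesz)
            return (long)(ph[i].p_offset + (va - ph[i].p_vaddr));
    return -1;
}

struct protections checksec_buf(const unsigned char *d, size_t len) {
    struct protections p = {0, 0, 0, 0, 0};
    if (len < sizeof(Elf64_Ehdr)) return p;
    const Elf64_Ehdr *eh = (const Elf64_Ehdr *)d;
    if (memcmp(eh->e_ident, ELFMAG, SELFMAG) != 0 || eh->e_ident[EI_CLASS] != ELFCLASS64 ||
        eh->e_phoff + (uint64_t)eh->e_phnum * sizeof(Elf64_Phdr) > len) return p;
    const Elf64_Phdr *ph = (const Elf64_Phdr *)(d + eh->e_phoff), *dyn = NULL;
    p.valid = 1; p.pie = (eh->e_type == ET_DYN);
    for (int i = 0; i < eh->e_phnum; i++) {
        if (ph[i].p_type == PT_GNU_STACK) p.nx = !(ph[i].p_flags & PF_X);
        else if (ph[i].p_type == PT_GNU_RELRO) p.relro = 1;
        else if (ph[i].p_type == PT_DYNAMIC) dyn = &ph[i];
    }
    if (!dyn || dyn->p_offset + dyn->p_filesz > len) return p;  /* static binary: no dynamic section */
    uint64_t strtab = 0, strsz = 0; int bind_now = 0;
    const Elf64_Dyn *de = (const Elf64_Dyn *)(d + dyn->p_offset);
    for (size_t i = 0; i < dyn->p_filesz / sizeof(Elf64_Dyn) && de[i].d_tag != DT_NULL; i++) {
        if (de[i].d_tag == DT_STRTAB) strtab = de[i].d_un.d_ptr;
        else if (de[i].d_tag == DT_STRSZ) strsz = de[i].d_un.d_val;
        else if (de[i].d_tag == DT_BIND_NOW) bind_now = 1;
        else if (de[i].d_tag == DT_FLAGS && (de[i].d_un.d_val & DF_BIND_NOW)) bind_now = 1;
        else if (de[i].d_tag == DT_FLAGS_1 && (de[i].d_un.d_val & DF_1_NOW)) bind_now = 1;
    }
    if (p.relro == 1 && bind_now) p.relro = 2;   /* Full RELRO = RELRO segment + BIND_NOW */
    long off = strtab ? vaddr_to_off(eh, ph, strtab) : -1;
    if (off >= 0 && (uint64_t)off + strsz <= len) {
        const char *needle = "__stack_chk_fail"; size_t nl = strlen(needle);  /* imported by -fstack-protector code */
        for (size_t i = 0; i + nl <= strsz; i++)
            if (memcmp(d + off + i, needle, nl) == 0) { p.canary = 1; break; }
    }
    return p;
}

/* Constructed sample input (not a runnable program): a tiny ELF64 image with
 * PT_LOAD, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO and a dynamic string table
 * naming __stack_chk_fail, so the parser can be exercised offline. */
struct protections checksec_sample(int exec_stack, int bind_now) {
    static Elf64_Xword img[64];                        /* 512 bytes, 8-byte aligned */
    unsigned char *out = (unsigned char *)img;
    static const char strs[] = "\0__stack_chk_fail";   /* 18 bytes with both NULs */
    uint64_t dyn_off = sizeof(Elf64_Ehdr) + 4 * sizeof(Elf64_Phdr);
    uint64_t str_off = dyn_off + 4 * sizeof(Elf64_Dyn), total = str_off + sizeof strs;
    Elf64_Ehdr eh = {{0}};
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_type = ET_DYN; eh.e_machine = EM_X86_64; eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr); eh.e_phnum = 4;
    Elf64_Phdr ph[4] = {
        {.p_type = PT_LOAD, .p_flags = PF_R, .p_filesz = total, .p_memsz = total},
        {.p_type = PT_DYNAMIC, .p_flags = PF_R | PF_W, .p_offset = dyn_off, .p_vaddr = dyn_off,
         .p_filesz = 4 * sizeof(Elf64_Dyn), .p_memsz = 4 * sizeof(Elf64_Dyn)},
        {.p_type = PT_GNU_STACK, .p_flags = PF_R | PF_W | (exec_stack ? PF_X : 0)},
        {.p_type = PT_GNU_RELRO, .p_flags = PF_R, .p_offset = dyn_off, .p_vaddr = dyn_off,
         .p_filesz = 4 * sizeof(Elf64_Dyn), .p_memsz = 4 * sizeof(Elf64_Dyn)}};
    Elf64_Dyn dyn[4] = {{DT_STRTAB, {str_off}}, {DT_STRSZ, {sizeof strs}},
                        {bind_now ? DT_FLAGS : DT_DEBUG, {bind_now ? DF_BIND_NOW : 0}},
                        {DT_NULL, {0}}};
    memcpy(out, &eh, sizeof eh); memcpy(out + sizeof eh, ph, sizeof ph);
    memcpy(out + dyn_off, dyn, sizeof dyn); memcpy(out + str_off, strs, sizeof strs);
    return checksec_buf(out, (size_t)total);
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";   /* default: inspect ourselves */
    FILE *f = fopen(path, "rb");
    if (!f) { perror(path); return 1; }
    fseek(f, 0, SEEK_END); long sz = ftell(f); rewind(f);
    unsigned char *buf = malloc(sz > 0 ? (size_t)sz : 1);       /* malloc memory is aligned */
    struct protections p = {0, 0, 0, 0, 0};
    if (buf && sz > 0 && fread(buf, 1, (size_t)sz, f) == (size_t)sz) p = checksec_buf(buf, (size_t)sz);
    free(buf); fclose(f);
    if (!p.valid) { fprintf(stderr, "%s: not an ELF64 file\n", path); return 1; }
    printf("PIE: %s  NX: %s  RELRO: %s  Canary: %s\n", p.pie ? "yes" : "no", p.nx ? "yes" : "no",
           p.relro == 2 ? "Full" : p.relro == 1 ? "Partial" : "None", p.canary ? "found" : "not found");
    return 0;
}
```

Build with `gcc -O2 -o minicheck minicheck.c` and run `./minicheck /bin/ls` (or with no argument to inspect its own binary), then compare against pwntools' checksec. The canary check only looks at the dynamic string table, so statically linked binaries report "not found" even when they were built with -fstack-protector; pwntools handles that case by scanning the regular symbol table as well.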

Essential Tools

pwntools

Exploitation

CTF framework and exploit development library. Essential for writing exploits in Python.

Installation

bash
pip install pwntools

GDB + pwndbg

Debugging

Enhanced GDB with exploit development features, heap analysis, and better visualization.

Installation

bash
git clone https://github.com/pwndbg/pwndbg && cd pwndbg && ./setup.sh

Ghidra

Reverse Engineering

NSA's reverse engineering suite. Excellent decompiler for static analysis.

Installation

bash
# Download the release archive from https://ghidra-sre.org/ (requires a Java JDK) and run ./ghidraRun

ROPgadget

ROP

Find ROP gadgets in binaries. Essential for building ROP chains.

Installation

bash
pip install ropgadget

one_gadget

Exploitation

Find "one gadgets" in libc: single addresses that call execve("/bin/sh", ...) when jumped to, provided the register and stack constraints it lists hold at that moment. With a libc leak, one gadget can replace a full ROP chain.

Installation

bash
gem install one_gadget

radare2

Reverse Engineering

Advanced command-line reverse engineering framework (disassembly, patching, scripting).

Installation

bash
# Install from your package manager (e.g. sudo apt install radare2), or build the latest release:
# git clone https://github.com/radareorg/radare2 && radare2/sys/install.sh

Quick Start: Pwntools

exploit.py
python
from pwn import *

# Set architecture (context.binary = ELF('./vuln') would infer it from the file)
context.arch = 'amd64'
context.log_level = 'debug'      # print every byte sent and received

# Connect to a local process or a remote service
# p = process('./vuln')
p = remote('pwn.ctf.com', 1337)  # placeholder host and port

# Create payload: padding up to the saved return address, then the new return address
payload = b'A' * 72           # offset from the buffer to the return address; find it with cyclic()/cyclic_find() in GDB
payload += p64(0xdeadbeef)    # placeholder target; with NX enabled this must be a gadget or function address, not shellcode

# Send payload
p.sendline(payload)

# Interactive shell
p.interactive()

Practice Resources

Recommended practice platforms: pwnable.kr, pwnable.tw, HackTheBox, TryHackMe, and PicoCTF for beginners. Always practice in legal, authorized environments.