Exploit Dev — The Heap
We leave the stack for the glibc heap, where the allocator's own bookkeeping is the attack surface. You will learn chunks…
A format string bug — printf(user_input) instead of printf("%s", user_input) — gives you both an arbitrary memor…
Every chain so far hardcoded addresses, which only works with ASLR off. This is the keystone that makes it work on a real target: …
ret2libc calls one whole function — ROP generalises that to arbitrary computation built from borrowed scraps. A gadget is a few in…
NX kills shellcode on the stack, so stop injecting code and reuse code already there. libc is mapped into every process, executabl…
ret2win only worked because a win() existed. When it does not, you bring your own code. We hand-roll a null-free execve("/bin/sh")…
Return-Oriented Programming (ROP) chains together small existing code sequences ("gadgets") — each ending in RET — to execute arbi…