CS 69.19/269

Basics of Cyber Exploitation

John Berry, Sergey Bratus, Winter 2025

Syllabus

Preliminary syllabus

The class is currently scheduled for the 3B slot.

TAs

Mohamed Dawood

Jonah Weinbaum

Office hours: TBD

What this class is about

There is one undeniable fact about the computing systems we build today: no matter how hard we try, they cast a long shadow of unintended, unexpected, yet reproducible behaviors. The practice of discovering these behaviors and programming them is called exploitation. We will study the patterns and principles of this practice.

Cyber exploitation is an essential discipline for studying what any given system really is and does, as opposed to what people believe it does, and how it can be programmed in unexpected ways. Initially thought to be a mere mix of clever and not-so-clever tricks that second-guessed programmer mistakes, cyber exploitation evolved into a discipline of its own. We will cover its founding examples.

Class materials

To join the class, join the class's “Dojo” at pwn.college.

We will be using Discord for our X hour and other communications. If you don’t have a Discord account or want to use a separate account for this class, please create an account and join our server with this link (updated).

Week 1: Please complete the pwn.college assignments on the Unix shell and OS in the class dojo above.

A Tiny Guide to the x86 Assembly

Depending on your learning style, you may find Chapters 1-3 (skip 3.4) of the following very helpful: Introduction to x86 platforms and x86 assembly language

Intel’s instruction manuals

Week 2: Assembly reading and writing practice

x86 assembly slides – Slides from the 1/9/25 class.

x86 assembly cheatsheet – x86 assembly hints (32 bit version)

GDB debugging cheatsheet – Basic GDB debugger commands

GDB dashboard – Configurable, auto-updated register and assembly displays for GDB

Materials from invited lecture by Travis Goodspeed – see Exhibit 98

Week 3: Assembly, GDB, and Reverse Engineering

Assembly template – Template that we used in class for assembly

syscall reference – Here you can find syscall numbers and register arguments.

x86 assembly slides – Slides from the 1/21/25 class. The challenges were at the end.

Binary Ninja Cloud – Free access to binary ninja via your browser.

Ghidra – Download Ghidra

IDA – Free version of IDA

Challenges

demo-1; demo-2; challenge-1; challenge-2; challenge-3; challenge-4

Subaru Hacking

log4j

Rootkits

Sony rootkit

XZ Utils

Reversing Slides

NASM cheatsheet

Week 4: Memory Corruption

Memory Corruption Slides

Examples

Jonah in class

overflow_local – overflow_local.c

overflow_return – overflow_return.c

overflow_return_with_conditions – overflow_return_with_conditions.c

overflow_return_middle – overflow_return_middle.c

overflow_return_partial – overflow_return_partial.c

overflow_leak – overflow_leak.c; exploit

overflow_address_leak – overflow_address_leak.c; exploit

overflow_canary_leak – overflow_canary_leak.c; exploit

uninit_cookie – uninit.c; exploit

uninit_effect – uninit.c; exploit

Makefile

Teeny Elf – How to make the littlest ELF

Week 6: Shellcoding

Cool ROP exploit demo

Week 7: ROP

In class examples – Tarball of the code, and exploits

ROP slides

Historic inspirations

Once upon a time, there was a series of puzzles for aspiring hackers looking to understand memory corruption in C programs that ran the Internet at that time (and largely still do). This series was exquisitely crafted by Gerardo Richarte (gera), a legendary researcher whose ideas described in short posts to the Bugtraq mailing list had a way of being rediscovered by academics 7–10 years later, in full-length papers.

These exercises were known as ABOs, Advanced Buffer Overflows. They now live at https://github.com/gerasdf/InsecureProgramming.