Set of practical binary exploitation challenges

Vašek Šraier


The following is a set of binary exploitation challenges I have created for the Protab summer camp. The challenges are ordered by difficulty and I recommend going through them in order.

Before we start, just a technical note. Because the buffer overflows in the challenges lead to remote code execution, I really tried to protect my server. The code runs in a small custom Firecracker VM with very limited resources. While I believe the setup is quite secure, if you happen to find a security issue (other than the intended buffer overflows), please report it to me. My contact is at my homepage.

General information about the tasks

To simulate a “real” environment, all tasks can be solved over the network, with the executables running on my server. The communication happens over websockets. I recommend using websocat:

websocat -E --binary wss://

When you complete a challenge, you will always get a flag - usually a random word. You’ll know when you see it.

Task 1

In this task, you will experiment with the most basic buffer overflow exploit and you’ll overwrite an innocent variable.

Recommended way to solve this challenge:

( echo '0123456789abcdef' | xxd -r -p - -; cat ) | websocat -E --binary wss://
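As an added illustration of what Task 1 exercises (this is not the challenge's own source, which is not reproduced here), the C program below places a 16-byte name buffer directly in front of a flag variable, shows how an unchecked copy of an overlong input clobbers that flag, and pairs it with a bounds-checked copy that rejects the same input. The struct layout, the function names and the sample input are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* The "innocent variable next to a buffer" pattern: a 16-byte name
   followed by a flag the program consults. Putting both in one struct
   fixes the adjacency for this demonstration; real programs get the
   same layout from the compiler's stack frame. */
struct frame {
    char name[16];
    uint32_t is_admin;   /* the innocent variable */
};

/* Vulnerable: copies however many bytes the caller hands over and never
   compares len against sizeof f->name, so bytes 16..19 land on is_admin.
   (Written through the struct base so the copy stays within the object.) */
static void copy_name_unsafe(struct frame *f, const unsigned char *in, size_t len) {
    memcpy((unsigned char *)f, in, len);   /* f->name starts at offset 0 */
}

/* Hardened: refuses input that does not fit with its terminating NUL.
   Returns 0 on success, -1 when the input would overflow. */
static int copy_name_safe(struct frame *f, const unsigned char *in, size_t len) {
    if (len >= sizeof f->name) return -1;
    memcpy(f->name, in, len);
    f->name[len] = '\0';
    return 0;
}

/* Value of is_admin after feeding len bytes through the vulnerable path;
   anything non-zero means the overflow reached the flag. */
uint32_t admin_after_unsafe(const unsigned char *in, size_t len) {
    struct frame f = { {0}, 0 };
    copy_name_unsafe(&f, in, len);
    return f.is_admin;
}

/* Same input through the hardened path: is_admin stays 0 ... */
uint32_t admin_after_safe(const unsigned char *in, size_t len) {
    struct frame f = { {0}, 0 };
    copy_name_safe(&f, in, len);
    return f.is_admin;
}

/* ... and the caller learns the input was rejected (1) or accepted (0). */
int safe_rejects(const unsigned char *in, size_t len) {
    struct frame f = { {0}, 0 };
    return copy_name_safe(&f, in, len) != 0;
}

/* Constructed input: 16 filler bytes followed by 4 bytes that land on is_admin. */
static const unsigned char OVERLONG[] = "AAAAAAAAAAAAAAAA\x01\x01\x01\x01";
#define OVERLONG_LEN (sizeof OVERLONG - 1)

int main(void) {
    printf("unsafe: is_admin = 0x%08x\n", admin_after_unsafe(OVERLONG, OVERLONG_LEN));
    printf("safe:   is_admin = 0x%08x, rejected = %d\n",
           admin_after_safe(OVERLONG, OVERLONG_LEN), safe_rejects(OVERLONG, OVERLONG_LEN));
    return 0;
}
```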

Task 2

Pretty much the same task as before, except you won’t get the source code.

Task 3

Your goal here is to overwrite the return pointer. To make it a bit harder, there are also stack canaries present.

Task 4

Same as before, except the getFlag() function now expects an argument with a specific value. Have a look at the System V ABI. Using ROP and a pop register; ret gadget (ropper -f executable), provide the function with the correct argument. Stack canaries are still present.

Task 5

Get a remote shell. Easy, isn’t it? The flag is in the file /flag5.

Resolve the location of the system() function using the memory leak (watch out: libc is loaded at a different address on every run). Use that to construct a payload executing a shell.

These tools might help you:

Task 6

Can you get a remote shell in task 3?