BSidesKC | April 26-27, 2019 | Plexpod Westport: 300 E 39th St, Kansas City, MO 64111

Basic Memory Corruption: Introduction to Stack-based Exploitation

Friday: 9am-5pm

This is a course on basic stack-based exploitation. We'll begin with a review of how memory management works within the IA32 architecture, before diving headfirst into classic attacks such as buffer overflows, format string exploits, and DTOR/GOT overwrites. We'll also learn how to write shellcode and bypass non-executable stacks using return-to-libc attacks. Finally, we'll go over some basic mitigations for the techniques we've learned.
This is meant to be a foundational course that can serve as a jumping-off point for students wishing to learn more advanced topics such as ROP chains, heap sprays, use-after-free, and defeating ASLR.

Workshop Outline:

I. Basic Concepts

I.1. Memory Management
I.2. Assembly
I.3. Recognizing C and C++ Code Constructs in Assembly

II. The IA32 Call Stack

II.1. Buffers
II.2. Lab Exercise: Buffer Overrun
II.3. The Call Stack
II.4. Lab Exercise: Watching the Call Stack in Action
II.5. Functional Control Flow
II.6. Lab Exercise: Functional Control Flow

III. Buffer Overflows

III.1. Basic Buffer Overflows
III.2. Overwriting the Return Address
III.3. Lab Exercise: Overwriting the Return Address
III.4. Taking Control of Execution
III.5. Lab Exercise: Taking Control of Execution
III.6. Executing Arbitrary Code
III.7. NOP Sleds
III.8. Lab Exercise: Privilege Escalation Exploit
III.9. Return to libc: Defeating Non-Executable Stacks
III.10. Lab Exercise: Return to libc Attack

IV. Introduction to Shellcode

IV.1. System Calls
IV.2. Lab Exercise: System Calls
IV.3. Making Our Shellcode Injectable
IV.4. Lab Exercise: Making Our Shellcode Injectable
IV.5. Spawning a Shell
IV.6. Lab Exercise: Spawning a Shell

V. Format String Exploits

V.1. Format Strings
V.2. Format String Bugs
V.3. Format String Denial of Service (DoS) Attacks
V.4. Lab Exercise: Format String Denial of Service (DoS) Attacks
V.5. Format String Information Disclosures
V.6. Lab Exercise: Format String Information Disclosures
V.7. Exploiting Format String Bugs to Execute Arbitrary Code
V.8. Lab Exercise: Exploiting Format String Bugs to Execute Arbitrary Code

Student Requirements:

  • A laptop equipped with VMware or VirtualBox and provisioned with at least 25GB of disk space and 8GB of memory.
  • Prior exposure to C programming, assembly, and basic memory management concepts is highly recommended in order to benefit from this course.

Gabriel Ryan works in offensive security R&D and is a red teamer. He is the author of EAPHammer, a toolkit for performing targeted rogue access point attacks against enterprise wireless networks. Gabriel has presented at DEF CON, DerbyCon, Hackfest, and several Security BSides conferences on topics ranging from infrastructure security to access control protocols and red team tradecraft. His professional interests include wireless security, systems internals, low-level programming, and infrastructure automation.