CS38, Security and Privacy, Spring 2005
The following is a list of short tutorials, HOWTOs
and articles about exploiting buffer oveflow vulnerabilities.
Most of these are non-scholarly in nature, and instead of
taking a broad view of the problem, dive directly into
the details of exploiting a particular architecture.
A point of interest about them is that they, to an extent,
represent the attackers' view and attitude.
Note: Urls on this page do not necessarily point to
the author's page -- in cases when it moved or disappeared,
I am merely pointing to an available copy mirrored by
Note: Shellcoding normally requires some command of the
assembly language of the target platform, and some
debugger experience. Luckily, you can learn as you
read/go along -- see x86 and GDB links below.
Buffer overflows & shellcoding tutorials
- Buffer overflows demystified,
- Designing shellcode demystified,
Also covered by the intro chapter of Shellcoder's Handbook
- Smashing the stack for fun and profit,
This is the classic reference, one HAS to quote it :-)
- Shellcoding for Linux and Windows Tutorial,
Gives a primer on syscalls and Nasm, my assembler of choice.
- Writing shellcode,
Another tutorial, more Nasm and x86 assembly examples
A small neat collection of shellcodes and tutorials. Also has a Debian alert newsfeed.
- Shellcode Assembly: Smashing the Mac for Fun and Profit,
This is for PowerPC/OS X (Darwin).
Format string vulns
- Basic integer overflows,
If-branching based on comparison of signed and unsigned integers gives rise to a class of vulnerabilities often left in the code by novice or even experienced C programmers. This Phrack paper has elementary examples and useful discussion.
Return to libc
This technique is used when the stack memory pages are marked
non-executable (e.g., ExecShield, used by Fedora Core). The idea
is that all the code that the attacker wants executed is likely
already contained in the process address space (e.g., in loaded
lobraries) or, as an advanced technique, can be loaded into it
by the OS dynamic loader, on demand! All that is needed is to
skillfully construct the stack frames to point to the desired
This technique can be thwarted by randomizing the addresses
at which the libraries load in each process, but this only
complicates the attack, but does not preclude it. The PaX Linux kernel
patch provides both the non-executable stack protection and
and address space randomization. The article below deals with
- The advanced return-into-lib(c) exploits: PaX case study.,
Useful recap of return-to-libc exploits. The dynamic loading part is a bit dense; Levin's book will help to understand it.
Using GDB and other UNIX tools
There are plenty of GDB tutorials on the web. Please let me
know if you find a good one.
Exploiting vulnerabilities, next level
- Insecure Programming by example,
Short examples of exploitable C code: simple unchecked buffers to overflow, format string vulnerabilities, and more. Good example of a "hacker homework".
- badc0ded collection of documents on exploits,
Many bits of technical info, in no particular order.
The free framework for developing shellcodes. A number of packaged exploits ready to run and yield shell. Professional tools like this (CoreImpact, Canvas) cost >10000+ .
x86 Assembly language
- A Tiny Guide to Programming in 32-bit x86 Assembly Language,
Very useful intro to x86 assembly, exactly the kind needed for shellcode. Also details the function call convention (the layout of the structures created by a function call on the stack -- this layout is the target of "stack smashing"). Recommended reading for shellcode intro.
- PC Assembly Language,
This is a free textbook created by the author for teaching x86 assembly. It complements Bob Neveln's book (see Books), which spends most of its energy demystifying the PC hardware. Use this as a reference. Has a Nasm tutorial and examples.
- www.linuxassembly.org tutorials,
Look the the "nasm" links. There are a better start than the full Nasm manual below.
- Nasm examples,
Useful examples, lovely design.
- The Netwide Assembler: NASM,
Nasm is my recommended assembler for shellcoding work. This is the Nasm manual. Skim the examples, you will not need the full power of Nasm (it can do pretty elaborate macro substitutions etc, at times resembling a real compiler).
- Appendix B of the above, the x86 instructions reference,
Intel's x86 assembly instructions are many and varied. They are also very confusing, because every instruction has special forms for all the backwards compatibility modes that an x86 processor supports. Luckily, you don't need many instructions to write meaningful shellcode, and you can always look up others that you encounter on the web (just googling for them works).
- Startup state of Linux/i386 ELF binary,
Konstantin Boldyshev (of http://linuxassembly.org/)
Details on how programs are launched on Linux, particularly what the memory layout looks like.
- Calling conventions on the x86 platform,
A short summary of various x86 calling conventions
|If you look for free x86 assembly references on the web, you|
will most likely discover Randall Hyde's voluminous (1000+ pages)
books. These books are not very helpful for learning assembly
hacking, because they often omit "unnecessary" details and
are oriented towards the author's own High Level Assembly language.
Back to Dartmouth CS Home Page