# Binary Exploitation

- [Stack](https://ir0nstone.gitbook.io/notes/binexp/stack.md)
  - [Introduction](https://ir0nstone.gitbook.io/notes/binexp/stack/introduction.md): An introduction to binary exploitation
  - [ret2win](https://ir0nstone.gitbook.io/notes/binexp/stack/ret2win.md): The most basic binexp challenge
  - [De Bruijn Sequences](https://ir0nstone.gitbook.io/notes/binexp/stack/de-bruijn-sequences.md): The better way to calculate offsets
  - [Shellcode](https://ir0nstone.gitbook.io/notes/binexp/stack/shellcode.md): Running your own code
  - [NOPs](https://ir0nstone.gitbook.io/notes/binexp/stack/nops.md): More reliable shellcode exploits
  - [32- vs 64-bit](https://ir0nstone.gitbook.io/notes/binexp/stack/32-vs-64-bit.md): The differences between the sizes
  - [No eXecute](https://ir0nstone.gitbook.io/notes/binexp/stack/no-execute.md): The defence against shellcode
  - [Return-Oriented Programming](https://ir0nstone.gitbook.io/notes/binexp/stack/return-oriented-programming.md): Bypassing NX
    - [Calling Conventions](https://ir0nstone.gitbook.io/notes/binexp/stack/return-oriented-programming/calling-conventions.md): A more in-depth look into parameters for 32-bit and 64-bit programs
    - [Gadgets](https://ir0nstone.gitbook.io/notes/binexp/stack/return-oriented-programming/gadgets.md): Controlling execution with snippets of code
    - [Exploiting Calling Conventions](https://ir0nstone.gitbook.io/notes/binexp/stack/return-oriented-programming/exploiting-calling-conventions.md): Utilising calling conventions
    - [ret2libc/ret2system](https://ir0nstone.gitbook.io/notes/binexp/stack/return-oriented-programming/ret2libc.md): The standard ROP exploit
    - [Stack Alignment](https://ir0nstone.gitbook.io/notes/binexp/stack/return-oriented-programming/stack-alignment.md): A minor issue
  - [Format String Bug](https://ir0nstone.gitbook.io/notes/binexp/stack/format-string.md): Reading memory off the stack
  - [Stack Canaries](https://ir0nstone.gitbook.io/notes/binexp/stack/canaries.md): The buffer overflow defence
  - [PIE](https://ir0nstone.gitbook.io/notes/binexp/stack/pie.md): Position Independent Executables
    - [Pwntools, PIE and ROP](https://ir0nstone.gitbook.io/notes/binexp/stack/pie/pwntools-pie-and-rop.md)
    - [PIE Bypass with Given Leak](https://ir0nstone.gitbook.io/notes/binexp/stack/pie/pie-exploit.md): Exploiting PIE with a given leak
    - [PIE Bypass](https://ir0nstone.gitbook.io/notes/binexp/stack/pie/pie-bypass.md): Using a format string bug
  - [ASLR](https://ir0nstone.gitbook.io/notes/binexp/stack/aslr.md): Address Space Layout Randomisation
    - [ASLR Bypass with Given Leak](https://ir0nstone.gitbook.io/notes/binexp/stack/aslr/aslr-bypass-with-given-leak.md)
    - [PLT and GOT](https://ir0nstone.gitbook.io/notes/binexp/stack/aslr/plt_and_got.md): Bypassing ASLR
    - [ret2plt ASLR bypass](https://ir0nstone.gitbook.io/notes/binexp/stack/aslr/ret2plt-aslr-bypass.md)
  - [Virtual Addresses and Virtual Memory](https://ir0nstone.gitbook.io/notes/binexp/stack/virtual-addresses-and-virtual-memory.md)
  - [GOT Overwrite](https://ir0nstone.gitbook.io/notes/binexp/stack/got-overwrite.md): Hijacking functions
    - [Exploiting a GOT overwrite](https://ir0nstone.gitbook.io/notes/binexp/stack/got-overwrite/exploiting-a-got-overwrite.md)
  - [RELRO](https://ir0nstone.gitbook.io/notes/binexp/stack/relro.md): Relocation Read-Only
  - [Reliable Shellcode](https://ir0nstone.gitbook.io/notes/binexp/stack/reliable-shellcode.md): Shellcode, but without the guesswork
    - [ROP and Shellcode](https://ir0nstone.gitbook.io/notes/binexp/stack/reliable-shellcode/rop-and-shellcode.md)
    - [Using RSP](https://ir0nstone.gitbook.io/notes/binexp/stack/reliable-shellcode/using-rsp.md)
    - [ret2reg](https://ir0nstone.gitbook.io/notes/binexp/stack/reliable-shellcode/ret2reg.md): Using registers to bypass ASLR
      - [Using ret2reg](https://ir0nstone.gitbook.io/notes/binexp/stack/reliable-shellcode/ret2reg/using-ret2reg.md)
  - [One Gadgets and Malloc Hook](https://ir0nstone.gitbook.io/notes/binexp/stack/one-gadgets-and-malloc-hook.md): Quick shells and pointers
  - [Syscalls](https://ir0nstone.gitbook.io/notes/binexp/stack/syscalls.md): Interfacing directly with the kernel
    - [Exploitation with Syscalls](https://ir0nstone.gitbook.io/notes/binexp/stack/syscalls/exploitation-with-syscalls.md)
    - [Sigreturn-Oriented Programming (SROP)](https://ir0nstone.gitbook.io/notes/binexp/stack/syscalls/sigreturn-oriented-programming-srop.md): Controlling all registers at once
      - [Using SROP](https://ir0nstone.gitbook.io/notes/binexp/stack/syscalls/sigreturn-oriented-programming-srop/using-srop.md)
  - [ret2dlresolve](https://ir0nstone.gitbook.io/notes/binexp/stack/ret2dlresolve.md): Resolving our own libc functions
    - [Exploitation](https://ir0nstone.gitbook.io/notes/binexp/stack/ret2dlresolve/exploitation.md)
  - [ret2csu](https://ir0nstone.gitbook.io/notes/binexp/stack/ret2csu.md): Controlling registers when gadgets are lacking
    - [Exploitation](https://ir0nstone.gitbook.io/notes/binexp/stack/ret2csu/exploitation.md)
    - [CSU Hardening](https://ir0nstone.gitbook.io/notes/binexp/stack/ret2csu/csu-hardening.md)
  - [Exploiting over Sockets](https://ir0nstone.gitbook.io/notes/binexp/stack/exploiting-over-sockets.md): File descriptors and sockets
    - [Exploit](https://ir0nstone.gitbook.io/notes/binexp/stack/exploiting-over-sockets/exploit.md): Duplicating the descriptors
    - [Socat](https://ir0nstone.gitbook.io/notes/binexp/stack/exploiting-over-sockets/socat.md): More on socat
  - [Forking Processes](https://ir0nstone.gitbook.io/notes/binexp/stack/forking-processes.md): Flaws with fork()
  - [Stack Pivoting](https://ir0nstone.gitbook.io/notes/binexp/stack/stack-pivoting.md): Lack of space for ROP
    - [Exploitation](https://ir0nstone.gitbook.io/notes/binexp/stack/stack-pivoting/exploitation.md): Stack pivoting
      - [pop rsp](https://ir0nstone.gitbook.io/notes/binexp/stack/stack-pivoting/exploitation/pop-rsp.md): Using a `pop rsp` gadget to stack pivot
      - [leave](https://ir0nstone.gitbook.io/notes/binexp/stack/stack-pivoting/exploitation/leave.md): Using `leave; ret` to stack pivot
  - [Pointer Authentication](https://ir0nstone.gitbook.io/notes/binexp/stack/pointer-authentication.md): An Arm hardware protection to combat ROP
  - [Memory Tagging Extension (MTE)](https://ir0nstone.gitbook.io/notes/binexp/stack/memory-tagging-extension-mte.md): Arm's MTE hardware protection
  - [Memory Integrity Enforcement](https://ir0nstone.gitbook.io/notes/binexp/stack/memory-integrity-enforcement.md)
- [Heap](https://ir0nstone.gitbook.io/notes/binexp/heap.md): Still learning :)
  - [Introduction to the Heap](https://ir0nstone.gitbook.io/notes/binexp/heap/introduction-to-the-heap.md)
  - [Chunks](https://ir0nstone.gitbook.io/notes/binexp/heap/chunks.md)
  - [Freeing Chunks and the Bins](https://ir0nstone.gitbook.io/notes/binexp/heap/bins.md)
    - [Operations of the Fastbin](https://ir0nstone.gitbook.io/notes/binexp/heap/bins/operations-of-the-fastbin.md)
    - [Operations of the Other Bins](https://ir0nstone.gitbook.io/notes/binexp/heap/bins/chunk-allocation-and-reallocation.md)
  - [The Top Chunk and Remainder](https://ir0nstone.gitbook.io/notes/binexp/heap/the-top-chunk-and-remainder.md): Creating more heap space
  - [Malloc State](https://ir0nstone.gitbook.io/notes/binexp/heap/malloc-state.md)
  - [malloc\_consolidate()](https://ir0nstone.gitbook.io/notes/binexp/heap/malloc_consolidate.md): Consolidating fastbins
  - [Heap Overflow](https://ir0nstone.gitbook.io/notes/binexp/heap/heap-overflow.md)
    - [heap0](https://ir0nstone.gitbook.io/notes/binexp/heap/heap-overflow/heap0.md): http://exploit.education/phoenix/heap-zero/
    - [heap1](https://ir0nstone.gitbook.io/notes/binexp/heap/heap-overflow/heap1.md): http://exploit.education/phoenix/heap-one/
  - [Use-After-Free](https://ir0nstone.gitbook.io/notes/binexp/heap/use-after-free.md)
  - [Double-Free](https://ir0nstone.gitbook.io/notes/binexp/heap/double-free.md)
    - [Double-Free Protections](https://ir0nstone.gitbook.io/notes/binexp/heap/double-free/double-free-protections.md)
    - [Double-Free Exploit](https://ir0nstone.gitbook.io/notes/binexp/heap/double-free/double-free-exploit.md)
  - [Unlink Exploit](https://ir0nstone.gitbook.io/notes/binexp/heap/unlink-exploit.md)
  - [The Tcache](https://ir0nstone.gitbook.io/notes/binexp/heap/the-tcache.md): New and efficient heap management
    - [Tcache: calloc()](https://ir0nstone.gitbook.io/notes/binexp/heap/the-tcache/tcache-calloc.md)
    - [Tcache Poisoning](https://ir0nstone.gitbook.io/notes/binexp/heap/the-tcache/tcache-poisoning.md): Reintroducing double-frees
  - [The Malloc Maleficarum](https://ir0nstone.gitbook.io/notes/binexp/heap/the-malloc-maleficarum.md): The first heap exploits
    - [The House of Force](https://ir0nstone.gitbook.io/notes/binexp/heap/the-malloc-maleficarum/the-house-of-force.md): Exploiting the wilderness
  - [Tcache Keys](https://ir0nstone.gitbook.io/notes/binexp/heap/tcache-keys.md): A primitive double-free protection
  - [Safe Linking](https://ir0nstone.gitbook.io/notes/binexp/heap/safe-linking.md)
- [Kernel](https://ir0nstone.gitbook.io/notes/binexp/kernel.md)
  - [Introduction](https://ir0nstone.gitbook.io/notes/binexp/kernel/introduction.md)
  - [Writing a Char Module](https://ir0nstone.gitbook.io/notes/binexp/kernel/writing-a-char-module.md)
    - [An Interactive Char Driver](https://ir0nstone.gitbook.io/notes/binexp/kernel/writing-a-char-module/a-communicatable-char-driver.md)
    - [Interactivity with IOCTL](https://ir0nstone.gitbook.io/notes/binexp/kernel/writing-a-char-module/interactivity-with-ioctl.md): A more useful way to interact with the driver
  - [A Basic Kernel Interaction Challenge](https://ir0nstone.gitbook.io/notes/binexp/kernel/a-basic-kernel-interaction-challenge.md)
  - [Compiling, Customising and Booting the Kernel](https://ir0nstone.gitbook.io/notes/binexp/kernel/compiling-customising-and-booting-the-kernel.md): Instructions for compiling the kernel with your own settings, as well as compiling kernel modules for a specific kernel version
  - [Double-Fetch](https://ir0nstone.gitbook.io/notes/binexp/kernel/double-fetch.md): The simplest of vulnerabilities
    - [Double-Fetch without Sleep](https://ir0nstone.gitbook.io/notes/binexp/kernel/double-fetch/double-fetch-without-sleep.md): Removing the artificial sleep
  - [The Ultimate Aim of Kernel Exploitation - Process Credentials](https://ir0nstone.gitbook.io/notes/binexp/kernel/the-ultimate-aim-of-kernel-exploitation-process-credentials.md)
  - [Kernel ROP - ret2usr](https://ir0nstone.gitbook.io/notes/binexp/kernel/kernel-rop-ret2usr.md): ROPpety boppety, but now in the kernel
  - [Debugging a Kernel Module](https://ir0nstone.gitbook.io/notes/binexp/kernel/debugging-a-kernel-module.md): A practical example
  - [SMEP](https://ir0nstone.gitbook.io/notes/binexp/kernel/smep.md): Supervisor Mode Execution Prevention
    - [Kernel ROP - Disabling SMEP](https://ir0nstone.gitbook.io/notes/binexp/kernel/smep/kernel-rop-disabling-smep.md): An old technique
    - [Kernel ROP - Privilege Escalation in Kernel Space](https://ir0nstone.gitbook.io/notes/binexp/kernel/smep/kernel-rop-privilege-escalation-in-kernel-space.md): Bypassing SMEP by ROPping through the kernel
    - [Kernel ROP - Stack Pivoting](https://ir0nstone.gitbook.io/notes/binexp/kernel/smep/kernel-rop-stack-pivoting.md)
  - [SMAP](https://ir0nstone.gitbook.io/notes/binexp/kernel/smap.md): Supervisor Mode Access Prevention
  - [Overwriting modprobe\_path](https://ir0nstone.gitbook.io/notes/binexp/kernel/modprobe_path.md): A simple way to pop a shell
  - [KASLR](https://ir0nstone.gitbook.io/notes/binexp/kernel/kaslr.md)
  - [KPTI](https://ir0nstone.gitbook.io/notes/binexp/kernel/kpti.md): Kernel Page Table Isolation
  - [Kernel Heap](https://ir0nstone.gitbook.io/notes/binexp/kernel/page.md): The pain of it all
  - [Heap Structures](https://ir0nstone.gitbook.io/notes/binexp/kernel/heap-structures.md)
  - [TODO](https://ir0nstone.gitbook.io/notes/binexp/kernel/todo.md): Random things I want to mention somewhere, but too small for their own page
- [Browser Exploitation](https://ir0nstone.gitbook.io/notes/binexp/browser-exploitation.md)
  - [\*CTF 2019 - oob-v8](https://ir0nstone.gitbook.io/notes/binexp/browser-exploitation/ctf-2019-oob-v8.md): Setting up
    - [The Challenge](https://ir0nstone.gitbook.io/notes/binexp/browser-exploitation/ctf-2019-oob-v8/the-challenge.md): The actual challenge
  - [picoCTF 2021 - Kit Engine](https://ir0nstone.gitbook.io/notes/binexp/browser-exploitation/picoctf-2021-kit-engine.md): A lesson in floating-point form
  - [picoCTF 2021 - Download Horsepower](https://ir0nstone.gitbook.io/notes/binexp/browser-exploitation/picoctf-2021-download-horsepower.md): Another OOB, but with pointer compression
  - [Browser Architecture](https://ir0nstone.gitbook.io/notes/binexp/browser-exploitation/browser-architecture.md): A look at how browsers work under the hood
    - [Operation of the Renderer](https://ir0nstone.gitbook.io/notes/binexp/browser-exploitation/browser-architecture/operation-of-the-renderer.md): How the renderer process works
  - [An Introduction to Turbofan](https://ir0nstone.gitbook.io/notes/binexp/browser-exploitation/an-introduction-to-turbofan.md): V8's optimising compiler
    - [A Typer Bug](https://ir0nstone.gitbook.io/notes/binexp/browser-exploitation/an-introduction-to-turbofan/a-typer-bug.md): One of my favourites
- [Memory Safety](https://ir0nstone.gitbook.io/notes/binexp/memory-safety.md): Languages like Rust and Swift claim to be "memory-safe". What does that mean?
  - [C++ Smart Pointers](https://ir0nstone.gitbook.io/notes/binexp/memory-safety/c++-smart-pointers.md): C++'s foray into memory safety
  - [RAII (Resource Acquisition Is Initialization)](https://ir0nstone.gitbook.io/notes/binexp/memory-safety/raii-resource-acquisition-is-initialization.md)
  - [Garbage Collection](https://ir0nstone.gitbook.io/notes/binexp/memory-safety/garbage-collection.md)
    - [Tracing Garbage Collection](https://ir0nstone.gitbook.io/notes/binexp/memory-safety/garbage-collection/tracing-garbage-collection.md)
    - [Automatic Reference Counting](https://ir0nstone.gitbook.io/notes/binexp/memory-safety/garbage-collection/automatic-reference-counting.md): Apple's preferred approach to automatic memory management
  - [Rust](https://ir0nstone.gitbook.io/notes/binexp/memory-safety/rust.md): The poster child for memory safety
  - [Python (and C#, Java)](https://ir0nstone.gitbook.io/notes/binexp/memory-safety/python-and-c-java.md)
  - [Swift](https://ir0nstone.gitbook.io/notes/binexp/memory-safety/swift.md): Swift uses ARC exclusively. How does it fix the problems that arise without a tracing garbage collector?
  - [Sandboxing](https://ir0nstone.gitbook.io/notes/binexp/memory-safety/sandboxing.md)
- [Dynamic Binary Instrumentation](https://ir0nstone.gitbook.io/notes/binexp/dynamic-binary-instrumentation.md): Manipulating programs without the source
