Skip to main content
Binary exploitation covers the craft of finding and abusing memory-corruption vulnerabilities in compiled programs to redirect execution, leak data, or gain arbitrary code execution. This section walks through the most important primitives and protections you will encounter.

What is binary exploitation?

When a program mishandles memory — reads or writes past the end of a buffer, uses freed memory, or misinterprets attacker-controlled data — an attacker may be able to overwrite sensitive structures such as return addresses, function pointers, or heap metadata to redirect execution flow. The core goal is almost always the same: control the instruction pointer (EIP/RIP on x86, LR/PC on ARM) so arbitrary code runs in the context of the target process.

Key vulnerability classes

Stack Overflow

Writing past the end of a stack buffer, overwriting the saved return address and achieving control flow hijacking.

Return-Oriented Programming

Chaining existing code gadgets to build arbitrary computation without injecting new code.

Heap Exploitation

Abusing allocator internals — use-after-free, double-free, and bin attacks — to redirect execution or corrupt data.

Format String

Exploiting unchecked printf-family calls to read from or write to arbitrary memory addresses. See stack-based techniques for exploitation primitives.

Common binary protections

Modern toolchains and operating systems ship several mitigations. Understanding them is prerequisite to defeating them.
A randomised value placed between the local variables and the saved return address. Before the function returns, the runtime checks that the canary is intact. Any linear stack overflow that overwrites the return address will corrupt the canary and trigger an abort.Bypasses: information leak to read the canary, bruteforcing in forking servers (one byte at a time), or exploits that skip the canary entirely (e.g., format strings targeting the return address directly).
The OS randomises the base addresses of the stack, heap, and shared libraries on each execution. Without knowing where code lives an attacker cannot hardcode gadget addresses.Bypasses: information leaks (format strings, partial overwrites), brute force (32-bit), or targets with ASLR disabled.
Pages are marked either writable or executable but not both. Shellcode placed on the stack cannot be directly executed.Bypass: Return-Oriented Programming (ROP) — reuse existing executable code.
The main binary itself is loaded at a randomised base address (like a shared library), extending ASLR to the executable’s own code and GOT.Bypasses: information leak of a code pointer, partial overwrites using only the low bytes of an address.
Full RELRO makes the GOT (Global Offset Table) read-only after dynamic linking, preventing overwrite attacks that redirect PLT calls.Partial RELRO only protects some segments; full RELRO is the stronger form.

Enabling core dumps for debugging

When developing or analysing an exploit, core files capture the exact memory state of a crashed process. 
# Allow unlimited core dump size for the current session
ulimit -c unlimited

# Analyse a core file with GDB
gdb /path/to/binary /path/to/core_file
For a persistent setting, add the following to /etc/security/limits.conf: 
* soft core unlimited

Exploit development workflow

1

Identify the vulnerability

Fuzz the target, review source code, or reverse engineer to find where user input can overflow a buffer, trigger a use-after-free, or cause another memory error.
2

Determine what you control

Work out which registers or memory locations you can influence and to what extent. A De Bruijn sequence (cyclic pattern) is the standard way to measure the exact offset to the return address.
3

Audit protections

Run checksec on the binary to enumerate enabled mitigations.
checksec --file=./target
4

Plan a bypass chain

Select the appropriate technique for the protection set: ROP for NX, info-leak for ASLR/PIE, heap grooming for canary bypass in forking servers, and so on.
5

Write and iterate the exploit

Use pwntools to automate interaction, build ROP chains, and pack addresses. Test locally then adapt for the remote target.

Essential tools

ToolPurpose
pwntoolsPython exploit-development framework — packing, ROP, process/socket interaction
GDB + GEF / pwndbgDynamic analysis with heap visualisation and pattern generation
ROPgadget / ropperStatic gadget search in ELF binaries and libraries
checksecEnumerate binary protections
ltrace / straceTrace library and system calls at runtime
Ghidra / IDAReverse engineering and static analysis
All the techniques in this section assume a Linux/ELF target unless stated otherwise. Windows exploitation (SEH overflows, WoW64, kernel) is covered under the platform-specific pages.

Build docs developers (and LLMs) love

Get started for freeTalk to us