
Binary Exploitation — Fuzz to Working Exploit.

End-to-end memory-corruption pipeline: corruption classes, fuzzing-driven crash discovery, mitigation tradeoffs per stage, and the Windows internals with offensive relevance.

Corruption classes

  • Stack buffer overflow. Classic strcpy on stack array. Defenses: stack canary, ASLR, NX. Still exploitable with info-leak + ROP.
  • Heap buffer overflow. Overflow into adjacent chunk's metadata or into adjacent object's pointer/vtable. Modern hardened allocators (mimalloc, scudo, jemalloc with shadow chunks) raise the bar.
  • Use-after-free. Free, then dereference. Reclaim controlled data into the freed slot, fake vtable, hijack control flow on next virtual call. Mitigated by MarkUs / GarbageCollector-style allocators in browsers.
  • Type confusion. Object treated as different type than its actual layout. Common in JIT engines; primitive for arbitrary R/W via fake array length.
  • Double-free. Free same chunk twice; tcache or fastbin poisoning gives arbitrary write. glibc 2.27+ has tcache double-free check.
  • Integer overflow. malloc(n * sizeof(x)) where n * sizeof(x) overflows; small allocation, large copy.
  • Format string. printf(user_input) with no format string. %n writes; %s reads. Rare in modern code thanks to compiler warnings.
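To illustrate the integer-overflow class above, an added example that is not from the original page: the wrapping size computation beside a checked version. The names naive_array_size, checked_array_size and alloc_array are chosen here, and the element count is constructed so that the multiplication wraps to exactly zero.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Vulnerable pattern: n * elem_size is computed in size_t and silently
 * wraps. A huge n therefore yields a tiny (here: zero-byte) allocation,
 * and a later loop that writes n elements runs far past its end. */
size_t naive_array_size(size_t n, size_t elem_size) {
    return n * elem_size;
}

/* Hardened form: reject the request before the wrap can happen.
 * Returns 1 and stores the byte count in *out, or 0 on overflow. */
int checked_array_size(size_t n, size_t elem_size, size_t *out) {
    if (elem_size != 0 && n > SIZE_MAX / elem_size)
        return 0;                /* n * elem_size would not fit in size_t */
    *out = n * elem_size;
    return 1;
}

/* Allocation helper built on the check: NULL on overflow or on OOM,
 * so a caller can never receive an undersized buffer. */
void *alloc_array(size_t n, size_t elem_size) {
    size_t bytes;
    if (!checked_array_size(n, elem_size, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void) {
    /* Constructed count: huge * 16 == 2^64 on a 64-bit size_t, which wraps to 0. */
    size_t huge = SIZE_MAX / 16 + 1;
    printf("naive size for %zu x 16 bytes: %zu\n", huge, naive_array_size(huge, 16));
    printf("checked alloc returns %s\n", alloc_array(huge, 16) ? "a buffer" : "NULL");
    return 0;
}
```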

Fuzzing — discovery to triage

  • AFL++ for grey-box. Compile target with afl-cc; corpus seed → coverage-guided mutation. Add ASAN-instrumented build for cleaner crash signal.
  • libFuzzer for in-process. Per-function harness; faster per iteration than AFL. Best for library APIs.
  • Honggfuzz for kernel / hardware-assisted. Hardware perf-counter coverage. Good when source-level instrumentation isn't available.
  • Crash triage.
    • ASAN report → classification (heap-buffer-overflow, use-after-free, etc.).
    • Minimize input — afl-tmin / libFuzzer's -minimize_crash=1.
    • Reproduce under gdb / rr / time-travel debugger. rr particularly valuable: record once, walk forward and back to find root cause.
    • Categorize: control-flow-hijackable, info-leak, DoS-only. Only the first two are primary exploitation targets.

Exploitation pipeline — crash to working RCE

  1. Establish primitives. Arbitrary read, arbitrary write, control of PC, control of stack pivot, control of a function pointer.
  2. Defeat ASLR. Info leak primitive → leak a libc/binary address → compute base.
  3. Defeat DEP/NX. ROP chain. ROPgadget, ropper, one_gadget for single-call magic gadgets.
  4. Defeat stack canary. Lowest byte is zero on Linux; leak via partial overwrite, or brute-force one byte at a time against a fork-server.
  5. Defeat CFG (Windows) / CET (Intel).
    • CFG checks indirect calls against valid-target bitmap. Bypass: find valid target that lets you continue control flow attacker-favorably, or attack the bitmap itself.
    • CET (shadow stack) detects ROP via return-mismatch. Bypass: JOP via indirect jumps not protected by shadow stack, or attack systems that don't enforce shadow stack.
  6. Execute payload. Spawn shell (Linux), Reverse TCP (Windows). Or open registry / token / process for privilege.

Windows internals — offensive relevance

  • Object Manager. Named kernel objects live in namespace (\BaseNamedObjects, \Sessions\N). Symbolic link abuse: create symlink in user-controllable namespace pointing to privileged target, then privileged process resolves through it.
  • Token mechanics. SeImpersonatePrivilege + service that connects to attacker-controlled named pipe → impersonate SYSTEM-context client. PrintSpoofer, RemotePotato chain on this.
  • Kernel callbacks. EDR drivers register callbacks via PsSetCreateProcessNotifyRoutineEx, ObRegisterCallbacks. From kernel exploit primitive (e.g., signed-driver-load) the callback list can be unhooked to blind EDR.
  • HVCI / VBS. Hypervisor-Enforced Code Integrity blocks unsigned kernel code execution. Bypass requires vulnerable signed driver that performs attacker-controlled read/write — BYOVD pattern.

Rule of thumb

The exploit-development bottleneck has shifted upward: the bug is the easy part on modern hardened targets; chaining primitives past CFI/CET/HVCI is the long pole. Budget your time accordingly — 20% finding the bug, 80% turning it into something reliable.
