{"id":13781941,"url":"https://github.com/RPISEC/MBE","last_synced_at":"2025-05-11T15:32:07.820Z","repository":{"id":38375164,"uuid":"37784277","full_name":"RPISEC/MBE","owner":"RPISEC","description":"Course materials for Modern Binary Exploitation by RPISEC","archived":false,"fork":false,"pushed_at":"2021-12-09T17:20:50.000Z","size":355,"stargazers_count":5633,"open_issues_count":11,"forks_count":894,"subscribers_count":348,"default_branch":"master","last_synced_at":"2025-04-02T05:44:12.806Z","etag":null,"topics":["ctf","exploitation","wargame"],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/RPISEC.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2015-06-20T20:12:04.000Z","updated_at":"2025-03-31T09:13:45.000Z","dependencies_parsed_at":"2022-07-12T02:17:24.376Z","dependency_job_id":null,"html_url":"https://github.com/RPISEC/MBE","commit_stats":null,"previous_names":[],"tags_count":2,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RPISEC%2FMBE","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RPISEC%2FMBE/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RPISEC%2FMBE/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RPISEC%2FMBE/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/RPISEC","download_url":"https://codeload.github.com/RPISEC/MBE/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253588634,"owners
_count":21932291,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ctf","exploitation","wargame"],"created_at":"2024-08-03T18:01:31.068Z","updated_at":"2025-05-11T15:32:06.942Z","avatar_url":"https://github.com/RPISEC.png","language":"C","readme":"# Modern Binary Exploitation - CSCI 4968\nThis repository contains the materials as developed and used by [RPISEC](http://rpis.ec) to\nteach Modern Binary Exploitation at [Rensselaer Polytechnic Institute](http://rpi.edu) in\nSpring 2015. This was a university course developed and run solely by students to teach\nskills in vulnerability research, reverse engineering, and binary exploitation.\n\n\u003cp align=\"center\"\u003e\n\u003cimg width=\"600px\" src=\"/resources/images/mbe.jpg\" alt=\"MBE\"/\u003e\n\u003c/p\u003e\n\n## About the Course\n\nVulnerability research \u0026 exploit development is something totally outside the bounds of what\nyou see in a normal computer science curriculum, but central to a lot of what we RPISEC\nmembers find ourselves doing in our free time. We also find that subjects in offensive\nsecurity tend to have a stigma around them in university that we would like to help shake\noff. 
These are practical, applied skills that we're excited to share with those interested\nin learning.\n\nThe question this course posed was _'Can we teach a bunch of programmers how to pwn?'_\n\n**Course website:** [http://security.cs.rpi.edu/courses/binexp-spring2015/](https://web.archive.org/web/20210710080726/http://security.cs.rpi.edu/courses/binexp-spring2015/)\n\n**Syllabus:** [http://security.cs.rpi.edu/courses/binexp-spring2015/Syllabus.pdf](https://web.archive.org/web/20210413214448/http://security.cs.rpi.edu/courses/binexp-spring2015/Syllabus.pdf)\n\n### Course Abstract\n\n\u003e_Cybersecurity is one of the fastest growing fields in computer science, though its study is rarely covered in academia due to its rapid pace of development and its technical specificity. Modern Binary Exploitation will focus on teaching practical offensive security skills in binary exploitation and reverse engineering. Through a combination of interactive lectures, hands on labs, and guest speakers from industry, the course will offer students a rare opportunity to explore some of the most technically involved and fascinating subjects in the rapidly evolving field of security._\n\n\u003e_The course will start off by covering basic x86 reverse engineering, vulnerability analysis, and classical forms of Linux-based userland binary exploitation. It will then transition into protections found on modern systems (Canaries, DEP, ASLR, RELRO, Fortify Source, etc) and the techniques used to defeat them. Time permitting, the course will also cover other subjects in exploitation including kernel-land and Windows based exploitation._\n\n### Prerequisite Knowledge\nThis course carried a prereq of\n[Computer Organization - CSCI 2500](http://catalog.rpi.edu/preview_course_nopop.php?catoid=10\u0026coid=16571)\nat RPI. 
Computer Organization is RPI's basic computer architecture course that teaches\nthings like C, MIPS assembly, x86 assembly, Datapaths, CPU Pipelining, CPU Caching,\nMemory Mapping, etc.\n\nOur expected demographic for Modern Binary Exploitation was students with zero reverse\nengineering or binary exploitation knowledge. That said, to be able to take this course\nyou will probably need at least the following skills.\n* Working knowledge of C/C++\n* Any assembly level experience\n* Basic Linux command line experience\n\n### Lecture Breakdown\nLecture | Title | Topics\n------- | ----- | ------\n01 | Syllabus and Review | Linux, C, x86\n02 | Introduction to Reverse Engineering | Tools and the VM\n03 | Extended Reverse Engineering | GDB \u0026 IDA\n04 | Intro to Memory Corruption | ELF, the stack, calling conventions, buffer overflows\n05 | Shellcoding / Code Injection | Writing shellcode, developing scenario relevant payloads\n06 | Format String Vulnerabilities | Format strings, DTOR/GOT overwrites\n07 | DEP and ROP | Data Execution Prevention, writing ROP chains, ret2libc\n08 | Secure Systems and Game Console Exploitation | OpenBSD, SELinux, GRSEC, Game Console Exploitation\n09 | Address Space Layout Randomization (ASLR) | Overview, info leaks, partial overwrites, ASLR closure\n10 | Heap Exploitation | Heap structure and concepts, corruption, use after free\n11 | Misc Concepts and Stack Cookies | Signed/unsignedness issues, uninitialized data, etc, bypassing stack cookies\n12 | C++ Differences and Concepts | C++ basics, structures, vTables, exceptions\n13 | Linux Kernel Exploitation | Kernel basics, kernel exploitation, mitigations (mmap_min_addr, kallsyms, SMEP/SMAP), bypassing mitigations\n14 | Exploitation on 64bit, ARM, Windows | Exploitation differences on other architectures \u0026 platforms\n15 | Automation \u0026 The Future of Exploitation | Fuzzing, taint analysis, dynamic instrumentation, SMT/SAT solvers\n\n*Refer to 
[ERRATA.md](https://github.com/RPISEC/MBE/blob/master/ERRATA.md) for slide corrections.*\n\n### Lab Breakdown\nLab | Topic | Corresponding Lectures\n--- | ----- | ----------------------\n[01](/src/lab01) | Reverse Engineering | 01-03\n[02](/src/lab02) | Memory Corruption | 04\n[03](/src/lab03) | Shellcoding | 05\n[04](/src/lab04) | Format Strings | 06\n[P1](/src/project1) | Project 1 | 01-06 (Comprehensive)\n[05](/src/lab05) | DEP and ROP | 07\n**XX** | **ASLR should always be enabled from this point on** | **See VM Information for details**\n[06](/src/lab06) | ASLR | 09\n[07](/src/lab07) | Heap | 10\n[08](/src/lab08) | Misc and Stack Cookies | 11\n[09](/src/lab09) | C++ | 12\n[P2](/src/project2) | Project 2 | 01-12 (Comprehensive)\n[10](/src/lab10) | Linux Kernel | 13\n\n### Repository Breakdown\n* [src/](/src) - Source code for labs\n* [setup_wargame.sh](/setup_wargame.sh), [external_tools.sh](/external_tools.sh) - Install scripts to set up MBE on an Ubuntu 14.04 32-bit machine\n* [MBE_release.tar.gz](https://github.com/RPISEC/MBE/releases/download/v1.1_release/MBE_release.tar.gz) - Binaries for labs and projects\n* [MBE_lectures.tar.gz](https://github.com/RPISEC/MBE/releases/download/v1.1_release/MBE_lectures.tar.gz) - PDFs of all lecture slides\n* [MBE_VM.vmdk.gz](https://github.com/RPISEC/MBE/releases/download/v1.1_release/MBE_VM.vmdk.gz) - A vmdk (disk image) of a VM that is already set up\n\n## Labs - The RPISEC Warzone\n\nThe Warzone is a custom wargame that was built from the ground up for this course. It provided\na complete and consistent learning platform for us to release the labs and projects to the\nstudents. The wargame was built on top of a vanilla Ubuntu 14.04 32-bit server install, and is\nmodeled after existing local privilege escalation themed wargames. 
If you have ever played\nthe fantastic [IO wargame](https://io.netgarage.org/) (formerly hosted at SmashTheStack), the Warzone has a\nsomewhat similar structure.\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"/resources/images/warzone.png\" alt=\"RPISEC Warzone\"/\u003e\n\u003c/p\u003e\n\nSome basic tweaks have been made in an attempt to isolate players from each other and create\nan individual experience, but it's probably far from perfect. It also comes pre-installed with\nsome tools, scripts, and configs that can make a beginner's life a bit easier in exploit\ndevelopment.\n\nYou can roll with the Warzone we designed, or you can try to set up your own using our scripts.\n___\n### Option One - Pre-made Warzone VM\nAs the years pass, compilers will change, security will improve, and the challenges in this\nrepo may no longer be solvable. Because of this, we have created a virtual machine disk image\nthat closely replicates the universal Warzone wargame server we ran for the duration of this\ncourse. The VM has all the tools set up, challenges pre-compiled, and lab accounts ready to go.\nHopefully it will endure the test of time.\n\n#### Virtual Machine Setup\n\nRPISEC is a huge advocate of VMware because of its quality and stability, so we recommend\nusing our disk image below with VMware Workstation, VMware Fusion, or VMware Player. That\nsaid, it should also work with VirtualBox.\n\nVMware provides a great [2 minute video](https://www.youtube.com/watch?v=I6WfFLQwoPg) on how to set up a virtual machine using an existing disk image.\n\n\u003cp align=\"center\"\u003e\n\u003ca href=\"https://www.youtube.com/watch?v=I6WfFLQwoPg\"\u003e\u003cimg src=\"/resources/images/vmware.png\" alt=\"Final\"/\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n1. Download [MBE_VM.vmdk.gz](https://github.com/RPISEC/MBE/releases/download/v1.1_release/MBE_VM.vmdk.gz) from our release page\n2. Extract the archive to obtain the disk image\n3. 
Using VMware, go to `File-\u003eNew Virtual Machine...` and create a Custom VM\n4. When prompted for `Guest Operating System Installation`, select `I will install the operating system later`\n5. You can use the default options for almost all the prompts you encounter. For specs, we suggest the following:\n  * 1 processor / core\n  * 512 MB of RAM\n  * NAT Networking\n6. When prompted to `Select a Disk`, select `Use an existing virtual disk` and navigate to the .vmdk you extracted\n7. In the end your final screen should look something like this. Click Finish and then power on the VM.\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"/resources/images/final.png\" alt=\"Final\"/\u003e\n\u003c/p\u003e\n\n\n#### How to Play\nWe tried to keep the course fairly self-contained, but if you find yourself lost or struggling [OverTheWire's Bandit](http://overthewire.org/wargames/bandit/) is a great intro to Linux wargames. You can also poke people on [IRC](#contact) if you have questions.\n* SSH is pre-setup on the VM, but we need an IP. First, sign in through the VMware or VirtualBox console. 
To find the IP address type:\u003cbr\u003e\n  ```$ ip addr```\u003cbr\u003e\n  \u003cp align=\"center\"\u003e\n  \u003cimg src=\"/resources/images/ip_addr.png\" alt=\"ip addr\"/\u003e\n  \u003c/p\u003e\n  and then SSH using [PuTTY](http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe) or a command line client\u003cbr\u003e\n  \u003ccode\u003e$ ssh lab1C@172.16.29.130\u003c/code\u003e\u003cbr\u003e\n  \u003ccode\u003elab1C@172.16.130's password: lab01start\u003c/code\u003e\u003cbr\u003e\n* Navigate to `/levels/labXX` to begin\u003cbr\u003e\n  ```$ cd /levels/lab01```\n* The Warzone is structured like any local privilege escalation wargame.\nYou must exploit a challenge to escalate your privileges and gain access to another user (level).\nOnce you exploit a level and escalate to the next user (confirm with `whoami`), read their password from their home dir\u003cbr\u003e\n  ```$ cat /home/lab1B/.pass```\n* SSH in using the new username and password to continue!\n\n#### VM information\n* admin user: `gameadmin:gameadmin`\n* lecture user: `lecture:lecture`\n* rc files are in `/etc/cfg`\n  * All lab/project users have symlinks to these files in their home directories\n  * These files are also symlinked in `/etc/skel`\n* To begin a lab, login as `labXC:lab0Xstart`\n  * e.g. `lab1C:lab01start`\n  * Projects are `projectX:projectXstart`\n* Levels are in `/levels`\n* Passwords are in `/home/$USER/.pass`\n* Tools are installed in `/tools` and `/usr/local/bin`\n* **ASLR must be enabled after completing the DEP/ROP lab, and stay enabled for the rest of the course**\n  * Until reboot: ```# echo 2 \u003e /proc/sys/kernel/randomize_va_space```\n  * Persist across reboots: ```# echo 'kernel.randomize_va_space = 2' \u003e /etc/sysctl.d/01-disable-aslr.conf```\n\n___\n### Option Two - Make a Custom Warzone\nWe have provided a bash script that will fully set up the exact environment in the provided VM. 
\n\n**DO NOT RUN THIS SCRIPT ON YOUR PERSONAL COMPUTER, RUN IT IN A VIRTUAL MACHINE**\n\n1. Download [MBE_release.tar.gz](https://github.com/RPISEC/MBE/releases/download/v1.1_release/MBE_release.tar.gz)\n2. Move the archive to your VM or machine and extract it \u003cbr\u003e\n  **NOTE: It is not recommended to run the script from /tmp, as the sticky bits can screw up wildcards** \u003cbr\u003e\n  ```$ tar xzvf MBE_release.tar.gz```\n3. Modify the configuration variables at the top of [setup_wargame.sh](/setup_wargame.sh) to suit your needs\n4. Make the setup script executable and run it with sudo\u003cbr\u003e\n  ```$ chmod +x ./setup_wargame.sh```\u003cbr\u003e```$ sudo ./setup_wargame.sh```\u003cbr\u003e\nIt should take about 10-20 minutes to complete depending on your internet connection and the\nnumber of Ubuntu updates.\n\n## Frequently Asked Questions\n\n#### Why can't I login to lab1c?\nAccount names are case sensitive, so please check that you're logging in as lab1**C**\n\n#### Why am I getting 'permission denied' errors?\nThe warzone marks many files as immutable to prevent users from changing them and\nruining the game for other players. For example, we don't want the lab2B user to\ndelete its `.pass` file or `/levels` files. A few system files, such as `/etc/passwd`,\nare also marked immutable. \n\nIf you would like to modify or delete these files simply remove the immutable flag\n```bash\nchattr -i filename\n```\nWe recommend that you add the flag back when you are done making your changes\n```bash\nchattr +i filename\n```\n\n#### Where are the lab solutions?\nPosting solutions spoils the fun and grind of the game, and as an academic resource it is\nlikely some of these materials may be re-used by other classes in the future. 
As goes with\nmost wargames, we would like to ask that you refrain from publicly posting writeups or\nexploits to the labs and projects.\n\nIf you are ever stuck on a problem or have any questions, you're more than welcome to\nask on [IRC](#contact).\n\n#### Why are the lecture slides for XYZ so sparse?\nThis was a very hands-on course, so almost every lecture we had students slinging GDB commands\nor following along with us on screen. The slides were accessory to the lectures and may have\ngaps or be brief at times. With seven of us creating and giving lectures, the slides\nand teaching styles vary a bit. We did our best to keep them consistent. \n\n#### Do you have videos of the lectures?\nSadly we did not record any of the lectures, maybe next time.\n\n#### Why provide the lab sources to the students?\nWe're huge fans of reversing / CTF challenges, but reversing is mostly a time problem. With\nstudents juggling other classes and work during the school semester, we'd rather they focus on\nlearning the exploitation techniques without the overhead of reversing every binary. \n\n#### These challenges are really easy, what gives?\nThe 50 students that enrolled had little to no prior computer security experience. The labs \nare not designed to be novel CTF challenges, they're meant to be more academic examples paced\nto crystallize the concepts. Seasoned CTF'ers can probably blow through most of these\nchallenges in a day or two. \n\n#### Why didn't you cover subject XYZ?\nIf XYZ is related to vulnerability research, we're all ears. The course is far from perfect\nand we are open to hearing any feedback for improving it. \n\n#### Will this course be taught again at RPI?\nThere's a lot of interest in having it offered again, so it's being considered for Spring\n2016. The feedback was almost exclusively positive with the students finding the material\nchallenging, but engaging. 
We've got dozens of ideas on how to make it even better next time.\n\n#### Where can I learn more?\nPlay more wargames:\n* [SmashTheStack IO](http://io.smashthestack.org/)\n* [Pwnable KR](http://pwnable.kr/)\n* [OverTheWire](http://overthewire.org/wargames/)\n* [Reversing KR](http://reversing.kr/)\n* [W3Challs](http://w3challs.com/)\n\nAnd when they're happening, play [CTFs](https://ctftime.org/)!\n\n#### \u003ca name=\"contact\"\u003e\u003c/a\u003eI have a question, how can I get in touch with you?\nOur club keeps a pretty active [IRC](http://rpis.ec/irc) presence. Someone there can probably\nanswer your question.\n\n**Server:** `irc.rpis.ec`\n**Port:** `6667`, or `6697` (SSL)\n\n\nIf you would like a more formal means of communication, you can reach us at `contact [at] rpis.ec`\n\n\n# Licensing\nThis course was explicitly designed for academic \u0026 educational use only. Please keep this\nin mind when sharing and distributing our course material. The specific licenses involved\ncan be found below.\n\n**Lecture Slides**\n\nThe lectures are covered by the Creative Commons Attribution-NonCommercial 4.0\nInternational license [CC BY-NC 4.0](https://creativecommons.org/licenses/by-nc/4.0/legalcode).\n\u003cp align=\"center\"\u003e\n\u003ca href=\"https://creativecommons.org/licenses/by-nc/4.0/\"\u003e\u003cimg src=\"/resources/images/cc-by-nc.png\" alt=\"CC BY-NC 4.0\"/\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n**Code**\n\nThe code in this repo is covered by the BSD 2-Clause license. You can view this license in [LICENSE](/LICENSE).\n\n# Acknowledgements\nHundreds of hours and countless all nighters went into the production and execution of\nthis course. 
This section serves to recognize those who made all of this possible.\n\n## Original Authors\n  * Patrick Biernat\n  * Jeremy Blackthorne\n  * Alexei Bulazel\n  * Branden Clark\n  * Sophia D'Antoine\n  * Markus Gaasedelen\n  * Austin Ralls\n\n## Special Thanks\n  * The [RPI CS Department](http://www.cs.rpi.edu/) for giving us this opportunity and letting us run with it\n  * Professor Bülent Yener for sponsoring such a course\n  * Our students who put up with us all semester\n","funding_links":[],"categories":["Table of Contents","Courses","Uncategorized","Training","C","Advisories","C (286)","Security","others","🔍 Reverse Engineering, Buffer Overflow, and Exploit Development","Support","Everything Cyber"],"sub_categories":["Reverse Engineering, Buffer Overflow and Exploit Development","Free","Uncategorized","Classes","Introduction to CS","RPI Classes"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FRPISEC%2FMBE","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FRPISEC%2FMBE","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FRPISEC%2FMBE/lists"}