Getting Started with Binary Exploitation
TLDR
- Prerequisites: Learn C, assembly and the Linux terminal
- Create a free account on pwn.college and complete their lectures and modules
- Supplement with CTFs
Prerequisite Knowledge
C programming
A solid understanding of the C programming language is essential for binary exploitation. While you don’t need to be a professional programmer, you should be familiar with concepts like data types, C strings, common input/output functions, memory allocation, and process address space.
Once you’re comfortable with C, learning other languages will be easier, as many popular languages (Python, C++, Java) share a C-like syntax.
Assembly
You can learn any assembly language, but the most common are Intel’s x86 and x64, representing 32-bit and 64-bit architectures, respectively. If you’re just starting, I recommend learning x86 (32-bit) first, as its calling conventions are more straightforward (at least in my experience). Once you’ve mastered x86, you can move on to x64.
You don’t need to be an expert in assembly either. Focus on the following topics:
- The purpose and use of registers
- Function calling conventions
- Memory segments (stack, heap, data, etc.)
Study Plan
Learn C
I recommend starting with C by Example. Complete the lessons using a text editor, not an IDE. While Integrated Development Environments (IDEs) are helpful, they can hide many details through features like auto-completion. Using a text editor like Visual Studio Code or Vim will force you to write all your code yourself and compile it using gcc. Although this might feel tedious at first, learning to compile and debug code is a critical skill.
Learn Assembly and How to Debug Code
As you work through the lessons from C by Example, try loading your compiled binaries into a debugger. This will help you become comfortable with debugging and understanding assembly language. I suggest using gdb for this. For now, skip any add-ons like gdb-peda or pwndbg. These tools are great and will be useful later, but it’s better to master the basics first.
Basic Linux Terminal Usage
The Linux terminal will become an essential tool in your binary exploitation journey. A fun way to learn more about the terminal is through the Bandit wargame on OverTheWire. Don’t hesitate to look up writeups if you get stuck—there’s no shame in it!
Capture the Flag (CTF)
Capture the Flag challenges are my favorite way to learn cybersecurity topics. Look for beginner-friendly CTFs like picoCTF and focus on their binary exploitation challenges. If you get stuck, refer to writeups to understand the solutions.
Beyond CTFs, try wargames like Exploit Education or the Narnia series from OverTheWire. These progressively challenging exercises are designed to sharpen your skills.
pwn.college
Pwn.college is an educational cybersecurity platform created by hackers at Arizona State University. It offers lectures from professors alongside numerous CTF challenges to reinforce the material. Since it’s free, I highly recommend it for learning low-level computer security topics.
Suggested dojos:
- Computing 101 - Learn about CPU registers, syscalls, memory, and more.
- Linux Luminarium - Introduction to the Linux terminal and commands.
- Program Security - Covers shellcode injection, reverse engineering, memory errors, and program exploitation.
- System Security - Explores sandboxes, race conditions, kernel security, and system exploitation.
- Software Exploitation - Focuses on return-oriented programming, format strings, heap and kernel exploitation, and more.
Courses and Certifications
Here are a few paid courses that cover binary exploitation and reverse engineering:
Fundamentals of Software Exploitation by RET2 Systems
This paid online course teaches how to exploit 64-bit Linux executables and develop exploits in Python. It covers modern binary exploitation mitigations such as Stack Canaries, NX/DEP, and ASLR.
The course is adapted from RPI's Modern Binary Exploitation course.
I recommend completing some of the pwn.college material before diving into this course.
SANS SEC 660: Advanced Penetration Testing, Ethical Hacking and Exploit Development (GXPN)
This is a high-cost course that covers more than just exploit development, including penetration testing. Its exploit development sections focus on Linux and Windows, bypassing security mitigations, fuzzing, debugging, and more.
The associated certificate is the GIAC Exploit Researcher and Advanced Penetration Tester (GXPN).
Windows User Mode Exploit Development (OSED) from OffSec
This OffSec course focuses on exploiting 32-bit Windows user-mode applications. Though somewhat outdated, it’s still valuable for learning fundamental exploit development concepts on Windows. You’ll reverse engineer real software using IDA Pro and write exploits in Python.
FAQ
What is binary exploitation, and why is it important?
Binary exploitation is the practice of leveraging a vulnerability in an executable to make it behave in unintended ways. Classic examples are buffer overflow attacks, integer overflows, race conditions, and use-after-free exploits.
It is important for developers to understand how their insecure code can be exploited by a malicious actor.
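As an added illustration (not from the original post) of the integer-overflow class mentioned above, here is a constructed record parser with a 4-byte length header: the flawed length check does arithmetic on the untrusted value and wraps, while the corrected check compares against the remaining capacity instead. The record format, `BUF_CAP`, and the function names are all assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed record format for this example: a 4-byte little-endian
 * payload length, followed by the payload, parsed into a fixed buffer. */
#define HEADER_LEN 4u
#define BUF_CAP    64u

typedef struct {
    uint32_t declared_len;   /* payload length as declared by the header */
    uint8_t  buf[BUF_CAP];   /* fixed-size destination for the payload */
} record_t;

/* Flawed check: declared_len + HEADER_LEN is computed in 32-bit unsigned
 * arithmetic and wraps to a small number when declared_len is near
 * UINT32_MAX, so an absurd length passes. Returns 1 if accepted, 0 if not. */
int check_len_flawed(uint32_t declared_len)
{
    uint32_t total = declared_len + HEADER_LEN;  /* wraps for declared_len >= 0xFFFFFFFC */
    return total <= BUF_CAP;
}

/* Corrected check: subtract the constant from the known capacity and compare
 * the untrusted value against that, so no arithmetic on untrusted input can wrap. */
int check_len_safe(uint32_t declared_len)
{
    return declared_len <= BUF_CAP - HEADER_LEN;
}

/* Parse one record using the safe check and a bounded copy. Returns the number
 * of payload bytes copied, or -1 if the record is rejected. */
int parse_record(const uint8_t *msg, size_t msg_len, record_t *out)
{
    if (msg_len < HEADER_LEN) return -1;
    uint32_t declared = (uint32_t)msg[0] | (uint32_t)msg[1] << 8 |
                        (uint32_t)msg[2] << 16 | (uint32_t)msg[3] << 24;
    /* Reject lengths that would overflow buf or exceed the bytes actually received. */
    if (!check_len_safe(declared) || declared > msg_len - HEADER_LEN) return -1;
    out->declared_len = declared;
    memcpy(out->buf, msg + HEADER_LEN, declared);
    return (int)declared;
}
```

Stepping through both checks in gdb with a header of `FC FF FF FF` is a good first debugging exercise: watch `total` wrap to 0 in the flawed version.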
With the rise of memory-safe languages, is it still worth learning exploit development in 20XX?
Yes. C, C++ and memory corruption vulnerabilities will still be prevalent for the foreseeable future. I created a video on this topic a couple of months ago.
Should I begin with Linux or Windows for exploit development? What are the key differences?
My personal opinion is that either OS is fine. There are more CTFs and wargames for Linux ELFs, so perhaps start there. Either way, you will need an understanding of x86 and x64 assembly. Linux and Windows have different calling conventions, but besides that there is a lot of overlap.
Who typically hires exploit developers, and what roles do they fill?
This will vary by country, but in the United States:
- Big Tech (e.g. Google Project Zero, IBM X-Force)
- Government and the alphabet club
- Freelance vulnerability research
How long does it take to become proficient in exploit development?
This will vary by person. If you already have experience with programming, reverse engineering, penetration testing, etc., then you will understand the material faster than a complete beginner.
For a beginner, I recommend grinding CTFs and wargames for the first year until you are comfortable with the concepts.
What tools and software are essential for learning exploit development?
You will need to be comfortable using:
- A debugger
- A disassembler
- A fuzzer
- A scripting language
- A text-editor
Which specific tools and software you use comes down to personal preference or whatever the company utilizes.
Are certifications important for exploit development jobs? If so, which ones?
Certifications are less important for exploit development jobs than for penetration testing jobs. Employers would rather see previous research experience, CTF events or publications.
Check the job description for the role you are applying to and see if they suggest any certifications.
What common mistakes should beginners avoid when learning binary exploitation?
Patience is key! This can be a very challenging field and it can take a long time to truly grasp some of the low-level concepts.
Content Creators I Recommend
There are several high-quality content creators for security research, exploit development and reverse engineering. Here are a few of my personal favorites:
- LiveOverflow
- John Hammond
- Stephen Sims (Off By One Security)
- exploit.club newsletter
#binary-exploitation #career #gxpn #how-to #linux #programming #reversing #security #tutorial #windows-exploit-development