ABE – Applied Binary Exploitation
Contact
For questions, remarks and complaints, or if you missed the first lecture but still want to participate, please contact placeholder@example.com.
Administrative notes
This is the website for the module MA-INF 3322 Applied Binary Exploitation (Uni Bonn) / M(CSP|I|VG)-[1-3]-WP[CFS]-[1-4] Applied Binary Exploitation (HBRS).
You may take this course even if you have passed BA-INF 148 Program Analysis and Binary Exploitation (PABE) during your bachelor’s.
You cannot take this course if you have already passed MA-INF 3322 Program Analysis and Binary Exploitation (PABE).
Note: This time the lecture will be hybrid. The lectures will be recorded. Exercise meetings will not be recorded.
This course is offered at the University of Bonn and at Hochschule Bonn-Rhein-Sieg. There will be no eCampus course and no LEA course. All lecture materials will be made available on this website instead.
Time and Location
The exercise on 2025-05-14 will take place in room 0.02 (Lernlabor Cybersicherheit) will be postponed to 2025-05-21 and will be held online only.
The lectures take place on Tuesday 10-12 CEST. The first lecture takes place on Tuesday, 2025-04-08.
Tutorials take place on Wednesday 14-16 CEST. The first tutorial takes place on Wednesday, 2025-04-16.
Note that tutorials only take place every other week (see schedule below).
Online participation for lectures and exercises is possible via BBB. You do not need to login / create an account in order to join.
Lectures and tutorials usually take place in room Bonn-Beuel at Fraunhofer FKIE at Zanderstraße 5, 53177 Bonn-Bad Godesberg. Map of the location
You probably want to take the public transport to Bad Godesberg Stadthalle and walk the ~350m to the building.
The lecture hall is located in the basement. Enter the building, register at the front desk, then go down the stairs, turn around, and go straight to the lecture hall.
There may be a few dates where the lecture hall is not available. Pay attention to announcements regarding room changes on the mailing list!
Schedule
This preliminary schedule is of course subject to change.
| Nr | Date | Lecture Topics |
|---|---|---|
| 0 | 2025-04-08 | Welcome! Administrative Remarks |
| 1 | 2025-04-15 | Vulnerability Research / Bug Hunting |
| 2025-04-16 | Sheet 0 Tutorial, Sheet 1 released | |
| 2 | 2025-04-22 | Stack-based Buffer Overflows: Calling Conventions, ret2libc |
| 3 | 2025-04-29 | Stack-based Buffer Overflows: Shellcode |
| 2025-04-30 | Sheet 1 Tutorial, Sheet 2 released | |
| 4 | 2025-05-06 | Code Reuse Attacks: ROP |
| 5 | 2025-05-13 | Code Reuse Attacks: Advanced Techniques |
| 2025-05-14 | ||
| 6 | 2025-05-20 | Format Strings Exploits / glibc ptmalloc Internals |
| 2025-05-21 | Sheet 2 Tutorial | |
| 7 | 2025-05-27 | Heap glibc: Use-After-Free |
| 2025-05-28 | Sheet 3 Tutorial, Sheet 4 released | |
| 8 | 2025-06-03 | Heap glibc: Unlink Exploit |
| 2025-06-10 | - No Lecture - | |
| 9 | 2025-06-17 | Heap glibc: House of Orange Pt. 1 |
| 2025-06-18 | Sheet 4 Tutorial, Sheet 5 released | |
| 10 | 2025-06-24 | Heap glibc: House of Orange Pt. 2 |
| 11 | 2025-07-01 | Real World Case Study: Exim RCE Exploit Pt. 1 |
| 2025-07-02 | Sheet 5 Tutorial | |
| 12 | 2025-07-08 | Real World Case Study: Exim RCE Exploit Pt. 2 |
| 13 | 2025-07-15 | Invited Talk (TBA) |
Please note that the dates may differ from BASIS and Co. Only the dates on this site are final.
Exams
The information in this section is preliminary, and subject to change.
- The exams will be oral exams.
- The exams will take place at Zanderstraße 5, 53177 Bonn-Bad Godesberg.
- There will be two exam periods.
- The first exam period will be on 2025-08-04 to 2025-08-06.
- Timeslots will be assigned after the last exercise sheet has been graded. You will receive an email asking you for your availability.
- The second exam period will be on 2025-09-01 and 2025-09-02.
- Timeslots will be assigned after the first exam period. You will receive an email asking you for your availability.
Exam location
The exam takes place at the Fraunhofer FKIE, Zanderstraße 5, 53177 Bonn-Bad Godesberg. Map of the location
You probably want to take the public transport to “Bad Godesberg Stadthalle” and walk the ~350m to the building.
You have been assigned a time slot for your oral exam and received it via email. Please arrive a few minutes before your slot starts, and plan your travels accordingly. If you know you are running late, please email us.
Once you arrive, ring the doorbell left of the revolving door, and the doorkeeper will let you in. Tell the doorkeeper that you are here for the ABE exam. They will direct you towards the exam room “Gronau”, which is located on the ground floor on the left side from the entrance.
Exam procedure
If the door of the exam room is closed, please wait in front of the room until you are invited in.
There will be multiple people: The professor, a second interviewer, and a third person who types the examination protocol.
At the very beginning, we will check your student ID and ID card or passport. So remember to bring those with you 🙂
We will spend about 20 minutes quizzing you about the lecture contents (might be a bit more or less depending on how it goes). This is aided by some slides (usually from the lecture material) that we can put on a display in the room. It is always a good idea to let us know what you think (instead of saying nothing) even if you don’t have the answer yet. It’s also okay to honestly say that you did not learn a specific topic, so we can move on to something else.
Once the exam is over, we send you out of the room for a short while to discuss your grade.
Then you may come back in, collect your grade, chat a bit, and leave again through the same door you came in.
What kind of questions will be asked?
-
We show you an exploit (probably in Python) and you have to explain what kind of exploit it is and how it works, what the bug class is and how exploits of that kind work in general.
-
We show you some code (C or ASM), you tell us what it does and how to find an exploit. Furthermore, what is special about this kind of exploit? What are the constraints?
-
There will also be questions about lecture slides where we removed some elements (words, numbers, arrows, …) and ask you about those missing elements:
- For example: What does the address
0x13374223mean? Explain what you see on the slide and fill in the blanks?
- For example: What does the address
-
Some questions will be about the slides with no modifications at all.
To summarize: We will mostly ask technical questions instead of broad and generic questions. The code snippets will have a manageable size! Just take a look at this example: https://godbolt.org/z/nq6GYK. Check out the C code and the Assembly. Use the colors to match the C code to the machine code instructions.
How do I know if I am well-prepared?
If you invested the time to do the exercises, you should be safe. If not, try to solve some of them before the exam and really understand what you are doing. It’s also an excellent idea to imagine what we could ask you and try to answer the question to yourself. Often you will notice if you can explain everything smoothly or if you still have a knowledge gap.
Description
Our computers run a lot of closed source binary programs meaning that the source code of those programs is not available. Naturally, those programs contain bugs, mistakes that the programmer made during the development. Those bugs could (under certain circumstances) be exploited by attackers and thus may lead to arbitrary code execution. In this lecture we aim to teach you how to find well known exploitable bugs and how to exploit them. After a brief recap of basic binary program analysis such as static and dynamic analysis, we will talk about vulnerability discovery in general, meaning that you will learn how to find exploitable bugs by yourself. Next we move on to basic stack-based buffer overflows and add mitigation techniques (stack cookies, NX, ASLR, RELRO, …) as we progress and exploit them as well. After we finished the topic of stack-based buffer overflows we move on to more advanced topics such as heap exploitation, use-after-free exploits and others. The lecture ends with an analysis of a sophisticated real-world exploit.
At the last lecture date, there will be a guest lecture from a renowned expert. Past guest lecturers were:
2024: Cedric Halbronn (@saidelike): Evolution of exploit development over the last 15 years
2023: Robert Xiao (@nneonneo): Exploiting a Filesystem Driver in a Kernel CTF Challenge
2021: Claudio Guarnieri (@botherder): A talk about journalists, human rights defenders and dissidents that face increasingly sophisticated digital threats and what to do about it.
2020: Maddie Stone (@maddiestone): Reversing the Root: Identifying the Exploited Vulnerability in 0-days Used In-The-Wild
2019: Gynvael Coldwind (@gynvael): Notes on Computer Hardware and Security
2018: Thomas Dullien (@halvarflake): Fundamentals of Security Exploits