Tutorial

Linux Exploitation Lab Setup

Build and run the vulnerable binaries used throughout the Linux Exploitation Fundamentals series, in Docker or natively.

4 min read beginner
Exploitation Infrastructure Linux Exploit Development

Prerequisites

  • Basic Linux command line knowledge
  • Docker (recommended) or a Debian-based x86-64 system
Table of Contents

The Linux Exploitation Fundamentals series walks through a progression of binary exploitation techniques. Every tutorial analyses a purpose-built vulnerable binary; this guide shows you how to build them and set up a working lab environment.

All source code lives in the linux-tutorial-tools repository on GitLab.

Warning

These binaries are intentionally vulnerable. Build and run them only inside an isolated VM or container, never on a production system.

What’s Included

Each directory contains a C source file, a Makefile with the exact compiler flags needed to reproduce the vulnerability, and a README explaining how to verify offsets on your system.

DirectoryBinaryTutorialArchNXPIECanaryRELRO
01-hidden-function/readerRedirecting Executionx86OffOffOffPartial
02-basic-overflow-x86/vulnBasic Stack Overflowx86OffOffOffPartial
03-overflow-x64/vulnerableStack Overflow x64x64OffOffOffPartial
04-ret2libc-x86/vulnerableReturn-to-libcx86OnOffOffNone
05-rop-x64/bypass_nxROP NX Bypassx64OnOffOffPartial
06-mprotect-rop/targetmprotect ROPx64OnOffOffN/A
07-aslr-bypass/targetASLR Bypassx64OnOffOffPartial
08-socket-reuse/serverSocket Reusex86OffOnOffPartial
09-format-string-x86/vulnFormat String x86x86OnOffOnPartial

NX is disabled for the first three exercises (shellcode on the stack) and on for most of the later ones (forcing ret2libc and ROP techniques); exercise 8 turns NX off again so the socket-reuse tutorial can demonstrate stack-resident shellcode in a remote service. PIE is only enabled for exercise 8, where the tutorial demonstrates leaking addresses to defeat it. Exercise 6 is statically linked so that mprotect is available directly in the binary. Exercise 9 leaves the stack canary on intentionally — the format string bug doesn’t smash the saved return pointer, and the same binary is used in the next tutorial to demonstrate canary leakage.

The Docker image includes every tool you need, GCC with multilib, GDB-PEDA, pwntools, ROPgadget, ropper, and checksec, with all binaries pre-built and ASLR disabled at startup.

git clone https://gitlab.com/sfoerster/linux-tutorial-tools.git
cd linux-tutorial-tools
docker compose up -d
docker compose exec lab bash

Once inside the container, verify the build:

checksec --file=01-hidden-function/reader
RELRO           STACK CANARY      NX            PIE
Partial RELRO   No canary found   NX disabled   No PIE

The container runs with --privileged and SYS_PTRACE capability so that GDB can attach to processes and ASLR can be toggled via /proc.

Native Setup (Alternative)

If you prefer to build natively on a Debian or Ubuntu system:

# Install dependencies
sudo apt update
sudo apt install -y gcc gcc-multilib gdb python3 python3-pip python3-venv \
    socat nasm netcat-openbsd checksec make curl git

# Clone and build
git clone https://gitlab.com/sfoerster/linux-tutorial-tools.git
cd linux-tutorial-tools
make

# Disable ASLR (required for all exercises except 07-aslr-bypass)
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

Note

Remember to re-enable ASLR when you’re done: echo 2 | sudo tee /proc/sys/kernel/randomize_va_space

You’ll also want GDB-PEDA and pwntools:

# GDB-PEDA
git clone https://github.com/longld/peda.git ~/peda
echo "source ~/peda/peda.py" >> ~/.gdbinit

# pwntools + gadget finders
python3 -m venv ~/pwn
source ~/pwn/bin/activate
pip install pwntools ROPGadget ropper

Directory Structure

linux-tutorial-tools/
├── 01-hidden-function/    # reader binary (SUID exercise)
├── 02-basic-overflow-x86/ # vuln binary
├── 03-overflow-x64/       # vulnerable binary
├── 04-ret2libc-x86/       # vulnerable binary (NX on)
├── 05-rop-x64/            # bypass_nx binary
├── 06-mprotect-rop/       # target binary (static)
├── 07-aslr-bypass/        # target binary
├── 08-socket-reuse/       # server binary (PIE on)
├── 09-format-string-x86/  # vuln binary (canary on)
├── Dockerfile
├── docker-compose.yml
├── Makefile
└── tests/
    └── test_binaries.sh

Each exercise directory contains a Makefile with the exact flags used to compile the binary and a README.md that documents expected offsets and how to rederive them with GDB-PEDA if your compiler produces different results.

Verifying the Build

Run the included test script to validate that every binary has the correct security properties:

./tests/test_binaries.sh

Or verify an individual binary with checksec:

checksec --file=05-rop-x64/bypass_nx
RELRO           STACK CANARY      NX            PIE
Partial RELRO   No canary found   NX enabled    No PIE

[!important] Buffer offsets depend on your compiler version, glibc version, and build flags. If your exploit doesn’t work with the offsets shown in a tutorial, each exercise README explains how to rederive the correct offset with GDB-PEDA’s pattern create / pattern offset workflow.

Tooling Overview

The Docker image (and the native setup above) includes everything the tutorials reference:

  • GDB + PEDA, debugging, pattern creation, offset calculation
  • pwntools, Python exploit scripting (from pwn import *)
  • ROPgadget / ropper, automated gadget search for ROP chains
  • checksec, verify binary security properties (NX, PIE, canary, RELRO)
  • socat, network forwarding for the socket reuse exercise
  • nasm, assembler for custom shellcode
  • netcat, connecting to remote services