No solution provided.
| Exercise | Challenge | Type | Status | Message |
|---|
| User | Challenge | Status | Submitted | Actions |
|---|
| Username | Role | Points | Status | Actions |
|---|
When enabled, all users can access all challenges without needing to complete prerequisites. When disabled, users must complete challenges progressively (first challenge in each exercise is always unlocked).
When enabled, students can view the global leaderboard showing all users' scores. When disabled, the global leaderboard will be hidden from students.
When enabled, students can access the sandbox environment for free experimentation. When disabled, the sandbox will be hidden and only challenges will be available.
When enabled, users will see detailed ASLR validation run results after submitting solutions to ASLR-enabled challenges. This setting overrides per-challenge settings - if disabled, no ASLR results will be shown regardless of challenge settings.
Prisma Studio provides a visual interface to view and edit data in your database. This is a powerful tool for admins to directly manage database records.
⚠️ Warning: Direct database modifications bypass application logic and validations. Use with caution and ensure data integrity.
Status: Checking...
Manage the simulated libc library assembly code. The libc provides standard functions (printf, malloc, gets, etc.) and ROP gadgets for exploitation challenges.
Loading libc configurations...
The Admin Dashboard provides comprehensive control over the Exploit Simulator platform.
Exercises are categories that group related challenges (e.g., "Buffer Overflow Basics")
Click "New Challenge" and fill in:
Click "Open C Compiler" to write C code and compile it to assembly automatically
Switch to Student View to test if the challenge works as intended
💡 Tip: Start with security features disabled for easier challenges, then progressively enable them for advanced levels.
The emulator includes a built-in C compiler that translates C code into x86 assembly code compatible with the simulator. This allows you to write programs in C and see exactly how they compile to assembly.
int, char, char*, void, structsif/else, while, for, do-while, break, continue, returnint and char&) and dereference (*) operators. and ->), nested structs++, --)printf, scanf, malloc, free, strcpy, strcmp, getsint main() {
char name[20];
printf("Enter your name: ");
scanf("%s", name);
printf("Hello, %s!\\n", name);
int i;
for (i = 0; i < 5; i++) {
printf("Count: %d\\n", i);
}
return 0;
}"Hello\\n")gets function is available but marked as unsafe (just like in real systems)_start entry point that calls mainThe compiler supports C struct definitions and operations:
struct Point { int x; int y; };struct Point p; or struct Point *ptr;p.x = 10; (dot operator) or ptr->x = 10; (arrow operator)struct Rectangle {
struct Point top_left;
struct Point bottom_right;
int color;
};
struct Rectangle rect;
rect.top_left.x = 0;
rect.top_left.y = 0;
rect.color = 0xFF0000;Function pointers allow storing and calling functions indirectly:
int (*operation)(int, int); - pointer to function taking two ints, returning intoperation = add; - assign function address to pointerresult = operation(5, 3); - call function through pointerint add(int a, int b) { return a + b; }
int multiply(int a, int b) { return a * b; }
struct Calculator {
int (*operation)(int, int);
int last_result;
};
struct Calculator calc;
calc.operation = add;
calc.last_result = calc.operation(10, 5); // Calls add(10, 5)CFI is a security feature that protects against control flow hijacking attacks:
__cfi_init function to initialize the runtime table__cfi_check function to validate call targetsNote: CFI adds runtime overhead but significantly improves security against ROP/JOP attacks.
These C functions are available in the emulator for creating vulnerable programs:
printf(const char *format, ...)
Print formatted output to stdout
printf("Hello %s\\n", name);
printf("Value: %d, Hex: %x\\n", val, val);
gets(char *buffer)
⚠️ VULNERABLE: Read input until newline (no bounds checking)
char buffer[64]; gets(buffer); // Classic buffer overflow vulnerability!
strcpy(char *dest, const char *src)
⚠️ VULNERABLE: Copy string without bounds checking
char buffer[16]; strcpy(buffer, user_input); // Overflow if input > 16!
memcpy(void *dest, const void *src, size_t n)
Copy n bytes from src to dest
memcpy(buffer, shellcode, sizeof(shellcode));
exit(int status)
Terminate program with status code
exit(0); // Success exit(1); // Error
scanf(const char *format, ...)
Read formatted input from stdin
int num;
scanf("%d", &num);
char buffer[100];
scanf("%s", buffer); // Vulnerable to overflow!
malloc(size_t size)
Allocate memory from heap
char *buffer = (char *)malloc(100); if (buffer == NULL) exit(1);
free(void *ptr)
Free allocated memory
free(buffer); buffer = NULL; // Prevent use-after-free
strcmp(const char *s1, const char *s2)
Compare two strings
if (strcmp(password, "secret") == 0) {
win();
}
strlen(const char *s)
Get string length
int len = strlen(user_input); if (len > 64) return; // Basic bounds check
memset(void *s, int c, size_t n)
Fill memory with constant byte
char buffer[100]; memset(buffer, 0, sizeof(buffer)); // Zero out buffer
system(const char *command)
⚠️ DANGEROUS: Execute shell command
system("cat flag.txt"); // Command injection risk!
system(user_input); // VERY dangerous!
win() / flag() / secret()
Custom functions that print the flag when called
void win() {
printf("FLAG{you_found_it}\\n");
}
📘 Note: The vulnerable functions (gets, strcpy, system, scanf with %s) are intentionally insecure for educational exploitation exercises.
🛡️ Stack Canary: When enabled in security settings, a random value is placed between local variables and the return address. The canary is checked before function return - if modified, the program terminates. This prevents most buffer overflow exploits but can be bypassed with information leaks or by avoiding the canary.
Supported x86 instructions for writing assembly challenges:
mov eax, 0x41414141 ; Move immediate value mov eax, [ebp-0x10] ; Move from memory mov [esp], eax ; Move to memory push eax ; Push to stack pop ebx ; Pop from stack lea eax, [ebp-0x20] ; Load effective address xchg eax, ebx ; Exchange values
add eax, 0x10 ; Addition sub esp, 0x40 ; Subtraction mul ebx ; Unsigned multiply div ecx ; Unsigned divide inc eax ; Increment dec ebx ; Decrement and eax, 0xff ; Bitwise AND or eax, ebx ; Bitwise OR xor eax, eax ; Bitwise XOR (zero register) not eax ; Bitwise NOT shl eax, 2 ; Shift left shr ebx, 1 ; Shift right
jmp 0x08048000 ; Unconditional jump je label ; Jump if equal (ZF=1) jne label ; Jump if not equal (ZF=0) jg label ; Jump if greater jl label ; Jump if less call function ; Call function ret ; Return from function ret 0x10 ; Return and clean stack nop ; No operation int 0x80 ; System call (Linux)
push ebp ; Save base pointer mov ebp, esp ; Set up stack frame sub esp, 0x40 ; Allocate local space leave ; Restore stack frame ret ; Return
cmp eax, 0x41 ; Compare values test eax, eax ; Test (AND without storing)
💡 Exploitation Tip: Focus on controlling EIP (instruction pointer) to redirect program flow to your shellcode or win function!
Minimum 12 characters
Are you sure you want to delete user ? This action cannot be undone.