Adam Hultman — Software Engineer, Vancouver

Security

🔓 Binary Exploit Visualizer

Step through classic memory corruption attacks. See how buffer overflows, format strings, ROP chains, heap exploits, and use-after-free bugs actually work.

Vulnerable Source Code

// vulnerable.c
#include <string.h>
#include <stdio.h>
void vulnerable(char *user_input) {
    char buffer[16];
    int authenticated = 0;
    // No bounds checking!
    strcpy(buffer, user_input);
    if (authenticated) {
        printf("Access granted!\n");
    }
}
int main(int argc, char **argv) {
    vulnerable(argv[1]);
    return 0;
}

Try It Yourself Mode

Type your own input and watch the stack corrupt in real time (char buf[8])

Step 1 / 8

Phase:

normal

Function Prologue

The CPU executes `push rbp; mov rbp, rsp` to save the caller's frame pointer and set up a new stack frame. The return address was already pushed by the CALL instruction.

Current Instruction

push rbp; mov rbp, rsp

Stack Memory

High addresses (top) → Low addresses (bottom)

0x7fff0048

arg: user_input

0x7fff1000

0x7fff0040

return address

0x00401076

0x7fff0038

saved RBP

0x7fff0090

0x7fff0030

canary (unused)

0x00000000

0x7fff0028

local_var_i

0x00000000

0x7fff0024

buffer[12..15]

0x00000000

0x7fff0020

buffer[8..11]

0x00000000

0x7fff001c

buffer[4..7]

0x00000000

0x7fff0018

buffer[0..3]

0x00000000

0x7fff0014

padding

0x00000000

0x7fff0010

(stack below)

0x00000000

0x7fff000c

(stack below)

0x00000000

Buffer

Locals

Saved RBP

Return Addr

Args

Registers

RSP

0x7fff0018

RBP

0x7fff0038

RIP

0x004010a0

Input So Far

(none)

Mitigations

The following defenses can prevent or mitigate this class of attack:

Stack canariesASLRNX bit (DEP)Use strncpy / strlcpy

How Modern Protections Work

🐦

Stack Canary

Active

A random value placed between the buffer and saved RBP. If overwritten, the program aborts before returning.

🎲

ASLR

Active

Randomizes the base addresses of the stack, heap, and libraries on each execution, making gadget addresses unpredictable.

🚫

NX / DEP

Active

Marks the stack and heap as non-executable. Prevents running shellcode injected into buffers.

📍

PIE

Position-Independent Executable. Randomizes the base address of the main binary, not just libraries.

🔗

CFI

Control-Flow Integrity. Validates that indirect branches target expected locations, breaking ROP chains.

🔒

Safe Unlinking

Validates that a freed chunk's forward and backward pointers are consistent before unlinking, preventing heap metadata corruption.

🔬

ASAN

AddressSanitizer detects use-after-free, heap overflow, and other memory errors at runtime with shadow memory tracking.

🏷️

MTE

Memory Tagging Extension (ARM) assigns tags to memory allocations. Accessing freed or out-of-bounds memory with a stale tag triggers a fault.

How It Works

This visualizer simulates the memory layout of an x86-64 process during a memory corruption attack. Each colored row represents a memory cell in the stack frame or heap.

In a real system, the stack grows downward (toward lower addresses). When a function is called, the CPU pushes the return address and the caller saves its frame pointer (RBP). Local variables, including buffers, are allocated below these critical values.

The fundamental problem: if a buffer can be written past its bounds, the attacker can overwrite the return address and hijack control flow when the function returns. On the heap, corrupting allocator metadata or reusing freed memory can achieve similar results. Decades of exploit techniques and mitigations have evolved from these observations.