Working, verified solutions to a representative subset of the Syracuse SEED Labs spanning software, cryptography, network, and web security — an independent, educational implementation, part of a csdiy.wiki full-catalog build.
This repository is authorized self-study of a public university security
course. Every exploit here targets the course's own intentionally
vulnerable programs / lab sandboxes, run entirely inside an isolated local
WSL2 environment (private 10.9.0.0/24 network namespaces, lab-local files, a
localhost-only web app). Nothing here targets real third-party systems, and
there is no malware, botnet/C2, DoS, or detection-evasion tooling. The memory
-corruption labs deliberately disable modern defenses (-fno-stack-protector,
-z execstack, ASLR off) only inside the sandbox so the classic techniques
can be studied. Use this material to learn how attacks work and how to defend
against them.
The SEED project (Syracuse University, Prof. Wenliang Du) offers 40+ hands-on security labs. The full set ships as a large Ubuntu VM with multi-container topologies (Elgg/phpBB web apps, VPN, Mitnick multi-host, etc.). This repo implements a genuinely representative, substantial subset that runs offline on a Windows host via WSL2 Ubuntu, and captures real output from each attack. Labs that fundamentally require the full SEED VM or a vulnerable kernel are called out as documented partials below.
| Lab | What it does | Result (measured) |
|---|---|---|
| buffer-overflow | Stack smash of a setuid-root binary, shellcode setuid(0)+execve |
Unprivileged seed gets uid=0(root) shell |
| return-to-libc | Defeat non-executable stack via system("/bin/sh") |
Shell spawned through libc (NX bypassed) |
| format-string | %n arbitrary write + stack leak |
target flipped 0x11223344 → 0xdeadbeef |
| race-condition | TOCTOU access()/fopen() symlink race |
Injected UID-0 account into a root-owned file (won in ~2 tries) |
| dirty-cow | CVE-2016-5195 PoC | Partial — kernel 6.18 patched, file unchanged (see below) |
| Lab | What it does | Result (measured) |
|---|---|---|
| secret-key-encryption | AES ECB vs CBC leakage; break a substitution cipher | ECB 12288 duplicate blocks vs CBC 0; substitution recovered 98.5% (988/1003 chars) |
| hash-length-extension | Forge SHA256(key‖msg) MAC with no key |
Forged MAC verifies against the real key |
| rsa | Keygen/enc/dec/sign from scratch; factoring attack | 512-bit roundtrip + sign/verify OK; 63-bit modulus factored → plaintext recovered |
| padding-oracle | CBC PKCS#7 padding-oracle decryption | Full plaintext recovered, no key used |
| Lab | What it does | Result (measured) |
|---|---|---|
| packet-sniffing-spoofing | Passive ICMP sniff (hub) + forged-source ICMP | Captured victim↔server ICMP; spoofed request reached server |
| arp-cache-poisoning | Continuous ARP flood → MITM | Victim cache maps server → attacker MAC; redirected traffic captured |
| tcp-attacks | TCP RST injection with exact seq | Live connection RESET (server + client both observe) |
| dns-spoofing | Race the resolver, forge an A record | Victim resolves to attacker's 6.6.6.6 (beats real 1.2.3.4) |
| firewall | Stateful iptables/netfilter policy | Victim ICMP + TCP/8080 allowed; attacker ICMP + TCP/9999 blocked |
| Lab | What it does | Result (measured) |
|---|---|---|
| sql-injection | Auth bypass + UNION exfiltration on /login |
Logged in as admin with no password; dumped all credentials |
| xss | Reflected + stored XSS | Raw <script> served unescaped; safe endpoint escapes it |
| csrf | Forged state-changing POST | Victim email changed to attacker@evil.com; token endpoint returns 403 |
Sample captured evidence (software-security/buffer-overflow/results/run.log):
### ROOT SHELL SPAWNED ###
uid=0(root) gid=1002(seed) groups=1002(seed)
and the ECB-vs-CBC image leakage (crypto/secret-key-encryption/results/):
original.bmp, encrypted_ecb.bmp (structure still visible), encrypted_cbc.bmp (noise).
- Software — buffer-overflow, return-to-libc, format-string, race-condition · dirty-cow (documented partial)
- Crypto — secret-key-encryption, hash-length-extension, rsa, padding-oracle
- Network — packet-sniffing-spoofing, arp-cache-poisoning, tcp-attacks, dns-spoofing, firewall
- Web — sql-injection, xss, csrf
16 labs verified end-to-end + 1 documented partial, covering all four SEED categories.
seed-labs/
├── software-security/ # C memory-safety & OS labs (WSL2, 32-bit)
│ ├── buffer-overflow/ return-to-libc/ format-string/ race-condition/ dirty-cow/
├── crypto/ # from-scratch Python crypto attacks
│ ├── secret-key-encryption/ hash-length-extension/ rsa/ padding-oracle/
├── network/ # scapy attacks over network namespaces
│ ├── common/topo.sh # shared bridge + 3-host 10.9.0.0/24 topology
│ ├── packet-sniffing-spoofing/ arp-cache-poisoning/ tcp-attacks/ dns-spoofing/ firewall/
├── web/ # local vulnerable Flask app + attacks
│ ├── webapp/app.py # intentionally vulnerable app (SQLi/XSS/CSRF)
│ ├── sql-injection/ xss/ csrf/
└── each lab: source + run.sh + results/run.log (captured real output)
All labs run inside WSL2 Ubuntu (Linux is required for gcc -m32, setuid,
network namespaces, scapy, and iptables). One-time setup:
# inside WSL2 Ubuntu, as root (the default WSL user)
sudo apt-get install -y gcc-multilib gdb libpcap-dev iproute2 iptables
python3 -m venv ~/seed-venv
~/seed-venv/bin/pip install -r requirements.txt # scapy flask pycryptodome requests
# run any lab (each is self-contained and prints its own evidence):
bash software-security/buffer-overflow/run.sh
bash crypto/rsa/run.sh
bash network/arp-cache-poisoning/run.sh
bash web/sql-injection/run.sh
# ... or everything:
bash scripts/run_all.shEach run.sh relocates its build off the Windows drive (drvfs cannot hold
setuid bits), compiles/launches the target, performs the attack, and writes a
log to that lab's results/ directory.
Every result above is the actual output of running the lab, saved under each
lab's results/run.log. Highlights:
- buffer-overflow / race-condition — real privilege escalation: an unprivileged user obtains a root shell / writes a root-owned file.
- crypto — the from-scratch SHA-256 is cross-checked against
hashlib; the padding-oracle and RSA-factoring attacks recover the exact original secrets. - network — captured packet lines show the sniffed/redirected/forged frames (source IPs, MAC addresses, sequence numbers) for each attack.
- web — HTTP responses show the auth bypass, the unescaped
<script>, and the CSRF'd state change, each with a safe-endpoint contrast.
- dirty-cow (CVE-2016-5195) — the PoC compiles and runs, but the WSL2 kernel
(6.18) is patched, so the root-owned file is not modified;
run.logcaptures the "PATCHED: file unchanged" outcome. Requires a vulnerable kernel (< 4.8.3), which is out of scope for a modern host. - Full SEED-VM / multi-container labs — the exact SEED web apps (Elgg, phpBB), the VPN, Mitnick multi-host TCP hijack, and Meltdown/Spectre labs need the complete SEED Ubuntu VM or specific hardware. The web labs here use a representative local Flask app that reproduces the same SQLi/XSS/CSRF classes; the network attacks use isolated namespaces instead of separate VMs.
- Global ASLR can't be turned off on the WSL2 kernel, so the memory labs disable
it per process with
setarch -R(equivalent effect). - Docker/WSL2 sets the bridge FORWARD policy to DROP and routes bridged frames
through iptables;
network/common/topo.shsetsnet.bridge.bridge-nf-call-iptables=0for the lab segment and restores it on teardown.
C (32-bit, gcc 13.3), Python 3.12 (scapy, pycryptodome, Flask, requests), bash, gdb, iproute2 network namespaces, iptables/netfilter — all on WSL2 Ubuntu 24.04.
- How stack layout, saved return addresses, shellcode, and NX/ASLR/canary defenses interact — and how ret2libc and format strings sidestep them.
- Why textbook crypto fails: ECB structure leakage, Merkle–Damgård length extension, CBC padding oracles, and small-modulus RSA factoring.
- Layer-2/3 trust assumptions: ARP has no authentication, TCP trusts sequence numbers, DNS trusts the first matching answer — and how a stateful firewall re-imposes policy.
- The web trinity: injection (SQLi), output encoding (XSS), and request provenance (CSRF), each with its concrete defense.
Based on the SEED Labs by Prof. Wenliang Du, Syracuse University (https://seedsecuritylabs.org/). This repository is an independent educational reimplementation; all original lab designs and specifications belong to their authors. Original code here is released under the MIT License and is intended solely for authorized, ethical security education.