BSides London 2014 was a milestone for me. Not because of the conference itself — though it was great — but because it was the first time I’d stood in front of a room full of people I’d never met and tried to teach them something I genuinely cared about.

Exploit development. Stack-based buffer overflows. From scratch. In sixty minutes.

Terrifying? A little. Worth it? Absolutely.

The workshop

The format was a one-hour hands-on session on stack-based buffer overflows, covering the full process from fuzzing through to a working Remote Code Execution exploit. Every space filled. That alone was a good sign — people weren’t just curious, they actually showed up and stayed.

The target was the FreeFloat FTP server — the same vulnerable application used in Abusing The Stack, which documents the full process and includes a video walkthrough if you want to follow along.

The session started with fuzzing — understanding why you send malformed input, what a crash tells you, and how you get from “the application stopped responding” to “I control EIP.” From there, the room worked through offset identification, bad character analysis, shellcode generation, and payload delivery. By the end of the hour, everyone had built a working Remote Code Execution exploit using custom shellcode.

In sixty minutes. With people who’d never done it before.

What this confirmed for me

Teaching exploit development to complete strangers is genuinely one of the most satisfying things I’ve done in this industry. And it confirmed something I’d suspected for a while: the “black art” reputation that surrounds exploit development keeps a lot of people out of a discipline they’re entirely capable of learning.

When you strip it back to fundamentals and walk people through it hands-on, the lightbulb moments happen fast. You can see the exact point where someone goes from “I don’t understand what EIP has to do with anything” to “oh — I control where the program goes next.” That shift, in a room full of people, all at roughly the same time — that’s what makes workshops worth running.

If you missed it

The full process is documented — video included — in the original Abusing The Stack post:

Abusing The Stack

Work through it yourself. Set up a lab, grab the FreeFloat FTP server, and follow every step. Don’t skip the parts where things don’t work immediately — those are the parts that actually teach you something.

BSides London 2014 was the first workshop. It won’t be the last.