AgentSkillsCN

Exploit

利用

SKILL.md

/exploit - Exploit Generation

Generate exploit templates and payloads for identified vulnerabilities.

Usage

code
/exploit <vulnerability_type> [options]

Vulnerability Types

Buffer Overflow

code
/exploit buffer-overflow
/exploit bof

Generate pwntools template with:

  • Offset finding (cyclic pattern)
  • Return address overwrite
  • Shellcode or ROP chain placeholder

Format String

code
/exploit format-string
/exploit fmt

Generate template with:

  • Leak stack addresses
  • Arbitrary write primitives
  • GOT overwrite helpers

Heap Exploitation

code
/exploit heap
/exploit use-after-free
/exploit double-free

Generate template with:

  • Heap layout manipulation
  • Tcache/fastbin attack structures
  • House of X techniques

ROP Chain

code
/exploit rop
/exploit ret2libc

Generate template with:

  • Gadget finding
  • Libc leak
  • System/execve chain

SQL Injection

code
/exploit sqli

Generate payloads for:

  • Union-based
  • Boolean-based blind
  • Time-based blind
  • Error-based

XSS

code
/exploit xss

Generate payloads for:

  • Reflected XSS
  • Stored XSS
  • DOM-based XSS

SSTI

code
/exploit ssti

Generate payloads for:

  • Jinja2
  • Twig
  • Freemarker

Instructions

When the user invokes /exploit:

  1. Identify the vulnerability type from the argument

  2. Load the appropriate template from templates/

  3. Customize based on context:

    • If binary exists, extract addresses/offsets
    • If architecture known, adjust payload
    • If protections known, adapt technique
  4. Generate exploit script with:

    • Clear comments explaining each step
    • Debug helpers (gdb attach, logging)
    • Local and remote modes
    • Error handling
  5. Save to exploits/ directory with descriptive name

Template Structure

All exploit templates should include:

python
#!/usr/bin/env python3
"""
Exploit: <challenge_name>
Type: <vulnerability_type>
Author: Generated by CTF Solver
"""

from pwn import *

# Configuration
BINARY = './challenge'
HOST = 'host'
PORT = 1337

# Setup
context.binary = ELF(BINARY)
context.log_level = 'debug'  # Change to 'info' for cleaner output

def exploit(io):
    """Main exploitation logic"""
    # TODO: Implement exploit
    pass

if __name__ == '__main__':
    if args.REMOTE:
        io = remote(HOST, PORT)
    elif args.GDB:
        io = gdb.debug(BINARY, '''
            break main
            continue
        ''')
    else:
        io = process(BINARY)

    exploit(io)
    io.interactive()

Output

After generating:

  1. Display the exploit code
  2. Explain key sections
  3. Provide usage instructions:
    bash
    python exploit.py          # Local
    python exploit.py REMOTE   # Remote
    python exploit.py GDB      # Debug