# /exploit - Exploit Generation

Generate exploit templates and payloads for identified vulnerabilities.

## Usage

```
/exploit <vulnerability_type> [options]
```
## Vulnerability Types

### Buffer Overflow

```
/exploit buffer-overflow
/exploit bof
```

Generates a pwntools template with:

- Offset finding (cyclic pattern)
- Return address overwrite
- Shellcode or ROP chain placeholder

### Format String

```
/exploit format-string
/exploit fmt
```

Generates a template with:

- Leak stack addresses
- Arbitrary write primitives
- GOT overwrite helpers

### Heap Exploitation

```
/exploit heap
/exploit use-after-free
/exploit double-free
```

Generates a template with:

- Heap layout manipulation
- Tcache/fastbin attack structures
- House of X techniques

### ROP Chain

```
/exploit rop
/exploit ret2libc
```

Generates a template with:

- Gadget finding
- Libc leak
- System/execve chain

### SQL Injection

```
/exploit sqli
```

Generates payloads for:

- Union-based
- Boolean-based blind
- Time-based blind
- Error-based

### XSS

```
/exploit xss
```

Generates payloads for:

- Reflected XSS
- Stored XSS
- DOM-based XSS

### SSTI

```
/exploit ssti
```

Generates payloads for:

- Jinja2
- Twig
- Freemarker
## Instructions

When the user invokes `/exploit`:

1. Identify the vulnerability type from the argument
2. Load the appropriate template from `templates/`
3. Customize based on context:
   - If binary exists, extract addresses/offsets
   - If architecture known, adjust payload
   - If protections known, adapt technique
4. Generate exploit script with:
   - Clear comments explaining each step
   - Debug helpers (gdb attach, logging)
   - Local and remote modes
   - Error handling
5. Save to `exploits/` directory with descriptive name
## Template Structure

All exploit templates should include:

```python
#!/usr/bin/env python3
"""
Exploit: <challenge_name>
Type: <vulnerability_type>
Author: Generated by CTF Solver
"""
from pwn import *

# Configuration
BINARY = './challenge'
HOST = 'host'
PORT = 1337

# Setup
context.binary = ELF(BINARY)
context.log_level = 'debug'  # Change to 'info' for cleaner output


def exploit(io):
    """Main exploitation logic"""
    # TODO: Implement exploit
    pass


if __name__ == '__main__':
    # pwntools parses bare KEY arguments (REMOTE, GDB) into `args`
    if args.REMOTE:
        io = remote(HOST, PORT)
    elif args.GDB:
        io = gdb.debug(BINARY, '''
        break main
        continue
        ''')
    else:
        io = process(BINARY)
    exploit(io)
    io.interactive()
```
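The dispatch side of the Instructions section (resolve the `/exploit` argument, pick a descriptive file name, write the skeleton header and configuration block from the Template Structure above into `exploits/`) as an added example; this is not the solver's own implementation. The alias table is taken from the command list on this page; the file-name scheme and the `render`/`save` helper names are assumptions.

```python
#!/usr/bin/env python3
"""Dispatcher for /exploit: map the argument to a template type, render the
skeleton header and config, and save it under exploits/ (example added here,
not the solver's own code)."""
import re
from pathlib import Path

# Alias table built from the /exploit command list on this page.
ALIASES = {
    "buffer-overflow": "buffer-overflow", "bof": "buffer-overflow",
    "format-string": "format-string", "fmt": "format-string",
    "heap": "heap", "use-after-free": "heap", "double-free": "heap",
    "rop": "rop", "ret2libc": "rop",
    "sqli": "sqli", "xss": "xss", "ssti": "ssti",
}

# Header and configuration block, mirroring the Template Structure section.
HEADER = ('#!/usr/bin/env python3\n"""\nExploit: {name}\nType: {vtype}\n'
          'Author: Generated by CTF Solver\n"""\n')
CONFIG = "from pwn import *\n\nBINARY = {binary!r}\nHOST = {host!r}\nPORT = {port}\n"


def resolve_type(arg: str) -> str:
    """Map '/exploit bof'-style arguments to a canonical template name."""
    key = arg.strip().lower()
    if key not in ALIASES:
        raise ValueError(f"unknown vulnerability type: {arg!r}")
    return ALIASES[key]


def script_name(challenge: str, vtype: str) -> str:
    """Descriptive, filesystem-safe file name (assumed scheme), e.g. ropme_v2_rop.py."""
    safe = re.sub(r"[^a-z0-9]+", "_", challenge.lower()).strip("_") or "challenge"
    return f"{safe}_{vtype.replace('-', '_')}.py"


def render(challenge: str, arg: str, binary="./challenge", host="host", port=1337) -> str:
    """Render the header and configuration block for one challenge."""
    vtype = resolve_type(arg)
    return HEADER.format(name=challenge, vtype=vtype) + CONFIG.format(
        binary=binary, host=host, port=port)


def save(challenge: str, arg: str, out_dir="exploits", **cfg) -> Path:
    """Write the rendered skeleton to <out_dir>/<name> and return the path."""
    path = Path(out_dir) / script_name(challenge, resolve_type(arg))
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(render(challenge, arg, **cfg))
    return path


if __name__ == "__main__":
    print(save("ropme v2", "ret2libc", host="ctf.example", port=31337))
```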
## Output

After generating:

- Display the exploit code
- Explain key sections
- Provide usage instructions:

```bash
python exploit.py         # Local
python exploit.py REMOTE  # Remote
python exploit.py GDB     # Debug
```