write-exploit

Exploit Development Loop

Write exploits iteratively — run, observe, fix, repeat until the flag drops.

Workflow

  1. Understand the vulnerability — Read challenge source/binary analysis first
  2. Write initial exploit — Start simple, add complexity as needed
  3. Test against target — Run locally first, then remote
  4. Debug failures — Read output carefully, add debug prints, check assumptions
  5. Iterate — Fix and re-run until flag captured
  6. Clean up — Save working exploit as `solve.py`, flag to `flag.txt`

Exploit Templates

Binary Exploitation (pwntools)

```python
#!/usr/bin/env python3
from pwn import *

context.binary = elf = ELF('./binary')
context.log_level = 'debug'

def conn():
    # HOST and PORT are placeholders: fill in from the challenge description
    if args.REMOTE:
        return remote('HOST', PORT)
    return process('./binary')

io = conn()

# === EXPLOIT HERE ===

io.interactive()
```

Web Exploitation (requests)

```python
#!/usr/bin/env python3
import requests
import sys

TARGET = sys.argv[1] if len(sys.argv) > 1 else 'http://localhost:8080'
s = requests.Session()

# === EXPLOIT HERE ===
flag = None  # set this from the response once the exploit works

print(f"FLAG: {flag}")
```

Crypto Solve Script

```python
#!/usr/bin/env python3
from Crypto.Util.number import *
from pwn import *

# === GIVEN VALUES ===

# === SOLVE ===
# compute the plaintext integer m here

flag = long_to_bytes(m)
print(f"FLAG: {flag.decode()}")
```

Pwntools Remote Interaction

```python
#!/usr/bin/env python3
from pwn import *

# HOST and PORT are placeholders: fill in from the challenge description
io = remote('HOST', PORT)

# Read until prompt
io.recvuntil(b'> ')

# Send payload (a bytes object built by the exploit section)
io.sendline(payload)

# Get response
response = io.recvline()
print(f"Response: {response}")

# Interactive mode for shell
io.interactive()
```

Debug Tips

  • Use `context.log_level = 'debug'` for full pwntools traffic
  • Add `print(f"[*] payload: {payload.hex()}")` before sends
  • Use `io.recv(timeout=2)` to see unexpected output
  • Check `io.can_recv()` before blocking reads
  • Use `gdb.attach(io)` for local debugging with breakpoints
  • For web: `print(r.status_code, r.text[:500])` after every request

Common Pitfalls

  • Wrong endianness: Use `p64()` for little-endian, `p64(val, endian='big')` for big
  • Newline issues: `sendline()` adds `\n`, `send()` doesn't — know which the server expects
  • Timing: Add `sleep(0.5)` between sends if server is slow
  • Encoding: Web payloads may need URL encoding, base64, or hex
  • Stack alignment: x86-64 needs 16-byte alignment — add extra `ret` gadget
  • Python 2 vs 3: pwntools works with bytes in Python 3 — use `b"string"` not `"string"`
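As an added example (not part of the original template set), plain-Python stand-ins for the pwntools packing and send helpers named in the pitfalls above, using only the standard library `struct` module so the byte-level effect of each pitfall can be checked offline; `pack`, `unpack` and `frame` are names chosen here, and the address is a constructed sample.

```python
#!/usr/bin/env python3
# Added example, not from the original page: stdlib equivalents of the pwntools
# helpers referred to above (p64/u64 and sendline/send), for offline checks.
import struct

_FMT = {64: "Q", 32: "I", 16: "H"}

def pack(val: int, bits: int = 64, endian: str = "little") -> bytes:
    """Like pwntools p64/p32/p16: little-endian unless endian='big'."""
    if endian not in ("little", "big"):
        raise ValueError("endian must be 'little' or 'big'")
    if not 0 <= val < (1 << bits):
        raise ValueError(f"value does not fit in {bits} bits")
    return struct.pack(("<" if endian == "little" else ">") + _FMT[bits], val)

def unpack(data: bytes, bits: int = 64, endian: str = "little") -> int:
    """Inverse of pack(); like pwntools u64/u32/u16 on the first bits//8 bytes."""
    size = bits // 8
    if len(data) < size:
        raise ValueError(f"need {size} bytes, got {len(data)}")
    fmt = ("<" if endian == "little" else ">") + _FMT[bits]
    return struct.unpack(fmt, data[:size])[0]

def frame(payload: bytes, line: bool = True) -> bytes:
    """Mimic sendline() (line=True appends b'\\n') vs send() (line=False).
    Rejects str so the bytes-vs-str pitfall fails loudly before anything is sent."""
    if not isinstance(payload, (bytes, bytearray)):
        raise TypeError("payload must be bytes: use b'string', not 'string'")
    return bytes(payload) + (b"\n" if line else b"")

if __name__ == "__main__":
    addr = 0x401136  # constructed sample address, not a real target value
    print("little-endian:", pack(addr).hex())
    print("big-endian:   ", pack(addr, endian="big").hex())
    print("round trip:   ", hex(unpack(pack(addr))))
    print("sendline:", frame(b"A" * 8))
    print("send:    ", frame(b"A" * 8, line=False))
```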

Iteration Pattern

1. Write exploit → run → "Connection refused"
   Fix: Check host/port, is service up?

2. Write exploit → run → "EOF in recv"
   Fix: Server closed connection — payload crashed it. Check offsets.

3. Write exploit → run → wrong output
   Fix: Add debug prints, check each step's output matches expectation.

4. Write exploit → run → "flag{...}"
   Done! Save to flag.txt

Target

$ARGUMENTS