Exploit Development

Domain: exploit-dev

Binary exploit development domain providing ROP/JOP gadget search, shellcode encoding, mitigation detection, and offset calculation.

Profiles

  • full

Typical scenarios

  • ROP chain building
  • Shellcode encoding and obfuscation
  • Binary protection detection
  • Buffer overflow offset calculation

Common combinations

  • exploit-dev + binary-instrument
  • exploit-dev + memory

Full tool list (20)

| Tool | Description |
|------|-------------|
| exploit_find_gadgets | Search for ROP/JOP/COP/COOP gadgets in a binary file. Returns addresses, instructions, and bytes for each gadget. Supports filtering by regex pattern and gadget type. User must provide target binary. |
| exploit_build_rop_chain | Construct a ROP chain for a specified goal (execve, write_memory, call_function). Automatically searches for required gadgets and chains them. Returns hex chain and gadget list. User must provide command/address/function as needed. |
| exploit_encode_shellcode | Encode shellcode to avoid bad characters or detection. Supports alphanumeric, unicode, XOR, and fnstenv encodings. Returns encoded shellcode and decoder stub. User must provide raw shellcode. |
| exploit_analyze_mitigations | Detect binary security mitigations (NX/DEP, PIE/ASLR, stack canary, RELRO, FORTIFY_SOURCE). Returns boolean flags for each protection. |
| exploit_calculate_offsets | Calculate buffer overflow offset from crash value and De Bruijn pattern. Used to determine exact EIP/RIP overwrite offset. |
| exploit_generate_pattern | Generate De Bruijn sequence for offset finding. Every 4-byte substring is unique, allowing precise offset calculation from crash dumps. |
| exploit_find_jmp_esp | Find "jmp esp" / "call esp" style gadgets for stack pivoting. Searches for jump/call instructions targeting a specific register. |
| exploit_cache_stats | Get exploit-dev cache statistics including hit rate, memory usage, and entry count. Used for performance monitoring and cache tuning. |
| exploit_cache_clear | Clear all cached exploit-dev results. Use when binaries have been modified or to free memory. |
| exploit_cache_configure | Update exploit-dev cache configuration (TTLs, memory limits, enable/disable). Changes take effect immediately. |
| exploit_build_heap_spray | Generate heap spray payload for predictable heap layout. Supports V8 (ArrayBuffer), IE (BSTR), and generic (ArrayBuffer) spray targets. Returns spray code, allocation count, and predictability score. |
| exploit_build_format_string | Generate format string exploit payload for arbitrary write. Uses %hn (2-byte) writes for reliability. Returns hex payload and reliability assessment. |
| exploit_solve_constraints | Solve a system of constraints using the Z3 SMT solver. Each constraint is a JavaScript-like boolean expression (e.g. "x > 10", "y <= 20", "x + y < 100"). Constraints are conjunctive (AND-ed together). Supports int, real, bool, and bitvec variable types. Returns sat/unsat/unknown plus an optional model with variable assignments when SAT. Use this for ROP gadget verification, opaque predicate inversion, and general constraint solving. |
| exploit_verify_rop_chain | Verify a user-supplied ROP chain against an exploit goal using Z3. Decodes the hex chain into gadget addresses, matches each to a known gadget, simulates the register effects, and checks whether the final state satisfies the goal (e.g. execve syscall registers, write_memory address/value, call_function ABI args). Use this to audit hand-crafted or third-party ROP chains before use. Returns valid flag, decoded chain, final register state, violations, and warnings. |
| exploit_generate_egghunter | Generate egghunter shellcode for constrained buffer sizes. An egghunter searches process memory for a 4-byte "egg" tag (repeated twice) and jumps to the real shellcode following it. Supports Linux x86 access(2)-based and Windows SEH-based egghunters. Reference: skape, "Safely Searching Process Virtual Address Space" (2004). |
| exploit_build_stack_pivot | Find and assemble stack pivot gadgets from a binary. Stack pivots redirect the stack pointer (ESP/RSP) to a controlled buffer, enabling ROP chains when limited stack space is available. Detects xchg(add/sub/mov,sp), push/pop(sp), leave, and add sp,N pivot patterns. |
| exploit_cache_invalidate | Invalidate cached exploit-dev results for a specific binary (by path). Computes the binary hash and removes all matching cache entries. Call without binaryPath to clear the entire cache. Use when binaries have been recompiled or modified. |
| exploit_build_jop_chain | Build a JOP (Jump-Oriented Programming) chain from binary gadgets. JOP bypasses CFI by chaining gadgets via an indirect-jump dispatcher (e.g. jmp [rax]) instead of ret. Discovers dispatcher candidates, groups functional gadgets by dispatch register, and assembles a chain that covers the specified goal constraints. Also supports COP (Call-Oriented) and COOP (Counterfeit Object-Oriented) chains. |
| exploit_discover_one_gadget | Discover one-gadget (single-address shell-spawning) offsets for common libc versions. First checks a built-in database (glibc 2.23/2.27/2.31/2.35/2.39 for x64/x86, musl 1.2), then falls back to heuristic binary scanning for custom libcs. Returns offsets with constraints (e.g. "[rsp+0x70] == NULL") that must be satisfied for the one-gadget to work. Also lists all known libc identities when called with listKnown=true. |
| exploit_generate_pwntools | Generate a pwntools-compatible Python exploit script (exploit.py). Accepts ROP chain data, JOP chain data, shellcode payload, or one-gadget offset and emits a ready-to-run script with proper ELF loading, remote/local I/O setup, and payload assembly. Templates: io, rop, shellcode, ret2libc, format. |

Released under AGPL-3.0-only