Exploit Development
Domain: exploit-dev
Binary exploit development domain providing ROP/JOP gadget search, shellcode encoding, mitigation detection, and offset calculation.
Profiles
- full
Typical scenarios
- ROP chain building
- Shellcode encoding and obfuscation
- Binary protection detection
- Buffer overflow offset calculation
Common combinations
- exploit-dev + binary-instrument
- exploit-dev + memory
Full tool list (20)
| Tool | Description |
|---|---|
| exploit_find_gadgets | Search for ROP/JOP/COP/COOP gadgets in a binary file. Returns addresses, instructions, and bytes for each gadget. Supports filtering by regex pattern and gadget type. User must provide target binary. |
| exploit_build_rop_chain | Construct a ROP chain for a specified goal (execve, write_memory, call_function). Automatically searches for required gadgets and chains them. Returns hex chain and gadget list. User must provide command/address/function as needed. |
| exploit_encode_shellcode | Encode shellcode to avoid bad characters or detection. Supports alphanumeric, unicode, XOR, and fnstenv encodings. Returns encoded shellcode and decoder stub. User must provide raw shellcode. |
| exploit_analyze_mitigations | Detect binary security mitigations (NX/DEP, PIE/ASLR, stack canary, RELRO, FORTIFY_SOURCE). Returns boolean flags for each protection. |
| exploit_calculate_offsets | Calculate buffer overflow offset from crash value and De Bruijn pattern. Used to determine exact EIP/RIP overwrite offset. |
| exploit_generate_pattern | Generate De Bruijn sequence for offset finding. Every 4-byte substring is unique, allowing precise offset calculation from crash dumps. |
| exploit_find_jmp_esp | Find "jmp esp" / "call esp" style gadgets for stack pivoting. Searches for jump/call instructions targeting a specific register. |
| exploit_cache_stats | Get exploit-dev cache statistics including hit rate, memory usage, and entry count. Used for performance monitoring and cache tuning. |
| exploit_cache_clear | Clear all cached exploit-dev results. Use when binaries have been modified or to free memory. |
| exploit_cache_configure | Update exploit-dev cache configuration (TTLs, memory limits, enable/disable). Changes take effect immediately. |
| exploit_build_heap_spray | Generate heap spray payload for predictable heap layout. Supports V8 (ArrayBuffer), IE (BSTR), and generic (ArrayBuffer) spray targets. Returns spray code, allocation count, and predictability score. |
| exploit_build_format_string | Generate format string exploit payload for arbitrary write. Uses %hn (2-byte) writes for reliability. Returns hex payload and reliability assessment. |
| exploit_solve_constraints | Solve a system of constraints using the Z3 SMT solver. Each constraint is a JavaScript-like boolean expression (e.g. "x > 10", "y <= 20", "x + y < 100"). Constraints are conjunctive (AND-ed together). Supports int, real, bool, and bitvec variable types. Returns sat/unsat/unknown plus an optional model with variable assignments when SAT. Use this for ROP gadget verification, opaque predicate inversion, and general constraint solving. |
| exploit_verify_rop_chain | Verify a user-supplied ROP chain against an exploit goal using Z3. Decodes the hex chain into gadget addresses, matches each to a known gadget, simulates the register effects, and checks whether the final state satisfies the goal (e.g. execve syscall registers, write_memory address/value, call_function ABI args). Use this to audit hand-crafted or third-party ROP chains before use. Returns valid flag, decoded chain, final register state, violations, and warnings. |
| exploit_generate_egghunter | Generate egghunter shellcode for constrained buffer sizes. An egghunter searches process memory for a 4-byte "egg" tag (repeated twice) and jumps to the real shellcode following it. Supports Linux x86 access(2)-based and Windows SEH-based egghunters. Reference: skape, "Safely Searching Process Virtual Address Space" (2004). |
| exploit_build_stack_pivot | Find and assemble stack pivot gadgets from a binary. Stack pivots redirect the stack pointer (ESP/RSP) to a controlled buffer, enabling ROP chains when limited stack space is available. Detects xchg/add/sub/mov with sp, push/pop sp, leave, and add sp,N pivot patterns. |
| exploit_cache_invalidate | Invalidate cached exploit-dev results for a specific binary (by path). Computes the binary hash and removes all matching cache entries. Call without binaryPath to clear the entire cache. Use when binaries have been recompiled or modified. |
| exploit_build_jop_chain | Build a JOP (Jump-Oriented Programming) chain from binary gadgets. JOP bypasses CFI by chaining gadgets via an indirect-jump dispatcher (e.g. jmp [rax]) instead of ret. Discovers dispatcher candidates, groups functional gadgets by dispatch register, and assembles a chain that covers the specified goal constraints. Also supports COP (Call-Oriented) and COOP (Counter-Object Oriented) chains. |
| exploit_discover_one_gadget | Discover one-gadget (single-address shell-spawning) offsets for common libc versions. First checks a built-in database (glibc 2.23/2.27/2.31/2.35/2.39 for x64/x86, musl 1.2), then falls back to heuristic binary scanning for custom libcs. Returns offsets with constraints (e.g. "[rsp+0x70] == NULL") that must be satisfied for the one-gadget to work. Also lists all known libc identities when called with listKnown=true. |
| exploit_generate_pwntools | Generate a pwntools-compatible Python exploit script (exploit.py). Accepts ROP chain data, JOP chain data, shellcode payload, or one-gadget offset and emits a ready-to-run script with proper ELF loading, remote/local I/O setup, and payload assembly. Templates: io, rop, shellcode, ret2libc, format. |