SKILL: Exploit Development

Metadata

• Skill Name: exploit-development
• Folder: offensive-exploit-development
• Source: https://github.com/SnailSploit/offensive-checklist/blob/main/development.md

Description

Exploit development operational guide: environment setup, debugging workflow, PoC development lifecycle, writing reliable exploits, using pwntools/pwndbg, heap exploitation techniques, and weaponization considerations. Use when actively developing exploits or setting up an exploit dev environment.

Trigger Phrases

Use this skill when the conversation involves any of: exploit development, pwntools, pwndbg, heap exploitation, PoC development, exploit reliability, weaponization, debugging workflow, exploit dev environment

Instructions for Claude

When this skill is active:

1. Load and apply the full methodology below as your operational checklist
2. Follow steps in order unless the user specifies otherwise
3. For each technique, consider applicability to the current target/context
4. Track which checklist items have been completed
5. Suggest next steps based on findings

---------------- | --------------------------------- | ------------------------------ | ----------------------------------------------------------- | | DEP / NX | All major OSes | Code execution in data pages | ROP/JOP pivot to RWX or change page permissions | | ASLR | All | Base‑address disclosure | Info leak + partial overwrite / brute‑force | | CFG (v1) | Windows 8.1+ | Indirect calls integrity | Abuse writable/exempt module, ret‑slide into target | | CET Shadow Stack | Windows 10 2004+, Linux 6.1 (x86) | Return‑address integrity | Disable CET (SetProcessMitigationPolicy) or pivot via JOP | | XFG | Windows 11 22H2+ | Indirect‑call target integrity | Use JOP gadgets or stub out guard function section | | GuardEHContinuation | Windows 11 24H2 (x64) | SEH overwrite attempts | JOP stub into verified handler region | | MTE | Android 14+, Linux 6.8 (ARM64) | Heap/stack OOB & UAF | Tag brute‑force or TAGSYNC alias | | CIG / ACG | Windows 10+ | Unsigned code / RWX pages | Map signed RWX driver or relocate section |

Testing & Refinement

Exit Criteria

• Exploit succeeds on clean target VM snapshot.
• No unintended crashes after execution; system remains stable.
• Execution time ≤ 30 seconds (tune per target).
• CI replay job in .github/workflows/exploit.yml passes.
• Regression corpus added to fuzzing seed set.

Quick‑start

• Replay script: scripts/repro.sh
• rr recording helper: scripts/record_rr.py
• Coverage diff helper: tools/afl_cov_compare.py

Debugging Techniques

• Strategic use of debuggers to analyze vulnerable applications
• Tracing execution flow and memory states
• Identifying exploitation opportunities

WinDbg Commands

For SEH exploitation:

# exception data will be inside TEB under NtTib->ExceptionList
dt nt!_TEB

# getting the <exp_addr> of exceptionlist
!teb

# getting the first item in the exception handler linked list, continue to see them using the `Next` param
# the last item should be `ntdll!FinalExceptionHandlerPad`
dt _EXCEPTION_REGISTRATION_RECORD <exp_addr>

# getting more information about the exception
!exchain

# setting a breakpoint on the exceution handler
bp ntdll!ExecuteHandler2

# see what is execution handler doing(use it to identify exploitation point in buffer)
u @eip L11

# to identify bad pods, execute till eip is yours, then
# repeat the process several times to identify all bad chars
dds esp L5 # identify second argument
db <second_argument>

# finding a pop/pop/ret
.load wdbgext
!wdbgext.modlist
lm m <module_without_dep_aslr_safeseh>
$><G:\Projects\poppopret.wds
u <first_adr_found> L3
# we need to create a short jump in our shellcode

# looking for our shellcode
!exchain
bp <adr>
g
# run the following till after your short jump
t
!teb
s -b <stack_limit> <stack_base> 90 90 90 90 43 43 43 43 43 43 43 43
dd <shellcode_adr> L65
? <shellcode_adr> - <current_esp>

For general WinDbg commands:

# finding out a suitable jump stub
lm m syncbrs # to get start <addr> of a module named syncbrs
dt ntdll!_IMAGE_DOS_HEADER <addr> # to get e_lfanew that has the offset to PE header
? <pe_header> # to get the hex addr
dt ntdll!_IMAGE_NT_HEADERS64 <addr>+<pe_hex_header> # to get image optional header
dt ntdll!_IMAGE_OPTIONAL_HEADER64 <addr>+<pe_hex_header>+<pe_optional_header> # to get DllCharachteristics
# you can automate this using process explorer or process hacker
# find an executable or module without DEP, ASLR
lm m libspp.dll # get the base address of the suitable module you found previously
s -b <mod_start_addr> <mod_end_addr> 0xff 0xe4 # find `jmp $esp` inside that module
# make sure the address doesn't contain bad chars
u <jmp_esp_addr> # to confirm
bp <jmp_esp_addr>
# override eip with jmp_esp_addr to force the program to jump to esp after buffer overflow
t
dc eip L4 # you should see the rest of your shellcode here

# checking which process we're currently in
!process @@(@$prcb->CurrentThread->ApcState.Process) 0

For UAF debugging:

# HEAP information
!heap -s # to print heap information
dt _HEAP <heap_addr> # to print infromation regarding a heap
dt _LFH_HEAP <heap_addr> # to print information about a low fragmentation header heap

# Identifying UAF location
# attach to crashed application, identify the name of function that crashed
uf <crashed_function_name> # to see the function
dd rcx  # to checkout what got filled, replace rcx with the register name from above
dt _DPH_BLOCK_INFORMATION rcx-20 # usefull information
!heap -p -a rcx # call stack information, what led to this object being freed

Reproducibility & CI

Modern exploit chains should replay deterministically in CI so regressions are caught quickly.

GitHub Actions snippet

name: exploit-regression
on: [push, pull_request]
jobs:
  replay:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build target container
        run: docker build -t vulnapp ./docker
      - name: Run exploit replay
        run: scripts/repro.sh --ci --target vulnapp

Tested‑With Tool Matrix

[!TIP] Keep this matrix in each PoC directory so future contributors can reproduce results exactly.

Special Topics

Kernel Exploitation

Goals

Privilege Escalation

• Get SYSTEM Level Permissions
  • Steal the system token (find and copy the system token PID 4 and replace your own token )
  • Patch privileges
  • sideload legitimately signed but vulnerable drivers, then exploit IOCTL write‑what‑where to disable security features or gain kernel R/W.

Code Execution

• Put unsigned code into the kernel via signed code
  • Modify kernel objects and structures
  • Pretend to be a driver
  • Don't upset Patch Guard

Environment Setup

• Check out Windows Kernel Exploitation for a detailed guide on setting up a kernel debugging environment

Modern Exploitation

• Check out Modern Samples for real-world examples
• For EDR evasion techniques, see EDR

Memory‑Safe Language Exploits (Rust / Go / Swift)

• unsafe blocks: Vec::from_raw_parts, std::ptr::copy_nonoverlapping, and mem::transmute misuse.
• FFI boundary bugs when calling into C libraries (size mismatch, lifetime errors).
• UB‑triggered out‑of‑bounds in WASM runtimes compiled from Rust.

Browser Exploitation

• V8 TurboFan / Ignition JIT type‑confusion patterns and inline‑cache poisoning.
• Sandbox escapes via Mojo/IPC race conditions and shared‑memory UAFs.
• Site‑Isolation info‑leak techniques to defeat renderer‑process ASLR.

Hypervisor & Container Exploitation

• VMware Vmxnet3, Hyper‑V enlightened IOMMU bugs, and QEMU vhost‑user integer overflows.
• runC / CRI‑O escape using malformed seccomp filters or WASM shims.
• Windows VBS disable paths through registry or vulnerable driver injection.

Mobile Exploitation (iOS / Android)

• iOS Pointer Authentication Code (PAC) bypass using JOP chains and ptrauth_sign_unauthenticated.
• ARM Memory Tagging Extension (MTE) "sloppy‑tag" brute force and speculative TikTag leaks raise bypass reliability to ≈ 95 % on Android 14+; prepare a fallback ROP/JOP chain.
• Binder and ION heap UAF primitives for privilege escalation.

Apple Silicon (M1/M2/M3/M4) Exploitation

Modern Apple Silicon devices introduce unique security features and attack surfaces requiring specialized techniques.

Hardware Security Features

• Pointer Authentication Code (PAC)

  • PACIA/PACIB instructions create cryptographic signatures for return addresses and function pointers
  • Bypass techniques: JOP chains using AUTIA/AUTIB gadgets, ptrauth_sign_unauthenticated abuse, speculative PAC oracle attacks
  • Key management via APIAKey and APIBKey in system registers

• Memory Tagging Extension (MTE)

  • 4‑bit tags in upper address bits provide spatial and temporal memory safety
  • Tag‑and‑sync bypass: craft adjacent allocations with predictable tag patterns
  • Speculative tag leaks: use micro‑architectural side‑channels to read tag values

• Hypervisor.framework Exploitation

  • Type‑1 hypervisor running at EL2 with guest VMs at EL1
  • Attack surface: virtio device emulation, memory mapping hypercalls, interrupt injection
  • Guest‑to‑host escape: corrupt VTCR_EL2 stage‑2 translation tables or abuse SMCCC interface

macOS‑Specific Attack Vectors

• XPC Service Exploitation

  • Mach message parsing vulnerabilities in system services
  • Privilege escalation: target com.apple.security.syspolicy or com.apple.windowserver for TCC bypass
  • Race conditions: exploit concurrent XPC message handling in multi‑threaded services

• Kernel Extension Loading

  • System Integrity Protection (SIP) and Kernel Integrity Protection (KIP) bypass
  • Technique: abuse signed third‑party kexts with write‑what‑where primitives
  • Post‑exploitation: disable SMEP/SMAP via SCTLR_EL1 manipulation

• iOS/iPadOS Kernel Exploitation

  • Zone allocator corruption via IOSurface or AGXAccelerator drivers
  • Technique: heap feng‑shui with predictable allocation patterns in kalloc.16 or kalloc.32 zones
  • Sandbox escape: corrupt task port to gain host_special_port access

Debugging & Analysis Setup

# Enable SIP bypass for kernel debugging (requires physical access)
csrutil disable --without kext --without debug

# LLDB kernel debugging setup
sudo nvram boot-args="debug=0x141 kext-dev-mode=1 amfi_get_out_of_my_way=1"

# PAC analysis with jtool2/iOS App Store extraction
jtool2 -d __TEXT.__text binary | grep -E "(PACIA|PACIB|AUTIA|AUTIB)"

# MTE tag analysis (requires iOS 16+ device with checkra1n/palera1n jailbreak)
ldid -S entitlements.plist target_binary  # Add get-task-allow for debugging

Mitigation Matrix (Apple Silicon)

Micro‑architectural & Speculative‑Execution Attacks

• Latest side‑channels: Retbleed, Downfall, Zenbleed, Inception (SRSO), SQUIP.
• Info‑leak primitives to derandomize ASLR or read kernel memory from user space.
• Mitigations: IBPB, IBRS, and fine‑grained hardware fences.

eBPF & I/O Ring Kernel Primitives

• Craft verifier‑confusion jumps to obtain out‑of‑bounds read/write in eBPF JIT.
• Use Windows I/O Ring urb‑array double fetch to write kernel pointers.
• Post‑exploitation: pivot from arbitrary write to token‑stealing or privilege escalation.

Firmware & UEFI Exploitation

• DXE driver relocation overflows and SMM call‑gate confusion for persistence.
• Exploiting capsule updates to downgrade firmware protections.
• Detecting and disabling Secure Boot from within UEFI runtime services.