Practical starter toolkit for binary exploitation (pwn) and kernel exploitation (kernel pwn) workflows.
setup.sh: bootstraps local command symlinks into~/.local/binscripts/krun.sh: flexible QEMU launcher for kernel challengesscripts/kfs.sh: unpack/inject/repack helper forrootfs.cpio(.gz)scripts/ksend.py: upload a local exploit binary to a remote shell over TCPscripts/extract-vmlinux: extract uncompressedvmlinuxfrom a kernel imagekexp/: minimal C kernel exploit template + Makefilepwninit/: vendoredpwninitsource (built bysetup.shif Cargo is available)
Minimum tools (depending on what you use):
bash/sh,gcc,makepython3andpwntools(forksend.py)qemu-system-x86_64(forkrun.sh)cpio,gzip,find(forkfs.sh)file,readelf, and decompression tools likegunzip/unxz/unzstd(forextract-vmlinux)cargo(optional, to build localpwninit)pipx(optional, forvmlinux-to-elfinstall in setup)
./setup.shWhat setup.sh does:
- Builds
pwninitin release mode ifcargoexists. - Links built
pwninitto~/.local/bin/pwninit. - Links all files in
./scriptsto~/.local/bin/<script-name>. - Tries to install
vmlinux-to-elfviapipx.
If ~/.local/bin is not in your PATH, add it in your shell config.
To use explib in generated ex.py templates:
pip install -e .# in a challenge directory
pwninitThis usually patches the binary, fetches compatible loader artifacts, and generates a ex.py skeleton.
- Launch VM:
krun.sh --kernel ./bzImage --initrd ./rootfs.cpio.gz --nokaslr- Build exploit template:
cd kexp
make release # builds ./ex
# or: make debug / make static- Inject exploit into initramfs:
kfs.sh inject --archive ./rootfs.cpio.gz --exploit ./kexp/ex --dest /tmp/exploit- Reboot VM and run
/tmp/exploitinside guest.
krun.sh [options]Common options:
--kernel PATH--initrd PATH(--rootfsalias)--mem 256M--nokaslr --nopti --nosmep --nosmap--append "extra kernel cmdline"--no-gdb(disable QEMU gdb stub)
kfs.sh unpack [--archive FILE] [--workdir DIR] [--force]
kfs.sh inject --exploit FILE [--dest /tmp/exploit] [--archive FILE] [--workdir DIR] [--no-repack]
kfs.sh repack [--archive FILE] [--workdir DIR]Defaults:
- archive auto-detect:
./rootfs.cpio.gzthen./initramfs.cpio.gz - workdir:
./.ramfs-work - extracted root:
<workdir>/rootfs
ksend.py <host> <port> <file>It uploads <file> to remote /tmp/exploit using base64 chunks, then sets executable bit.
Note: current implementation expects remote shell prompt to be $ .
extract-vmlinux <kernel-image> > vmlinuxInside kexp/:
make help
make release # ex
make debug # ex_dbg (with utils/hexdump)
make static # static ex
make cleanDefault device path in template is:
#define DEVICE_PATH "/dev/vuln"Adjust it for your target challenge.
- This repository is intentionally minimal and meant to be adapted per challenge.
- You can use scripts directly (
./scripts/...) or via symlinks after running./setup.sh.