pwntools Payload Builder (p32 / p64)

Three operations every binary exploitation challenge needs: pack an address into little-endian bytes, unpack the bytes you saw at crash time, and flat, which builds a padded payload with arbitrary insertions at known offsets. Output as raw hex or as a Python b'...' literal you can drop straight into your exploit script.

Hex bytes: ef be ad de 00 00 00 00
Python literal: b'\xef\xbe\xad\xde\x00\x00\x00\x00'
Continuous hex: efbeadde00000000

Why little-endian

x86 and x86_64 store multi-byte integers low byte first in memory. When you find a gadget at 0x4011a6, you write it into your buffer as the bytes a6 11 40 00 on x86 (32-bit) or a6 11 40 00 00 00 00 00 on x86_64 (64-bit). Forgetting the byte order is the most common cause of mysteriously wrong-looking RIPs in pwn challenges.

The flat-payload mode is the equivalent of pwntools flat({offset: payload}): it fills a buffer with a filler byte (default A), inserts your payload bytes at the offsets you give, and pads to a final length. Use it to build the canonical ret2win payload - junk to the saved RIP, then the address of the win function.
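
The three operations described above, as an added example that is not this tool's code or pwntools itself: it uses only Python's struct module, and the helper names, the offset of 40 and the 64-byte length are constructed for illustration.

```python
import struct

FMT = {32: "<I", 64: "<Q"}  # little-endian unsigned 32-bit / 64-bit

def pack(value, bits=64):
    """Integer -> little-endian bytes (what p32/p64 give on a little-endian context)."""
    return struct.pack(FMT[bits], value)

def unpack(data, bits=64):
    """Little-endian bytes -> integer (what u32/u64 give on a little-endian context)."""
    return struct.unpack(FMT[bits], data)[0]

def flat(inserts, length=None, filler=b"A"):
    """Fill with `filler`, place each chunk at its offset, pad to `length`."""
    if len(filler) != 1:
        raise ValueError("filler must be a single byte")
    end = max((off + len(chunk) for off, chunk in inserts.items()), default=0)
    if length is None:
        length = end
    if end > length:
        raise ValueError("insert runs past the final length")
    buf = bytearray(filler * length)
    covered = 0
    for off, chunk in sorted(inserts.items()):
        if off < covered:  # also rejects negative offsets
            raise ValueError(f"insert at offset {off} overlaps the previous one")
        buf[off:off + len(chunk)] = chunk
        covered = off + len(chunk)
    return bytes(buf)

def as_hex(data):
    """Space-separated hex bytes, e.g. 'a6 11 40 00'."""
    return data.hex(" ")

def as_literal(data):
    """Python bytes literal with every byte escaped."""
    return "b'" + "".join(f"\\x{b:02x}" for b in data) + "'"

if __name__ == "__main__":
    addr = 0x4011a6   # address used in the text above
    offset = 40       # constructed offset, not taken from the page
    payload = flat({offset: pack(addr)}, length=64)
    print(as_hex(pack(addr, 32)))                  # 32-bit form
    print(as_hex(pack(addr, 64)))                  # 64-bit form
    print(as_literal(payload[offset:offset + 8]))  # bytes placed at the offset
    print(hex(unpack(payload[offset:offset + 8]))) # round-trip back to the integer
```

Rejecting overlapping or out-of-range inserts catches a wrong offset before the buffer is ever sent.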

Need to find the offset first? Use the Cyclic Pattern Generator to send a unique pattern, crash the target, then look up where the corrupted RIP came from. Once you have a payload, view its raw bytes with the Hex Viewer to confirm alignment.