Share
## https://sploitus.com/exploit?id=6065899C-FAB9-52EE-898D-07466D8A90A9
```
_ _ ____
/ \ _ _| |_ ___ | _ \__ ___ __
/ _ \| | | | __/ _ \| |_) \ \ /\ / / '_ \
/ ___ \ |_| | || (_) | __/ \ V V /| | | |
/_/ \_\__,_|\__\___/|_| \_/\_/ |_| |_|
Autonomous CTF Pwn Solver
```
**AutoPwn** is a fully autonomous binary exploitation engine for CTF pwn challenges. Give it an ELF binary, and it will analyze vulnerabilities, craft exploits, and pop a shell -- no human interaction required.
> 66 / 112 challenges solved (58.9%) across mixed CTF datasets, fully automated.
---
## Features
- **Zero-click exploitation** -- point it at a binary, get a shell
- **6-phase analysis pipeline** -- static recon, white-box analysis, dynamic probing, path synthesis, exploit execution, and agent-guided retry
- **30+ exploit strategies** -- stack, heap, format string, shellcode, ROP, SROP, ret2libc, ret2csu, ret2dlresolve, and more
- **Adaptive agent loop** -- 11 observer-rule pairs detect patterns and retry with refined strategies when initial attempts fail
- **Bundled libc-database** -- automatic libc identification and offset resolution
- **Local and remote targets** -- works on local binaries and remote `host:port` services
## Quick Start
```bash
# Clone
git clone https://github.com/Lx-autopwn/AutoPwn.git
cd AutoPwn
# Install everything (Kali / Debian / Ubuntu)
chmod +x setup.sh && ./setup.sh
# Pwn
autopwn ./challenge
```
Or install manually:
```bash
pip install -e . # core (pwntools + ROPgadget)
pip install -e '.[full]' # + angr white-box engine
```
## Pipeline
AutoPwn processes each binary through six phases:
| Phase | Name | What it does |
|-------|------|--------------|
| 0 | **Load** | Parse ELF, resolve libc |
| 1 | **Recon** | checksec, strings, gadgets, GOT/PLT, seccomp rules |
| 2 | **White-box** | Decompile, CFG, taint analysis, vulnerability detection (requires angr) |
| 3 | **Dynamic** | Interaction probing, overflow offset, canary detection, heap tracing |
| 4 | **Synthesize** | Rank candidate exploit paths, build execution plan |
| 5 | **Exploit** | Execute strategies in priority order until shell is obtained |
| 6 | **Agent** | Observer-rule feedback loop retries with refined strategies |
## Exploit Strategies
Stack (9)
| Strategy | Description |
|----------|-------------|
| Ret2Win | Jump to win/flag function |
| Ret2Libc | Leak libc + system("/bin/sh") |
| Ret2Shellcode | Jump to injected shellcode |
| Ret2Syscall | execve via syscall gadgets |
| Ret2CSU | Universal ROP via __libc_csu_init |
| Ret2DlResolve | Forge relocation entries |
| SROP | Sigreturn-oriented programming |
| StackPivot | Migrate stack to controlled buffer |
| PartialOverwrite | Overwrite partial return address |
Heap (11)
| Strategy | Description |
|----------|-------------|
| TcachePoison | Tcache fd poisoning |
| TcacheSafe | Safe-linking bypass |
| FastbinDup | Fastbin double-free |
| HouseOfForce | Top chunk size overwrite |
| HouseOfSpirit | Fake chunk on stack |
| HouseOfEinherjar | Null byte off-by-one |
| HouseOfOrange | Unsorted bin attack |
| HouseOfApple | Wide data vtable hijack |
| UnsortedBin | Unsorted bin link corruption |
| LargeBin | Large bin attack |
| HeapBackdoor | Direct backdoor via heap menu |
Format String (1)
| Strategy | Description |
|----------|-------------|
| FmtString | Arbitrary read/write via format string |
Shellcode & Sandbox (5)
| Strategy | Description |
|----------|-------------|
| ShellcodeInject | Direct shellcode injection |
| MprotectShellcode | mprotect + shellcode |
| ORW | Open-Read-Write chain |
| ORWSendfile | sendfile-based exfiltration |
| SideChannel | Bit-by-bit flag leak |
Advanced (5)
| Strategy | Description |
|----------|-------------|
| CanaryBypass | Canary leak + overflow |
| GOTHijack | GOT overwrite to win |
| WriteWhatWhereGOT | Arbitrary write targeting GOT |
| FSOP | File stream oriented programming |
| CmdInject | Command injection in input handlers |
## Usage
```
autopwn [options]
positional arguments:
binary Path to target ELF binary
options:
-l, --libc LIBC Path to libc.so.6
-r, --remote HOST:PORT Remote target
-a, --analyze-only Analyze only, do not exploit
--glibc VERSION Specify glibc version (e.g., 2.31)
--strategy NAME Force a specific exploit strategy
--gen-script Generate standalone exploit script
--blackbox Skip white-box analysis
--no-agent Disable agent feedback loop
--max-rounds N Max agent retry rounds (default: 15)
--batch Non-interactive batch mode
-v, -vv Verbosity (info / debug)
--version Show version
```
### Examples
```bash
# Basic local exploit
autopwn ./vuln_binary
# Specify libc
autopwn ./vuln_binary -l ./libc.so.6
# Remote target
autopwn ./vuln_binary -r pwn.ctf.example:9999
# Analysis only (no exploit attempt)
autopwn ./vuln_binary -a
# Force specific strategy
autopwn ./vuln_binary --strategy ret2libc
# Fast mode (no angr, no agent)
autopwn ./vuln_binary --blackbox --no-agent
```
## Architecture
```
autopwn/
cli.py # CLI entry point
context.py # Shared analysis context
engine/
engine.py # 6-phase pipeline orchestrator
analysis/ # Static + dynamic analysis modules
exploit/
stack/ # 9 stack strategies
heap/ # 11 heap strategies
fmt/ # Format string exploits
shellcode/ # Shellcode + sandbox bypass
advanced/ # GOT hijack, FSOP, canary bypass
agent/
agent.py # PwnAgent retry loop
observer.py # 11 pattern observers
rules/ # 11 corrective rules
dynamic/ # Runtime interaction, menu detection
gadget/ # ROP gadget management
libc/ # libc resolution + one_gadget
libc-database/ # Bundled libc offset database
```
## Benchmark
Tested on 112 mixed CTF pwn challenges (beginner to intermediate):
| Metric | Value |
|--------|-------|
| Total solved | 66 / 112 (58.9%) |
| Stack exploits | Ret2Win, Ret2Libc, Ret2Shellcode, Ret2Syscall, ... |
| Heap exploits | Tcache, Fastbin, House-of-* family |
| Format string | Arbitrary read/write |
| Agent recoveries | +5 challenges rescued by observer-rule feedback |
### What it handles well
- Standard stack buffer overflows (with and without canary/PIE/NX)
- ret2libc with automatic libc leak + identification
- Format string read/write primitives
- Basic shellcode injection
- Simple menu-driven heap challenges
### Current limitations
- Complex heap exploitation (multi-step house-of-* techniques)
- Heavy reverse engineering requirements (encrypted input, custom encodings)
- C++ vtable exploitation
- Multi-stage interactions requiring domain-specific logic
- Challenges requiring brute force or timing attacks
## Requirements
- **OS**: Linux (Kali / Debian / Ubuntu recommended)
- **Python**: >= 3.11
- **Core**: pwntools, ROPgadget, GDB
- **Recommended**: angr (white-box analysis), one_gadget, seccomp-tools, radare2
## License
[MIT](LICENSE)