Logo
Published on

Arsenal Assembly: My Exploit Development Toolkit

Authors

Arsenal Assembly: My Exploit Development Toolkit

After years of building up my security research environment, I've settled on a toolkit that balances power with usability. Getting overwhelmed by the vast number of available tools is easy when you're starting out - most are command-line beasts with countless flags and options. Over time, I've learned that while different tools might accomplish the same task, some just do it better or more efficiently than others. The key is understanding how they work together.

My Tool Philosophy: Multi-Layered and Purposeful

When I first started diving into offensive security, the sheer number of available tools was overwhelming. But I've found that most tools solve specific problems, and building an effective toolkit is about understanding how different categories of tools complement each other.

exploit-dev-tools

Here's how I organize my approach:

tool_categories

Let me walk through each category and explain my specific choices.

Foundation Setup: Getting the Basics Right

Before diving into specialized tools, I always start with a solid development foundation:

sudo apt update && sudo apt full-upgrade -y
sudo apt install build-essential git curl wget python3-pip python3-venv -y
mkdir -p $HOME/tools
echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bashrc
source ~/.bashrc

This gives me the basic development tools, version control, and Python environment management that everything else builds on.

Core Analysis Platform: Why I Choose Binary Ninja

Binary Ninja serves as my primary disassembler and code analysis platform. While IDA Pro and Ghidra are solid alternatives, Binary Ninja strikes the right balance of power, usability, and extensibility for my work.

What Makes Binary Ninja Special

Multi-level IL (Intermediate Language): Binary Ninja's unique IL system translates assembly into progressively higher-level representations, making complex code much easier to understand.

Graph View: The visual representation of program flow makes logic and relationships obvious in ways that linear disassembly can't match.

Type System: Being able to define and propagate data types throughout a binary brings structure to raw memory operations.

API and Plugin Ecosystem: I can automate repetitive tasks and extend functionality exactly how I need it.

My Binary Ninja Setup

I run the commercial version (the free version is too limited for serious work):

  • Download from https://binary.ninja
  • Extract to ~/tools/binaryninja
  • Configure licensing during first run

Alternative Disassemblers I Keep Available

While Binary Ninja is my primary tool, I maintain alternatives for specific situations:

IDA Free (Industry-standard disassembler):

Download from https://hex-rays.com/ida-free/ (requires registration and free serial key) Free version of the professional IDA Pro with excellent disassembly capabilities.

# Download IDA Free from Hex-Rays website first
cd $HOME/tools
# Download idafree_linux.run from https://hex-rays.com/ida-free/
chmod +x idafree_linux.run
./idafree_linux.run

Ghidra (Free NSA-developed tool):

sudo apt install ghidra -y

**Radare2 + Cutter** (scriptable, open source):
```bash
sudo apt install radare2 -y
sudo snap install cutter --classic

Dynamic Analysis: Debugging and Runtime Tools

Static analysis gives you the blueprint, but dynamic analysis lets you watch the machine work. My debugging setup centers around GDB with modern extensions.

debugger_ecosystem

GDB Enhancement: Pwndbg

⚠️ Important: Pick only ONE GDB enhancement - they conflict with each other.

I use Pwndbg for its modern interface and exploit-specific features:

git clone https://github.com/pwndbg/pwndbg.git
cd pwndbg
./setup.sh

Alternatives I've used:

  • GEF: More modular and script-friendly
  • PEDA: Lightweight and stable

Process Monitoring Tools

Beyond debuggers, I need visibility into system behavior:

sudo apt install strace ltrace -y
  • strace: Tracks system calls during execution
  • ltrace: Tracks library function calls

These are invaluable for understanding what programs actually do versus what they appear to do.

Static Analysis Utilities: Quick Binary Intelligence

Beyond my main disassembler, specialized tools provide rapid insight into binary structure:

Essential Binary Analysis Tools

sudo apt install binutils coreutils -y

This provides fundamental tools:

  • objdump: Disassembly and header examination
  • readelf: ELF header and section analysis
  • strings: Extract human-readable text
  • file: Identify file type and architecture
  • hexdump: Raw hex representation

Security-Focused Analysis

sudo apt install checksec -y

checksec reveals binary hardening features (RELRO, PIE, NX, stack canaries) - critical information for exploit development.

Specialized Tools

sudo apt install binwalk patchelf upx-ucl -y
sudo apt install pev -y  # PE analysis tools
  • binwalk: Find embedded files in firmware
  • patchelf: Modify ELF binaries for exploitation
  • upx: Handle UPX-packed executables
  • pev: Windows PE file analysis

Exploitation Frameworks: From Vulnerability to Exploit

Once I've found vulnerabilities, these frameworks help build and deliver payloads.

Pwntools: My Primary Exploit Framework

Pwntools is the backbone of my exploit development workflow:

cd $HOME/tools
mkdir pwntools && cd pwntools
python3 -m venv venv
source venv/bin/activate
pip install --upgrade pip
pip install pwntools
echo "alias pwntools='$HOME/tools/pwntools/venv/bin/python'" >> ~/.bashrc
source ~/.bashrc

Here's why pwntools is essential:

# Example: Pwntools simplifying exploit development
from pwn import *

# Set up binary and context
context.binary = "./vulnerable_program"
p = process("./vulnerable_program")

# Create cyclic pattern to find offset
payload = cyclic(500)
p.sendline(payload)
p.wait()
core = p.corefile
rsp = core.rsp
pattern_offset = cyclic_find(core.read(rsp, 4))

# Build actual exploit
p = process("./vulnerable_program")
payload = flat(
    b"A" * pattern_offset,
    p64(address_of_win_function)
)
p.sendline(payload)
p.interactive()

ROP Chain Development

For Return-Oriented Programming, I maintain both ROPgadget and Ropper:

# ROPgadget
cd $HOME/tools
mkdir ROPGadget && cd ROPGadget
python3 -m venv venv
source venv/bin/activate
pip install ROPGadget
echo "alias ropgadget='$HOME/tools/ROPGadget/venv/bin/ROPgadget'" >> ~/.bashrc

# Ropper (alternative)
cd $HOME/tools
mkdir ropper && cd ropper  
python3 -m venv venv
source venv/bin/activate
pip install ropper
echo "alias ropper='$HOME/tools/ropper/venv/bin/ropper'" >> ~/.bashrc

Quick Exploitation Helpers

cd $HOME/tools
mkdir one_gadget && cd one_gadget
python3 -m venv venv
source venv/bin/activate
pip install one_gadget
echo "alias one_gadget='$HOME/tools/one_gadget/venv/bin/one_gadget'" >> ~/.bashrc

one_gadget finds execve gadgets in libc - extremely useful for certain exploitation scenarios.

Fuzzing Tools: Automated Vulnerability Discovery

Fuzzing complements manual analysis by automatically discovering vulnerabilities through massive input testing.

Coverage-Guided Fuzzing: AFL

sudo apt install afl -y

AFL pioneered coverage-guided fuzzing and remains highly effective for file-parsing vulnerabilities.

Performance-Focused: Honggfuzz

cd $HOME/tools
git clone https://github.com/google/honggfuzz.git
cd honggfuzz
sudo apt install binutils-dev libunwind-dev libblocksruntime-dev libcapstone-dev clang -y
make && sudo make install

General-Purpose: Radamsa

cd $HOME/tools
git clone https://gitlab.com/akihe/radamsa.git
cd radamsa
make && sudo make install

Network Analysis: Protocol and Communication

For network-based exploits and protocol analysis:

Packet Analysis

sudo apt install wireshark -y
sudo apt install netcat-traditional proxychains4 -y
  • Wireshark: The definitive packet analysis tool
  • Netcat: Network Swiss Army knife
  • Proxychains: Route tools through proxies

Web Application Testing

cd $HOME/tools
wget https://portswigger.net/burp/releases/download?product=community&version=latest&type=Linux -O burpsuite.sh
chmod +x burpsuite.sh
./burpsuite.sh

Burp Suite Community provides essential web application security testing capabilities.

My Analysis Workflow: How Tools Work Together

The real power comes from understanding how these tools complement each other:

basic_workflow_pipeline

This iterative process between static and dynamic analysis is fundamental to effective vulnerability research.

exploit-dev-tools

Binary Ninja Deep Dive: My Configuration

Since Binary Ninja is central to my workflow, here's how I've configured it for exploit development:

Key Analysis Approaches

Graph vs Linear View: I start with graph view to understand program structure, then switch to linear view for detailed function analysis.

IL Levels: I work primarily between MLIL and LLIL, using HLIL for high-level understanding but dropping to lower levels for precision.

Essential Plugins

Community plugins that enhance my exploit development workflow:

  • RopView: ROP gadget discovery and analysis
  • Kaitai UI Plugin: Binary format parsing
  • Dependency Analyzer: Function relationship visualization
  • Snippet UI Plugin: Reusable analysis patterns

Learning Progression: Building Your Toolkit

Don't try to master everything at once. Here's how I recommend building expertise:

exploit-dev-tools

Phase 1: Foundation Tools

  • Binary Ninja (or preferred disassembler)
  • GDB with chosen extension (Pwndbg/GEF/PEDA)
  • Basic utilities (strings, file, objdump)

Phase 2: Development Tools

  • Pwntools for exploit development
  • Process monitoring (strace, ltrace)
  • ROPgadget for advanced techniques

Phase 3: Specialized Tools

  • Fuzzing frameworks
  • Advanced exploitation tools
  • Network analysis capabilities

Add tools when you understand their purpose and feel limited by your current capabilities. Master the fundamentals before expanding to specialized utilities.

The Tool Evolution

My toolkit has evolved significantly over the years. Early on, I tried to use every tool I heard about. Now I focus on a smaller set of tools I know well, with specialized additions when specific projects demand them.

The key insight: understanding when and why to use specific tools matters more than collecting every available option. Deep knowledge of a focused toolkit beats superficial familiarity with hundreds of tools.

Compiler and Assembly Tools

Don't forget the basics for building test programs and custom exploits:

sudo apt install gcc g++ nasm make -y

These enable compiling shellcode, building vulnerable test programs, and creating custom exploits.

Until Next Time

This toolkit has evolved through years of security research and practical application. The specific tools matter less than understanding how different categories of tools work together to enable effective vulnerability research.

The installation process might look intimidating, but remember you don't need everything immediately. Start with foundation tools, get comfortable with them, then gradually expand as your skills and needs grow.

Which tools are you most curious about? Got favorite configurations or utilities I haven't mentioned? Drop your thoughts in the comments or reach out on X - I'm always interested in learning about other researchers' toolkits and workflows.

Happy hunting,

persona
Discuss on TwitterView on GitHub