Skip to main content
This command is in beta. Exploits are for educational and authorized security research only.

Overview

The /exploit command generates working proof-of-concept exploit code for identified vulnerabilities. It analyzes findings and creates executable exploits in Python, C, or using pwntools.

Syntax

python3 raptor.py agentic --repo <path> --sarif <sarif-file> --no-patches [options]

Parameters

repo
string
required
Absolute path to the code repository
sarif
string
SARIF file from previous scan (optional if scanning first)
no-patches
boolean
Skip patch generation (exploit generation only)
max-findings
integer
Maximum number of exploits to generate

Prerequisites

MANDATORY: Run Feasibility Analysis First

You MUST run exploit feasibility analysis before ANY exploit development.This analysis identifies constraints that make exploitation impossible. Skipping this step wastes hours on approaches that cannot work.
from packages.exploit_feasibility import save_exploit_context, print_exploit_context

# Run analysis and SAVE to persistent file (survives context compaction)
context_file = save_exploit_context('/path/to/target/binary')
print(f"\n[!] Context saved to: {context_file}")
print(f"[!] After context compaction, reload with: print_exploit_context('{context_file}')\n")

# Display the analysis
print(print_exploit_context(context_file))

Why Not Use checksec/readelf?

The feasibility analysis provides information that checksec does NOT:
  • Empirical %n verification (does it actually work on this glibc?)
  • Null byte constraints from input handlers (strcpy can’t write full addresses)
  • ROP gadget quality (are there enough gadgets to build a chain?)
  • Alternative write targets when GOT/hooks are blocked
  • Honest difficulty assessment based on all constraints combined

Context Persistence

The analysis survives context compaction. After long conversations: 
from packages.exploit_feasibility import print_exploit_context, load_exploit_context

# Reload after compaction
print(print_exploit_context('/path/to/binary_exploit_context.json'))

# Or load as dict for programmatic access
ctx = load_exploit_context('/path/to/binary_exploit_context.json')

Workflow

Step 1: Find Vulnerabilities

/scan /path/to/code

Step 2: Run Feasibility Analysis

from packages.exploit_feasibility import save_exploit_context
context_file = save_exploit_context('/path/to/binary')

Step 3: Generate Exploits

/exploit

Mitigation Analysis

The feasibility analysis provides authoritative information about what works:

Check the Verdict

  • Likely exploitable: Clear path to code execution
  • Difficult: Primitives exist but hard to chain
  • Unlikely: No known path with current mitigations

Read the Chain Breaks

These tell you exactly which techniques are blocked:
  • “%n format specifier disabled” → Don’t suggest format string writes
  • “Full RELRO” → Don’t suggest GOT overwrites OR .fini_array overwrites
  • “hooks removed” → Don’t suggest __malloc_hook/__free_hook overwrites

Follow Suggested Paths

  • Check “alternative_targets” for viable write targets
  • Read “what_would_help” for next steps
  • Use “Reality check” for honest assessment
Full RELRO blocks BOTH GOT and .fini_array. Standard linker scripts place them in the same RELRO segment. Don’t waste time on .fini_array writes when Full RELRO is enabled.

Output Structure

When presenting exploitation strategy:
  1. State the verdict from mitigation analysis
  2. List what IS possible (“What you CAN still do”)
  3. List what is NOT possible (chain breaks)
  4. Propose a path using only viable techniques
  5. Always offer next steps (see below)

Always Offer Next Steps

Never just stop after saying exploitation is difficult. The user wants to make a decision about how to proceed.

For “Difficult” Verdict:

  • Try alternative targets from the analysis (verify they’re actually viable)
  • Focus on info leaks only (useful for chaining with other vulns)
  • Run in older environment (Docker with Ubuntu 20.04)
  • Move on to other targets

For “Unlikely” Verdict:

  • Run in older environment (Docker with Ubuntu 20.04/22.04)
  • Look for other vulnerability classes in the binary
  • Focus on DoS/crash demonstration only
  • Move on to other targets

Examples

Generate Exploits for All Findings

python3 raptor.py agentic --repo /path/to/code --no-patches
Generates exploits for all discovered vulnerabilities.

Generate Limited Exploits

python3 raptor.py agentic --repo /path/to/code --no-patches --max-findings 5
Generates exploits for the first 5 findings.

From Existing SARIF

python3 raptor.py agentic --repo /path/to/code --sarif findings.sarif --no-patches
Generates exploits from previous scan results.

Generated Exploit Types

Python Exploits

# exploit-001-sqli.py
import requests

payload = "admin' OR '1'='1-- "
response = requests.post(
    'http://target/login',
    data={'username': payload, 'password': 'x'}
)
print(f"Status: {response.status_code}")

C Exploits

// exploit-002-bof.c
#include <stdio.h>
#include <string.h>

int main() {
    char payload[256];
    memset(payload, 'A', 200);
    // ... overflow logic
}

Pwntools Exploits

# exploit-003-rop.py
from pwn import *

p = process('./vulnerable')
payload = flat([
    b'A' * 72,
    0xdeadbeef  # RIP control
])
p.sendline(payload)

Output Directory

out/agentic_<timestamp>/exploits/
├── exploit-001-sqli.py
├── exploit-002-bof.c
├── exploit-003-rop.py
├── exploit-004-fmt.py
├── README.md
└── feasibility-analysis.json

Use Cases

  • Security research and analysis
  • Proof-of-concept development
  • Vulnerability validation
  • Red team operations
  • Bug bounty submissions
  • Security training and education

/scan

Find vulnerabilities to exploit

/validate

Validate exploitability before generating exploits

/patch

Generate patches instead of exploits

/agentic

Full workflow including exploit generation

Ethical Usage

Exploits are for educational and authorized security research only.
  • Only test systems you own or have written permission to test
  • Follow responsible disclosure practices
  • Comply with applicable laws and regulations
  • Use for defensive security improvements

Notes

  • Does NOT generate patches (use /patch for that)
  • Exploits are saved to out/*/exploits/
  • Nothing is applied to your code
  • All exploits require manual review
  • Run feasibility analysis first (mandatory)
  • Follow mitigation analysis recommendations
  • For authorized testing only

Build docs developers (and LLMs) love

Get started for freeTalk to us