#binary #elf #elf-binary #init #exploit #pwn

bin+lib pwninit

automate starting binary exploit challenges

18 stable releases

3.3.1 Dec 30, 2023
3.3.0 Dec 12, 2022
3.2.0 Feb 15, 2022
3.0.2 Aug 15, 2021
1.2.1 Nov 17, 2019

#311 in Development tools

Download history 122/week @ 2024-03-11 66/week @ 2024-03-18 44/week @ 2024-03-25 137/week @ 2024-04-01 92/week @ 2024-04-08 70/week @ 2024-04-15 62/week @ 2024-04-22 80/week @ 2024-04-29 53/week @ 2024-05-06 80/week @ 2024-05-13 120/week @ 2024-05-20 68/week @ 2024-05-27 105/week @ 2024-06-03 66/week @ 2024-06-10 47/week @ 2024-06-17 28/week @ 2024-06-24

254 downloads per month

MIT license

899 lines

Checks Status Deploy Status


A tool for automating starting binary exploit challenges


  • Set challenge binary to be executable
  • Download a linker (ld-linux.so.*) that can segfaultlessly load the provided libc
  • Download debug symbols and unstrip the libc
  • Patch the binary with patchelf to use the correct RPATH and interpreter for the provided libc
  • Fill in a template pwntools solve script


Short version

Run pwninit

Long version

Run pwninit in a directory with the relevant files and it will detect which ones are the binary, libc, and linker. If the detection is wrong, you can specify the locations with --bin, --libc, and --ld.

Custom solve.py template

If you don't like the default template, you can use your own. Just specify --template-path <path>. Check template.py for the template format. The names of the exe, libc, and ld bindings can be customized with --template-bin-name, --template-libc-name, and --template-ld-name.

Persisting custom solve.py

You can make pwninit load your custom template automatically by adding an alias to your ~/.bashrc.

alias pwninit='pwninit --template-path ~/.config/pwninit-template.py --template-bin-name e'


Arch Linux

Install pwninit or pwninit-bin from the AUR.


You can download statically-linked musl binaries from the releases page.

Using cargo


cargo install pwninit

This places the binary in ~/.cargo/bin.

Note that openssl, liblzma, and pkg-config are required for the build.


$ ls
hunter  libc.so.6  readme

$ pwninit
bin: ./hunter
libc: ./libc.so.6

setting ./hunter executable
fetching linker
unstripping libc
setting ./ld-2.23.so executable
copying ./hunter to ./hunter_patched
running patchelf on ./hunter_patched
writing solve.py stub

$ ls
hunter	hunter_patched	ld-2.23.so  libc.so.6  readme  solve.py


#!/usr/bin/env python3

from pwn import *

exe = ELF("./hunter_patched")
libc = ELF("./libc.so.6")
ld = ELF("./ld-2.23.so")

context.binary = exe

def conn():
    if args.LOCAL:
        r = process([exe.path])
        if args.DEBUG:
        r = remote("addr", 1337)

    return r

def main():
    r = conn()

    # good luck pwning :)


if __name__ == "__main__":


~404K SLoC