Command Line Tools

pwntools comes with a handful of useful command-line utilities which serve as wrappers for some of the internal functionality.

If these tools do not appear to be installed, make sure that you have added ~/.local/bin to your $PATH environment variable.

pwn

Pwntools Command-line Interface

usage: pwn [-h]
           {asm,checksec,constgrep,cyclic,debug,disasm,disablenx,elfdiff,elfpatch,errno,hex,libcdb,phd,pwnstrip,scramble,shellcraft,template,unhex,update,version}
           ...
-h, --help

show this help message and exit

pwn asm

Assemble shellcode into bytes

usage: pwn asm [-h] [-f {raw,hex,string,elf}] [-o file] [-c context]
               [-v AVOID] [-n] [-z] [-d] [-e ENCODER] [-i INFILE] [-r]
               [line ...]
line

Lines to assemble. If none are supplied, use stdin

-h, --help

show this help message and exit

-f {raw,hex,string,elf}, --format {raw,hex,string,elf}

Output format (defaults to hex for ttys, otherwise raw)

-o <file>, --output <file>

Output file (defaults to stdout)

-c {16,32,64,baremetal,freebsd,windows,android,darwin,linux,cgc,powerpc64,aarch64,powerpc,riscv32,riscv64,sparc64,mips64,msp430,alpha,amd64,sparc,thumb,cris,i386,ia64,m68k,mips,s390,none,avr,arm,vax,little,big,be,eb,le,el}, --context {16,32,64,baremetal,freebsd,windows,android,darwin,linux,cgc,powerpc64,aarch64,powerpc,riscv32,riscv64,sparc64,mips64,msp430,alpha,amd64,sparc,thumb,cris,i386,ia64,m68k,mips,s390,none,avr,arm,vax,little,big,be,eb,le,el}

The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘baremetal’, ‘freebsd’, ‘windows’, ‘android’, ‘darwin’, ‘linux’, ‘cgc’, ‘powerpc64’, ‘aarch64’, ‘powerpc’, ‘riscv32’, ‘riscv64’, ‘sparc64’, ‘mips64’, ‘msp430’, ‘alpha’, ‘amd64’, ‘sparc’, ‘thumb’, ‘cris’, ‘i386’, ‘ia64’, ‘m68k’, ‘mips’, ‘s390’, ‘none’, ‘avr’, ‘arm’, ‘vax’, ‘little’, ‘big’, ‘be’, ‘eb’, ‘le’, ‘el’]

-v <avoid>, --avoid <avoid>

Encode the shellcode to avoid the listed bytes (provided as hex)

-n, --newline

Encode the shellcode to avoid newlines

-z, --zero

Encode the shellcode to avoid NULL bytes

-d, --debug

Debug the shellcode with GDB

-e <encoder>, --encoder <encoder>

Specific encoder to use

-i <infile>, --infile <infile>

Specify input file

-r, --run

Run output

pwn checksec

Check binary security settings

usage: pwn checksec [-h] [--file [elf ...]] [elf ...]
elf

Files to check

-h, --help

show this help message and exit

--file <elf>

File to check (for compatibility with checksec.sh)

pwn constgrep

Looking up constants from header files.

Example: constgrep -c freebsd -m ^PROT_ '3 + 4'

usage: pwn constgrep [-h] [-e] [-i] [-m] [-c arch_or_os] regex [constant]
regex

The regex matching the constant you want to find

constant

The constant to find

-h, --help

show this help message and exit

-e, --exact

Do an exact match for a constant instead of searching for a regex

-i, --case-insensitive

Search case-insensitively

-m, --mask-mode

Instead of searching for a specific constant value, search for values that do not contain strictly fewer bits than the given value.

-c {16,32,64,baremetal,freebsd,windows,android,darwin,linux,cgc,powerpc64,aarch64,powerpc,riscv32,riscv64,sparc64,mips64,msp430,alpha,amd64,sparc,thumb,cris,i386,ia64,m68k,mips,s390,none,avr,arm,vax,little,big,be,eb,le,el}, --context {16,32,64,baremetal,freebsd,windows,android,darwin,linux,cgc,powerpc64,aarch64,powerpc,riscv32,riscv64,sparc64,mips64,msp430,alpha,amd64,sparc,thumb,cris,i386,ia64,m68k,mips,s390,none,avr,arm,vax,little,big,be,eb,le,el}

The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘baremetal’, ‘freebsd’, ‘windows’, ‘android’, ‘darwin’, ‘linux’, ‘cgc’, ‘powerpc64’, ‘aarch64’, ‘powerpc’, ‘riscv32’, ‘riscv64’, ‘sparc64’, ‘mips64’, ‘msp430’, ‘alpha’, ‘amd64’, ‘sparc’, ‘thumb’, ‘cris’, ‘i386’, ‘ia64’, ‘m68k’, ‘mips’, ‘s390’, ‘none’, ‘avr’, ‘arm’, ‘vax’, ‘little’, ‘big’, ‘be’, ‘eb’, ‘le’, ‘el’]

pwn cyclic

Cyclic pattern creator/finder

usage: pwn cyclic [-h] [-a alphabet] [-n length] [-c context]
                  [-l lookup_value]
                  [count]
count

Number of characters to print

-h, --help

show this help message and exit

-a <alphabet>, --alphabet <alphabet>

The alphabet to use in the cyclic pattern (defaults to all lower case letters)

-n <length>, --length <length>

Size of the unique subsequences (defaults to 4).

-c {16,32,64,baremetal,freebsd,windows,android,darwin,linux,cgc,powerpc64,aarch64,powerpc,riscv32,riscv64,sparc64,mips64,msp430,alpha,amd64,sparc,thumb,cris,i386,ia64,m68k,mips,s390,none,avr,arm,vax,little,big,be,eb,le,el}, --context {16,32,64,baremetal,freebsd,windows,android,darwin,linux,cgc,powerpc64,aarch64,powerpc,riscv32,riscv64,sparc64,mips64,msp430,alpha,amd64,sparc,thumb,cris,i386,ia64,m68k,mips,s390,none,avr,arm,vax,little,big,be,eb,le,el}

The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘baremetal’, ‘freebsd’, ‘windows’, ‘android’, ‘darwin’, ‘linux’, ‘cgc’, ‘powerpc64’, ‘aarch64’, ‘powerpc’, ‘riscv32’, ‘riscv64’, ‘sparc64’, ‘mips64’, ‘msp430’, ‘alpha’, ‘amd64’, ‘sparc’, ‘thumb’, ‘cris’, ‘i386’, ‘ia64’, ‘m68k’, ‘mips’, ‘s390’, ‘none’, ‘avr’, ‘arm’, ‘vax’, ‘little’, ‘big’, ‘be’, ‘eb’, ‘le’, ‘el’]

-l <lookup_value>, -o <lookup_value>, --offset <lookup_value>, --lookup <lookup_value>

Do a lookup instead of printing the alphabet

pwn debug

Debug a binary in GDB

usage: pwn debug [-h] [-x GDBSCRIPT] [--pid PID] [-c context]
                 [--exec EXECUTABLE] [--process PROCESS_NAME]
                 [--sysroot SYSROOT]
-h, --help

show this help message and exit

-x <gdbscript>

Execute GDB commands from this file.

--pid <pid>

PID to attach to

-c {16,32,64,baremetal,freebsd,windows,android,darwin,linux,cgc,powerpc64,aarch64,powerpc,riscv32,riscv64,sparc64,mips64,msp430,alpha,amd64,sparc,thumb,cris,i386,ia64,m68k,mips,s390,none,avr,arm,vax,little,big,be,eb,le,el}, --context {16,32,64,baremetal,freebsd,windows,android,darwin,linux,cgc,powerpc64,aarch64,powerpc,riscv32,riscv64,sparc64,mips64,msp430,alpha,amd64,sparc,thumb,cris,i386,ia64,m68k,mips,s390,none,avr,arm,vax,little,big,be,eb,le,el}

The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘baremetal’, ‘freebsd’, ‘windows’, ‘android’, ‘darwin’, ‘linux’, ‘cgc’, ‘powerpc64’, ‘aarch64’, ‘powerpc’, ‘riscv32’, ‘riscv64’, ‘sparc64’, ‘mips64’, ‘msp430’, ‘alpha’, ‘amd64’, ‘sparc’, ‘thumb’, ‘cris’, ‘i386’, ‘ia64’, ‘m68k’, ‘mips’, ‘s390’, ‘none’, ‘avr’, ‘arm’, ‘vax’, ‘little’, ‘big’, ‘be’, ‘eb’, ‘le’, ‘el’]

--exec <executable>

File to debug

--process <process_name>

Name of the process to attach to (e.g. “bash”)

--sysroot <sysroot>

GDB sysroot path

pwn disablenx

Disable NX for an ELF binary

usage: pwn disablenx [-h] elf [elf ...]
elf

Files to check

-h, --help

show this help message and exit

pwn disasm

Disassemble bytes into text format

usage: pwn disasm [-h] [-c arch_or_os] [-a address] [--color] [--no-color]
                  [hex ...]
hex

Hex-string to disassemble. If none are supplied, then it uses stdin in non-hex mode.

-h, --help

show this help message and exit

-c {16,32,64,baremetal,freebsd,windows,android,darwin,linux,cgc,powerpc64,aarch64,powerpc,riscv32,riscv64,sparc64,mips64,msp430,alpha,amd64,sparc,thumb,cris,i386,ia64,m68k,mips,s390,none,avr,arm,vax,little,big,be,eb,le,el}, --context {16,32,64,baremetal,freebsd,windows,android,darwin,linux,cgc,powerpc64,aarch64,powerpc,riscv32,riscv64,sparc64,mips64,msp430,alpha,amd64,sparc,thumb,cris,i386,ia64,m68k,mips,s390,none,avr,arm,vax,little,big,be,eb,le,el}

The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘baremetal’, ‘freebsd’, ‘windows’, ‘android’, ‘darwin’, ‘linux’, ‘cgc’, ‘powerpc64’, ‘aarch64’, ‘powerpc’, ‘riscv32’, ‘riscv64’, ‘sparc64’, ‘mips64’, ‘msp430’, ‘alpha’, ‘amd64’, ‘sparc’, ‘thumb’, ‘cris’, ‘i386’, ‘ia64’, ‘m68k’, ‘mips’, ‘s390’, ‘none’, ‘avr’, ‘arm’, ‘vax’, ‘little’, ‘big’, ‘be’, ‘eb’, ‘le’, ‘el’]

-a <address>, --address <address>

Base address

--color

Color output

--no-color

Disable color output

pwn elfdiff

Compare two ELF files

usage: pwn elfdiff [-h] a b
a
b
-h, --help

show this help message and exit

pwn elfpatch

Patch an ELF file

usage: pwn elfpatch [-h] elf offset bytes
elf

File to patch

offset

Offset to patch, given as a virtual address (hex encoded)

bytes

Bytes to patch (hex encoded)

-h, --help

show this help message and exit

pwn errno

Prints out error messages

usage: pwn errno [-h] error
error

Error message or value

-h, --help

show this help message and exit

pwn hex

Hex-encodes data provided on the command line or stdin

usage: pwn hex [-h] [-p prefix] [-s separator] [data ...]
data

Data to convert into hex

-h, --help

show this help message and exit

-p <prefix>, --prefix <prefix>

Insert a prefix before each byte

-s <separator>, --separator <separator>

Add a separator between each byte

pwn libcdb

Print various information about a libc binary

usage: pwn libcdb [-h] {lookup,hash,file} ...
-h, --help

show this help message and exit

pwn libcdb file

Dump information about a libc binary

usage: pwn libcdb file [-h] [-s [symbols ...]] [-o offset] [--unstrip]
                       files [files ...]
files

Libc binary to dump

-h, --help

show this help message and exit

-s <symbols>, --symbols <symbols>

List of symbol offsets to dump in addition to the common ones

-o <offset>, --offset <offset>

Display all offsets relative to this symbol

--unstrip

Attempt to unstrip the libc binary in place with debug symbols from a debuginfod server

pwn libcdb hash

Display information about a libc version given a unique hash

usage: pwn libcdb hash [-h] [-t [{id,buildid,md5,sha1,sha256}]]
                       [--download-libc] [--unstrip] [--no-unstrip]
                       hash_value [hash_value ...]
hash_value

Hex encoded hash value

-h, --help

show this help message and exit

-t {id,buildid,md5,sha1,sha256}, --hash_type {id,buildid,md5,sha1,sha256}

The type of the provided hash value. Supported hash types: id, buildid, md5, sha1, sha256

--download-libc

Attempt to download the matching libc.so

--unstrip

Attempt to unstrip the libc binary with debug symbols from a debuginfod server

--no-unstrip

Do NOT attempt to unstrip the libc binary with debug symbols from a debuginfod server

pwn libcdb lookup

Lookup a libc version by function offsets

usage: pwn libcdb lookup [-h] [--download-libc] [--unstrip] [--no-unstrip]
                         symbol_offset_pairs [symbol_offset_pairs ...]
symbol_offset_pairs

Symbol and offset pairs to lookup matching libc version. Can be any number of pairs to narrow the search. Example: “read 3e0 write 520”

-h, --help

show this help message and exit

--download-libc

Attempt to download the matching libc.so

--unstrip

Attempt to unstrip the libc binary with debug symbols from a debuginfod server

--no-unstrip

Do NOT attempt to unstrip the libc binary with debug symbols from a debuginfod server

pwn phd

Pretty hex dump

usage: pwn phd [-h] [-w WIDTH] [-l [HIGHLIGHT ...]] [-s SKIP] [-c COUNT]
               [-o OFFSET] [--color [{always,never,auto}]]
               [file]
file

File to hexdump. Reads from stdin if missing.

-h, --help

show this help message and exit

-w <width>, --width <width>

Number of bytes per line.

-l <highlight>, --highlight <highlight>

Byte to highlight.

-s <skip>, --skip <skip>

Skip this many initial bytes.

-c <count>, --count <count>

Only show this many bytes.

-o <offset>, --offset <offset>

Addresses in the left-hand column start at this address.

--color {always,never,auto}

Colorize the output. When ‘auto’, output is colorized exactly when stdout is a TTY. Default is ‘auto’.

pwn pwnstrip

Strip binaries for CTF usage

usage: pwn pwnstrip [-h] [-b] [-p FUNCTION] [-o OUTPUT] file
file
-h, --help

show this help message and exit

-b, --build-id

Strip build ID

-p <function>, --patch <function>

Patch function

-o <output>, --output <output>

pwn scramble

Shellcode encoder

usage: pwn scramble [-h] [-f {raw,hex,string,elf}] [-o file] [-c context] [-p]
                    [-v AVOID] [-n] [-z] [-d]
-h, --help

show this help message and exit

-f {raw,hex,string,elf}, --format {raw,hex,string,elf}

Output format (defaults to hex for ttys, otherwise raw)

-o <file>, --output <file>

Output file (defaults to stdout)

-c {16,32,64,baremetal,freebsd,windows,android,darwin,linux,cgc,powerpc64,aarch64,powerpc,riscv32,riscv64,sparc64,mips64,msp430,alpha,amd64,sparc,thumb,cris,i386,ia64,m68k,mips,s390,none,avr,arm,vax,little,big,be,eb,le,el}, --context {16,32,64,baremetal,freebsd,windows,android,darwin,linux,cgc,powerpc64,aarch64,powerpc,riscv32,riscv64,sparc64,mips64,msp430,alpha,amd64,sparc,thumb,cris,i386,ia64,m68k,mips,s390,none,avr,arm,vax,little,big,be,eb,le,el}

The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘baremetal’, ‘freebsd’, ‘windows’, ‘android’, ‘darwin’, ‘linux’, ‘cgc’, ‘powerpc64’, ‘aarch64’, ‘powerpc’, ‘riscv32’, ‘riscv64’, ‘sparc64’, ‘mips64’, ‘msp430’, ‘alpha’, ‘amd64’, ‘sparc’, ‘thumb’, ‘cris’, ‘i386’, ‘ia64’, ‘m68k’, ‘mips’, ‘s390’, ‘none’, ‘avr’, ‘arm’, ‘vax’, ‘little’, ‘big’, ‘be’, ‘eb’, ‘le’, ‘el’]

-p, --alphanumeric

Encode the shellcode with an alphanumeric encoder

-v <avoid>, --avoid <avoid>

Encode the shellcode to avoid the listed bytes

-n, --newline

Encode the shellcode to avoid newlines

-z, --zero

Encode the shellcode to avoid NULL bytes

-d, --debug

Debug the shellcode with GDB

pwn shellcraft

Microwave shellcode – Easy, fast and delicious

usage: pwn shellcraft [-h] [-?] [-o file] [-f format] [-d] [--delim DELIM]
                      [-b] [-a] [-v AVOID] [-n] [-z] [-r] [--color]
                      [--no-color] [--syscalls] [--address ADDRESS] [-l] [-s]
                      [shellcode ...]
shellcode

The shellcodes you want. shellcode [args …] [+ shellcode [args …]]

-h, --help

show this help message and exit

-?, --show

Show shellcode documentation

-o <file>, --out <file>

Output file (default: stdout)

-f {r,raw,s,str,string,c,h,hex,a,asm,assembly,p,i,hexii,e,elf,d,escaped,default}, --format {r,raw,s,str,string,c,h,hex,a,asm,assembly,p,i,hexii,e,elf,d,escaped,default}

Output format (default: hex), choose from {e}lf, {r}aw, {s}tring, {c}-style array, {h}ex string, hex{i}i, {a}ssembly code, {p}reprocessed code, escape{d} hex string

-d, --debug

Debug the shellcode with GDB

--delim <delim>

Set the delimiter between multiple shellcodes

-b, --before

Insert a debug trap before the code

-a, --after

Insert a debug trap after the code

-v <avoid>, --avoid <avoid>

Encode the shellcode to avoid the listed bytes

-n, --newline

Encode the shellcode to avoid newlines

-z, --zero

Encode the shellcode to avoid NULL bytes

-r, --run

Run output

--color

Color output

--no-color

Disable color output

--syscalls

List syscalls

--address <address>

Load address

-l, --list

List available shellcodes, optionally provide a filter

-s, --shared

Generated ELF is a shared library

pwn template

Generate an exploit template. If no arguments are given, the current directory is searched for an executable binary and libc. If only one binary is found, it is assumed to be the challenge binary.

usage: pwn template [-h] [--host HOST] [--port PORT] [--user USER]
                    [--pass PASSWORD] [--libc LIBC] [--path PATH] [--quiet]
                    [--color {never,always,auto}] [--template TEMPLATE]
                    [--no-auto]
                    [exe]
exe

Target binary. If not given, the current directory is searched for an executable binary.

-h, --help

show this help message and exit

--host <host>

Remote host / SSH server

--port <port>

Remote port / SSH port

--user <user>

SSH Username

--pass <password>, --password <password>

SSH Password

--libc <libc>

Path to libc binary to use. If not given, the current directory is searched for a libc binary.

--path <path>

Remote path of file on SSH server

--quiet

Less verbose template comments

--color {never,always,auto}

Print the output in color

--template <template>

Path to a custom template. Tries to use ‘~/.config/pwntools/templates/pwnup.mako’, if it exists. Check ‘pwnlib/data/templates/pwnup.mako’ for the default template shipped with pwntools.

--no-auto

Do not automatically detect missing binaries

pwn unhex

Decodes hex-encoded data provided on the command line or via stdin.

usage: pwn unhex [-h] [hex ...]
hex

Hex bytes to decode

-h, --help

show this help message and exit

pwn update

Check for pwntools updates

usage: pwn update [-h] [--install] [--pre]
-h, --help

show this help message and exit

--install

Install the update automatically.

--pre

Check for pre-releases.

pwn version

Pwntools version

usage: pwn version [-h]
-h, --help

show this help message and exit