pwnlib.tubes
— Talking to the World!
The pwnlib is not a big truck! It’s a series of tubes!
This is our library for talking to sockets, processes, ssh connections etc. Our goal is to be able to use the same API for e.g. remote TCP servers, local TTY-programs and programs run over over SSH.
It is organized such that the majority of the functionality is implemented
in pwnlib.tubes.tube
. The remaining classes should only implement
just enough for the class to work and possibly code pertaining only to
that specific kind of tube.
Types of Tubes
pwnlib.tubes.buffer
— buffer implementation for tubespwnlib.tubes.process
— Processesprocess
process.__getattr__()
process.__init__()
process.__on_enoexec()
process.__preexec_fn()
process.__pty_make_controlling_tty()
process._validate()
process.address_mapping()
process.can_recv_raw()
process.close()
process.communicate()
process.connected_raw()
process.elf_mapping()
process.fileno()
process.get_mapping()
process.heap_mapping()
process.kill()
process.leak()
process.lib_size()
process.libc_mapping()
process.libs()
process.maps()
process.musl_mapping()
process.poll()
process.readmem()
process.recv_raw()
process.send_raw()
process.settimeout_raw()
process.shutdown_raw()
process.stack_mapping()
process.vdso_mapping()
process.vvar_mapping()
process.writemem()
process._setuid
process._stop_noticed
process.alarm
process.argv
process.aslr
process.corefile
process.cwd
process.elf
process.env
process.executable
process.libc
process.proc
process.program
process.pty
process.raw
process.stderr
process.stdin
process.stdout
pwnlib.tubes.serialtube
— Serial Portspwnlib.tubes.sock
— Socketspwnlib.tubes.ssh
— SSHssh
ssh.__call__()
ssh.__getattr__()
ssh.__getitem__()
ssh.__init__()
ssh.__repr__()
ssh._init_remote_platform_info()
ssh._libs_remote()
ssh.checksec()
ssh.close()
ssh.connect_remote()
ssh.connected()
ssh.download()
ssh.download_data()
ssh.download_dir()
ssh.download_file()
ssh.get()
ssh.getenv()
ssh.interactive()
ssh.libs()
ssh.listen()
ssh.listen_remote()
ssh.process()
ssh.put()
ssh.read()
ssh.remote()
ssh.run()
ssh.run_to_end()
ssh.set_working_directory()
ssh.shell()
ssh.system()
ssh.unlink()
ssh.upload()
ssh.upload_data()
ssh.upload_dir()
ssh.upload_file()
ssh.which()
ssh.write()
ssh.arch
ssh.aslr
ssh.aslr_ulimit
ssh.bits
ssh.cache
ssh.client
ssh.distro
ssh.host
ssh.ibt
ssh.key
ssh.keyfile
ssh.os
ssh.password
ssh.pid
ssh.port
ssh.raw
ssh.sftp
ssh.user
ssh.user_shstk
ssh.version
ssh_channel
ssh_process
ssh_connecter
ssh_listener
pwnlib.tubes.tube
— Common Functionality
- class pwnlib.tubes.tube.tube[source]
Container of all the tube functions common to sockets, TTYs and SSH connetions.
- __enter__()[source]
Permit use of ‘with’ to control scoping and closing sessions.
Examples
>>> t = tube() >>> def p(x): print(x) >>> t.close = lambda: p("Closed!") >>> with t: pass Closed!
- __exit__(type, value, traceback)[source]
Handles closing for ‘with’ statement
See
__enter__()
- __lshift__(other)[source]
Shorthand for connecting multiple tubes.
See
connect_input()
for more information.Examples
The following are equivalent
tube_a >> tube.b tube_a.connect_input(tube_b)
This is useful when chaining multiple tubes
tube_a >> tube_b >> tube_a tube_a.connect_input(tube_b) tube_b.connect_input(tube_a)
- __ne__(other)[source]
Shorthand for connecting tubes to eachother.
The following are equivalent
a >> b >> a a <> b
See
connect_input()
for more information.
- __rshift__(other)[source]
Inverse of the
<<
operator. See__lshift__()
.See
connect_input()
for more information.
- _fillbuffer(timeout=default)[source]
Fills the internal buffer from the pipe, by calling
recv_raw()
exactly once.- Returns:
The bytes of data received, or
''
if no data was received.
Examples
>>> t = tube() >>> t.recv_raw = lambda *a: b'abc' >>> len(t.buffer) 0 >>> t._fillbuffer() b'abc' >>> len(t.buffer) 3
- _normalize_keepends_drop(keepends, drop, drop_default)[source]
>>> t = tube() >>> t._normalize_keepends_drop(None, None, True) True >>> t._normalize_keepends_drop(None, None, False) False >>> t._normalize_keepends_drop(None, True, True) True >>> t._normalize_keepends_drop(None, True, False) True >>> t._normalize_keepends_drop(True, None, True) False >>> t._normalize_keepends_drop(True, None, False) False >>> t._normalize_keepends_drop(None, False, True) False >>> t._normalize_keepends_drop(None, False, False) False >>> t._normalize_keepends_drop(False, None, True) True >>> t._normalize_keepends_drop(False, None, False) True >>> t._normalize_keepends_drop(False, True, False) Traceback (most recent call last): ... pwnlib.exception.PwnlibException: 'drop' and 'keepends' arguments cannot be used together.
- _recv(numb=4096, timeout=default) str [source]
Receives one chunk of from the internal buffer or from the OS if the buffer is empty.
- can_read(*a, **kw)[source]
Alias for
can_recv()
- can_recv(timeout=0) bool [source]
Returns True, if there is data available within timeout seconds.
Examples
>>> import time >>> t = tube() >>> t.can_recv_raw = lambda *a: False >>> t.can_recv() False >>> _=t.unrecv(b'data') >>> t.can_recv() True >>> _=t.recv() >>> t.can_recv() False
- clean(timeout=0.05)[source]
Removes all the buffered data from a tube by calling
pwnlib.tubes.tube.tube.recv()
with a low timeout until it fails.If
timeout
is zero, only cached data will be cleared.Note: If timeout is set to zero, the underlying network is not actually polled; only the internal buffer is cleared.
- Returns:
All data received
Examples
>>> t = tube() >>> t.unrecv(b'clean me up') >>> t.clean(0) b'clean me up' >>> len(t.buffer) 0
- clean_and_log(timeout=0.05)[source]
Works exactly as
pwnlib.tubes.tube.tube.clean()
, but logs received data withpwnlib.self.info()
.- Returns:
All data received
Examples
>>> def recv(n, data=[b'', b'hooray_data']): ... while data: return data.pop() >>> t = tube() >>> t.recv_raw = recv >>> t.connected_raw = lambda d: True >>> t.fileno = lambda: 1234 >>> with context.local(log_level='info'): ... data = t.clean_and_log() [...] Received 0xb bytes: b'hooray_data' >>> data b'hooray_data' >>> context.clear()
- connect_input(other)[source]
Connects the input of this tube to the output of another tube object.
Examples
>>> def p(x): print(x.decode()) >>> def recvone(n, data=[b'data']): ... while data: return data.pop() ... raise EOFError >>> a = tube() >>> b = tube() >>> a.recv_raw = recvone >>> b.send_raw = p >>> a.connected_raw = lambda d: True >>> b.connected_raw = lambda d: True >>> a.shutdown = lambda d: True >>> b.shutdown = lambda d: True >>> import time >>> _=(b.connect_input(a), time.sleep(0.1)) data
- connect_output(other)[source]
Connects the output of this tube to the input of another tube object.
Examples
>>> def p(x): print(repr(x)) >>> def recvone(n, data=[b'data']): ... while data: return data.pop() ... raise EOFError >>> a = tube() >>> b = tube() >>> a.recv_raw = recvone >>> b.send_raw = p >>> a.connected_raw = lambda d: True >>> b.connected_raw = lambda d: True >>> a.shutdown = lambda d: True >>> b.shutdown = lambda d: True >>> _=(a.connect_output(b), time.sleep(0.1)) b'data'
- connected(direction='any') bool [source]
Returns True if the tube is connected in the specified direction.
- Parameters:
direction (str) – Can be the string ‘any’, ‘in’, ‘read’, ‘recv’, ‘out’, ‘write’, ‘send’.
Doctest:
>>> def p(x): print(x) >>> t = tube() >>> t.connected_raw = p >>> _=list(map(t.connected, ('any', 'in', 'read', 'recv', 'out', 'write', 'send'))) any recv recv recv send send send >>> t.connected('bad_value') Traceback (most recent call last): ... KeyError: "direction must be in ['any', 'in', 'out', 'read', 'recv', 'send', 'write']"
- interactive(prompt=pwnlib.term.text.bold_red('$') + ' ')[source]
Does simultaneous reading and writing to the tube. In principle this just connects the tube to standard in and standard out, but in practice this is much more usable, since we are using
pwnlib.term
to print a floating prompt.Thus it only works while in
pwnlib.term.term_mode
.
- readallS(*a, **kw)[source]
Alias for
recvallS()
- readallb(*a, **kw)[source]
Alias for
recvallb()
- readline(*a, **kw)[source]
Alias for
recvline()
- readlineS(*a, **kw)[source]
Alias for
recvlineS()
- readline_contains(*a, **kw)[source]
Alias for
recvline_contains()
- readline_containsS(*a, **kw)[source]
Alias for
recvline_containsS()
- readline_containsb(*a, **kw)[source]
Alias for
recvline_containsb()
- readline_endswith(*a, **kw)[source]
Alias for
recvline_endswith()
- readline_endswithS(*a, **kw)[source]
Alias for
recvline_endswithS()
- readline_endswithb(*a, **kw)[source]
Alias for
recvline_endswithb()
- readline_pred(*a, **kw)[source]
Alias for
recvline_pred()
- readline_regex(*a, **kw)[source]
Alias for
recvline_regex()
- readline_regexS(*a, **kw)[source]
Alias for
recvline_regexS()
- readline_regexb(*a, **kw)[source]
Alias for
recvline_regexb()
- readline_startswith(*a, **kw)[source]
Alias for
recvline_startswith()
- readline_startswithS(*a, **kw)[source]
Alias for
recvline_startswithS()
- readline_startswithb(*a, **kw)[source]
Alias for
recvline_startswithb()
- readlineb(*a, **kw)[source]
Alias for
recvlineb()
- readlines(*a, **kw)[source]
Alias for
recvlines()
- readlinesS(*a, **kw)[source]
Alias for
recvlinesS()
- readlinesb(*a, **kw)[source]
Alias for
recvlinesb()
- readpred(*a, **kw)[source]
Alias for
recvpred()
- readpredS(*a, **kw)[source]
Alias for
recvpredS()
- readpredb(*a, **kw)[source]
Alias for
recvpredb()
- readregex(*a, **kw)[source]
Alias for
recvregex()
- readregexS(*a, **kw)[source]
Alias for
recvregexS()
- readregexb(*a, **kw)[source]
Alias for
recvregexb()
- readrepeat(*a, **kw)[source]
Alias for
recvrepeat()
- readrepeatS(*a, **kw)[source]
Alias for
recvrepeatS()
- readrepeatb(*a, **kw)[source]
Alias for
recvrepeatb()
- readuntil(*a, **kw)[source]
Alias for
recvuntil()
- readuntilS(*a, **kw)[source]
Alias for
recvuntilS()
- readuntilb(*a, **kw)[source]
Alias for
recvuntilb()
- recv(numb=4096, timeout=default) bytes [source]
Receives up to numb bytes of data from the tube, and returns as soon as any quantity of data is available.
If the request is not satisfied before
timeout
seconds pass, all data is buffered and an empty string (''
) is returned.- Raises:
exceptions.EOFError – The connection is closed
- Returns:
A bytes object containing bytes received from the socket, or
''
if a timeout occurred while waiting.
Examples
>>> t = tube() >>> # Fake a data source >>> t.recv_raw = lambda n: b'Hello, world' >>> t.recv() == b'Hello, world' True >>> t.unrecv(b'Woohoo') >>> t.recv() == b'Woohoo' True >>> with context.local(log_level='debug'): ... _ = t.recv() [...] Received 0xc bytes: b'Hello, world'
- recvS(*a, **kw)[source]
Same as
recv()
, but returns a str, decoding the result using context.encoding. (note that the binary versions are way faster)
- recvall(timeout=Timeout.forever) bytes [source]
Receives data until EOF is reached and closes the tube.
- recvallS(*a, **kw)[source]
Same as
recvall()
, but returns a str, decoding the result using context.encoding. (note that the binary versions are way faster)
- recvline(drop=False, timeout=default) bytes [source]
Receive a single line from the tube.
A “line” is any sequence of bytes terminated by the byte sequence set in
newline
, which defaults tob'\n'
.If the connection is closed (
EOFError
) before a newline is received, the buffered data is returned by default and a warning is logged. If the buffer is empty, anEOFError
is raised. This behavior can be changed by settingpwnlib.context.ContextType.throw_eof_on_incomplete_line()
.If the request is not satisfied before
timeout
seconds pass, all data is buffered and an empty byte string (b''
) is returned.- Parameters:
- Raises:
EOFError – The connection closed before the request could be satisfied and the buffer is empty
- Returns:
All bytes received over the tube until the first newline
'\n'
is received. Optionally retains the ending. If the connection is closed before a newline is received, the remaining data received up to this point is returned.
Examples
>>> t = tube() >>> t.recv_raw = lambda n: b'Foo\nBar\r\nBaz\n' >>> t.recvline() b'Foo\n' >>> t.recvline() b'Bar\r\n' >>> t.recvline(False) b'Baz' >>> t.newline = b'\r\n' >>> t.recvline(drop=True) b'Foo\nBar' >>> t = tube() >>> def _recv_eof(n): ... if not _recv_eof.throw: ... _recv_eof.throw = True ... return b'real line\ntrailing data' ... raise EOFError >>> _recv_eof.throw = False >>> t.recv_raw = _recv_eof >>> t.recvline() b'real line\n' >>> t.recvline() b'trailing data' >>> t.recvline() Traceback (most recent call last): ... EOFError
- recvlineS(*a, **kw)[source]
Same as
recvline()
, but returns a str, decoding the result using context.encoding. (note that the binary versions are way faster)
- recvline_contains(items, drop=True, timeout=default) bytes [source]
Receive lines until one line is found which contains at least one of items.
- Parameters:
Examples
>>> t = tube() >>> t.recv_raw = lambda n: b"Hello\nWorld\nXylophone\n" >>> t.recvline_contains(b'r') b'World' >>> f = lambda n: b"cat dog bird\napple pear orange\nbicycle car train\n" >>> t = tube() >>> t.recv_raw = f >>> t.recvline_contains(b'pear') b'apple pear orange' >>> t = tube() >>> t.recv_raw = f >>> t.recvline_contains((b'car', b'train')) b'bicycle car train'
- recvline_containsS(*a, **kw)[source]
Same as
recvline_contains()
, but returns a str, decoding the result using context.encoding. (note that the binary versions are way faster)
- recvline_containsb(*a, **kw)[source]
Same as
recvline_contains()
, but returns a bytearray
- recvline_endswith(delims, drop=True, timeout=default) bytes [source]
Keep receiving lines until one is found that ends with one of delims. Returns the last line received.
If the request is not satisfied before
timeout
seconds pass, all data is buffered and an empty string (''
) is returned.See
recvline_startswith()
for more details.Examples
>>> t = tube() >>> t.recv_raw = lambda n: b'Foo\nBar\nBaz\nKaboodle\n' >>> t.recvline_endswith(b'r') b'Bar' >>> t.recvline_endswith((b'a',b'b',b'c',b'd',b'e'), drop=False) b'Kaboodle\n' >>> t.recvline_endswith(b'oodle') b'Kaboodle'
- recvline_endswithS(*a, **kw)[source]
Same as
recvline_endswith()
, but returns a str, decoding the result using context.encoding. (note that the binary versions are way faster)
- recvline_endswithb(*a, **kw)[source]
Same as
recvline_endswith()
, but returns a bytearray
- recvline_pred(pred, drop=True, timeout=default) bytes [source]
Receive data until
pred(line)
returns a truthy value. Drop all other data.If the request is not satisfied before
timeout
seconds pass, all data is buffered and an empty string (''
) is returned.- Parameters:
pred (callable) – Function to call. Returns the line for which this function returns
True
.drop (bool) – Drop the line ending (
True
).
Examples
>>> t = tube() >>> t.recv_raw = lambda n: b"Foo\nBar\nBaz\n" >>> t.recvline_pred(lambda line: line == b"Bar\n") b'Bar' >>> t.recvline_pred(lambda line: line == b"Bar\n", True) b'Bar\n' >>> t.recvline_pred(lambda line: line == b"Bar\n", drop=False) b'Bar\n' >>> t.recvline_pred(lambda line: line == b'Nope!', timeout=0.1) b''
- recvline_regex(regex, exact=False, drop=True, timeout=default) bytes [source]
Wrapper around
recvline_pred()
, which will return when a regex matches a line.By default
re.RegexObject.search()
is used, but if exact is set to True, thenre.RegexObject.match()
will be used instead.If the request is not satisfied before
timeout
seconds pass, all data is buffered and an empty string (''
) is returned.
- recvline_regexS(*a, **kw)[source]
Same as
recvline_regex()
, but returns a str, decoding the result using context.encoding. (note that the binary versions are way faster)
- recvline_regexb(*a, **kw)[source]
Same as
recvline_regex()
, but returns a bytearray
- recvline_startswith(delims, drop=True, timeout=default) bytes [source]
Keep receiving lines until one is found that starts with one of delims. Returns the last line received.
If the request is not satisfied before
timeout
seconds pass, all data is buffered and an empty string (''
) is returned.- Parameters:
- Returns:
The first line received which starts with a delimiter in
delims
.
Examples
>>> t = tube() >>> t.recv_raw = lambda n: b"Hello\nWorld\nXylophone\n" >>> t.recvline_startswith((b'W',b'X',b'Y',b'Z')) b'World' >>> t.recvline_startswith((b'W',b'X',b'Y',b'Z'), drop=False) b'Xylophone\n' >>> t.recvline_startswith(b'Wo') b'World'
- recvline_startswithS(*a, **kw)[source]
Same as
recvline_startswith()
, but returns a str, decoding the result using context.encoding. (note that the binary versions are way faster)
- recvline_startswithb(*a, **kw)[source]
Same as
recvline_startswith()
, but returns a bytearray
- recvlineb(*a, **kw)[source]
Same as
recvline()
, but returns a bytearray
- recvlines(numlines, drop=True, timeout=default) list of bytes objects [source]
Receive up to
numlines
lines.A “line” is any sequence of bytes terminated by the byte sequence set by
newline
, which defaults to'\n'
.If the request is not satisfied before
timeout
seconds pass, all data is buffered and an empty string (''
) is returned.- Parameters:
- Raises:
exceptions.EOFError – The connection closed before the request could be satisfied
- Returns:
A string containing bytes received from the socket, or
''
if a timeout occurred while waiting.
Examples
>>> t = tube() >>> t.recv_raw = lambda n: b'\n' >>> t.recvlines(3) [b'', b'', b''] >>> t.recv_raw = lambda n: b'Foo\nBar\nBaz\n' >>> t.recvlines(3) [b'Foo', b'Bar', b'Baz'] >>> t.recvlines(3, True) [b'Foo\n', b'Bar\n', b'Baz\n'] >>> t.recvlines(3, drop=False) [b'Foo\n', b'Bar\n', b'Baz\n']
- recvlinesS(numlines, drop=True, timeout=default) str list [source]
This function is identical to
recvlines()
, but decodes the received bytes into string usingcontext.encoding()
. You should userecvlines()
whenever possible for better performance.Examples
>>> t = tube() >>> t.recv_raw = lambda n: b'\n' >>> t.recvlinesS(3) ['', '', ''] >>> t.recv_raw = lambda n: b'Foo\nBar\nBaz\n' >>> t.recvlinesS(3) ['Foo', 'Bar', 'Baz']
- recvlinesb(numlines, drop=True, timeout=default) bytearray list [source]
This function is identical to
recvlines()
, but returns a bytearray.Examples
>>> t = tube() >>> t.recv_raw = lambda n: b'\n' >>> t.recvlinesb(3) [bytearray(b''), bytearray(b''), bytearray(b'')] >>> t.recv_raw = lambda n: b'Foo\nBar\nBaz\n' >>> t.recvlinesb(3) [bytearray(b'Foo'), bytearray(b'Bar'), bytearray(b'Baz')]
- recvn(numb, timeout=default) bytes [source]
Receives exactly n bytes.
If the request is not satisfied before
timeout
seconds pass, all data is buffered and an empty string (''
) is returned.- Raises:
exceptions.EOFError – The connection closed before the request could be satisfied
- Returns:
A string containing bytes received from the socket, or
''
if a timeout occurred while waiting.
Examples
>>> t = tube() >>> data = b'hello world' >>> t.recv_raw = lambda *a: data >>> t.recvn(len(data)) == data True >>> t.recvn(len(data)+1) == data + data[:1] True >>> t.recv_raw = lambda *a: None >>> # The remaining data is buffered >>> t.recv() == data[1:] True >>> t.recv_raw = lambda *a: time.sleep(0.01) or b'a' >>> t.recvn(10, timeout=0.05) b'' >>> t.recvn(10, timeout=0.06) b'aaaaaa...'
- recvnS(*a, **kw)[source]
Same as
recvn()
, but returns a str, decoding the result using context.encoding. (note that the binary versions are way faster)
- recvpred(pred, timeout=default) bytes [source]
Receives one byte at a time from the tube, until
pred(all_bytes)
evaluates to True.If the request is not satisfied before
timeout
seconds pass, all data is buffered and an empty string (''
) is returned.- Parameters:
pred (callable) – Function to call, with the currently-accumulated data.
timeout (int) – Timeout for the operation
- Raises:
exceptions.EOFError – The connection is closed
- Returns:
A bytes object containing bytes received from the socket, or
''
if a timeout occurred while waiting.
Examples
>>> t = tube() >>> t.recv_raw = lambda n: b'abbbaccc' >>> pred = lambda p: p.count(b'a') == 2 >>> t.recvpred(pred) b'abbba' >>> pred = lambda p: p.count(b'd') > 0 >>> t.recvpred(pred, timeout=0.05) b''
- recvpredS(*a, **kw)[source]
Same as
recvpred()
, but returns a str, decoding the result using context.encoding. (note that the binary versions are way faster)
- recvpredb(*a, **kw)[source]
Same as
recvpred()
, but returns a bytearray
- recvregex(regex, exact=False, timeout=default, capture=False) bytes [source]
Wrapper around
recvpred()
, which will return when a regex matches the string in the buffer.Returns all received data up until the regex matched. If capture is set to True, a
re.Match
object is returned instead.By default
re.RegexObject.search()
is used, but if exact is set to True, thenre.RegexObject.match()
will be used instead.If the request is not satisfied before
timeout
seconds pass, all data is buffered and an empty string (''
) is returned.Examples
>>> t = tube() >>> t.recv_raw = lambda n: b'The lucky number is 1337 as always\nBla blubb blargh\n' >>> m = t.recvregex(br'number is ([0-9]+) as always\n', capture=True) >>> m.group(1) b'1337' >>> t.recvregex(br'Bla .* blargh\n') b'Bla blubb blargh\n'
- recvregexS(*a, **kw)[source]
Same as
recvregex()
, but returns a str, decoding the result using context.encoding. (note that the binary versions are way faster)
- recvregexb(*a, **kw)[source]
Same as
recvregex()
, but returns a bytearray
- recvrepeat(timeout=default) bytes [source]
Receives data until a timeout or EOF is reached.
Examples
>>> data = [ ... b'd', ... b'', # simulate timeout ... b'c', ... b'b', ... b'a', ... ] >>> def delayrecv(n, data=data): ... return data.pop() >>> t = tube() >>> t.recv_raw = delayrecv >>> t.recvrepeat(0.2) b'abc' >>> t.recv() b'd'
- recvrepeatS(*a, **kw)[source]
Same as
recvrepeat()
, but returns a str, decoding the result using context.encoding. (note that the binary versions are way faster)
- recvrepeatb(*a, **kw)[source]
Same as
recvrepeat()
, but returns a bytearray
- recvuntil(delims, drop=False, timeout=default) bytes [source]
Receive data until one of delims is encountered.
If the request is not satisfied before
timeout
seconds pass, all data is buffered and an empty string (''
) is returned.- Parameters:
- Raises:
exceptions.EOFError – The connection closed before the request could be satisfied
- Returns:
A string containing bytes received from the socket, or
''
if a timeout occurred while waiting.
Examples
>>> t = tube() >>> t.recv_raw = lambda n: b"Hello World!" >>> t.recvuntil(b' ') b'Hello ' >>> _=t.clean(0) >>> # Matches on 'o' in 'Hello' >>> t.recvuntil((b' ',b'W',b'o',b'r')) b'Hello' >>> _=t.clean(0) >>> # Matches expressly full string >>> t.recvuntil(b' Wor') b'Hello Wor' >>> _=t.clean(0) >>> # Matches on full string, drops match >>> t.recvuntil(b' Wor', drop=True) b'Hello'
>>> # Try with regex special characters >>> t = tube() >>> t.recv_raw = lambda n: b"Hello|World" >>> t.recvuntil(b'|', drop=True) b'Hello'
- recvuntilS(*a, **kw)[source]
Same as
recvuntil()
, but returns a str, decoding the result using context.encoding. (note that the binary versions are way faster)
- recvuntilb(*a, **kw)[source]
Same as
recvuntil()
, but returns a bytearray
- send(data)[source]
Sends data.
If log level
DEBUG
is enabled, also prints out the data received.If it is not possible to send anymore because of a closed connection, it raises
exceptions.EOFError
Examples
>>> def p(x): print(repr(x)) >>> t = tube() >>> t.send_raw = p >>> t.send(b'hello') b'hello'
- sendafter(delim, data, timeout=default) str [source]
A combination of
recvuntil(delim, timeout=timeout)
andsend(data)
.
- sendline(data)[source]
Shorthand for
t.send(data + t.newline)
.Examples
>>> def p(x): print(repr(x)) >>> t = tube() >>> t.send_raw = p >>> t.sendline(b'hello') b'hello\n' >>> t.newline = b'\r\n' >>> t.sendline(b'hello') b'hello\r\n'
- sendlineafter(delim, data, timeout=default) str [source]
A combination of
recvuntil(delim, timeout=timeout)
andsendline(data)
.
- sendlinethen(delim, data, timeout=default) str [source]
A combination of
sendline(data)
andrecvuntil(delim, timeout=timeout)
.
- sendthen(delim, data, timeout=default) str [source]
A combination of
send(data)
andrecvuntil(delim, timeout=timeout)
.
- settimeout(timeout)[source]
Set the timeout for receiving operations. If the string “default” is given, then
context.timeout
will be used. If None is given, then there will be no timeout.Examples
>>> t = tube() >>> t.settimeout_raw = lambda t: None >>> t.settimeout(3) >>> t.timeout == 3 True
- shutdown(direction='send')[source]
Closes the tube for futher reading or writing depending on direction.
- Parameters:
direction (str) – Which direction to close; “in”, “read” or “recv” closes the tube in the ingoing direction, “out”, “write” or “send” closes it in the outgoing direction.
- Returns:
None
Examples
>>> def p(x): print(x) >>> t = tube() >>> t.shutdown_raw = p >>> _=list(map(t.shutdown, ('in', 'read', 'recv', 'out', 'write', 'send'))) recv recv recv send send send >>> t.shutdown('bad_value') Traceback (most recent call last): ... KeyError: "direction must be in ['in', 'out', 'read', 'recv', 'send', 'write']"
- spawn_process(*args, **kwargs)[source]
Spawns a new process having this tube as stdin, stdout and stderr.
Takes the same arguments as
subprocess.Popen
.
- stream()[source]
Receive data until the tube exits, and print it to stdout.
Similar to
interactive()
, except that no input is sent.Similar to
print(tube.recvall())
except that data is printed as it is received, rather than after all data is received.- Parameters:
line_mode (bool) – Whether to receive line-by-line or raw data.
- Returns:
All data printed.
- timeout_change()[source]
Should not be called directly. Informs the raw layer of the tube that the timeout has changed.
Inherited from
Timeout
.
- unrecv(data)[source]
Puts the specified data back at the beginning of the receive buffer.
Examples
>>> t = tube() >>> t.recv_raw = lambda n: b'hello' >>> t.recv() b'hello' >>> t.recv() b'hello' >>> t.unrecv(b'world') >>> t.recv() b'world' >>> t.recv() b'hello'
- upload_manually(data, target_path='./payload', prompt=b'$', chunk_size=0x200, chmod_flags='u+x', compression='auto', end_marker='PWNTOOLS_DONE')[source]
Upload a file manually using base64 encoding and compression. This can be used when the tube is connected to a shell.
The file is uploaded in base64-encoded chunks by appending to a file and then decompressing it:
loop: echo <chunk> | base64 -d >> <target_path>.<compression> <compression> -d -f <target_path>.<compression> chmod <chmod_flags> <target_path>
It is assumed that a base64 command is available on the target system. When
compression
isauto
the best compression utility available betweengzip
andxz
is chosen with a fallback to uncompressed upload.- Parameters:
data (bytes) – The data to upload.
target_path (str) – The path to upload the data to.
prompt (bytes) – The shell prompt to wait for.
chunk_size (int) – The size of each chunk to upload.
chmod_flags (str) – The flags to use with chmod.
""
to ignore.compression (str) – The compression to use.
auto
to automatically choose the best compression orgzip
orxz
.end_marker (str) – The marker to use to detect the end of the output. Only used when prompt is not set.
Examples:
>>> l = listen() >>> l.spawn_process('/bin/sh') >>> r = remote('127.0.0.1', l.lport) >>> r.upload_manually(b'some\xca\xfedata\n', prompt=b'', chmod_flags='') >>> r.sendline(b'cat ./payload') >>> r.recvline() b'some\xca\xfedata\n'
>>> r.upload_manually(cyclic(0x1000), target_path='./cyclic_pattern', prompt=b'', chunk_size=0x10, compression='gzip') >>> r.sendline(b'sha256sum ./cyclic_pattern') >>> r.recvlineS(keepends=False).startswith(sha256sumhex(cyclic(0x1000))) True
>>> blob = ELF.from_assembly(shellcraft.echo('Hello world!\n') + shellcraft.exit(0)) >>> r.upload_manually(blob.data, prompt=b'') >>> r.sendline(b'./payload') >>> r.recvline() b'Hello world!\n' >>> r.close() >>> l.close()
- writeafter(*a, **kw)[source]
Alias for
sendafter()
- writeline(*a, **kw)[source]
Alias for
sendline()
- writelineafter(*a, **kw)[source]
Alias for
sendlineafter()
- writelinethen(*a, **kw)[source]
Alias for
sendlinethen()
- writethen(*a, **kw)[source]
Alias for
sendthen()