pwnlib.util.misc — We could not fit it any other place

pwnlib.util.misc._create_execve_script(argv=None, executable=None, cwd=None, env=None, ignore_environ=None, stdin=0, stdout=1, stderr=2, preexec_fn=None, preexec_args=(), aslr=None, setuid=None, shell=False, log=<pwnlib.log.Logger object>)[source]

Creates a python wrapper script that triggers the syscall execve directly.

  • argv (list) – List of arguments to pass into the process

  • executable (str) – Path to the executable to run. If None, argv[0] is used.

  • cwd (str) – Working directory. If None, uses the working directory specified on cwd or set via set_working_directory().

  • env (dict) – Environment variables to add to the environment.

  • ignore_environ (bool) – Ignore default environment. By default use default environment iff env not specified.

  • stdin (int, str) – If an integer, replace stdin with the numbered file descriptor. If a string, a open a file with the specified path and replace stdin with its file descriptor. May also be one of sys.stdin, sys.stdout, sys.stderr. If None, the file descriptor is closed.

  • stdout (int, str) – See stdin.

  • stderr (int, str) – See stdin.

  • preexec_fn (callable) – Function which is executed on the remote side before execve(). This MUST be a self-contained function – it must perform all of its own imports, and cannot refer to variables outside its scope.

  • preexec_args (object) – Argument passed to preexec_fn. This MUST only consist of native Python objects.

  • aslr (bool) – See pwnlib.tubes.process.process for more information.

  • setuid (bool) – See pwnlib.tubes.process.process for more information.

  • shell (bool) – Pass the command-line arguments to the shell.


A string containing the python script.

pwnlib.util.misc.align(alignment, x) int[source]

Rounds x up to nearest multiple of the alignment.


>>> [align(5, n) for n in range(15)]
[0, 5, 5, 5, 5, 5, 10, 10, 10, 10, 10, 15, 15, 15, 15]
pwnlib.util.misc.align_down(alignment, x) int[source]

Rounds x down to nearest multiple of the alignment.


>>> [align_down(5, n) for n in range(15)]
[0, 0, 0, 0, 0, 5, 5, 5, 5, 5, 10, 10, 10, 10, 10]
pwnlib.util.misc.binary_ip(host) str[source]

Resolve host and return IP as four byte string.


>>> binary_ip("")

Given a tube which is a shell, dealarm it.


Emulates the behavior of mkdir -p.


Parses the output from a run of ‘ldd’ on a binary. Returns a dictionary of {path: address} for each library required by the specified binary.


output (str) – The output to parse


>>> sorted(parse_ldd_output('''
... =>  (0x00007fffbf5fe000)
... => /lib/x86_64-linux-gnu/ (0x00007fe28117f000)
... => /lib/x86_64-linux-gnu/ (0x00007fe280f7b000)
... => /lib/x86_64-linux-gnu/ (0x00007fe280bb4000)
...     /lib64/ (0x00007fe2813dd000)
... ''').keys())
['/lib/x86_64-linux-gnu/', '/lib/x86_64-linux-gnu/', '/lib/x86_64-linux-gnu/', '/lib64/']

A class decorator that defines __str__ methods under Python 2. Under Python 3 it does nothing., count=-1, skip=0) str[source]

Open file, return content.


>>> read('/proc/self/exe')[:4]
pwnlib.util.misc.register_sizes(regs, in_sizes)[source]

Create dictionaries over register sizes and relations

Given a list of lists of overlapping register names (e.g. [‘eax’,’ax’,’al’,’ah’]) and a list of input sizes, it returns the following:

  • all_regs : list of all valid registers

  • sizes[reg] : the size of reg in bits

  • bigger[reg] : list of overlapping registers bigger than reg

  • smaller[reg]: list of overlapping registers smaller than reg

Used in i386/AMD64 shellcode, e.g. the mov-shellcode.


>>> regs = [['eax', 'ax', 'al', 'ah'],['ebx', 'bx', 'bl', 'bh'],
... ['ecx', 'cx', 'cl', 'ch'],
... ['edx', 'dx', 'dl', 'dh'],
... ['edi', 'di'],
... ['esi', 'si'],
... ['ebp', 'bp'],
... ['esp', 'sp'],
... ]
>>> all_regs, sizes, bigger, smaller = register_sizes(regs, [32, 16, 8, 8])
>>> all_regs
['eax', 'ax', 'al', 'ah', 'ebx', 'bx', 'bl', 'bh', 'ecx', 'cx', 'cl', 'ch', 'edx', 'dx', 'dl', 'dh', 'edi', 'di', 'esi', 'si', 'ebp', 'bp', 'esp', 'sp']
>>> pprint(sizes)
{'ah': 8,
 'al': 8,
 'ax': 16,
 'bh': 8,
 'bl': 8,
 'bp': 16,
 'bx': 16,
 'ch': 8,
 'cl': 8,
 'cx': 16,
 'dh': 8,
 'di': 16,
 'dl': 8,
 'dx': 16,
 'eax': 32,
 'ebp': 32,
 'ebx': 32,
 'ecx': 32,
 'edi': 32,
 'edx': 32,
 'esi': 32,
 'esp': 32,
 'si': 16,
 'sp': 16}
>>> pprint(bigger)
{'ah': ['eax', 'ax', 'ah'],
 'al': ['eax', 'ax', 'al'],
 'ax': ['eax', 'ax'],
 'bh': ['ebx', 'bx', 'bh'],
 'bl': ['ebx', 'bx', 'bl'],
 'bp': ['ebp', 'bp'],
 'bx': ['ebx', 'bx'],
 'ch': ['ecx', 'cx', 'ch'],
 'cl': ['ecx', 'cx', 'cl'],
 'cx': ['ecx', 'cx'],
 'dh': ['edx', 'dx', 'dh'],
 'di': ['edi', 'di'],
 'dl': ['edx', 'dx', 'dl'],
 'dx': ['edx', 'dx'],
 'eax': ['eax'],
 'ebp': ['ebp'],
 'ebx': ['ebx'],
 'ecx': ['ecx'],
 'edi': ['edi'],
 'edx': ['edx'],
 'esi': ['esi'],
 'esp': ['esp'],
 'si': ['esi', 'si'],
 'sp': ['esp', 'sp']}
>>> pprint(smaller)
{'ah': [],
 'al': [],
 'ax': ['al', 'ah'],
 'bh': [],
 'bl': [],
 'bp': [],
 'bx': ['bl', 'bh'],
 'ch': [],
 'cl': [],
 'cx': ['cl', 'ch'],
 'dh': [],
 'di': [],
 'dl': [],
 'dx': ['dl', 'dh'],
 'eax': ['ax', 'al', 'ah'],
 'ebp': ['bp'],
 'ebx': ['bx', 'bl', 'bh'],
 'ecx': ['cx', 'cl', 'ch'],
 'edi': ['di'],
 'edx': ['dx', 'dl', 'dh'],
 'esi': ['si'],
 'esp': ['sp'],
 'si': [],
 'sp': []}
pwnlib.util.misc.run_in_new_terminal(command, terminal=None, args=None, kill_at_exit=True, preexec_fn=None) int[source]

Run a command in a new terminal.

When terminal is not set:
  • If context.terminal is set it will be used. If it is an iterable then context.terminal[1:] are default arguments.

  • If a pwntools-terminal command exists in $PATH, it is used

  • If tmux is detected (by the presence of the $TMUX environment variable), a new pane will be opened.

  • If GNU Screen is detected (by the presence of the $STY environment variable), a new screen will be opened.

  • If $TERM_PROGRAM is set, that is used.

  • If X11 is detected (by the presence of the $DISPLAY environment variable), x-terminal-emulator is used.

  • If KDE Konsole is detected (by the presence of the $KONSOLE_VERSION environment variable), a terminal will be split.

  • If WSL (Windows Subsystem for Linux) is detected (by the presence of a wsl.exe binary in the $PATH and /proc/sys/kernel/osrelease containing Microsoft), a new cmd.exe window will be opened.

If kill_at_exit is True, try to close the command/terminal when the current process exits. This may not work for all terminal types.

  • command (str) – The command to run.

  • terminal (str) – Which terminal to use.

  • args (list) – Arguments to pass to the terminal

  • kill_at_exit (bool) – Whether to close the command/terminal on process exit.

  • preexec_fn (callable) – Callable to invoke before exec().


The command is opened with /dev/null for stdin, stdout, stderr.


PID of the new terminal process

pwnlib.util.misc.size(n, abbrev='B', si=False) str[source]

Convert the length of a bytestream to human readable form.

  • n (int,iterable) – The length to convert to human readable form, or an object which can have len() called on it.

  • abbrev (str) – String appended to the size, defaults to 'B'.


>>> size(451)
>>> size(1000)
>>> size(1024)
>>> size(1024, ' bytes')
'1.00K bytes'
>>> size(1024, si = True)
>>> [size(1024 ** n) for n in range(7)]
['1B', '1.00KB', '1.00MB', '1.00GB', '1.00TB', '1.00PB', '1024.00PB']
>>> size([])
>>> size([1,2,3])
pwnlib.util.misc.which(name, flags=os.X_OK, all=False) str or str set[source]

Works as the system command which; searches $PATH for name and returns a full path if found. Tries all of the file extensions in $PATHEXT on Windows too.

If all is True the set of all found locations is returned, else the first occurrence or None is returned.

  • name (str) – The file to search for.

  • all (bool) – Whether to return all locations where name was found.


If all is True the set of all locations where name was found, else the first location or None if not found.


>>> which('sh') 
pwnlib.util.misc.write(path, data=b'', create_dir=False, mode='w')[source]

Create new file or truncate existing to zero length and write data.