Command Line Tools¶
pwntools comes with a handful of useful command-line utilities which serve as wrappers for some of the internal functionality.
If these tools do not appear to be installed, make sure that ~/.local/bin (where pip install --user places console scripts) is on your $PATH environment variable.
pwn¶
Pwntools Command-line Interface
usage: pwn [-h]
{asm,checksec,constgrep,cyclic,debug,disasm,disablenx,elfdiff,elfpatch,errno,hex,libcdb,phd,pwnstrip,scramble,shellcraft,template,unhex,update,version}
...
- -h, --help¶
show this help message and exit
pwn asm¶
Assemble shellcode into bytes
usage: pwn asm [-h] [-f {raw,hex,string,elf}] [-o file] [-c context]
[-v AVOID] [-n] [-z] [-d] [-e ENCODER] [-i INFILE] [-r]
[line [line ...]]
- line¶
Lines to assemble. If none are supplied, use stdin
- -h, --help¶
show this help message and exit
- -f {raw,hex,string,elf}, --format {raw,hex,string,elf}¶
Output format (defaults to hex for ttys, otherwise raw)
- -o <file>, --output <file>¶
Output file (defaults to stdout)
- -c {16,32,64,android,baremetal,cgc,freebsd,linux,windows,powerpc64,aarch64,powerpc,sparc64,mips64,msp430,alpha,amd64,riscv,sparc,thumb,cris,i386,ia64,m68k,mips,s390,none,avr,arm,vax,little,big,be,eb,le,el}, --context {16,32,64,android,baremetal,cgc,freebsd,linux,windows,powerpc64,aarch64,powerpc,sparc64,mips64,msp430,alpha,amd64,riscv,sparc,thumb,cris,i386,ia64,m68k,mips,s390,none,avr,arm,vax,little,big,be,eb,le,el}¶
The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘android’, ‘baremetal’, ‘cgc’, ‘freebsd’, ‘linux’, ‘windows’, ‘powerpc64’, ‘aarch64’, ‘powerpc’, ‘sparc64’, ‘mips64’, ‘msp430’, ‘alpha’, ‘amd64’, ‘riscv’, ‘sparc’, ‘thumb’, ‘cris’, ‘i386’, ‘ia64’, ‘m68k’, ‘mips’, ‘s390’, ‘none’, ‘avr’, ‘arm’, ‘vax’, ‘little’, ‘big’, ‘be’, ‘eb’, ‘le’, ‘el’]
- -v <avoid>, --avoid <avoid>¶
Encode the shellcode to avoid the listed bytes (provided as hex)
- -n, --newline¶
Encode the shellcode to avoid newlines
- -z, --zero¶
Encode the shellcode to avoid NULL bytes
- -d, --debug¶
Debug the shellcode with GDB
- -e <encoder>, --encoder <encoder>¶
Specific encoder to use
- -i <infile>, --infile <infile>¶
Specify input file
- -r, --run¶
Run output
pwn checksec¶
Check binary security settings
usage: pwn checksec [-h] [--file [elf [elf ...]]] [elf [elf ...]]
- elf¶
Files to check
- -h, --help¶
show this help message and exit
- --file <elf>¶
File to check (for compatibility with checksec.sh)
pwn constgrep¶
Looking up constants from header files.
Example: constgrep -c freebsd -m ^PROT_ ‘3 + 4’
usage: pwn constgrep [-h] [-e] [-i] [-m] [-c arch_or_os] regex [constant]
- regex¶
The regex matching constant you want to find
- constant¶
The constant to find
- -h, --help¶
show this help message and exit
- -e, --exact¶
Do an exact match for a constant instead of searching for a regex
- -i, --case-insensitive¶
Search case insensitive
- -m, --mask-mode¶
Instead of matching the exact value, treat the given constant as a bit mask and list the matching constants whose set bits all fall within it. This is how a combined flags value is decomposed into its named parts, as in the example above, where '3 + 4' yields the PROT_ constants that make up 7.
- -c {16,32,64,android,baremetal,cgc,freebsd,linux,windows,powerpc64,aarch64,powerpc,sparc64,mips64,msp430,alpha,amd64,riscv,sparc,thumb,cris,i386,ia64,m68k,mips,s390,none,avr,arm,vax,little,big,be,eb,le,el}, --context {16,32,64,android,baremetal,cgc,freebsd,linux,windows,powerpc64,aarch64,powerpc,sparc64,mips64,msp430,alpha,amd64,riscv,sparc,thumb,cris,i386,ia64,m68k,mips,s390,none,avr,arm,vax,little,big,be,eb,le,el}¶
The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘android’, ‘baremetal’, ‘cgc’, ‘freebsd’, ‘linux’, ‘windows’, ‘powerpc64’, ‘aarch64’, ‘powerpc’, ‘sparc64’, ‘mips64’, ‘msp430’, ‘alpha’, ‘amd64’, ‘riscv’, ‘sparc’, ‘thumb’, ‘cris’, ‘i386’, ‘ia64’, ‘m68k’, ‘mips’, ‘s390’, ‘none’, ‘avr’, ‘arm’, ‘vax’, ‘little’, ‘big’, ‘be’, ‘eb’, ‘le’, ‘el’]
pwn cyclic¶
Cyclic pattern creator/finder
usage: pwn cyclic [-h] [-a alphabet] [-n length] [-c context]
[-l lookup_value]
[count]
- count¶
Number of characters to print
- -h, --help¶
show this help message and exit
- -a <alphabet>, --alphabet <alphabet>¶
The alphabet to use in the cyclic pattern (defaults to all lower case letters)
- -n <length>, --length <length>¶
Size of the unique subsequences (defaults to 4). On a 64-bit target pass -n 8 so that the full 8-byte value that lands in a register maps to a single offset.
- -c {16,32,64,android,baremetal,cgc,freebsd,linux,windows,powerpc64,aarch64,powerpc,sparc64,mips64,msp430,alpha,amd64,riscv,sparc,thumb,cris,i386,ia64,m68k,mips,s390,none,avr,arm,vax,little,big,be,eb,le,el}, --context {16,32,64,android,baremetal,cgc,freebsd,linux,windows,powerpc64,aarch64,powerpc,sparc64,mips64,msp430,alpha,amd64,riscv,sparc,thumb,cris,i386,ia64,m68k,mips,s390,none,avr,arm,vax,little,big,be,eb,le,el}¶
The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘android’, ‘baremetal’, ‘cgc’, ‘freebsd’, ‘linux’, ‘windows’, ‘powerpc64’, ‘aarch64’, ‘powerpc’, ‘sparc64’, ‘mips64’, ‘msp430’, ‘alpha’, ‘amd64’, ‘riscv’, ‘sparc’, ‘thumb’, ‘cris’, ‘i386’, ‘ia64’, ‘m68k’, ‘mips’, ‘s390’, ‘none’, ‘avr’, ‘arm’, ‘vax’, ‘little’, ‘big’, ‘be’, ‘eb’, ‘le’, ‘el’]
- -l <lookup_value>, -o <lookup_value>, --offset <lookup_value>, --lookup <lookup_value>¶
Do a lookup instead of printing the pattern: report the offset of the given value, which may be the integer read out of a crashed register (e.g. 0x61616162, which is the little-endian encoding of "baaa") or the raw characters themselves.
pwn debug¶
Debug a binary in GDB
usage: pwn debug [-h] [-x GDBSCRIPT] [--pid PID] [-c context]
[--exec EXECUTABLE] [--process PROCESS_NAME]
[--sysroot SYSROOT]
- -h, --help¶
show this help message and exit
- -x <gdbscript>¶
Execute GDB commands from this file.
- --pid <pid>¶
PID to attach to
- -c {16,32,64,android,baremetal,cgc,freebsd,linux,windows,powerpc64,aarch64,powerpc,sparc64,mips64,msp430,alpha,amd64,riscv,sparc,thumb,cris,i386,ia64,m68k,mips,s390,none,avr,arm,vax,little,big,be,eb,le,el}, --context {16,32,64,android,baremetal,cgc,freebsd,linux,windows,powerpc64,aarch64,powerpc,sparc64,mips64,msp430,alpha,amd64,riscv,sparc,thumb,cris,i386,ia64,m68k,mips,s390,none,avr,arm,vax,little,big,be,eb,le,el}¶
The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘android’, ‘baremetal’, ‘cgc’, ‘freebsd’, ‘linux’, ‘windows’, ‘powerpc64’, ‘aarch64’, ‘powerpc’, ‘sparc64’, ‘mips64’, ‘msp430’, ‘alpha’, ‘amd64’, ‘riscv’, ‘sparc’, ‘thumb’, ‘cris’, ‘i386’, ‘ia64’, ‘m68k’, ‘mips’, ‘s390’, ‘none’, ‘avr’, ‘arm’, ‘vax’, ‘little’, ‘big’, ‘be’, ‘eb’, ‘le’, ‘el’]
- --exec <executable>¶
File to debug
- --process <process_name>¶
Name of the process to attach to (e.g. “bash”)
- --sysroot <sysroot>¶
GDB sysroot path
pwn disablenx¶
Disable NX for an ELF binary
usage: pwn disablenx [-h] elf [elf ...]
- elf¶
ELF files to patch (they are modified in place, so keep a copy if you still need the original)
- -h, --help¶
show this help message and exit
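The checks behind pwn checksec and the edit behind pwn disablenx are both decided by the program headers: NX is the absence of PF_X on PT_GNU_STACK, PIE is e_type == ET_DYN, and RELRO is the presence of PT_GNU_RELRO (partial) plus a bind-now request in PT_DYNAMIC (full). The added example below is not pwntools' code; it is a stdlib-only ELF header parser that reports those three properties and applies the same PF_X flip that disablenx does, so you can verify a patched binary without trusting the tool's own output. Canary and FORTIFY detection need the symbol tables and are left out. The build_elf64 helper and the two sample binaries are constructed for this example and are not loadable programs; the rule that a missing PT_GNU_STACK counts as NX off matches the loader's fallback to an executable stack.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, ET_EXEC, ET_DYN = 1, 2, 3
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 8, 1


def _header(data):
    """(byte-order prefix, is64, e_type, e_phoff, e_phentsize, e_phnum) from the ELF header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    fmt = end + ("HHIQQQIHHH" if is64 else "HHIIIIIHHH")
    e_type, _, _, _, phoff, _, _, _, phentsize, phnum = struct.unpack_from(fmt, data, 16)
    return end, is64, e_type, phoff, phentsize, phnum


def segments(data):
    """Yield (p_type, p_flags, p_offset, p_filesz, file offset of p_flags) per program header."""
    end, is64, _, phoff, phentsize, phnum = _header(data)
    for i in range(phnum):
        base = phoff + i * phentsize
        if is64:  # Elf64_Phdr keeps p_flags right after p_type
            p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(end + "IIQQQQ", data, base)
            yield p_type, p_flags, p_offset, p_filesz, base + 4
        else:     # Elf32_Phdr puts p_flags after p_memsz
            p_type, p_offset, _, _, p_filesz, _, p_flags = struct.unpack_from(end + "IIIIIII", data, base)
            yield p_type, p_flags, p_offset, p_filesz, base + 24


def _bind_now(data, end, is64, off, size):
    """True when PT_DYNAMIC requests immediate binding, the second half of full RELRO."""
    fmt, width = (end + "qQ", 16) if is64 else (end + "iI", 8)
    for pos in range(off, off + size, width):
        tag, val = struct.unpack_from(fmt, data, pos)
        if tag == DT_NULL:
            break
        if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                or (tag == DT_FLAGS_1 and val & DF_1_NOW):
            return True
    return False


def checksec(data):
    """PIE, NX and RELRO as pwn checksec reports them, from the program headers alone."""
    end, is64, e_type, *_ = _header(data)
    segs = list(segments(data))
    stack = [s for s in segs if s[0] == PT_GNU_STACK]
    # No PT_GNU_STACK header: the loader falls back to an executable stack, so report NX off.
    nx = bool(stack) and not any(s[1] & PF_X for s in stack)
    relro = "No"
    if any(s[0] == PT_GNU_RELRO for s in segs):
        relro = "Partial"
        dyn = [s for s in segs if s[0] == PT_DYNAMIC]
        if dyn and _bind_now(data, end, is64, dyn[0][2], dyn[0][3]):
            relro = "Full"
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def disable_nx(data):
    """What pwn disablenx does: set PF_X on every PT_GNU_STACK header so the stack maps executable."""
    out = bytearray(data)
    end = _header(data)[0]
    for p_type, p_flags, _, _, flags_at in segments(data):
        if p_type == PT_GNU_STACK:
            struct.pack_into(end + "I", out, flags_at, p_flags | PF_X)
    return bytes(out)


def build_elf64(e_type, phdrs, tail=b""):
    """Constructed minimal little-endian ELF64 (header, program headers, trailing data) for the samples."""
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + bytes(9),
                       e_type, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, off, 0, 0, sz, sz, 8) for t, f, off, sz in phdrs)
    return ehdr + body + tail


# Two constructed samples: a hardened PIE with NX and full RELRO, and a legacy non-PIE with an RWX stack.
_DYN = struct.pack("<qQqQ", DT_FLAGS, DF_BIND_NOW, DT_NULL, 0)
HARDENED = build_elf64(ET_DYN, [(PT_GNU_STACK, 6, 0, 0), (PT_GNU_RELRO, 4, 0, 0),
                                (PT_DYNAMIC, 6, 64 + 3 * 56, len(_DYN))], _DYN)
LEGACY = build_elf64(ET_EXEC, [(PT_GNU_STACK, 7, 0, 0)])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else HARDENED
    print(checksec(data))
```

Run it with a path to check a real binary; without arguments it reports on the constructed hardened sample. Note that disable_nx only rewrites one 4-byte flags field, so the output file keeps its size and every other header byte, which is also why checksec on the result still shows PIE and RELRO unchanged.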
pwn disasm¶
Disassemble bytes into text format
usage: pwn disasm [-h] [-c arch_or_os] [-a address] [--color] [--no-color]
[hex [hex ...]]
- hex¶
Hex-string to disassemble. If none are supplied, then it uses stdin in non-hex mode.
- -h, --help¶
show this help message and exit
- -c {16,32,64,android,baremetal,cgc,freebsd,linux,windows,powerpc64,aarch64,powerpc,sparc64,mips64,msp430,alpha,amd64,riscv,sparc,thumb,cris,i386,ia64,m68k,mips,s390,none,avr,arm,vax,little,big,be,eb,le,el}, --context {16,32,64,android,baremetal,cgc,freebsd,linux,windows,powerpc64,aarch64,powerpc,sparc64,mips64,msp430,alpha,amd64,riscv,sparc,thumb,cris,i386,ia64,m68k,mips,s390,none,avr,arm,vax,little,big,be,eb,le,el}¶
The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘android’, ‘baremetal’, ‘cgc’, ‘freebsd’, ‘linux’, ‘windows’, ‘powerpc64’, ‘aarch64’, ‘powerpc’, ‘sparc64’, ‘mips64’, ‘msp430’, ‘alpha’, ‘amd64’, ‘riscv’, ‘sparc’, ‘thumb’, ‘cris’, ‘i386’, ‘ia64’, ‘m68k’, ‘mips’, ‘s390’, ‘none’, ‘avr’, ‘arm’, ‘vax’, ‘little’, ‘big’, ‘be’, ‘eb’, ‘le’, ‘el’]
- -a <address>, --address <address>¶
Base address
- --color¶
Color output
- --no-color¶
Disable color output
pwn elfdiff¶
Compare two ELF files
usage: pwn elfdiff [-h] a b
- a¶
First ELF file to compare
- b¶
Second ELF file to compare
- -h, --help¶
show this help message and exit
pwn elfpatch¶
Patch an ELF file
usage: pwn elfpatch [-h] elf offset bytes
- elf¶
File to patch
- offset¶
Virtual address to patch (hex encoded); the tool translates it to the matching file offset
- bytes¶
Bytes to patch (hex encoded)
- -h, --help¶
show this help message and exit
pwn errno¶
Prints out error messages
usage: pwn errno [-h] error
- error¶
Error message or value
- -h, --help¶
show this help message and exit
pwn hex¶
Hex-encodes data provided on the command line or stdin
usage: pwn hex [-h] [data [data ...]]
- data¶
Data to convert into hex
- -h, --help¶
show this help message and exit
pwn libcdb¶
Print various information about a libc binary
usage: pwn libcdb [-h] {lookup,hash,file} ...
- -h, --help¶
show this help message and exit
pwn libcdb file¶
Dump information about a libc binary
usage: pwn libcdb file [-h] [-s [symbols [symbols ...]]] [-o offset]
[--unstrip]
files [files ...]
- files¶
Libc binary to dump
- -h, --help¶
show this help message and exit
- -s <symbols>, --symbols <symbols>¶
List of symbol offsets to dump in addition to the common ones
- -o <offset>, --offset <offset>¶
Display all offsets relative to this symbol
- --unstrip¶
Attempt to unstrip the libc binary in place with debug symbols from a debuginfod server
pwn libcdb hash¶
Display information about a libc version given a unique hash
usage: pwn libcdb hash [-h] [-t [{id,buildid,md5,sha1,sha256}]]
[--download-libc] [--unstrip] [--no-unstrip]
hash_value [hash_value ...]
- hash_value¶
Hex encoded hash value
- -h, --help¶
show this help message and exit
- -t {id,buildid,md5,sha1,sha256}, --hash_type {id,buildid,md5,sha1,sha256}¶
The type of the provided hash value. Supported hashtypes: id, buildid, md5, sha1, sha256
- --download-libc¶
Attempt to download the matching libc.so
- --unstrip¶
Attempt to unstrip the libc binary with debug symbols from a debuginfod server
- --no-unstrip¶
Do NOT attempt to unstrip the libc binary with debug symbols from a debuginfod server
pwn libcdb lookup¶
Lookup a libc version by function offsets
usage: pwn libcdb lookup [-h] [--download-libc] [--unstrip] [--no-unstrip]
symbol_offset_pairs [symbol_offset_pairs ...]
- symbol_offset_pairs¶
Symbol and offset pairs to lookup matching libc version. Can be any number of pairs to narrow the search. Example: “read 3e0 write 520”
- -h, --help¶
show this help message and exit
- --download-libc¶
Attempt to download the matching libc.so
- --unstrip¶
Attempt to unstrip the libc binary with debug symbols from a debuginfod server
- --no-unstrip¶
Do NOT attempt to unstrip the libc binary with debug symbols from a debuginfod server
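The lookup above works with three-hex-digit values such as "read 3e0 write 520" because ASLR slides libc by whole pages, so the low 12 bits of a symbol's address are a property of the build, not of the process. The following added example is not the libc-database or libc.rip data that pwn libcdb actually queries: it uses a constructed, hypothetical three-entry database (the IDs and offsets are made up for the example) to show how the page-offset comparison works, how each extra symbol/offset pair narrows the candidates, and how a single leak then yields the libc base and the address of another symbol once the build is known. The matching rule and helper names are this example's own.

```python
# Constructed, hypothetical libc fingerprints; none of these are real libc-database entries.
LIBC_DB = {
    "example-libc-A": {"read": 0x1103E0, "write": 0x110520, "system": 0x04F420, "puts": 0x080AA0},
    "example-libc-B": {"read": 0x1107E0, "write": 0x110920, "system": 0x04F550, "puts": 0x080ED0},
    "example-libc-C": {"read": 0x0F73E0, "write": 0x0F7520, "system": 0x045390, "puts": 0x0718E0},
}
PAGE_MASK = 0xFFF  # ASLR moves libc by whole pages, so only the low 12 bits survive as a fingerprint


def parse_pairs(argv):
    """Turn the CLI form "read 3e0 write 520" into {"read": 0x3e0, "write": 0x520}."""
    if len(argv) % 2:
        raise ValueError("expected symbol/offset pairs, got %r" % (argv,))
    return {argv[i]: int(argv[i + 1], 16) for i in range(0, len(argv), 2)}


def match_libc(leaks, db=LIBC_DB):
    """IDs of every libc whose symbol page-offsets agree with all leaked addresses.
    Full addresses and bare 3-digit offsets both work because only the low 12 bits are compared;
    each extra pair can only shrink the candidate list."""
    return sorted(
        libc_id for libc_id, syms in db.items()
        if all(sym in syms and (syms[sym] & PAGE_MASK) == (addr & PAGE_MASK)
               for sym, addr in leaks.items())
    )


def resolve(leaked_addr, sym, libc_id, target, db=LIBC_DB):
    """Once one libc is identified, derive its base from a single leak and locate `target`.
    A base that is not page aligned means the wrong build or the wrong symbol was assumed."""
    base = leaked_addr - db[libc_id][sym]
    if base & PAGE_MASK:
        raise ValueError("base 0x%x is not page aligned: wrong libc or wrong symbol" % base)
    return base, base + db[libc_id][target]


if __name__ == "__main__":
    print(match_libc(parse_pairs(["read", "3e0", "write", "520"])))
    print(match_libc(parse_pairs(["read", "3e0", "write", "520", "system", "420"])))
    base, system = resolve(0x7F12345103E0, "read", "example-libc-A", "system")
    print(hex(base), hex(system))
```

Two pairs leave A and C as candidates; adding "system 420" picks A. The page-alignment check in resolve is the cheap sanity test to run before using the computed address: a misidentified build usually fails it immediately.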
pwn phd¶
Pretty hex dump
usage: pwn phd [-h] [-w WIDTH] [-l [HIGHLIGHT [HIGHLIGHT ...]]] [-s SKIP]
[-c COUNT] [-o OFFSET] [--color [{always,never,auto}]]
[file]
- file¶
File to hexdump. Reads from stdin if missing.
- -h, --help¶
show this help message and exit
- -w <width>, --width <width>¶
Number of bytes per line.
- -l <highlight>, --highlight <highlight>¶
Byte to highlight.
- -s <skip>, --skip <skip>¶
Skip this many initial bytes.
- -c <count>, --count <count>¶
Only show this many bytes.
- -o <offset>, --offset <offset>¶
Address shown in the left-hand column starts at this value.
- --color {always,never,auto}¶
Colorize the output. With 'auto', output is colorized only when stdout is a TTY. Default is 'auto'.
pwn pwnstrip¶
Strip binaries for CTF usage
usage: pwn pwnstrip [-h] [-b] [-p FUNCTION] [-o OUTPUT] file
- file¶
Binary to strip
- -h, --help¶
show this help message and exit
- -b, --build-id¶
Strip build ID
- -p <function>, --patch <function>¶
Patch function
- -o <output>, --output <output>¶
Output file
pwn scramble¶
Shellcode encoder
usage: pwn scramble [-h] [-f {raw,hex,string,elf}] [-o file] [-c context] [-p]
[-v AVOID] [-n] [-z] [-d]
- -h, --help¶
show this help message and exit
- -f {raw,hex,string,elf}, --format {raw,hex,string,elf}¶
Output format (defaults to hex for ttys, otherwise raw)
- -o <file>, --output <file>¶
Output file (defaults to stdout)
- -c {16,32,64,android,baremetal,cgc,freebsd,linux,windows,powerpc64,aarch64,powerpc,sparc64,mips64,msp430,alpha,amd64,riscv,sparc,thumb,cris,i386,ia64,m68k,mips,s390,none,avr,arm,vax,little,big,be,eb,le,el}, --context {16,32,64,android,baremetal,cgc,freebsd,linux,windows,powerpc64,aarch64,powerpc,sparc64,mips64,msp430,alpha,amd64,riscv,sparc,thumb,cris,i386,ia64,m68k,mips,s390,none,avr,arm,vax,little,big,be,eb,le,el}¶
The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘android’, ‘baremetal’, ‘cgc’, ‘freebsd’, ‘linux’, ‘windows’, ‘powerpc64’, ‘aarch64’, ‘powerpc’, ‘sparc64’, ‘mips64’, ‘msp430’, ‘alpha’, ‘amd64’, ‘riscv’, ‘sparc’, ‘thumb’, ‘cris’, ‘i386’, ‘ia64’, ‘m68k’, ‘mips’, ‘s390’, ‘none’, ‘avr’, ‘arm’, ‘vax’, ‘little’, ‘big’, ‘be’, ‘eb’, ‘le’, ‘el’]
- -p, --alphanumeric¶
Encode the shellcode with an alphanumeric encoder
- -v <avoid>, --avoid <avoid>¶
Encode the shellcode to avoid the listed bytes
- -n, --newline¶
Encode the shellcode to avoid newlines
- -z, --zero¶
Encode the shellcode to avoid NULL bytes
- -d, --debug¶
Debug the shellcode with GDB
pwn shellcraft¶
Microwave shellcode – Easy, fast and delicious
usage: pwn shellcraft [-h] [-?] [-o file] [-f format] [-d] [-b] [-a]
[-v AVOID] [-n] [-z] [-r] [--color] [--no-color]
[--syscalls] [--address ADDRESS] [-l] [-s]
[shellcode] [arg [arg ...]]
- shellcode¶
The shellcode you want
- arg¶
Argument to the chosen shellcode
- -h, --help¶
show this help message and exit
- -?, --show¶
Show shellcode documentation
- -o <file>, --out <file>¶
Output file (default: stdout)
- -f {r,raw,s,str,string,c,h,hex,a,asm,assembly,p,i,hexii,e,elf,d,escaped,default}, --format {r,raw,s,str,string,c,h,hex,a,asm,assembly,p,i,hexii,e,elf,d,escaped,default}¶
Output format (default: hex), choose from {e}lf, {r}aw, {s}tring, {c}-style array, {h}ex string, hex{i}i, {a}ssembly code, {p}reprocessed code, escape{d} hex string
- -d, --debug¶
Debug the shellcode with GDB
- -b, --before¶
Insert a debug trap before the code
- -a, --after¶
Insert a debug trap after the code
- -v <avoid>, --avoid <avoid>¶
Encode the shellcode to avoid the listed bytes
- -n, --newline¶
Encode the shellcode to avoid newlines
- -z, --zero¶
Encode the shellcode to avoid NULL bytes
- -r, --run¶
Run output
- --color¶
Color output
- --no-color¶
Disable color output
- --syscalls¶
List syscalls
- --address <address>¶
Load address
- -l, --list¶
List available shellcodes, optionally provide a filter
- -s, --shared¶
Generated ELF is a shared library
pwn template¶
Generate an exploit template
usage: pwn template [-h] [--host HOST] [--port PORT] [--user USER]
[--pass PASSWORD] [--path PATH] [--quiet]
[--color {never,always,auto}]
[exe]
- exe¶
Target binary
- -h, --help¶
show this help message and exit
- --host <host>¶
Remote host / SSH server
- --port <port>¶
Remote port / SSH port
- --user <user>¶
SSH Username
- --pass <password>, --password <password>¶
SSH Password
- --path <path>¶
Remote path of file on SSH server
- --quiet¶
Less verbose template comments
- --color {never,always,auto}¶
Print the output in color
pwn unhex¶
Decodes hex-encoded data provided on the command line or via stdin.
usage: pwn unhex [-h] [hex [hex ...]]
- hex¶
Hex bytes to decode
- -h, --help¶
show this help message and exit
pwn update¶
Check for pwntools updates
usage: pwn update [-h] [--install] [--pre]
- -h, --help¶
show this help message and exit
- --install¶
Install the update automatically.
- --pre¶
Check for pre-releases.
pwn version¶
Pwntools version
usage: pwn version [-h]
- -h, --help¶
show this help message and exit