from pwn import *¶
The most common way that you’ll see pwntools used is
>>> from pwn import *
Which imports a bazillion things into the global namespace to make your life easier.
This is a quick list of most of the objects and routines imported, in rough order of importance and frequency of use.
- Responsible for most of the pwntools convenience settings
- Set context.log_level = ‘debug’ when troubleshooting your exploit
- Scope-aware, so you can disable logging for a subsection of code via
- Super convenient wrappers around all of the common functionality for CTF challenges
- Connect to anything, anywhere, and it works the way you want it to
- Helpers for common tasks like
- Interact directly with the application via
- Useful functions to make sure you never have to remember if
'>'means signed or unsigned for
struct.pack, and no more ugly
index at the end.
endianin sane manners (also these can be set once on
contextand not bothered with again)
- Most common sizes are pre-defined (
u64, etc), and
pwnlib.util.packing.pack()lets you define your own.
- Make your output pretty!
- Utilities for generating strings such that you can find the offset of any given substring given only N (usually 4) bytes. This is super useful for straight buffer overflows. Instead of looking at 0x41414141, you could know that 0x61616171 means you control EIP at offset 64 in your buffer.
- Quickly turn assembly into some bytes, or vice-versa, without mucking about
- Supports any architecture for which you have a binutils installed
- Over 20 different architectures have pre-built binaries at ppa:pwntools/binutils.
- Library of shellcode ready to go
asm(shellcraft.sh())gives you a shell
- Templating library for reusability of shellcode fragments
- ELF binary manipulation tools, including symbol lookup, virtual memory to file offset helpers, and the ability to modify and save binaries back to disk
- Dynamically resolve functions given only a pointer to any loaded module, and a function which can leak data at any address
- Automatically generate ROP chains using a DSL to describe what you want to do, rather than raw addresses
- Launch a binary under GDB and pop up a new terminal to interact with it. Automates setting breakpoints and makes iteration on exploits MUCH faster.
- Alternately, attach to a running process given a PID,
pwnlib.tubesobject, or even just a socket that’s connected to it
- Dictionary containing all-caps command-line arguments for quick access
- Run via
python foo.py REMOTE=1and
args['REMOTE'] == '1'.
- Can also control logging verbosity and terminal fanciness
- Useful utilities for generating random data from a given alphabet, or simplifying math operations that usually require masking off with 0xffffffff or calling ord and chr an ugly number of times
- Routines for querying about network interfaces
- Routines for querying about processes
- It’s the new
- It’s the new
- Functions for safely evaluating python code without nasty side-effects.
These are all pretty self explanatory, but are useful to have in the global namespace.
Additionally, all of the following modules are auto-imported for you. You were going to do it anyway.