from pwn import *
¶
The most common way that you’ll see pwntools used is
>>> from pwn import *
Which imports a bazillion things into the global namespace to make your life easier.
This is a quick list of most of the objects and routines imported, in rough order of importance and frequency of use.
pwnlib.context
Responsible for most of the pwntools convenience settings
Set context.log_level = ‘debug’ when troubleshooting your exploit
Scope-aware, so you can disable logging for a subsection of code via
ContextType.local()
remote
,listen
,ssh
,process
Super convenient wrappers around all of the common functionality for CTF challenges
Connect to anything, anywhere, and it works the way you want it to
Helpers for common tasks like
recvline
,recvuntil
,clean
, etc.Interact directly with the application via
.interactive()
p32
andu32
Useful functions to make sure you never have to remember if
'>'
means signed or unsigned forstruct.pack
, and no more ugly[0]
index at the end.Set
signed
andendian
in sane manners (also these can be set once oncontext
and not bothered with again)Most common sizes are pre-defined (
u8
,u64
, etc), andpwnlib.util.packing.pack()
lets you define your own.
log
Make your output pretty!
cyclic
andcyclic_func
Utilities for generating strings such that you can find the offset of any given substring given only N (usually 4) bytes. This is super useful for straight buffer overflows. Instead of looking at 0x41414141, you could know that 0x61616171 means you control EIP at offset 64 in your buffer.
asm
anddisasm
Quickly turn assembly into some bytes, or vice-versa, without mucking about
Supports any architecture for which you have a binutils installed
Over 20 different architectures have pre-built binaries at ppa:pwntools/binutils.
shellcraft
Library of shellcode ready to go
asm(shellcraft.sh())
gives you a shellTemplating library for reusability of shellcode fragments
ELF
ELF binary manipulation tools, including symbol lookup, virtual memory to file offset helpers, and the ability to modify and save binaries back to disk
DynELF
Dynamically resolve functions given only a pointer to any loaded module, and a function which can leak data at any address
ROP
pwnlib.rop
Automatically generate ROP chains using a DSL to describe what you want to do, rather than raw addresses
gdb.debug
andgdb.attach
Launch a binary under GDB and pop up a new terminal to interact with it. Automates setting breakpoints and makes iteration on exploits MUCH faster.
Alternately, attach to a running process given a PID,
pwnlib.tubes
object, or even just a socket that’s connected to it
args
Dictionary containing all-caps command-line arguments for quick access
Run via
python foo.py REMOTE=1
andargs['REMOTE'] == '1'
.- Can also control logging verbosity and terminal fanciness
NOTERM
SILENT
DEBUG
randoms
,rol
,ror
,xor
,bits
Useful utilities for generating random data from a given alphabet, or simplifying math operations that usually require masking off with 0xffffffff or calling ord and chr an ugly number of times
net
Routines for querying about network interfaces
proc
Routines for querying about processes
pause
It’s the new
getch
safeeval
Functions for safely evaluating python code without nasty side-effects.
These are all pretty self explanatory, but are useful to have in the global namespace.
hexdump
read
andwrite
enhex
andunhex
more
group
align
andalign_down
urlencode
andurldecode
which
wget
Additionally, all of the following modules are auto-imported for you. You were going to do it anyway.
os
sys
time
requests
re
random