Manual: pwntools

Reference

https://github.com/Gallopsled/pwntools

http://docs.pwntools.com/en/latest/

https://github.com/Gallopsled/pwntools-tutorial#readme

Install

sudo apt update
sudo apt install python3 python3-pip python3-dev git libssl-dev libffi-dev build-essential
python3 -m pip install --upgrade pip
python3 -m pip install --upgrade pwntools

Command Line Tools

http://docs.pwntools.com/en/latest/commandline.html

  • checksec
  • cyclic

Usage

1. Tubes

Tubes are effectively I/O wrappers for most types of I/O you'll need to perform: local processes, remote TCP or UDP connections, processes running on a remote server over SSH, and serial port I/O.

  • Basic IO
    1. Receiving data: recv(n), recvline(), recvuntil(delim), recvregex(pattern), recvrepeat(timeout), clean()
    2. Sending data: send(data), sendline(line)
    3. Manipulating integers: pack(int), unpack()
  • Processes
    1. process()
    2. process(['sh', '-c', 'echo $MYENV'], env={"MYENV": "MYVAL"})
  • Interactive shells, io.interactive()
  • Networking
    1. remote(host, port, fam, typ, ssl, sock, ssl_context, ssl_args, sni, ...)
    2. listen(port, bindaddr, fam, typ, ...)
      listen(8888).wait_for_connection()
  • Secure shell
    1. ssh(user, host, port, password, ...)
    2. ssh(...).process(...)
  • Serial ports, serialtube('/dev/ttyUSB0', baudrate=115200)

2. Utility

  • Packing and unpacking integers: The main pack and unpack functions are aware of the global settings in context such as endian, bits, and sign. You can also specify them explicitly in the function call.
    1. pack(n, endian='big', bits, sign)
    2. unpack(s), u16(s)
  • File IO
    1. write(filename, data)
    2. read(filename, len)
  • Hashing and encoding
    1. Base64: b64e(s), b64d(s)
    2. Hashes: md5sumhex(s.encode('utf-8')), md5filehex(filename), sha1sumhex(s.encode('utf-8'))
    3. URL encoding: urlencode(s)
    4. Hex encoding: enhex(s), unhex(s)
    5. Bit manipulation: bits(c), bits(0b1010), unbits(list)
    6. Hex dumping: print(hexdump(read('/dev/urandom', 32)))
  • Pattern generation: a very handy way to find offsets without needing to do math.
    1. cyclic(512)
    2. cyclic_find(s or hex)
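
As an added example (not pwntools' own code), the pattern generation above re-implemented with only the Python standard library: the same de Bruijn construction pwntools uses, so cyclic(20) yields the bytes pwntools yields, and cyclic_find maps a 4-byte window (given as bytes or as a little-endian integer read back from a crash) to its offset in the pattern.

```python
import string

# Alphabet and window length match pwntools' cyclic() defaults.
ALPHABET = string.ascii_lowercase
N = 4

def de_bruijn(alphabet=ALPHABET, n=N):
    """Yield the de Bruijn sequence B(k, n) character by character (FKM algorithm).
    Every length-n window occurs exactly once, so an n-byte slice of the
    pattern maps back to a unique offset."""
    k = len(alphabet)
    a = [0] * (k * n)

    def gen(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from gen(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from gen(t + 1, t)

    yield from gen(1, 1)

def cyclic(length, alphabet=ALPHABET, n=N):
    """First `length` bytes of the pattern; cyclic(20) == b'aaaabaaacaaadaaaeaaa'."""
    seq = de_bruijn(alphabet, n)
    return "".join(next(seq) for _ in range(length)).encode()

def cyclic_find(subseq, alphabet=ALPHABET, n=N):
    """Offset of an n-byte window in the pattern, or -1 if it never occurs.
    An int is a word read back from a crash (e.g. a saved register value) and
    is packed little-endian, the way pwntools applies context.endian."""
    if isinstance(subseq, int):
        subseq = subseq.to_bytes(n, "little")
    elif isinstance(subseq, str):
        subseq = subseq.encode()
    subseq = subseq[:n]
    if len(subseq) != n:
        raise ValueError(f"need at least {n} bytes, got {len(subseq)}")
    window = b""
    for i, c in enumerate(de_bruijn(alphabet, n)):
        window = (window + c.encode())[-n:]
        if window == subseq:
            return i - n + 1  # offset of the window's first byte
    return -1
```

Because every 4-byte window is unique, the offset a crash dump reports is exact rather than a guess; with the default 26-letter alphabet the pattern stays unique up to 26**4 bytes.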

3. Bytes vs. Strings

  • x = b'abc'
  • flat(x): This function takes an arbitrary number of arbitrarily nested lists, tuples and dictionaries. It will then find every string and number inside those and flatten them out.

4. Context

The context object is a global, thread-aware object which contains various settings used by pwntools. Context settings are as follows:

  • arch: The target architecture. The first time this is set, it automatically sets the default context.bits and context.endian to the most likely values, e.g. i386 (default), aarch64, arm, amd64.

  • bits: How many bits make up a word in the target binary, e.g. 32 or 64.

  • binary: Absorb settings from an ELF file.

  • endian: little (default), big

  • log_file: File to send all of the logging output into.

  • log_level: Verbosity of logs. Valid values are integers (lower is more verbose), and string values like "debug", "info", and "error".

  • sign: Sets the default signed-ness of integer packing / unpacking. Default is "unsigned".

  • terminal: Preferred terminal program to open new windows with. By default, uses x-terminal-emulator or tmux.

  • timeout: Default timeout for tube operations.

  • update: context.update(arch='mips', bits=64, endian='big')

5. ELFs

https://pwntools.readthedocs.io/en/latest/elf.html

  • Loading ELF files: ELF(path)
  • Using Symbols: ELF files have symbols, contained in a dict {name: data}.
    • ELF.symbols: lists all known symbols.
    • ELF.got: contains GOT entries.
    • ELF.plt: contains PLT entries.
    • ELF.functions: contains functions (requires DWARF symbols). elf.functions['list_all_jobs'].address
  • Changing the base address: adjust for ASLR. elf.address = 0x12340000
  • Reading ELF files:
    • elf.read(x, 4)
    • elf.write(x, 4)
    • elf.pack(x), elf.unpack(x)
    • elf.disasm(addr, 12)

6. Assembly

7. Debugging

8. ROP

9. Logging

10. Leaking Remote Memory