Notes
Search…
Web PenTesting / Bug Bounty
Exploit Development / BoF
Pwntools
pwn — Toolbox optimized for CTFs pwnlib — Normal python library
Installation:
1
apt-get update
2
apt-get install python3 python3-pip python3-dev git libssl-dev libffi-dev build-essential
3
python3 -m pip install --upgrade pip
4
python3 -m pip install --upgrade pwntools
Copied!
Definite example:
1
from pwn import *
2
context(arch = 'i386', os = 'linux')
3
4
r = remote('exploitme.example.com', 31337)
5
# EXPLOIT CODE GOES HERE
6
r.send(asm(shellcraft.sh()))
7
r.interactive()
Copied!
Basics:
from pwn import * - This imports a lot of functionality into the global namespace. You can now assemble, disassemble, pack, unpack, and many other things with a single function.Making Connections
You need to talk to the challenge binary in order to pwn it, right? pwntools makes this stupid simple with its
pwnlib.tubes module.This exposes a standard interface to talk to processes, sockets, serial ports, and all manner of things, along with some nifty helpers for common tasks. For example, remote connections via
pwnlib.tubes.remote
Connecting and recieving info:
1
>>> conn.recvline() # doctest: +ELLIPSIS
2
b'220 ...'
3
>>> conn.send(b'USER anonymous\r\n')
4
>>> conn.recvuntil(b' ', drop=True)
5
b'331'
6
>>> conn.recvline()
7
b'Please specify the password.\r\n'
8
>>> conn.close()
Copied!
Basic listener:
1
>>> l = listen()
2
>>> r = remote('localhost', l.lport)
3
>>> c = l.wait_for_connection()
4
>>> r.send(b'hello')
5
>>> c.recv()
6
b'hello'
Copied!
Interacting with processes is easy thanks to pwnlib.tubes.process.
1
>>> sh = process('/bin/sh')
2
>>> sh.sendline(b'sleep 3; echo hello world;')
3
>>> sh.recvline(timeout=1)
4
b''
5
>>> sh.recvline(timeout=5)
6
b'hello world\n'
7
>>> sh.close()
Copied!
Not only can you interact with processes programmatically, but you can actually interact with processes.
1
>>> sh.interactive() # doctest: +SKIP
2
$ whoami
3
user
Copied!
There’s even an SSH module for when you’ve got to SSH into a box to perform a local/setuid exploit with pwnlib.tubes.ssh. You can quickly spawn processes and grab the output, or spawn a process and interact with it like a process tube.
1
>>> shell = ssh('bandit0', 'bandit.labs.overthewire.org', password='bandit0', port=2220)
2
>>> shell['whoami']
3
b'bandit0'
4
>>> shell.download_file('/etc/motd')
5
>>> sh = shell.run('sh')
6
>>> sh.sendline(b'sleep 3; echo hello world;')
7
>>> sh.recvline(timeout=1)
8
b''
9
>>> sh.recvline(timeout=5)
10
b'hello world\n'
11
>>> shell.close()
Copied!
Packing Integers
A common task for exploit-writing is converting between integers as Python sees them, and their representation as a sequence of bytes. Usually, folks resort to the built-in struct module.
pwntools makes this easier with pwnlib.util.packing. No more remembering unpacking codes, and littering your code with helper routines.
1
>>> import struct
2
>>> p32(0xdeadbeef) == struct.pack('I', 0xdeadbeef)
3
True
4
>>> leet = unhex('37130000')
5
>>> u32(b'abcd') == struct.unpack('I', b'abcd')[0]
6
True
Copied!
The packing/unpacking operations are defined for many common bit-widths.
1
>>> u8(b'A') == 0x41
2
True
Copied!
Misc Tools
Never write another hexdump, thanks to pwnlib.util.fiddling.
Find offsets in your buffer that cause a crash, thanks to pwnlib.cyclic.
1
>>> print(cyclic(20).decode())
2
aaaabaaacaaadaaaeaaa
3
>>> # Assume EIP = 0x62616166 (b'faab' which is pack(0x62616166)) at crash time
4
>>> print(cyclic_find(b'faab'))
5
120
Copied!
ELF Manipulation
1
>>> e = ELF('/bin/cat')
2
>>> print(hex(e.address)) #doctest: +SKIP
3
0x400000
4
>>> print(hex(e.symbols['write'])) #doctest: +SKIP
5
0x401680
6
>>> print(hex(e.got['write'])) #doctest: +SKIP
7
0x60b070
8
>>> print(hex(e.plt['write'])) #doctest: +SKIP
9
0x401680
Copied!
Last modified 1yr ago
Copy link