pwntools

pwntools is a python library that acts as a swiss army knife for pwning.

If you can run the line from pwn import * in a python session you're good to go.

If not then follow the instructions at: https://github.com/Gallopsled/pwntools

Also our pwndocker instructions has pwntools working already.

pwntools basics

• from pwn import * loads the library
• p=process("./yourbinaryhere") will start a new process and store the handler in your variable p
• r=remote("ip:add:he:re",port) will connect to a remove IP and port and give handler (same as above) to variable r
• p.recv() will show the displayed output of the process so far
• p.recvuntil(b">") will return all text until it finds the string b">"
• p.recvrepeat(0.5) will wait half a second and then give all the displayed output
• p.sendline(b"hi there") will send b"hithere\n" to the process as if you typed it
• p.close() shuts down the process
• p64(0x1337) will convert the integer 0x1337 into an 8-byte little-endian string that a 64-bit CPU would interpret as the address 0x1337
• p32(0x1337) same but for 32-bit addresses/integers
• u64(b"\x37\x13\x00\x00\x00\x00\x00\x00") will return the integer 0x1337 from an 8-byte little-endian string for a 64-bit leaked address
• u32(b"\x37\x13\x00\x00") will return the integer 0x1337 from a 4-byte little-endian string for a 32-bit CPU leaked address
• p.pid will return the process ID, useful for debugging with Radare2
• p.interactive() will give you back control of the process as if you were at the keyboard (nice for when you have a shell)

the ELF analyzer

• elf=ELF("./yourbinaryhere") will run the ELF analyzer on your binary and give you a handler in variable elf
• elf.sym.main this holds the default address of main (you can also lookup other symbols)
• elf.plt.printf this has an instruction address where you can call printf (you'll learn more about this stuff later)
• elf.got.printf has the location in memory space where the printf glibc address will be stored
• next(elf.search(b"/bin/sh")) if the elf has the string b"/bin/sh" in it this will give that address
• libc = ELF(elf.libc) will do the same but for the glibc that this binary is using (useful for ret to libc)

Shell Code

• context.arch = "amd64" is a global line to run before you ask for shellcode, it will set the version to 64-bits
• shellcraft.sh() will produce a beautifully formatted shellscript in human-friendly assembly
• asm(shellcraft.sh()) will convert that shellscript into machine-code, 48 bytes of instructions for you to analyze

Debugging your Payload

Here are the steps for debugging your payload:

• START THE PROCESS with pwntools
• copy-paste the PID and from a DIFFERENT command line do: r2 -Ad :pidhere:
• in Radare2 SET A BREAKPOINT just after the fgets/gets/scanf (that is where the program is currently paused) :db @0xwhatever
• in Radare2 CONTINUE the process :dc
• back in PYTHON/PWNTOOLS now send your payload p.sendline(payload)
• back in RADARE2 the breakpoint should now be hit
• in R2 step through the process to see your payload in action
• if you get a shell exit and do it without attaching r2

Demo Scripts

Here is a random pwntools script from a live CTF problem:

Here is a more useful collection of utilities I find myself using often when hacking:

Here are some ROP tools they make available

Here is a heap starter script I use often (when we start to debug with pwndbg rather than r2) Note you'll need to adjust the malloc/free/view utilities for each problem