from pwn import *¶
The most common way that you’ll see pwntools used is
>>> from pwn import *
Which imports a bazillion things into the global namespace to make your life easier.
This is a quick list of most of the objects and routines imported, in rough order of importance and frequency of use.
- Responsible for most of the pwntools convenience settings
- Set context.log_level = ‘debug’ when troubleshooting your exploit
- Scope-aware, so you can disable logging for a subsection of code via pwnlib.context.ContextType.local
- remote, listen, ssh, process
- Super convenient wrappers around all of the common functionality for CTF challenges
- Connect to anything, anywhere, and it works the way you want it to
- Helpers for common tasks like recvline, recvuntil, clean, etc.
- Interact directly with the application via .interactive()
- p32 and u32
- Useful functions to make sure you never have to remember if '>' means signed or unsigned for struct.pack, and no more ugly  index at the end.
- Set signed and endian in sane manners (also these can be set once on context and not bothered with again)
- Most common sizes are pre-defined (u8, u64, etc), and pwnlib.util.packing.pack() lets you define your own.
- Make your output pretty!
- cyclic and cyclic_func
- Utilities for generating strings such that you can find the offset of any given substring given only N (usually 4) bytes. This is super useful for straight buffer overflows. Instead of looking at 0x41414141, you could know that 0x61616171 means you control EIP at offset 64 in your buffer.
- Library of shellcode ready to go
- asm(shellcraft.sh()) gives you a shell
- Templating library for reusability of shellcode fragments
- ELF binary manipulation tools, including symbol lookup, virtual memory to file offset helpers, and the ability to modify and save binaries back to disk
- Dynamically resolve functions given only a pointer to any loaded module, and a function which can leak data at any address
- Automatically generate ROP chains using a DSL to describe what you want to do, rather than raw addresses
- gdb.debug and gdb.attach
- Launch a binary under GDB and pop up a new terminal to interact with it. Automates setting breakpoints and makes iteration on exploits MUCH faster.
- Alternately, attach to a running process given a PID, pwnlib.tubes object, or even just a socket that’s connected to it
Dictionary contining all-caps command-line arguments for quick access
Run via python foo.py REMOTE=1 and args['REMOTE'] == '1'.
- Can also control logging verbosity and terminal fancyness
- randoms, rol, ror, xor, bits
- Useful utilities for generating random data from a given alphabet, or simplifying math operations that usually require masking off with 0xffffffff or calling ord and chr an ugly number of times
- Routines for querying about network interfaces
- Routines for querying about processes
- It’s the new getch
- Functions for safely evalutaing python code without nasty side-effects.
These are all pretty self explanatory, but are useful to have in the global namespace.
- read and write
- enhex and unhex
- align and align_down
- urlencode and urldecode
Additionally, all of the following modules are auto-imported for you. You were going to do it anyway.