pwnlib.tubes — Talking to the World!

The pwnlib is not a big truck! It’s a series of tubes!

This is our library for talking to sockets, processes, ssh connections etc. Our goal is to be able to use the same API for e.g. remote TCP servers, local TTY-programs and programs run over over SSH.

It is organized such that the majority of the functionality is implemented in pwnlib.tubes.tube. The remaining classes should only implement just enough for the class to work and possibly code pertaining only to that specific kind of tube.

pwnlib.tubes.tube — Common Functionality

class pwnlib.tubes.tube.tube[source]

Container of all the tube functions common to sockets, TTYs and SSH connetions.

can_read(*a, **kw)[source]

Alias for can_recv()

can_read_raw(*a, **kw)[source]

Alias for can_recv_raw()

can_recv(timeout = 0) → bool[source]

Returns True, if there is data available within timeout seconds.

Examples

>>> import time
>>> t = tube()
>>> t.can_recv_raw = lambda *a: False
>>> t.can_recv()
False
>>> _=t.unrecv(b'data')
>>> t.can_recv()
True
>>> _=t.recv()
>>> t.can_recv()
False
clean(timeout = 0.05)[source]

Removes all the buffered data from a tube by calling pwnlib.tubes.tube.tube.recv() with a low timeout until it fails.

If timeout is zero, only cached data will be cleared.

Note: If timeout is set to zero, the underlying network is not actually polled; only the internal buffer is cleared.

Returns:All data received

Examples

>>> t = tube()
>>> t.unrecv(b'clean me up')
>>> t.clean(0)
b'clean me up'
>>> len(t.buffer)
0
clean_and_log(timeout = 0.05)[source]

Works exactly as pwnlib.tubes.tube.tube.clean(), but logs received data with pwnlib.self.info().

Returns:All data received

Examples

>>> def recv(n, data=[b'', b'hooray_data']):
...     while data: return data.pop()
>>> t = tube()
>>> t.recv_raw      = recv
>>> t.connected_raw = lambda d: True
>>> t.fileno        = lambda: 1234
>>> with context.local(log_level='info'):
...     data = t.clean_and_log() #doctest: +ELLIPSIS
[DEBUG] Received 0xb bytes:
    b'hooray_data'
>>> data
b'hooray_data'
>>> context.clear()
close()[source]

Closes the tube.

connect_both(other)[source]

Connects the both ends of this tube object with another tube object.

connect_input(other)[source]

Connects the input of this tube to the output of another tube object.

Examples

>>> def p(x): print(x.decode())
>>> def recvone(n, data=[b'data']):
...     while data: return data.pop()
...     raise EOFError
>>> a = tube()
>>> b = tube()
>>> a.recv_raw = recvone
>>> b.send_raw = p
>>> a.connected_raw = lambda d: True
>>> b.connected_raw = lambda d: True
>>> a.shutdown      = lambda d: True
>>> b.shutdown      = lambda d: True
>>> import time
>>> _=(b.connect_input(a), time.sleep(0.1))
data
connect_output(other)[source]

Connects the output of this tube to the input of another tube object.

Examples

>>> def p(x): print(repr(x))
>>> def recvone(n, data=[b'data']):
...     while data: return data.pop()
...     raise EOFError
>>> a = tube()
>>> b = tube()
>>> a.recv_raw = recvone
>>> b.send_raw = p
>>> a.connected_raw = lambda d: True
>>> b.connected_raw = lambda d: True
>>> a.shutdown      = lambda d: True
>>> b.shutdown      = lambda d: True
>>> _=(a.connect_output(b), time.sleep(0.1))
b'data'
connected(direction = 'any') → bool[source]

Returns True if the tube is connected in the specified direction.

Parameters:direction (str) – Can be the string ‘any’, ‘in’, ‘read’, ‘recv’, ‘out’, ‘write’, ‘send’.

Doctest:

>>> def p(x): print(x)
>>> t = tube()
>>> t.connected_raw = p
>>> _=list(map(t.connected, ('any', 'in', 'read', 'recv', 'out', 'write', 'send')))
any
recv
recv
recv
send
send
send
>>> t.connected('bad_value') #doctest: +ELLIPSIS
Traceback (most recent call last):
...
KeyError: "direction must be in ['any', 'in', 'out', 'read', 'recv', 'send', 'write']"
fileno() → int[source]

Returns the file number used for reading.

interactive(prompt = pwnlib.term.text.bold_red('$') + ' ')[source]

Does simultaneous reading and writing to the tube. In principle this just connects the tube to standard in and standard out, but in practice this is much more usable, since we are using pwnlib.term to print a floating prompt.

Thus it only works in while in pwnlib.term.term_mode.

read(*a, **kw)[source]

Alias for recv()

readS(*a, **kw)[source]

Alias for recvS()

read_raw(*a, **kw)[source]

Alias for recv_raw()

readall(*a, **kw)[source]

Alias for recvall()

readallS(*a, **kw)[source]

Alias for recvallS()

readallb(*a, **kw)[source]

Alias for recvallb()

readb(*a, **kw)[source]

Alias for recvb()

readline(*a, **kw)[source]

Alias for recvline()

readlineS(*a, **kw)[source]

Alias for recvlineS()

readline_contains(*a, **kw)[source]

Alias for recvline_contains()

readline_containsS(*a, **kw)[source]

Alias for recvline_containsS()

readline_containsb(*a, **kw)[source]

Alias for recvline_containsb()

readline_endswith(*a, **kw)[source]

Alias for recvline_endswith()

readline_endswithS(*a, **kw)[source]

Alias for recvline_endswithS()

readline_endswithb(*a, **kw)[source]

Alias for recvline_endswithb()

readline_pred(*a, **kw)[source]

Alias for recvline_pred()

readline_regex(*a, **kw)[source]

Alias for recvline_regex()

readline_regexS(*a, **kw)[source]

Alias for recvline_regexS()

readline_regexb(*a, **kw)[source]

Alias for recvline_regexb()

readline_startswith(*a, **kw)[source]

Alias for recvline_startswith()

readline_startswithS(*a, **kw)[source]

Alias for recvline_startswithS()

readline_startswithb(*a, **kw)[source]

Alias for recvline_startswithb()

readlineb(*a, **kw)[source]

Alias for recvlineb()

readlines(*a, **kw)[source]

Alias for recvlines()

readlinesS(*a, **kw)[source]

Alias for recvlinesS()

readlinesb(*a, **kw)[source]

Alias for recvlinesb()

readn(*a, **kw)[source]

Alias for recvn()

readnS(*a, **kw)[source]

Alias for recvnS()

readnb(*a, **kw)[source]

Alias for recvnb()

readpred(*a, **kw)[source]

Alias for recvpred()

readpredS(*a, **kw)[source]

Alias for recvpredS()

readpredb(*a, **kw)[source]

Alias for recvpredb()

readregex(*a, **kw)[source]

Alias for recvregex()

readregexS(*a, **kw)[source]

Alias for recvregexS()

readregexb(*a, **kw)[source]

Alias for recvregexb()

readrepeat(*a, **kw)[source]

Alias for recvrepeat()

readrepeatS(*a, **kw)[source]

Alias for recvrepeatS()

readrepeatb(*a, **kw)[source]

Alias for recvrepeatb()

readuntil(*a, **kw)[source]

Alias for recvuntil()

readuntilS(*a, **kw)[source]

Alias for recvuntilS()

readuntilb(*a, **kw)[source]

Alias for recvuntilb()

recv(numb = 4096, timeout = default) → bytes[source]

Receives up to numb bytes of data from the tube, and returns as soon as any quantity of data is available.

If the request is not satisfied before timeout seconds pass, all data is buffered and an empty string ('') is returned.

Raises:exceptions.EOFError – The connection is closed
Returns:A bytes object containing bytes received from the socket, or '' if a timeout occurred while waiting.

Examples

>>> t = tube()
>>> # Fake a data source
>>> t.recv_raw = lambda n: b'Hello, world'
>>> t.recv() == b'Hello, world'
True
>>> t.unrecv(b'Woohoo')
>>> t.recv() == b'Woohoo'
True
>>> with context.local(log_level='debug'):
...    _ = t.recv() # doctest: +ELLIPSIS
[...] Received 0xc bytes:
    b'Hello, world'
recvS(*a, **kw)[source]

Same as recv(), but returns a str, decoding the result using context.encoding. (note that the binary versions are way faster)

recvall() → bytes[source]

Receives data until EOF is reached.

recvallS(*a, **kw)[source]

Same as recvall(), but returns a str, decoding the result using context.encoding. (note that the binary versions are way faster)

recvallb(*a, **kw)[source]

Same as recvall(), but returns a bytearray

recvb(*a, **kw)[source]

Same as recv(), but returns a bytearray

recvline(keepends=True, timeout=default) → bytes[source]

Receive a single line from the tube.

A “line” is any sequence of bytes terminated by the byte sequence set in newline, which defaults to '\n'.

If the request is not satisfied before timeout seconds pass, all data is buffered and an empty string ('') is returned.

Parameters:
  • keepends (bool) – Keep the line ending (True).
  • timeout (int) – Timeout
Returns:

All bytes received over the tube until the first newline '\n' is received. Optionally retains the ending.

Examples

>>> t = tube()
>>> t.recv_raw = lambda n: b'Foo\nBar\r\nBaz\n'
>>> t.recvline()
b'Foo\n'
>>> t.recvline()
b'Bar\r\n'
>>> t.recvline(keepends = False)
b'Baz'
>>> t.newline = b'\r\n'
>>> t.recvline(keepends = False)
b'Foo\nBar'
recvlineS(*a, **kw)[source]

Same as recvline(), but returns a str, decoding the result using context.encoding. (note that the binary versions are way faster)

recvline_contains(items, keepends=False, timeout=pwnlib.timeout.Timeout.default)[source]

Receive lines until one line is found which contains at least one of items.

Parameters:
  • items (str,tuple) – List of strings to search for, or a single string.
  • keepends (bool) – Return lines with newlines if True
  • timeout (int) – Timeout, in seconds

Examples

>>> t = tube()
>>> t.recv_raw = lambda n: b"Hello\nWorld\nXylophone\n"
>>> t.recvline_contains(b'r')
b'World'
>>> f = lambda n: b"cat dog bird\napple pear orange\nbicycle car train\n"
>>> t = tube()
>>> t.recv_raw = f
>>> t.recvline_contains(b'pear')
b'apple pear orange'
>>> t = tube()
>>> t.recv_raw = f
>>> t.recvline_contains((b'car', b'train'))
b'bicycle car train'
recvline_containsS(*a, **kw)[source]

Same as recvline_contains(), but returns a str, decoding the result using context.encoding. (note that the binary versions are way faster)

recvline_containsb(*a, **kw)[source]

Same as recvline_contains(), but returns a bytearray

recvline_endswith(delims, keepends=False, timeout=default) → bytes[source]

Keep receiving lines until one is found that starts with one of delims. Returns the last line received.

If the request is not satisfied before timeout seconds pass, all data is buffered and an empty string ('') is returned.

See recvline_startswith() for more details.

Examples

>>> t = tube()
>>> t.recv_raw = lambda n: b'Foo\nBar\nBaz\nKaboodle\n'
>>> t.recvline_endswith(b'r')
b'Bar'
>>> t.recvline_endswith((b'a',b'b',b'c',b'd',b'e'), True)
b'Kaboodle\n'
>>> t.recvline_endswith(b'oodle')
b'Kaboodle'
recvline_endswithS(*a, **kw)[source]

Same as recvline_endswith(), but returns a str, decoding the result using context.encoding. (note that the binary versions are way faster)

recvline_endswithb(*a, **kw)[source]

Same as recvline_endswith(), but returns a bytearray

recvline_pred(pred, keepends=False) → bytes[source]

Receive data until pred(line) returns a truthy value. Drop all other data.

If the request is not satisfied before timeout seconds pass, all data is buffered and an empty string ('') is returned.

Parameters:pred (callable) – Function to call. Returns the line for which this function returns True.

Examples

>>> t = tube()
>>> t.recv_raw = lambda n: b"Foo\nBar\nBaz\n"
>>> t.recvline_pred(lambda line: line == b"Bar\n")
b'Bar'
>>> t.recvline_pred(lambda line: line == b"Bar\n", keepends=True)
b'Bar\n'
>>> t.recvline_pred(lambda line: line == b'Nope!', timeout=0.1)
b''
recvline_regex(regex, exact=False, keepends=False, timeout=default) → bytes[source]

Wrapper around recvline_pred(), which will return when a regex matches a line.

By default re.RegexObject.search() is used, but if exact is set to True, then re.RegexObject.match() will be used instead.

If the request is not satisfied before timeout seconds pass, all data is buffered and an empty string ('') is returned.

recvline_regexS(*a, **kw)[source]

Same as recvline_regex(), but returns a str, decoding the result using context.encoding. (note that the binary versions are way faster)

recvline_regexb(*a, **kw)[source]

Same as recvline_regex(), but returns a bytearray

recvline_startswith(delims, keepends=False, timeout=default) → bytes[source]

Keep receiving lines until one is found that starts with one of delims. Returns the last line received.

If the request is not satisfied before timeout seconds pass, all data is buffered and an empty string ('') is returned.

Parameters:
  • delims (str,tuple) – List of strings to search for, or string of single characters
  • keepends (bool) – Return lines with newlines if True
  • timeout (int) – Timeout, in seconds
Returns:

The first line received which starts with a delimiter in delims.

Examples

>>> t = tube()
>>> t.recv_raw = lambda n: b"Hello\nWorld\nXylophone\n"
>>> t.recvline_startswith((b'W',b'X',b'Y',b'Z'))
b'World'
>>> t.recvline_startswith((b'W',b'X',b'Y',b'Z'), True)
b'Xylophone\n'
>>> t.recvline_startswith(b'Wo')
b'World'
recvline_startswithS(*a, **kw)[source]

Same as recvline_startswith(), but returns a str, decoding the result using context.encoding. (note that the binary versions are way faster)

recvline_startswithb(*a, **kw)[source]

Same as recvline_startswith(), but returns a bytearray

recvlineb(*a, **kw)[source]

Same as recvline(), but returns a bytearray

recvlines(numlines, keepends=False, timeout=default) → list of bytes objects[source]

Receive up to numlines lines.

A “line” is any sequence of bytes terminated by the byte sequence set by newline, which defaults to '\n'.

If the request is not satisfied before timeout seconds pass, all data is buffered and an empty string ('') is returned.

Parameters:
  • numlines (int) – Maximum number of lines to receive
  • keepends (bool) – Keep newlines at the end of each line (False).
  • timeout (int) – Maximum timeout
Raises:

exceptions.EOFError – The connection closed before the request could be satisfied

Returns:

A string containing bytes received from the socket, or '' if a timeout occurred while waiting.

Examples

>>> t = tube()
>>> t.recv_raw = lambda n: b'\n'
>>> t.recvlines(3)
[b'', b'', b'']
>>> t.recv_raw = lambda n: b'Foo\nBar\nBaz\n'
>>> t.recvlines(3)
[b'Foo', b'Bar', b'Baz']
>>> t.recvlines(3, True)
[b'Foo\n', b'Bar\n', b'Baz\n']
recvlinesS(numlines, keepends=False, timeout=default) → str list[source]

This function is identical to recvlines(), but decodes the received bytes into string using context.encoding(). You should use recvlines() whenever possible for better performance.

Examples

>>> t = tube()
>>> t.recv_raw = lambda n: b'\n'
>>> t.recvlinesS(3)
['', '', '']
>>> t.recv_raw = lambda n: b'Foo\nBar\nBaz\n'
>>> t.recvlinesS(3)
['Foo', 'Bar', 'Baz']
recvlinesb(numlines, keepends=False, timeout=default) → bytearray list[source]

This function is identical to recvlines(), but returns a bytearray.

Examples

>>> t = tube()
>>> t.recv_raw = lambda n: b'\n'
>>> t.recvlinesb(3)
[bytearray(b''), bytearray(b''), bytearray(b'')]
>>> t.recv_raw = lambda n: b'Foo\nBar\nBaz\n'
>>> t.recvlinesb(3)
[bytearray(b'Foo'), bytearray(b'Bar'), bytearray(b'Baz')]
recvn(numb, timeout = default) → str[source]

Receives exactly n bytes.

If the request is not satisfied before timeout seconds pass, all data is buffered and an empty string ('') is returned.

Raises:exceptions.EOFError – The connection closed before the request could be satisfied
Returns:A string containing bytes received from the socket, or '' if a timeout occurred while waiting.

Examples

>>> t = tube()
>>> data = b'hello world'
>>> t.recv_raw = lambda *a: data
>>> t.recvn(len(data)) == data
True
>>> t.recvn(len(data)+1) == data + data[:1]
True
>>> t.recv_raw = lambda *a: None
>>> # The remaining data is buffered
>>> t.recv() == data[1:]
True
>>> t.recv_raw = lambda *a: time.sleep(0.01) or b'a'
>>> t.recvn(10, timeout=0.05)
b''
>>> t.recvn(10, timeout=0.06) # doctest: +ELLIPSIS
b'aaaaaa...'
recvnS(*a, **kw)[source]

Same as recvn(), but returns a str, decoding the result using context.encoding. (note that the binary versions are way faster)

recvnb(*a, **kw)[source]

Same as recvn(), but returns a bytearray

recvpred(pred, timeout = default) → bytes[source]

Receives one byte at a time from the tube, until pred(all_bytes) evaluates to True.

If the request is not satisfied before timeout seconds pass, all data is buffered and an empty string ('') is returned.

Parameters:
  • pred (callable) – Function to call, with the currently-accumulated data.
  • timeout (int) – Timeout for the operation
Raises:

exceptions.EOFError – The connection is closed

Returns:

A bytes object containing bytes received from the socket, or '' if a timeout occurred while waiting.

recvpredS(*a, **kw)[source]

Same as recvpred(), but returns a str, decoding the result using context.encoding. (note that the binary versions are way faster)

recvpredb(*a, **kw)[source]

Same as recvpred(), but returns a bytearray

recvregex(regex, exact=False, timeout=default) → bytes[source]

Wrapper around recvpred(), which will return when a regex matches the string in the buffer.

By default re.RegexObject.search() is used, but if exact is set to True, then re.RegexObject.match() will be used instead.

If the request is not satisfied before timeout seconds pass, all data is buffered and an empty string ('') is returned.

recvregexS(*a, **kw)[source]

Same as recvregex(), but returns a str, decoding the result using context.encoding. (note that the binary versions are way faster)

recvregexb(*a, **kw)[source]

Same as recvregex(), but returns a bytearray

recvrepeat(timeout=default) → bytes[source]

Receives data until a timeout or EOF is reached.

Examples

>>> data = [
... b'd',
... b'', # simulate timeout
... b'c',
... b'b',
... b'a',
... ]
>>> def delayrecv(n, data=data):
...     return data.pop()
>>> t = tube()
>>> t.recv_raw = delayrecv
>>> t.recvrepeat(0.2)
b'abc'
>>> t.recv()
b'd'
recvrepeatS(*a, **kw)[source]

Same as recvrepeat(), but returns a str, decoding the result using context.encoding. (note that the binary versions are way faster)

recvrepeatb(*a, **kw)[source]

Same as recvrepeat(), but returns a bytearray

recvuntil(delims, drop=False, timeout=default) → bytes[source]

Receive data until one of delims is encountered.

If the request is not satisfied before timeout seconds pass, all data is buffered and an empty string ('') is returned.

Parameters:
  • delims (bytes,tuple) – Byte-string of delimiters characters, or list of delimiter byte-strings.
  • drop (bool) – Drop the ending. If True it is removed from the end of the return value.
Raises:

exceptions.EOFError – The connection closed before the request could be satisfied

Returns:

A string containing bytes received from the socket, or '' if a timeout occurred while waiting.

Examples

>>> t = tube()
>>> t.recv_raw = lambda n: b"Hello World!"
>>> t.recvuntil(b' ')
b'Hello '
>>> _=t.clean(0)
>>> # Matches on 'o' in 'Hello'
>>> t.recvuntil((b' ',b'W',b'o',b'r'))
b'Hello'
>>> _=t.clean(0)
>>> # Matches expressly full string
>>> t.recvuntil(b' Wor')
b'Hello Wor'
>>> _=t.clean(0)
>>> # Matches on full string, drops match
>>> t.recvuntil(b' Wor', drop=True)
b'Hello'
>>> # Try with regex special characters
>>> t = tube()
>>> t.recv_raw = lambda n: b"Hello|World"
>>> t.recvuntil(b'|', drop=True)
b'Hello'
recvuntilS(*a, **kw)[source]

Same as recvuntil(), but returns a str, decoding the result using context.encoding. (note that the binary versions are way faster)

recvuntilb(*a, **kw)[source]

Same as recvuntil(), but returns a bytearray

send(data)[source]

Sends data.

If log level DEBUG is enabled, also prints out the data received.

If it is not possible to send anymore because of a closed connection, it raises exceptions.EOFError

Examples

>>> def p(x): print(repr(x))
>>> t = tube()
>>> t.send_raw = p
>>> t.send(b'hello')
b'hello'
sendafter(delim, data, timeout = default) → str[source]

A combination of recvuntil(delim, timeout=timeout) and send(data).

sendline(data)[source]

Shorthand for t.send(data + t.newline).

Examples

>>> def p(x): print(repr(x))
>>> t = tube()
>>> t.send_raw = p
>>> t.sendline(b'hello')
b'hello\n'
>>> t.newline = b'\r\n'
>>> t.sendline(b'hello')
b'hello\r\n'
sendlineafter(delim, data, timeout = default) → str[source]

A combination of recvuntil(delim, timeout=timeout) and sendline(data).

sendlinethen(delim, data, timeout = default) → str[source]

A combination of sendline(data) and recvuntil(delim, timeout=timeout).

sendthen(delim, data, timeout = default) → str[source]

A combination of send(data) and recvuntil(delim, timeout=timeout).

settimeout(timeout)[source]

Set the timeout for receiving operations. If the string “default” is given, then context.timeout will be used. If None is given, then there will be no timeout.

Examples

>>> t = tube()
>>> t.settimeout_raw = lambda t: None
>>> t.settimeout(3)
>>> t.timeout == 3
True
shutdown(direction = "send")[source]

Closes the tube for futher reading or writing depending on direction.

Parameters:direction (str) – Which direction to close; “in”, “read” or “recv” closes the tube in the ingoing direction, “out”, “write” or “send” closes it in the outgoing direction.
Returns:None

Examples

>>> def p(x): print(x)
>>> t = tube()
>>> t.shutdown_raw = p
>>> _=list(map(t.shutdown, ('in', 'read', 'recv', 'out', 'write', 'send')))
recv
recv
recv
send
send
send
>>> t.shutdown('bad_value') #doctest: +ELLIPSIS
Traceback (most recent call last):
...
KeyError: "direction must be in ['in', 'out', 'read', 'recv', 'send', 'write']"
spawn_process(*args, **kwargs)[source]

Spawns a new process having this tube as stdin, stdout and stderr.

Takes the same arguments as subprocess.Popen.

stream()[source]

Receive data until the tube exits, and print it to stdout.

Similar to interactive(), except that no input is sent.

Similar to print(tube.recvall()) except that data is printed as it is received, rather than after all data is received.

Parameters:line_mode (bool) – Whether to receive line-by-line or raw data.
Returns:All data printed.
timeout_change()[source]

Informs the raw layer of the tube that the timeout has changed.

Should not be called directly.

Inherited from Timeout.

unread(*a, **kw)[source]

Alias for unrecv()

unrecv(data)[source]

Puts the specified data back at the beginning of the receive buffer.

Examples

>>> t = tube()
>>> t.recv_raw = lambda n: b'hello'
>>> t.recv()
b'hello'
>>> t.recv()
b'hello'
>>> t.unrecv(b'world')
>>> t.recv()
b'world'
>>> t.recv()
b'hello'
wait(timeout=pwnlib.timeout.Timeout.default)[source]

Waits until the tube is closed.

wait_for_close(timeout=pwnlib.timeout.Timeout.default)[source]

Waits until the tube is closed.

write(*a, **kw)[source]

Alias for send()

write_raw(*a, **kw)[source]

Alias for send_raw()

writeafter(*a, **kw)[source]

Alias for sendafter()

writeline(*a, **kw)[source]

Alias for sendline()

writelineafter(*a, **kw)[source]

Alias for sendlineafter()

writelines(*a, **kw)[source]

Alias for sendlines()

writelinethen(*a, **kw)[source]

Alias for sendlinethen()

writethen(*a, **kw)[source]

Alias for sendthen()

newline = '\n'[source]

Delimiter to use for sendline(), recvline(), and related functions.