CTF framework and exploit development library
OTHER License
Published by TethysSvensson over 6 years ago

- Fixed `gdb` when `LD_PRELOAD` is incorrect
- Fixed `BOOTLDR!` images
- `run_in_new_terminal` now runs the `pwntools-gdb` wrapper script instead of `gdb`
- Added the `pwnlib.tubes.server` module, which adds a reusable server listener
- Extended `fit()`, allowing dynamic contents to be injected. (This feature is really cool, check out the pull request!)

Published by TethysSvensson almost 7 years ago
- Exposed the `cyclic` alphabet and length on `context`
  - `context` now has two additional attributes, `cyclic_alphabet` and `cyclic_length`, which correspond to the arguments `alphabet` and `n` to `cyclic()` and `cyclic_find()` and related routines.
  - The motivation is to allow setting the `alphabet` globally, so that any padding / patterns generated internally to pwntools can be controlled. The specific motivation is blacklisting values in ROP padding.
- Fixed `QEMU_LD_PREFIX` used by QEMU user-mode emulation for sysroots
- Fixed `pwn template`
- Fixed `Coredump.fault_addr` on amd64
- Fixed breakage from `ftp.debian.org` going down

Published by TethysSvensson almost 7 years ago
Published by TethysSvensson almost 7 years ago
Published by TethysSvensson over 7 years ago
- Added the `pwnlib.config` module
  - Settings are read from `~/.pwn.conf`
- Added the `pwn checksec` command.
- Added the `pwn debug` command-line utility, which automates the process of `gdb.attach(process(...))` to spawn GDB
- Added the `pwn template` command-line utility to simplify the process of bootstrapping a new exploit.
- `~/.pwn.conf` (see the `pwnlib.config` module above)
- Added `TERM_PROGRAM` support for `run_in_new_terminal`

Published by TethysSvensson over 7 years ago
- Fixed `setup.py` on ARM
- `MemLeak`
- Added `STDOUT`, `PIPE`, `PTY` constants to globals
  - `process(..., stdin=process.PTY)` --> `process(..., stdin=PTY)`
- Added `PR_SET_PTRACER` for all `process()` and `ssh.process()` instances
- `adb` module
- `packing.fit()` now treats large offsets as cyclic patterns (e.g. `0x61616161` behaves the same as `"aaaa"`)
- Added `ssh.checksec`
- Fixed `execve` shellcode
- Extracts `IKCONFIG` configs from Linux kernel images, and extends `checksec` to report on any insecure configurations discovered
- Consolidated shared shellcode templates under `shellcraft/common` and exposes them via symlinks. Closed #685
- After the `shellcraft` reorganization, `shellcraft.arch.os.syscall_function()` still works the same
- Added a `connect` syscall, and a TCP `connect` helper
- `sh_string` now returns a quoted empty string `''` rather than just an empty string
- `process().corefile` will automatically instantiate a Corefile for the process
- Added support for `apport` crash logs
- Added support for GDB's `gcore` script
- The `ROP` class now respects `context.bytes` instead of using the hard-coded value of `4` (fixed #879)
- Added attributes to the `process` class (`uid`, `gid`, `suid`, `sgid`) which are recorded at execution time, based on the file permissions
- Changed how `ssh.process()` works internally, and it now returns a more specialized class, `ssh_process`.
  - Added `ssh_process.corefile` for fetching remote corefiles
  - Added `ssh_process.ELF` for getting an ELF of the remote executable
  - Added `uid`, `gid`, `suid`, and `sgid`, which are recorded at execution time, based on the file permissions
- Fixed `ELF.read` to support contiguous memory reads across non-contiguous file-backed segments
- Added a `symlink=` argument to `ssh.set_working_directory`, which will automatically symlink all of the files in the "old" working directory into the "new" working directory

Published by TethysSvensson over 7 years ago
- Added a `shell=` option to `ssh.process()`
- Added `context.buffer_size` for fine-tuning `tube` performance
  - Added a `buffer_fill_size=` argument for all tubes
- Added the `process.leak` function
- Sets the `coredump_filter` of all spawned processes, so that core dumps are more complete
- Added new helpers for `adb` (`unlink`, `mkdir`, `makedirs`, `isdir`, `exists`)

Published by TethysSvensson almost 8 years ago
- Added the `tube.stream()` function, which is like `tube.interact()` without a prompt or keyboard input.
  - Effectively, this is similar to `cat file` and just prints data as fast as it is received.
- Fixed re-use of the same connection in `adb.wait_for_device()`
- Added the `STDERR` magic argument to make logging go to `stderr` instead of `stdout`
  - `python foo.py STDERR` or `PWNLIB_STDERR=1 python foo.py`
  - Added `context.log_console` to log to any file or terminal
- Fixed `cyclic()` when provided very large values
- `globals()`
- Added a `-d` option for hex-escaped output for the `shellcraft` command-line tool
- Added support for `ROP.call()` with `Function` objects from `ELF.functions`
- Added `adb.uptime` and `adb.boot_time`
- Added `cyclic_metasploit` and `cyclic_metasploit_find`