CTF framework and exploit development library
OTHER License
Published by TethysSvensson almost 8 years ago
Multiple bug fixes:

- Fixed `adb.uninstall` typo
- Fixed `ssh.process` argument `preexec_fn`
- Fixed `remote()` when connections failed
- Fixed `adb.partitions`, which accidentally shelled out to the `adb` binary
- Fixed `Core.segments` when a segment has no name
- Fixed `adb.wait_for_device()`
- Fixed the case where the `$HOME` directory is not writable
- Fixed `None` in `MemLeak`
Published by TethysSvensson almost 8 years ago
- Removed the `phd.run_in_terminal` function, since it did not work properly in all cases.
- Added `pushstr_array`.
- Added a `pwn` entry point: the `asm`, `disasm`, `checksec`, etc. scripts are available as subcommands of the `pwn` command (e.g. `pwn asm nop`).
- The `process` object has a new, optional argument `alarm` for setting a `SIGALRM` timeout for processes.
- `DynELF` has a new attribute, `heap`, which leaks the current `brk` address (heap base). This is useful for finding heap allocations with dlmalloc-derived allocators like those used by Glibc.
- `sh_string` was rewritten to emit more compact and compatible strings.
- Changes to the `tubes` module and the default `subprocess` module.
- The `adb` module now talks directly to the `adb` server process via a new module, `adb.protocol`, rather than through the `adb` client binary, which sidesteps `adb` server vs. client mismatches.
- `adb`
  - `install` - Installs an APK
  - `uninstall` - Uninstalls a package
  - `packages` - Lists installed packages
- `shellcraft.sh` on all platforms now provides `argv[0]` and sets `argc==1`, since `/bin/sh` does not behave well with `argc==0` or `argv[0]==NULL`.
- `connect()` alias for `remote()`, e.g. `io=connect('google.com', 80)`.
- `tcp(...)` and `udp(...)` aliases.
- `ssh.read()` and `ssh.write()` aliases.
- `AdbDevice` objects exposed via e.g. `adb.devices()` now offer scoped access to all `adb` module properties, e.g. `map(lambda d: d.process(['id']).recvall(), adb.devices())`.
Published by TethysSvensson almost 8 years ago
Fixed a bug in `MemLeak.struct` (PR: #768).
Published by TethysSvensson about 8 years ago
A number of smaller bugfixes and documentation tweaks.
Published by TethysSvensson about 8 years ago
Published by TethysSvensson about 8 years ago
Published by TethysSvensson about 8 years ago
A small bugfix release. There were a lot of references to the `master` branch; however, after 3.0.0 we use the names `stable`, `beta` and `dev` for our branches.
Published by TethysSvensson about 8 years ago
Published by TethysSvensson about 8 years ago
This was a large release (1305 commits since 2.2.0) with a lot of bugfixes and changes. The Binjitsu project, a fork of Pwntools, was merged back into Pwntools. As such, its features are now available here.

As always, the best source of information on specific features is the comprehensive docs at https://pwntools.readthedocs.org.

This list of changes is incomplete, but covers all of the significant changes which were appropriately documented.
- Android support via a new `adb` module, `context.device`, `context.adb_host`, and `context.adb_port`.
- `asm.make_elf` and `asm.make_elf_from_assembly`.
- `asm` and `shellcraft` command-line tools support flags for the new shellcode encoders.
- `asm` and `shellcraft` command-line tools support a `--debug` flag for automatically launching GDB on the result.
- Additions to the `shellcraft` module:
  - `shellcraft.<arch>.gettimeofday`
  - `shellcraft.i386.linux.`
  - `shellcraft.<arch>.linux.loader`
- `context.aslr`, which controls ASLR on launched processes. This works with both `process()` and `ssh.process()`, and can be specified per-process with the `aslr=` keyword argument.
- `context.binary`, which automatically sets all `context` variables from an ELF file.
- `context.device`, `context.adb`, `context.adb_port`, and `context.adb_host` for connecting to Android devices.
- `context.kernel` setting for Sigreturn-Oriented Programming (SROP).
- `context.log_file` setting for sending logs to a file. This can be set with the `LOG_FILE` magic command-line option.
- `context.noptrace` setting for disabling actions which require `ptrace` support. This is useful for turning all `gdb.debug` and `gdb.attach` calls into no-ops, and can be set via the `NOPTRACE` magic command-line option.
- `context.proxy`, which hooks all connections and sends them through a SOCKS4/SOCKS5 proxy. This can be set via the `PROXY` magic command-line option.
- `context.randomize` to control randomization of settings like XOR keys and register ordering (default off).
- `context.terminal` for setting how to launch commands in a new terminal.
- `DynELF().libc` property, which attempts to find the remote libc and download the ELF from LibcDB.
- `DynELF().stack` property, which leaks the `__environ` pointer from libc, making it easy to leak stack addresses.
- `MemLeak.String` and `MemLeak.NoNewlines` and other related helpers for handling special leakers which e.g. cannot handle newlines in the leaked addresses, or which leak a C string (e.g. auto-append a `'\x00'`).
- `MemLeak.compare` to avoid leaking an entire field if we can tell from a partial leak that it does not match what we are searching for.
- `pwnlib.encoders` module for assembled-shellcode encoders/decoders.
- `Core` object which can parse core files, in order to extract / search for memory contents, and extract register states (e.g. `Core('./corefile').eax`).
- `fmtstr` module for assisting with format string exploitation.
- `context.os=='android'`
- `gdb.debug_assembly()` and `gdb.debug_shellcode()`
- `pwnlib.rop.srop` and `SigreturnFrame()` objects
- `process()` has many new options, check out the documentation:
  - `aslr` controls ASLR
  - `setuid` can disable the effect of setuid, allowing core dumps (useful for extracting crash state via the new `Core()` object)
  - `raw` argument
  - `stdout` and `stderr` are now PTYs by default
  - `stdin` can be set to a PTY also via setting `stdin=process.PTY`
- `ssh` objects now have a `ssh.process()` method which avoids the need to handle shell expansion via the old `ssh.run()` method.
  - `download` and `upload` methods auto-detect whether the target is a file or directory and act accordingly
  - `listen()` method alias for `listen_remote()`
  - `remote()` method alias for `connect_remote()`
- `fit()` method to combine the functionality of `flat()` with the functionality of `cyclic()`.
- `negative()` method to negate the value of an integer via two's complement, with respect to the current integer size (`context.bytes`).
- `xor_key()` method to generate an XOR key which avoids undesirable bytes over a given input.
- Multi-threaded `bruteforce()` implementation, `mbruteforce()`.
- `dealarm_shell()` helper to remove the effects of `alarm()` after you've popped a shell.

Published by br0ns almost 10 years ago
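As an added example of what the `fit()`, `flat()` and `cyclic()` items in the 3.0.0 list above describe (written for this page, not pwntools' own code, though the de Bruijn construction is the standard one): a pattern generator whose every 4-byte window is unique, a lookup from the value a crash left in a register back to a buffer offset, and a `fit`-style layout that pads the gaps between placed pieces with that same pattern. The function names and the `n=4` window size are this example's choices.

```python
import string
from itertools import islice

ALPHABET = string.ascii_lowercase.encode()


def de_bruijn(alphabet=ALPHABET, n=4):
    """Yield the de Bruijn sequence B(k, n) over `alphabet` (FKM algorithm).
    Every length-n window occurs exactly once, so n bytes identify a position."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length, n=4):
    """First `length` bytes of the pattern (lazily generated)."""
    return bytes(islice(de_bruijn(n=n), length))


def cyclic_find(subseq, n=4):
    """Offset in cyclic() of an n-byte window, given as bytes or as the
    little-endian integer a crash left in a register; -1 if not present."""
    if isinstance(subseq, int):
        subseq = subseq.to_bytes(8, 'little')
    subseq = bytes(subseq[:n])
    window = bytearray()
    for i, c in enumerate(de_bruijn(n=n)):
        window.append(c)
        if len(window) > n:
            del window[0]
        if len(window) == n and window == subseq:
            return i - n + 1
    return -1


def fit(pieces, length=None, n=4):
    """Place {offset: bytes} into a buffer whose gaps are cyclic() padding.
    Because the padding is the pattern itself at its true offsets, a padding
    value that ends up in a register still maps back via cyclic_find().
    Overlapping pieces raise ValueError instead of silently clobbering."""
    end = max((off + len(data) for off, data in pieces.items()), default=0)
    end = max(end, length or 0)
    buf = bytearray(cyclic(end, n))
    used = []
    for off in sorted(pieces):
        data = pieces[off]
        lo, hi = off, off + len(data)
        if any(lo < h and l < hi for l, h in used):
            raise ValueError('pieces overlap at offset %#x' % off)
        used.append((lo, hi))
        buf[lo:hi] = data
    return bytes(buf)
```

Typical use: send `cyclic(200)`, read the faulting program counter out of the crash (or the `Core` object), and `cyclic_find(pc)` gives the offset to put a real address at with `fit({offset: addr})`.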
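Added example for the `negative()` and `xor_key()` items in the 3.0.0 list above (standalone code for this page, not pwntools' implementations): two's-complement negation bounded to a register width, and the column-wise search for an XOR key such that neither the key nor the encoded output contains a forbidden byte. The parameter names, the `bits=` width argument standing in for `context.bytes`, and the default bad-byte set `\x00\n` are this example's assumptions.

```python
def negative(value, bits=64):
    """Two's-complement negation of `value` in a `bits`-wide register.
    Only the low `bits` bits are kept, so negative(1, 32) is 0xffffffff."""
    mask = (1 << bits) - 1
    return (-value) & mask


def xor_apply(data, key):
    """XOR `data` with `key` repeated; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_key(data, avoid=b'\x00\n', size=4):
    """Find a `size`-byte key K such that neither K nor xor_apply(data, K)
    contains any byte in `avoid`.  Returns (key, encoded) or raises ValueError.

    Byte i of data is xored with key byte i % size, so key byte j only has to
    satisfy the data bytes in column j (data[j::size]).  That turns a
    256**size search into `size` independent 256-way searches.
    """
    avoid = set(avoid)
    key = bytearray()
    for j in range(size):
        column = data[j::size]
        for k in range(256):
            if k in avoid:
                continue                    # the key itself is sent too
            if all((b ^ k) not in avoid for b in column):
                key.append(k)
                break
        else:
            raise ValueError('no key byte for column %d avoids %r'
                             % (j, sorted(avoid)))
    key = bytes(key)
    return key, xor_apply(data, key)
```

The encoded bytes plus the key are what a decoder stub (the job of the `pwnlib.encoders` module) carries into the target; the stub XORs the payload back in place before jumping to it, and the search above is what guarantees the stub's data section is free of the bytes the input path would mangle.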
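Added example illustrating the `MemLeak.String`, `MemLeak.NoNewlines` and `MemLeak.compare` items in the 3.0.0 list above with a small caching leaker; this is code written for this page, not pwntools' `MemLeak`, whose interface differs. The sample memory image, the two simulated leak primitives and the `string=` / `assume_on_fail=` parameters are all constructed for the example.

```python
MEMORY_BASE = 0x400000
# Constructed sample "process memory": ELF magic, a path, a secret, a line.
MEMORY = (b'\x7fELF\x02\x01\x01\x00'   # 0x400000..0x400007
          + b'/bin/sh\x00'             # 0x400008..0x40000f
          + b'secret\x00'              # 0x400010..0x400016
          + b'line\nend\x00')          # 0x400017..0x40001f


class MemLeak:
    def __init__(self, leaker, string=False, assume_on_fail=None):
        """leaker(addr) -> bytes starting at addr, or None on failure.
        string=True: the leaker returns a C string and hides its terminator,
                     so the NUL that follows the returned bytes is cached too.
        assume_on_fail: byte value to assume when the leaker fails at an
                     address (e.g. 0x0a for a line-oriented leaker that can
                     never show a newline, the NoNewlines situation)."""
        self.leaker = leaker
        self.string = string
        self.assume_on_fail = assume_on_fail
        self.cache = {}      # addr -> byte value (int) or None
        self.calls = 0       # how many times the primitive was invoked

    def byte(self, addr):
        """One byte, served from the cache when a previous leak covered it."""
        if addr in self.cache:
            return self.cache[addr]
        self.calls += 1
        data = self.leaker(addr)
        if data is not None and self.string:
            data += b'\x00'
        if not data:
            self.cache[addr] = self.assume_on_fail
            return self.assume_on_fail
        for i, b in enumerate(data):
            self.cache[addr + i] = b
        return self.cache[addr]

    def n(self, addr, length):
        """`length` bytes at addr, or None if any byte is unleakable."""
        out = bytearray()
        for i in range(length):
            b = self.byte(addr + i)
            if b is None:
                return None
            out.append(b)
        return bytes(out)

    def compare(self, addr, expected):
        """Does memory at addr equal `expected`?  Stops at the first mismatch,
        so a wrong candidate costs one leak instead of len(expected)."""
        for i, e in enumerate(expected):
            b = self.byte(addr + i)
            if b is None or b != e:
                return False
        return True

    def search(self, start, end, needle):
        """First address in [start, end) holding `needle`, else None."""
        for addr in range(start, end - len(needle) + 1):
            if self.compare(addr, needle):
                return addr
        return None


def string_leaker(addr):
    """Simulated %s-style leak: bytes from addr up to, not including, NUL."""
    off = addr - MEMORY_BASE
    if not 0 <= off < len(MEMORY):
        return None
    end = MEMORY.find(b'\x00', off)
    return MEMORY[off:end if end >= 0 else len(MEMORY)]


def line_leaker(addr):
    """Simulated single-byte leak that cannot return a newline."""
    off = addr - MEMORY_BASE
    if not 0 <= off < len(MEMORY) or MEMORY[off] == 0x0a:
        return None
    return MEMORY[off:off + 1]
```

The `calls` counter is what makes the `compare` point visible: scanning for `/bin/sh\0` with a byte-at-a-time primitive rejects almost every candidate address after a single leak, and a string leaker fills the cache for the whole run up to the NUL, so later reads in that range are free.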
Published by TethysSvensson about 10 years ago