Support HackTricks and get benefits! Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)! Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family) Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com) **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](7af18b62b3/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.** **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
# PwnTools

```bash
pip3 install pwntools
```

## Pwn asm

Get opcodes from a line or from a file.

```bash
pwn asm "jmp esp"
pwn asm -i <filepath>
```

Can select:

* output type (raw, hex, string, elf)
* output file
* context (16, 32, 64, linux, windows...)
* avoid bytes (new lines, null, a list)
* select encoder
* debug the shellcode using gdb
* run the output

## Pwn checksec

Checksec script

```bash
pwn checksec <executable>
```
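To show what checksec actually reads from a binary, here is an added example (not pwntools' code) that parses the ELF64 header and program headers with the standard library and reports PIE, NX and RELRO. The `build_minimal_elf` helper constructs a header-only sample image so the example runs without a real binary; the canary check and the Full RELRO check (which need the symbol table and the dynamic section) are deliberately left out, and a missing `PT_GNU_STACK` entry is treated as "NX off", which is an assumption made here for a conservative report.

```python
import struct

# ELF constants taken from the ELF specification
ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
MACHINES = {3: "i386", 40: "arm", 62: "amd64", 183: "aarch64"}

EHDR_FMT = "<16sHHIQQQIHHHHHH"  # Elf64_Ehdr (64 bytes, little-endian)
PHDR_FMT = "<IIQQQQQQ"          # Elf64_Phdr (56 bytes)


def build_minimal_elf(e_type, stack_flags, with_relro):
    """Constructed sample: an ELF64 image carrying only the headers checksec needs."""
    phdrs = [struct.pack(PHDR_FMT, PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)]
    if with_relro:
        phdrs.append(struct.pack(PHDR_FMT, PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0, 0]) + b"\x00" * 7
    # e_machine 62 = x86-64; program headers start right after the 64-byte header
    ehdr = struct.pack(EHDR_FMT, ident, e_type, 62, 1, 0x401000,
                       64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(phdrs)


def checksec(data):
    """Report arch, PIE, NX and RELRO state from the ELF64 program headers."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only little-endian ELF64 is handled in this example")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_type, e_machine, e_phoff = hdr[1], hdr[2], hdr[5]
    e_phentsize, e_phnum = hdr[9], hdr[10]

    gnu_stack_flags = None
    has_relro = False
    for i in range(e_phnum):
        # only p_type and p_flags (the first two u32 fields) are needed here
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            has_relro = True

    return {
        "arch": MACHINES.get(e_machine, hex(e_machine)),
        # ET_DYN is what lets the loader map the image at a random base (PIE)
        "pie": e_type == ET_DYN,
        # NX holds only when the stack segment is explicitly marked non-executable;
        # a missing PT_GNU_STACK is reported as "no NX" (assumption: conservative
        # reading, the real kernel default depends on arch and configuration)
        "nx": gnu_stack_flags is not None and not (gnu_stack_flags & PF_X),
        # Full RELRO additionally needs DT_BIND_NOW in the dynamic section,
        # which this header-only parser does not read
        "relro": "Partial" if has_relro else "No",
    }


if __name__ == "__main__":
    samples = [("hardened", build_minimal_elf(ET_DYN, PF_R | PF_W, True)),
               ("legacy", build_minimal_elf(ET_EXEC, PF_R | PF_W | PF_X, False))]
    for name, image in samples:
        print(name, checksec(image))
```

Run it against a real file with `checksec(open(path, "rb").read())`; the same two program-header types are what `pwn disablenx` below has to touch to flip the stack back to executable, which is why a checksec report that shows NX off on a modern toolchain build is worth a second look.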

## Pwn constgrep

## Pwn cyclic

Get a pattern

```bash
pwn cyclic 3000
pwn cyclic -l faad
```

Can select:

* The alphabet to use (lowercase chars by default)
* Length of the unique subsequence (default 4)
* context (16, 32, 64, linux, windows...)
* Look up the offset of a value (-l)
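The pattern behind `pwn cyclic` is a de Bruijn sequence: over the chosen alphabet, every substring of the chosen length (4 by default) appears exactly once, which is what makes the `-l` lookup unambiguous. The following is an added example, not pwntools' own implementation, that builds the sequence with the classic FKM algorithm, takes the first `length` characters like `pwn cyclic <length>`, and resolves an offset like `pwn cyclic -l`, accepting either the four characters or the little-endian integer you would read out of a register in a crash dump.

```python
import string
from itertools import islice


def de_bruijn(alphabet=string.ascii_lowercase, n=4):
    """Yield a de Bruijn sequence: each length-n string over alphabet appears once.
    Classic FKM construction (Lyndon words in lexicographic order)."""
    k = len(alphabet)
    a = [0] * (n + 1)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length, alphabet=string.ascii_lowercase, n=4):
    """Like `pwn cyclic <length>`: the first `length` characters of the pattern."""
    if length > len(alphabet) ** n:
        raise ValueError("pattern longer than the number of unique subsequences")
    return "".join(islice(de_bruijn(alphabet, n), length))


def cyclic_find(value, alphabet=string.ascii_lowercase, n=4):
    """Like `pwn cyclic -l <value>`: offset of an n-char subsequence in the pattern.
    `value` may be the characters themselves or an int as read from a register
    (little-endian, so 0x64616166 and "faad" name the same offset).
    Returns -1 when the value does not occur in the pattern."""
    if isinstance(value, int):
        value = value.to_bytes(n, "little")
    if isinstance(value, bytes):
        value = value.decode("ascii", errors="replace")
    if len(value) != n:
        raise ValueError(f"lookup value must be exactly {n} characters")
    window = ""
    for pos, ch in enumerate(de_bruijn(alphabet, n)):
        window = (window + ch)[-n:]   # sliding window over the stream
        if window == value:
            return pos - n + 1
    return -1


if __name__ == "__main__":
    pattern = cyclic(3000)
    print(pattern[:40])
    # the same value looked up as text and as a little-endian register value
    print(cyclic_find("faad"), cyclic_find(0x64616166))
```

Because the lookup walks the generator, it finds any offset up to 26^4 without materialising the whole sequence; with a custom alphabet or subsequence length, pass the same `alphabet`/`n` to both functions or the offsets will not line up, which is the same caveat that applies to mixing options between `pwn cyclic` and `pwn cyclic -l`.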

## Pwn debug

Attach GDB to a process

```bash
pwn debug --exec /bin/bash
pwn debug --pid 1234
pwn debug --process bash
```

Can select:

* By executable, by name or by pid
* context (16, 32, 64, linux, windows...)
* gdbscript to execute
* sysroot path

## Pwn disablenx

Disable NX in a binary

```bash
pwn disablenx <filepath>
```

## Pwn disasm

Disassemble hex opcodes

```bash
pwn disasm ffe4
```

Can select:

* context (16, 32, 64, linux, windows...)
* base address
* color (default) / no color

## Pwn elfdiff

Print the differences between 2 files

```bash
pwn elfdiff <file1> <file2>
```

## Pwn hex

Get the hexadecimal representation

```bash
pwn hex hola #Get hex of "hola" ascii
```

## Pwn phd

Get a hexdump

```bash
pwn phd <file>
```

Can select:

* Number of bytes to show
* Number of bytes per line
* Highlight a byte
* Skip bytes at the beginning
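The options above map onto a small hexdump routine; the following is an added example (not pwntools' `phd` code) that implements count, skip, bytes-per-line and byte highlighting with the standard library only. The output layout (offset column, hex bytes, highlighted byte in brackets, ASCII column) is this example's own choice, and the sample input is constructed.

```python
def hexdump(data, count=None, skip=0, width=16, highlight=None):
    """Render data hexdump-style and return the lines.
    count     - number of bytes to show (None = to the end of data)
    skip      - number of bytes to skip at the beginning
    width     - bytes per line
    highlight - byte value to mark with brackets (e.g. 0x00 to spot null bytes)"""
    end = len(data) if count is None else min(len(data), skip + count)
    lines = []
    for off in range(skip, end, width):
        chunk = data[off:min(off + width, end)]
        hexpart = " ".join(f"[{b:02x}]" if b == highlight else f"{b:02x}" for b in chunk)
        # printable ASCII as-is, everything else as a dot
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart}  |{text}|")
    return lines


if __name__ == "__main__":
    sample = b"hola\x00\x00" + bytes(range(0x30, 0x50))  # constructed sample input
    print("\n".join(hexdump(sample, highlight=0x00)))
    print("\n".join(hexdump(sample, skip=6, count=8, width=8)))
```

Highlighting a byte is the quick way to confirm whether a generated payload or shellcode still contains a value the target cannot accept (a null or a newline, for instance), which is the same check the "avoid bytes" options of `pwn asm` and `pwn shellcraft` automate.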

## Pwn pwnstrip

## Pwn scramble

## Pwn shellcraft

Get shellcodes

```bash
pwn shellcraft -l #List shellcodes
pwn shellcraft -l amd #Shellcodes with amd in the name
pwn shellcraft -f hex amd64.linux.sh #Output as hex (-f selects the format)
pwn shellcraft -r amd64.linux.sh #Run to test. Get shell
pwn shellcraft -r amd64.linux.bindsh 9095 #Bind SH to port
```

Can select:

* shellcode and arguments for the shellcode
* output file
* output format
* debug (attach a debugger to the shellcode)
* before (debug trap before the code)
* after (debug trap after the code)
* avoid bytes (default: null byte and newline)
* run the shellcode
* color / no color
* list syscalls
* list available shellcodes
* generate the ELF as a shared library

## Pwn template

Get a python template

```bash
pwn template
```

Can select: host, port, user, pass, path and quiet

## Pwn unhex

From hex to string

```bash
pwn unhex 686f6c61
```

## Pwn update

To update pwntools

```bash
pwn update
```