pwntools v4.4 & 4.5 beta0 releases: CTF framework and exploit development library
pwntools – CTF toolkit
Pwntools is a CTF framework and exploits the development library. Written in Python, it is designed for rapid prototyping and development and intended to make exploit writing as simple as possible.
There are bits of code everyone has written a million times, and everyone has their own way of doing it. Pwntools aims to provide all of these in a semi-standard way, so that you can stop copy-pasting the same struct.unpack(‘>I’, x) code around and instead use more slightly more legible wrappers like pack or p32 or even p64(…, endian=’big’, sign=True).
Aside from convenience wrappers around mundane functionality, it also provides a very rich set of tubes which wrap all of the IO that you’ll ever perform in a single, unifying interface. Switching from a local exploit to a remote exploit, or local exploit over SSH becomes a one-line change.
Last but not least, it also includes a wide array of exploitation assistance tools for intermediate-to-advanced use cases. These include remote symbol resolution given a memory disclosure primitive (MemLeak and DynELF), ELF parsing and patching (ELF), and ROP gadget discovery and call-chain building (ROP).
Changelog
v4.4
- #1541 Use
context.newlinefor tubes by default - #1602 Fix bytes handling in ssh tubes
- #1606 Fix
asm()anddisasm()for MSP430, S390 - #1616 Fix
cycliccli for 64 bit integers - #1632 Enable usage of Pwntools in jupyter
- #1633 Open a shell if
pwn templatecannot download the remote file - #1644 Enable and support SNI for SSL-wrapped tubes
- #1651 Make
pwn shellcraftfaster - #1654 Docker images (
pwntools/pwntools:stableetc) now use Python3 by default, and includes assemblers for a few common architectures - #1667 Add i386 encoder
ascii_shellcode(Fixed docs in #1693) - Fix syscall instruction lists for SROP on
i386andamd64 - Fix migration to another ROP
- #1673 Add
base=argument toROP.chain()andROP.dump() - #1675 Gdbserver now correctly accepts multiple libraries in
LD_PRELOADandLD_LIBRARY_PATH - #1678 ROPGadget multibr
- #1682 ROPGadget multibr fix
- #1687 Actually import
requestswhen doingfrom pwn import * - #1688 Add
__setattr__and__call__interfaces toROPfor setting registers - #1692 Remove python2 shebangs where appropriate
- #1703 Update libcdb buildid offsets for amd64 and i386
- #1704 Try https://libc.rip/ for libcdb lookup
v4.5 beta0
- #1261 Misc
run_in_new_terminalimprovements (notably gdb terminated by default) - #1695 Allow using GDB Python API
- #1735 Python 3.9 support in safeeval
- #1738 Which function support custom search path
- process also looks now at
env['PATH']to find the path for the executable
- process also looks now at
- #1742 New
baremetalos to debug binaries executed with qemu-system-$(arch) - #1757 update cache directories
- #1758 Remove eval from cli
- #1780 Re-add Python2 to the official Dockerfile
- #1941 Disable all Android tests,
pwnlib.adbis no longer supported in CI - #1811 Remove unnecessary
pwn.toplevel.__all__ - #1827 Support
$XDG_CONFIG_HOMEdir forpwn.conf - #1841 Add colored_traceback
- #1839 run_in_new_terminal now creates a runner script if given a list or tuple
- #1833 Add pwnlib.filesystem module
Install & Use
Copyright (c) 2015 Gallopsled et al.
