Command Line Tools

pwntools comes with a handful of useful command-line utilities which serve as wrappers for some of the internal functionality.

asm

Assemble shellcode into bytes

usage: asm [-h] [-f {raw,hex,string,elf}] [-o file] [-c context] [-v AVOID]
               [-n] [-z] [-d] [-e ENCODER] [-i INFILE] [-r]
               [line [line ...]]
line

Lines to assemble. If none are supplied, use stdin

-h, --help

show this help message and exit

-f {raw,hex,string,elf}, --format {raw,hex,string,elf}

Output format (defaults to hex for ttys, otherwise raw)

-o <file>, --output <file>

Output file (defaults to stdout)

-c {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,powerpc,sparc64,msp430,mips64,sparc,thumb,amd64,alpha,cris,mips,i386,ia64,s390,m68k,avr,arm,vax,little,big,el,be,eb,le}, --context {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,powerpc,sparc64,msp430,mips64,sparc,thumb,amd64,alpha,cris,mips,i386,ia64,s390,m68k,avr,arm,vax,little,big,el,be,eb,le}

The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘android’, ‘cgc’, ‘freebsd’, ‘linux’, ‘windows’, ‘powerpc64’, ‘aarch64’, ‘powerpc’, ‘sparc64’, ‘msp430’, ‘mips64’, ‘sparc’, ‘thumb’, ‘amd64’, ‘alpha’, ‘cris’, ‘mips’, ‘i386’, ‘ia64’, ‘s390’, ‘m68k’, ‘avr’, ‘arm’, ‘vax’, ‘little’, ‘big’, ‘el’, ‘be’, ‘eb’, ‘le’]

-v <avoid>, --avoid <avoid>

Encode the shellcode to avoid the listed bytes (provided as hex; default: 000a)

-n, --newline

Encode the shellcode to avoid newlines

-z, --zero

Encode the shellcode to avoid NULL bytes

-d, --debug

Debug the shellcode with GDB

-e <encoder>, --encoder <encoder>

Specific encoder to use

-i <infile>, --infile <infile>

Specify input file

-r, --run

Run output

checksec

Check binary security settings

usage: checksec [-h] elf [elf ...]
elf

Files to check

-h, --help

show this help message and exit

constgrep

Looking up constants from header files.

Example: constgrep -c freebsd -m ^PROT_ ‘3 + 4’

usage: constgrep [-h] [-e constant] [-i] [-m] [-c arch_or_os]
                     [regex] [constant]
regex

The regex matching constant you want to find

constant

The constant to find

-h, --help

show this help message and exit

-e <constant>, --exact <constant>

Do an exact match for a constant instead of searching for a regex

-i, --case-insensitive

Search case insensitive

-m, --mask-mode

Instead of searching for a specific constant value, search for values not containing strictly less bits that the given value.

-c {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,powerpc,sparc64,msp430,mips64,sparc,thumb,amd64,alpha,cris,mips,i386,ia64,s390,m68k,avr,arm,vax,little,big,el,be,eb,le}, --context {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,powerpc,sparc64,msp430,mips64,sparc,thumb,amd64,alpha,cris,mips,i386,ia64,s390,m68k,avr,arm,vax,little,big,el,be,eb,le}

The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘android’, ‘cgc’, ‘freebsd’, ‘linux’, ‘windows’, ‘powerpc64’, ‘aarch64’, ‘powerpc’, ‘sparc64’, ‘msp430’, ‘mips64’, ‘sparc’, ‘thumb’, ‘amd64’, ‘alpha’, ‘cris’, ‘mips’, ‘i386’, ‘ia64’, ‘s390’, ‘m68k’, ‘avr’, ‘arm’, ‘vax’, ‘little’, ‘big’, ‘el’, ‘be’, ‘eb’, ‘le’]

cyclic

Cyclic pattern creator/finder

usage: cyclic [-h] [-a alphabet] [-n length] [-c context] [-l lookup_value]
                  [count]
count

Number of characters to print

-h, --help

show this help message and exit

-a <alphabet>, --alphabet <alphabet>

The alphabet to use in the cyclic pattern (defaults to all lower case letters)

-n <length>, --length <length>

Size of the unique subsequences (defaults to 4).

-c {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,powerpc,sparc64,msp430,mips64,sparc,thumb,amd64,alpha,cris,mips,i386,ia64,s390,m68k,avr,arm,vax,little,big,el,be,eb,le}, --context {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,powerpc,sparc64,msp430,mips64,sparc,thumb,amd64,alpha,cris,mips,i386,ia64,s390,m68k,avr,arm,vax,little,big,el,be,eb,le}

The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘android’, ‘cgc’, ‘freebsd’, ‘linux’, ‘windows’, ‘powerpc64’, ‘aarch64’, ‘powerpc’, ‘sparc64’, ‘msp430’, ‘mips64’, ‘sparc’, ‘thumb’, ‘amd64’, ‘alpha’, ‘cris’, ‘mips’, ‘i386’, ‘ia64’, ‘s390’, ‘m68k’, ‘avr’, ‘arm’, ‘vax’, ‘little’, ‘big’, ‘el’, ‘be’, ‘eb’, ‘le’]

-l <lookup_value>, -o <lookup_value>, --offset <lookup_value>, --lookup <lookup_value>

Do a lookup instead printing the alphabet

disasm

Disassemble bytes into text format

usage: disasm [-h] [-c arch_or_os] [-a address] [--color] [--no-color]
                  [hex [hex ...]]
hex

Hex-string to disasemble. If none are supplied, then it uses stdin in non-hex mode.

-h, --help

show this help message and exit

-c {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,powerpc,sparc64,msp430,mips64,sparc,thumb,amd64,alpha,cris,mips,i386,ia64,s390,m68k,avr,arm,vax,little,big,el,be,eb,le}, --context {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,powerpc,sparc64,msp430,mips64,sparc,thumb,amd64,alpha,cris,mips,i386,ia64,s390,m68k,avr,arm,vax,little,big,el,be,eb,le}

The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘android’, ‘cgc’, ‘freebsd’, ‘linux’, ‘windows’, ‘powerpc64’, ‘aarch64’, ‘powerpc’, ‘sparc64’, ‘msp430’, ‘mips64’, ‘sparc’, ‘thumb’, ‘amd64’, ‘alpha’, ‘cris’, ‘mips’, ‘i386’, ‘ia64’, ‘s390’, ‘m68k’, ‘avr’, ‘arm’, ‘vax’, ‘little’, ‘big’, ‘el’, ‘be’, ‘eb’, ‘le’]

-a <address>, --address <address>

Base address

--color

Color output

--no-color

Disable color output

elfdiff

usage: elfdiff [-h] a b
a
b
-h, --help

show this help message and exit

elfpatch

usage: elfpatch [-h] elf offset bytes
elf

File to patch

offset

Offset to patch in virtual address (hex encoded)

bytes

Bytes to patch (hex encoded)

-h, --help

show this help message and exit

hex

Hex-encodes data provided on the command line or via stdin.

usage: hex [-h] [data [data ...]]
data

Data to convert into hex

-h, --help

show this help message and exit

phd

Pwnlib HexDump

usage: phd [-h] [-w WIDTH] [-l [HIGHLIGHT [HIGHLIGHT ...]]] [-s SKIP]
               [-c COUNT] [-o OFFSET] [--color [{always,never,auto}]]
               [file]
file

File to hexdump. Reads from stdin if missing.

-h, --help

show this help message and exit

-w <width>, --width <width>

Number of bytes per line.

-l <highlight>, --highlight <highlight>

Byte to highlight.

-s <skip>, --skip <skip>

Skip this many initial bytes.

-c <count>, --count <count>

Only show this many bytes.

-o <offset>, --offset <offset>

Addresses in left hand column starts at this address.

--color {always,never,auto}

Colorize the output. When ‘auto’ output is colorized exactly when stdout is a TTY. Default is ‘auto’.

shellcraft

Microwave shellcode – Easy, fast and delicious

usage: shellcraft [-h] [-?] [-o file] [-f format] [-d] [-b] [-a] [-v AVOID]
                      [-n] [-z] [-r] [--color] [--no-color] [-l] [--syscalls]
                      [--address ADDRESS]
                      [shellcode] [arg [arg ...]]
shellcode

The shellcode you want

arg

Argument to the chosen shellcode

-h, --help

show this help message and exit

-?, --show

Show shellcode documentation

-o <file>, --out <file>

Output file (default: stdout)

-f {r,raw,s,str,string,c,h,hex,a,asm,assembly,p,i,hexii,e,elf,default}, --format {r,raw,s,str,string,c,h,hex,a,asm,assembly,p,i,hexii,e,elf,default}

Output format (default: hex), choose from {r}aw, {s}tring, {c}-style array, {h}ex string, hex{i}i, {a}ssembly code, {p}reprocssed code

-d, --debug

Debug the shellcode with GDB

-b, --before

Insert a debug trap before the code

-a, --after

Insert a debug trap after the code

-v <avoid>, --avoid <avoid>

Encode the shellcode to avoid the listed bytes

-n, --newline

Encode the shellcode to avoid newlines

-z, --zero

Encode the shellcode to avoid NULL bytes

-r, --run

Run output

--color

Color output

--no-color

Disable color output

-l, --list

List all available shellcodes

--syscalls

List syscalls

--address <address>

Load address

unhex

Decodes hex-encoded data provided on the command line or via stdin.

usage: unhex [-h] [hex [hex ...]]
hex

Hex bytes to decode

-h, --help

show this help message and exit