Command Line Tools
pwntools comes with a handful of useful command-line utilities which serve as wrappers for some of the internal functionality.
asm
Assemble shellcode into bytes

usage: asm [-h] [-f {raw,hex,string,elf}] [-o file] [-c context] [-v AVOID]
           [-n] [-z] [-d] [-e ENCODER] [-i INFILE] [-r]
           [line [line ...]]

line
    Lines to assemble. If none are supplied, use stdin
-h, --help
    show this help message and exit
-f {raw,hex,string,elf}, --format {raw,hex,string,elf}
    Output format (defaults to hex for ttys, otherwise raw)
-o <file>, --output <file>
    Output file (defaults to stdout)
-c CONTEXT, --context CONTEXT
    The os/architecture/endianness/bits the shellcode will run in (default: linux/i386). Choose from: 16, 32, 64, android, cgc, freebsd, linux, windows, powerpc64, aarch64, powerpc, sparc64, mips64, msp430, alpha, amd64, thumb, sparc, s390, cris, i386, ia64, mips, m68k, arm, vax, avr, little, big, eb, el, be, le
-v <avoid>, --avoid <avoid>
    Encode the shellcode to avoid the listed bytes (provided as hex; default: 000a)
-n, --newline
    Encode the shellcode to avoid newlines
-z, --zero
    Encode the shellcode to avoid NULL bytes
-d, --debug
    Debug the shellcode with GDB
-e <encoder>, --encoder <encoder>
    Specific encoder to use
-i <infile>, --infile <infile>
    Specify input file
-r, --run
    Run output
checksec
Check binary security settings

usage: checksec [-h] elf [elf ...]

elf
    Files to check
-h, --help
    show this help message and exit
constgrep
Look up constants from header files.

Example: constgrep -c freebsd -m ^PROT_ '3 + 4'

usage: constgrep [-h] [-e constant] [-i] [-m] [-c arch_or_os]
                 [regex] [constant]

regex
    The regex matching the constant names you want to find
constant
    The constant value to find (an expression such as '3 + 4' is evaluated)
-h, --help
    show this help message and exit
-e <constant>, --exact <constant>
    Do an exact match for a constant instead of searching for a regex
-i, --case-insensitive
    Search case insensitive
-m, --mask-mode
    Instead of searching for a specific constant value, treat the given value as a bit mask and report every matching constant whose set bits are all contained in it, so that a flags word such as '3 + 4' decomposes into the named PROT_* flags that make it up.
-c CONTEXT, --context CONTEXT
    The os/architecture/endianness/bits the shellcode will run in (default: linux/i386). Choose from: 16, 32, 64, android, cgc, freebsd, linux, windows, powerpc64, aarch64, powerpc, sparc64, mips64, msp430, alpha, amd64, thumb, sparc, s390, cris, i386, ia64, mips, m68k, arm, vax, avr, little, big, eb, el, be, le
cyclic
Cyclic pattern creator/finder

usage: cyclic [-h] [-a alphabet] [-n length] [-c context] [-l lookup_value]
              [count]

count
    Number of characters to print
-h, --help
    show this help message and exit
-a <alphabet>, --alphabet <alphabet>
    The alphabet to use in the cyclic pattern (defaults to all lower case letters)
-n <length>, --length <length>
    Size of the unique subsequences (defaults to 4).
-c CONTEXT, --context CONTEXT
    The os/architecture/endianness/bits the shellcode will run in (default: linux/i386). Choose from: 16, 32, 64, android, cgc, freebsd, linux, windows, powerpc64, aarch64, powerpc, sparc64, mips64, msp430, alpha, amd64, thumb, sparc, s390, cris, i386, ia64, mips, m68k, arm, vax, avr, little, big, eb, el, be, le
-l <lookup_value>, -o <lookup_value>, --offset <lookup_value>, --lookup <lookup_value>
    Do a lookup instead of printing the pattern: report the offset at which the given value (for example the contents of a crashed register) occurs in the pattern
disasm
Disassemble bytes into text format

usage: disasm [-h] [-c arch_or_os] [-a address] [--color] [--no-color]
              [hex [hex ...]]

hex
    Hex-string to disassemble. If none are supplied, then it uses stdin in non-hex mode.
-h, --help
    show this help message and exit
-c CONTEXT, --context CONTEXT
    The os/architecture/endianness/bits the shellcode will run in (default: linux/i386). Choose from: 16, 32, 64, android, cgc, freebsd, linux, windows, powerpc64, aarch64, powerpc, sparc64, mips64, msp430, alpha, amd64, thumb, sparc, s390, cris, i386, ia64, mips, m68k, arm, vax, avr, little, big, eb, el, be, le
-a <address>, --address <address>
    Base address
--color
    Color output
--no-color
    Disable color output
elfpatch

usage: elfpatch [-h] elf offset bytes

elf
    File to patch
offset
    Offset to patch in virtual address (hex encoded)
bytes
    Bytes to patch (hex encoded)
-h, --help
    show this help message and exit
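What `checksec` reads from a binary, and how `elfpatch` turns a virtual address into a file offset, both come from the ELF program headers. The following is an added example (not pwntools' code) that parses those headers with nothing but `struct`: `elf_security` reports NX, PIE and RELRO the way checksec does (stack canary detection needs the symbol table and is left out), and `elf_patch` writes bytes at a virtual address by locating the PT_LOAD segment that backs it, refusing addresses such as .bss that have no file bytes behind them. `build_sample_elf` constructs a minimal, non-runnable ELF64 image purely so the example has input to work on; the constants are the standard values from elf.h.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 1, 2, 0x6474e551, 0x6474e552
PF_X = 1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6ffffffb
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def parse_elf(data):
    """Return (e_type, program headers, dynamic tags) of an ELF32/ELF64 image."""
    if data[:4] != b'\x7fELF':
        raise ValueError('not an ELF image')
    bits, e = {1: 32, 2: 64}[data[4]], {1: '<', 2: '>'}[data[5]]
    e_type, = struct.unpack_from(e + 'H', data, 16)
    if bits == 64:
        e_phoff, = struct.unpack_from(e + 'Q', data, 32)
        e_phentsize, e_phnum = struct.unpack_from(e + 'HH', data, 54)
        fmt, order, dyn_fmt = e + 'IIQQQQQQ', ('type', 'flags', 'offset', 'vaddr',
                                              'paddr', 'filesz', 'memsz', 'align'), e + 'qQ'
    else:  # ELF32 puts p_flags after p_memsz
        e_phoff, = struct.unpack_from(e + 'I', data, 28)
        e_phentsize, e_phnum = struct.unpack_from(e + 'HH', data, 42)
        fmt, order, dyn_fmt = e + 'IIIIIIII', ('type', 'offset', 'vaddr', 'paddr',
                                              'filesz', 'memsz', 'flags', 'align'), e + 'iI'
    segs = [dict(zip(order, struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)))
            for i in range(e_phnum)]
    dyn = {}
    for s in segs:
        if s['type'] == PT_DYNAMIC:
            for off in range(s['offset'], s['offset'] + s['filesz'], struct.calcsize(dyn_fmt)):
                tag, val = struct.unpack_from(dyn_fmt, data, off)
                if tag == DT_NULL:
                    break
                dyn[tag] = val
    return e_type, segs, dyn


def elf_security(data):
    """checksec-style report: NX (non-executable stack), PIE and RELRO."""
    e_type, segs, dyn = parse_elf(data)
    stack = [s for s in segs if s['type'] == PT_GNU_STACK]
    # Without a PT_GNU_STACK header the loader falls back to an executable stack.
    nx = bool(stack) and not (stack[0]['flags'] & PF_X)
    if not any(s['type'] == PT_GNU_RELRO for s in segs):
        relro = 'No'
    elif DT_BIND_NOW in dyn or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW:
        relro = 'Full'      # GOT resolved at load time, then mapped read-only
    else:
        relro = 'Partial'   # lazy binding leaves the GOT writable
    # ET_DYN also covers shared objects; for a main executable it means PIE.
    return {'nx': nx, 'pie': e_type == ET_DYN, 'relro': relro}


def elf_patch(data, vaddr, patch):
    """elfpatch: write `patch` at virtual address `vaddr` via the PT_LOAD segment
    that maps it. Addresses with no file bytes behind them (.bss) raise."""
    _, segs, _ = parse_elf(data)
    for s in segs:
        if s['type'] == PT_LOAD and s['vaddr'] <= vaddr and \
                vaddr + len(patch) <= s['vaddr'] + s['filesz']:
            off = vaddr - s['vaddr'] + s['offset']
            return data[:off] + patch + data[off + len(patch):]
    raise ValueError('0x%x is not backed by file contents in any PT_LOAD segment' % vaddr)


def build_sample_elf(exec_stack=False, bind_now=True, pie=True, base=0x400000):
    """Constructed test input (assumed layout, not a real binary): a minimal
    little-endian ELF64 consisting of the ELF header, four program headers and
    a two-entry dynamic section, mapped as one PT_LOAD segment at `base`."""
    phnum, dyn_off = 4, 64 + 4 * 56
    dyn = struct.pack('<qQ', DT_FLAGS, DF_BIND_NOW if bind_now else 0) + struct.pack('<qQ', DT_NULL, 0)
    total = dyn_off + len(dyn)
    phdrs = [
        (PT_LOAD, 5, 0, base, base, total, total, 0x1000),
        (PT_DYNAMIC, 6, dyn_off, base + dyn_off, base + dyn_off, len(dyn), len(dyn), 8),
        (PT_GNU_STACK, 6 | (PF_X if exec_stack else 0), 0, 0, 0, 0, 0, 16),
        (PT_GNU_RELRO, 4, dyn_off, base + dyn_off, base + dyn_off, len(dyn), len(dyn), 1),
    ]
    ident = b'\x7fELF' + bytes([2, 1, 1, 0]) + b'\x00' * 8
    ehdr = struct.pack('<16sHHIQQQIHHHHHH', ident, ET_DYN if pie else ET_EXEC, 62, 1,
                       base + 64, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    return ehdr + b''.join(struct.pack('<IIQQQQQQ', *p) for p in phdrs) + dyn


if __name__ == '__main__':
    img = build_sample_elf(exec_stack=True, bind_now=False, pie=False)
    print(elf_security(img))                      # nx False, pie False, relro Partial
    print(elf_patch(img, 0x400040, b'\xcc')[0x40])  # 0xcc now sits at file offset 0x40
```

Run `elf_security(open(path, 'rb').read())` against a real binary to compare with checksec; note that the real tool also reports the stack canary, which requires walking the symbol table for `__stack_chk_fail`.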
hex
Hex-encodes data provided on the command line or via stdin.

usage: hex [-h] [data [data ...]]

data
    Data to convert into hex
-h, --help
    show this help message and exit
phd
Pwnlib HexDump

usage: phd [-h] [-w WIDTH] [-l [HIGHLIGHT [HIGHLIGHT ...]]] [-s SKIP]
           [-c COUNT] [-o OFFSET] [--color [{always,never,auto}]]
           [file]

file
    File to hexdump. Reads from stdin if missing.
-h, --help
    show this help message and exit
-w <width>, --width <width>
    Number of bytes per line.
-l <highlight>, --highlight <highlight>
    Bytes to highlight.
-s <skip>, --skip <skip>
    Skip this many initial bytes.
-c <count>, --count <count>
    Only show this many bytes.
-o <offset>, --offset <offset>
    Addresses in the left-hand column start at this address.
--color {always,never,auto}
    Colorize the output. When 'auto', output is colorized exactly when stdout is a TTY. Default is 'auto'.
shellcraft
Microwave shellcode – Easy, fast and delicious

usage: shellcraft [-h] [-?] [-o file] [-f format] [-d] [-b] [-a] [-v AVOID]
                  [-n] [-z] [-r] [--color] [--no-color] [-l] [--syscalls]
                  [--address ADDRESS]
                  [shellcode] [arg [arg ...]]

shellcode
    The shellcode you want
arg
    Argument to the chosen shellcode
-h, --help
    show this help message and exit
-?, --show
    Show shellcode documentation
-o <file>, --out <file>
    Output file (default: stdout)
-f {r,raw,s,str,string,c,h,hex,a,asm,assembly,p,i,hexii,e,elf,default}, --format {r,raw,s,str,string,c,h,hex,a,asm,assembly,p,i,hexii,e,elf,default}
    Output format (default: hex), choose from {r}aw, {s}tring, {c}-style array, {h}ex string, hex{i}i, {a}ssembly code, {p}reprocessed code, {e}lf
-d, --debug
    Debug the shellcode with GDB
-b, --before
    Insert a debug trap before the code
-a, --after
    Insert a debug trap after the code
-v <avoid>, --avoid <avoid>
    Encode the shellcode to avoid the listed bytes
-n, --newline
    Encode the shellcode to avoid newlines
-z, --zero
    Encode the shellcode to avoid NULL bytes
-r, --run
    Run output
--color
    Color output
--no-color
    Disable color output
-l, --list
    List all available shellcodes
--syscalls
    List syscalls
--address <address>
    Load address