Command Line Tools
pwntools comes with a handful of useful command-line utilities which serve as wrappers for some of the internal functionality.
asm
Assemble shellcode into bytes
usage: asm [-h] [-f {raw,hex,string,elf}] [-o file] [-c context] [-v AVOID]
           [-n] [-z] [-d] [-e ENCODER] [-i INFILE] [-r]
           [line [line ...]]
- line: Lines to assemble. If none are supplied, use stdin
- -h, --help: show this help message and exit
- -f {raw,hex,string,elf}, --format {raw,hex,string,elf}: Output format (defaults to hex for ttys, otherwise raw)
- -o <file>, --output <file>: Output file (defaults to stdout)
- -c <context>, --context <context>: The os/architecture/endianness/bits the shellcode will run in (default: linux/i386). Choose from: 16, 32, 64, android, cgc, freebsd, linux, windows, powerpc64, aarch64, powerpc, sparc64, mips64, msp430, alpha, amd64, thumb, sparc, s390, cris, i386, ia64, mips, m68k, arm, vax, avr, little, big, eb, el, be, le
- -v <avoid>, --avoid <avoid>: Encode the shellcode to avoid the listed bytes (provided as hex; default: 000a)
- -n, --newline: Encode the shellcode to avoid newlines
- -z, --zero: Encode the shellcode to avoid NULL bytes
- -d, --debug: Debug the shellcode with GDB
- -e <encoder>, --encoder <encoder>: Specific encoder to use
- -i <infile>, --infile <infile>: Specify input file
- -r, --run: Run output
checksec
Check binary security settings
usage: checksec [-h] elf [elf ...]
- elf: Files to check
- -h, --help: show this help message and exit
constgrep
Looking up constants from header files.
Example: constgrep -c freebsd -m ^PROT_ '3 + 4'
usage: constgrep [-h] [-e constant] [-i] [-m] [-c arch_or_os]
                 [regex] [constant]
- regex: The regex matching the constant you want to find
- constant: The constant to find
- -h, --help: show this help message and exit
- -e <constant>, --exact <constant>: Do an exact match for a constant instead of searching for a regex
- -i, --case-insensitive: Search case-insensitively
- -m, --mask-mode: Instead of searching for a specific constant value, search for values that do not contain strictly fewer bits than the given value.
- -c <arch_or_os>, --context <arch_or_os>: The os/architecture/endianness/bits the shellcode will run in (default: linux/i386). Choose from: 16, 32, 64, android, cgc, freebsd, linux, windows, powerpc64, aarch64, powerpc, sparc64, mips64, msp430, alpha, amd64, thumb, sparc, s390, cris, i386, ia64, mips, m68k, arm, vax, avr, little, big, eb, el, be, le
cyclic
Cyclic pattern creator/finder
usage: cyclic [-h] [-a alphabet] [-n length] [-c context] [-l lookup_value]
              [count]
- count: Number of characters to print
- -h, --help: show this help message and exit
- -a <alphabet>, --alphabet <alphabet>: The alphabet to use in the cyclic pattern (defaults to all lower case letters)
- -n <length>, --length <length>: Size of the unique subsequences (defaults to 4).
- -c <context>, --context <context>: The os/architecture/endianness/bits the shellcode will run in (default: linux/i386). Choose from: 16, 32, 64, android, cgc, freebsd, linux, windows, powerpc64, aarch64, powerpc, sparc64, mips64, msp430, alpha, amd64, thumb, sparc, s390, cris, i386, ia64, mips, m68k, arm, vax, avr, little, big, eb, el, be, le
- -l <lookup_value>, -o <lookup_value>, --offset <lookup_value>, --lookup <lookup_value>: Do a lookup instead of printing the alphabet
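Added example, not pwntools' own code: a stand-alone Python re-implementation of what `cyclic` does (the `count`, `-a`, `-n` and `-l` options above), so the pattern construction and the offset lookup can be studied together. The function names `de_bruijn`, `cyclic` and `cyclic_find` are mine; integer lookups assume the tool's default little-endian linux/i386 context.

```python
import functools
import string
from typing import Union

LOWER = string.ascii_lowercase  # the tool's default alphabet (all lower case letters)

@functools.lru_cache(maxsize=None)
def de_bruijn(alphabet: str, n: int) -> str:
    """De Bruijn sequence B(k, n), k = len(alphabet), built with the FKM algorithm.
    Every length-n window occurs exactly once in the k**n characters, so a window
    recovered from a crash (e.g. an overwritten saved return address) maps to one offset."""
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
            return
        a[t] = a[t - p]
        db(t + 1, p)
        for j in range(a[t - p] + 1, k):
            a[t] = j
            db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in out)

def cyclic(count: int, alphabet: str = LOWER, n: int = 4) -> str:
    """Equivalent of `cyclic [-a alphabet] [-n length] count`."""
    if count > len(alphabet) ** n:
        raise ValueError("only %d unique windows exist" % len(alphabet) ** n)
    return de_bruijn(alphabet, n)[:count]

def cyclic_find(value: Union[str, int], alphabet: str = LOWER, n: int = 4) -> int:
    """Equivalent of `cyclic -l value`: offset of the window in the pattern, or -1.
    An int is treated as a register value and unpacked little-endian, matching the
    tool's default linux/i386 context (assumption: the value fits in n bytes)."""
    if isinstance(value, int):
        value = value.to_bytes(n, "little").decode("latin-1")
    window = value[:n]  # only a full length-n window is guaranteed unique
    if len(window) != n:
        raise ValueError("need at least %d characters to identify an offset" % n)
    return de_bruijn(alphabet, n).find(window)
```

With the default alphabet and `-n 4` there are 26**4 = 456976 distinct windows, so any pattern longer than that would contain repeats and make a lookup ambiguous.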
disasm
Disassemble bytes into text format
usage: disasm [-h] [-c arch_or_os] [-a address] [--color] [--no-color]
              [hex [hex ...]]
- hex: Hex-string to disassemble. If none are supplied, then it uses stdin in non-hex mode.
- -h, --help: show this help message and exit
- -c <arch_or_os>, --context <arch_or_os>: The os/architecture/endianness/bits the shellcode will run in (default: linux/i386). Choose from: 16, 32, 64, android, cgc, freebsd, linux, windows, powerpc64, aarch64, powerpc, sparc64, mips64, msp430, alpha, amd64, thumb, sparc, s390, cris, i386, ia64, mips, m68k, arm, vax, avr, little, big, eb, el, be, le
- -a <address>, --address <address>: Base address
- --color: Color output
- --no-color: Disable color output
elfpatch
usage: elfpatch [-h] elf offset bytes
- elf: File to patch
- offset: Offset to patch, as a virtual address (hex encoded)
- bytes: Bytes to patch (hex encoded)
- -h, --help: show this help message and exit
hex
Hex-encodes data provided on the command line or via stdin.
usage: hex [-h] [data [data ...]]
- data: Data to convert into hex
- -h, --help: show this help message and exit
phd
Pwnlib HexDump
usage: phd [-h] [-w WIDTH] [-l [HIGHLIGHT [HIGHLIGHT ...]]] [-s SKIP]
           [-c COUNT] [-o OFFSET] [--color [{always,never,auto}]]
           [file]
- file: File to hexdump. Reads from stdin if missing.
- -h, --help: show this help message and exit
- -w <width>, --width <width>: Number of bytes per line.
- -l <highlight>, --highlight <highlight>: Byte to highlight.
- -s <skip>, --skip <skip>: Skip this many initial bytes.
- -c <count>, --count <count>: Only show this many bytes.
- -o <offset>, --offset <offset>: Addresses in the left-hand column start at this address.
- --color {always,never,auto}: Colorize the output. When 'auto', output is colorized exactly when stdout is a TTY. Default is 'auto'.
shellcraft
Microwave shellcode – Easy, fast and delicious
usage: shellcraft [-h] [-?] [-o file] [-f format] [-d] [-b] [-a] [-v AVOID]
                  [-n] [-z] [-r] [--color] [--no-color] [-l] [--syscalls]
                  [--address ADDRESS]
                  [shellcode] [arg [arg ...]]
- shellcode: The shellcode you want
- arg: Argument to the chosen shellcode
- -h, --help: show this help message and exit
- -?, --show: Show shellcode documentation
- -o <file>, --out <file>: Output file (default: stdout)
- -f <format>, --format <format>: Output format (default: hex). One of r, raw, s, str, string, c, h, hex, a, asm, assembly, p, i, hexii, e, elf, default; that is, {r}aw, {s}tring, {c}-style array, {h}ex string, hex{i}i, {a}ssembly code, {p}reprocessed code
- -d, --debug: Debug the shellcode with GDB
- -b, --before: Insert a debug trap before the code
- -a, --after: Insert a debug trap after the code
- -v <avoid>, --avoid <avoid>: Encode the shellcode to avoid the listed bytes
- -n, --newline: Encode the shellcode to avoid newlines
- -z, --zero: Encode the shellcode to avoid NULL bytes
- -r, --run: Run output
- --color: Color output
- --no-color: Disable color output
- -l, --list: List all available shellcodes
- --syscalls: List syscalls
- --address <address>: Load address