pwntools cheatsheet#

Program Interaction#

start a local process (the path is relative to the current directory)

p = process("./binary")

start it under gdb instead (note: a compatible terminal is required; I prefer using tmux)

p = gdb.debug("./binary")
p = gdb.debug("./binary", aslr=False)

to interact with a remote service

p = remote(ip, port)

Writing and reading data#

p.send(b"hello") -> sends "hello" exactly as given (no newline appended)
p.sendline(b"hello") -> sends "hello\n"

p.recv(100) -> read up to 100 bytes (returns as soon as any data is available)
p.recvline() -> read until a newline (\n) is encountered
p.recvall() -> read everything until EOF (blocks until the other side closes)
p.clean(1) -> drain whatever arrives within the timeout (1 second) without waiting for EOF

p.sendafter(b"some string", payload) -> waits until the string has been received, then sends payload
p.sendlineafter(b"some string", payload) -> same as sendafter but with a newline at the end


p.interactive() -> interact manually

Setting context#

the context tells pwntools what the target looks like; it matters when assembling shellcode and building ROP chains

context.arch = "amd64" -> for x86-64 (the default is i386)

context.endian -> default is little

context.log_level = "error" -> only show error logs

the different log_levels, from most to least verbose, are:
debug
info
warn
error

encoding and decoding values#

p8(0x13) -> pack a 1 byte integer into bytes (b"\x13")
p16() -> 2 bytes
p32() -> 4 bytes
p64() -> 8 bytes

similarly

u8() -> unpack, converts bytes of exactly that width to an int
u16()
u32()
u64()

for other widths, pass the word size in bits as the second argument:
pack()
unpack()

generating shellcode#

use asm (it assembles for context.arch, so set that first; the default i386 would reject 64-bit registers)

context.arch = "amd64"
shellcode = asm("""    # exit(1337)
mov rax, 60
mov rdi, 1337
syscall
""")

ELFs and symbols#

elf = ELF("./binary")

elf.plt -> dict of symbol name to PLT stub address
elf.got -> dict of symbol name to GOT slot address
elf.sym -> dict of all known symbols (functions and objects) to address

on a binary with PIE enabled these are offsets from 0 until the load address is known; once you have leaked it, set it and all three dicts are rebased

elf.address = base address