Pwntools Cheat Sheet
Last modified: 2024-02-18
Pwntools is a CTF framework and exploit development library.
from pwn import *
# Runtime variables
# `context` is pwntools' global settings object: the packing helpers (p64 etc.),
# ELF loading and tube logging all read from it, so set it before anything else.
context.arch = "amd64"
context.os = "linux"
context.binary = "./example" # Set executable file; the path is loaded as an ELF and arch/bits/endianness are taken from its headers
context.log_level = 'debug' # Enable logging; at 'debug' every byte sent and received is echoed, so lower it when the session carries credentials
# Runtime variables (Update) -- several settings in one call; the second call switches to a 32-bit target
context.update(arch="amd64", os="linux")
context.update(arch="i386", os="linux")
# Logging -- prefer these over print() so output respects context.log_level
log.info("Start pwning...")
log.success("Pwned!")
# Load executable (parses symbols, GOT/PLT entries and sections; context.binary above already holds an equivalent ELF)
exe = ELF("./example")
# Libc: the C library the binary links against, resolved on the local system.
# It may be None when it cannot be found, and a remote target may ship a different build,
# so addresses derived from it are only valid for that exact libc.
libc = exe.libc
sh_addr = next(libc.search(b"/bin/sh")) # first occurrence of the string in libc; next() raises StopIteration if there is none
# Start process -- `conn` is reassigned three times here; a real script keeps only one
conn = process("./example") # local file
conn = process(exe.path) # also we can specify the executable path
conn = remote("10.0.0.1", "1337") # remote connection (host, port); TCP by default
# Receive data -- all of these return bytes, not str
conn.recv() # read whatever is currently available (up to 4096 bytes by default), blocking until something arrives
conn.recvline() # receive until newline (the newline itself is included by default)
conn.recvuntil(b"result:") # receive until given keyword (the keyword is included in the returned bytes)
conn.recvline_startswith(b"Your password is") # keep reading lines until one starts with the prefix; earlier lines are discarded
conn.recvall() # receive until EOF; blocks until the peer closes the connection
conn.recvrepeat(2000) # receive repeatedly until timeout or EOF. NOTE: the timeout is in seconds, so 2000 waits over half an hour; 2 is a more typical value
# Send data
conn.sendline(b"hello") # sends the bytes followed by a newline
conn.sendlineafter(b">>", b"hello") # waits for the prompt b">>" first, then behaves like sendline()
# Print received lines
print(conn.recvall().decode())
# Print the target text (e.g. retrieve the text after the "Password: " in the line)
conn.recvuntil(b"Password: ")
# decode(): bytes -> str (UTF-8 by default; raises UnicodeDecodeError if the output is not valid text)
# strip(): Remove '\n' at the end of text (also removes any other surrounding whitespace)
retrieved_password = conn.recvline().decode().strip()
print(retrieved_password)
# Payloads & Send
payload = b"A" * 48 # filler of a fixed length
payload = b"A" * 0x30 # same length written in hex (0x30 == 48); this reassigns, it does not append
payload += p64(exe.got['puts']) # the function address in GOT; p64 packs an int into 8 bytes using the context endianness, KeyError if the symbol is absent
payload += p64(exe.plt['puts']) # the function address in PLT
payload += p64(exe.symbols['example_variable']) # variable address from the symbol table (needs an unstripped binary)
payload += p64(exe.bss()) # BSS section address (bss(offset) adds an offset to the section start)
conn.sendline(payload) # a trailing b"\n" is appended to the payload
# Misc
conn.clean() # remove all buffered data (reads and discards whatever is currently pending)
# After sending payloads
conn.interactive() # connects your terminal to the tube so you can read from and type to the process directly