asm – (Dis)assembler¶

This module contains functions to assemble and disassemble code for a given target platform. By default the keystone engine assembler will be used if it is available. If it’s not available (or if the WANT_KEYSTONE environment variable is set and it’s not 1, YES or TRUE (case insensitive)), pwnypack falls back to using the nasm assembler for nasm syntax on X86 or GNU as for any other supported syntax / architecture. Disassembly is performed by ndisasm on x86 for nasm syntax. capstone is used for any other supported syntax / architecture.

Currently, the only supported architectures are x86 (both 32 and 64 bits variants) and arm (both 32 and 64 bits variants).

class pwnypack.asm.AsmSyntax[source]¶

Bases: enum.IntEnum

This enumeration is used to specify the assembler syntax.

att = None¶

AT&T assembler syntax

intel = None¶

Intel assembler syntax

nasm = None¶

Netwide assembler syntax

pwnypack.asm.asm(code, addr=0, syntax=None, target=None, gnu_binutils_prefix=None)[source]¶

Assemble statements into machine readable code.

Parameters:	code (str) – The statements to assemble. addr (int) – The memory address where the code will run. syntax (AsmSyntax) – The input assembler syntax for x86. Defaults to nasm, ignored on other platforms. target (Target) – The target architecture. The global target is used if this argument is None. gnu_binutils_prefix (str) – When the syntax is AT&T, gnu binutils’ as and ld will be used. By default, it selects arm-*-as/ld for 32bit ARM targets, aarch64-*-as/ld for 64 bit ARM targets, i386-*-as/ld for 32bit X86 targets and amd64-*-as/ld for 64bit X86 targets (all for various flavors of *. This option allows you to pick a different toolchain. The prefix should always end with a ‘-‘ (or be empty).
Returns:	The assembled machine code.
Return type:	bytes
Raises:	SyntaxError – If the assembler statements are invalid. NotImplementedError – In an unsupported target platform is specified.

Example

>>> from pwny import *
>>> asm('''
...     pop rdi
...     ret
... ''', target=Target(arch=Target.Arch.x86, bits=64))
b'_\xc3'

pwnypack.asm.disasm(code, addr=0, syntax=None, target=None)[source]¶

Disassemble machine readable code into human readable statements.

Parameters:	code (bytes) – The machine code that is to be disassembled. addr (int) – The memory address of the code (used for relative references). syntax (AsmSyntax) – The output assembler syntax. This defaults to nasm on x86 architectures, AT&T on all other architectures. target (Target) – The architecture for which the code was written. The global target is used if this argument is None.
Returns:	The disassembled machine code.
Return type:	list of str
Raises:	NotImplementedError – In an unsupported target platform is specified. RuntimeError – If ndisasm encounters an error.

Example

>>> from pwny import *
>>> disasm(b'_\xc3', target=Target(arch=Target.Arch.x86, bits=64))
['pop rdi', 'ret']

bytecode – Python bytecode manipulation¶

The bytecode module lets you manipulate python bytecode in a version-independent way. To facilitate this, this module provides a couple of function to disassemble and assemble python bytecode into a high-level representation and some functions to manipulate those structures.

The python version independent function take a py_internals parameter which represents the specifics of bytecode on that particular version of python. The pwnypack.py_internals module provides these internal specifics for various python versions.

Examples

Disassemble a very simple function, change an opcode and reassemble it:

>>> from pwny import *
>>> import six
>>> def foo(a):
>>>     return a - 1
...
>>> print(foo, six.get_function_code(foo).co_code, foo(5))
<function foo at 0x10590ba60> b'|d
S' 4
>>> ops = bc.disassemble(foo)
>>> print(ops)
[LOAD_FAST 0, LOAD_CONST 1, BINARY_SUBTRACT, RETURN_VALUE]
>>> ops[2].name = 'BINARY_ADD'
>>> print(ops)
[LOAD_FAST 0, LOAD_CONST 1, BINARY_ADD, RETURN_VALUE]
>>> bar = bc.rebuild_func_from_ops(foo, ops, co_name='bar')
>>> print(bar, six.get_function_code(bar).co_code, bar(5))
<function bar at 0x10590bb70> b'|d
S' 6

class pwnypack.bytecode.AnnotatedOp(code_obj, name, arg)[source]¶

An annotated opcode description. Instances of this class are generated by CodeObject.disassemble() if you set its annotate argument to True.

It contains more descriptive information about the instruction but cannot be translated back into a bytecode operation at the moment.

This class uses the code object’s reference to the python internals of the python version that it originated from and the properties of the code object to decode as much information as possible.

Parameters:	code_obj (CodeObject) – The code object this opcode belongs to. name (str) – The mnemonic of the opcode. arg (int) – The integer argument to the opcode (or None).

code = None¶

The numeric opcode.

code_obj = None¶

A reference to the CodeObject it belongs to.

has_arg = None¶

Whether this opcode has an argument.

has_compare = None¶

Whether this opcode’s argument is a compare operation.

has_const = None¶

Whether this opcode’s argument is a reference to a constant.

has_free = None¶

Whether this opcode’s argument is a reference to a free or cell var (for closures and nested functions).

has_local = None¶

Whether this opcode’s argument is a reference to a local.

has_name = None¶

Whether this opcode’s argument is a reference to the names table.

name = None¶

The name of the operation.

class pwnypack.bytecode.Block(label=None)[source]¶

A group of python bytecode ops. Produced by blocks_from_ops().

Parameters:	label (Label) – The label of this block. Will be None for the first block.

label = None¶

The label the block represents.

next = None¶

A pointer to the next block.

ops = None¶

The opcodes contained within this block.

class pwnypack.bytecode.Op(name, arg=None)[source]¶

Bases: object

Describes a single bytecode operation.

Parameters:	name (str) – The name of the opcode. arg – The argument of the opcode. Should be None for opcodes without arguments, should be a Label for opcodes that define a jump, should be an int otherwise.

arg = None¶

The opcode’s argument (or None).

name = None¶

The name of the opcode.

class pwnypack.bytecode.Label[source]¶

Bases: object

Used to define a label in a series of opcodes.

pwnypack.bytecode.disassemble(code, origin=None)[source]¶

Disassemble python bytecode into a series of Op and Label instances.

Parameters:	code (bytes) – The bytecode (a code object’s co_code property). You can also provide a function. origin (dict) – The opcode specification of the python version that generated code. If you provide None, the specs for the currently running python version will be used.
Returns:	A list of opcodes and labels.
Return type:	list

pwnypack.bytecode.assemble(ops, target=None)[source]¶

Assemble a set of Op and Label instance back into bytecode.

Parameters:	ops (list) – A list of opcodes and labels (as returned by disassemble()). target – The opcode specification of the targeted python version. If this is None the specification of the currently running python version will be used.
Returns:	The assembled bytecode.
Return type:	bytes

pwnypack.bytecode.blocks_from_ops(ops)[source]¶

Group a list of Op and Label instances by label.

Everytime a label is found, a new Block is created. The resulting blocks are returned as a dictionary to easily access the target block of a jump operation. The keys of this dictionary will be the labels, the values will be the Block instances. The initial block can be accessed by getting the None item from the dictionary.

Parameters:	ops (list) – The list of Op and Label instances (as returned by disassemble().
Returns:	The resulting dictionary of blocks grouped by label.
Return type:	dict

pwnypack.bytecode.calculate_max_stack_depth(ops, target=None)[source]¶

Calculate the maximum stack depth (and required stack size) from a series of Op and Label instances. This is required when you manipulate the opcodes in such a way that the stack layout might change and you want to re-create a working function from it.

This is a fairly literal re-implementation of python’s stackdepth and stackdepth_walk.

Parameters:	ops (list) – A list of opcodes and labels (as returned by disassemble()). target – The opcode specification of the targeted python version. If this is None the specification of the currently running python version will be used.
Returns:	The calculated maximum stack depth.
Return type:	int

class pwnypack.bytecode.CodeObject(co_argcount, co_kwonlyargcount, co_nlocals, co_stacksize, co_flags, co_code, co_consts, co_names, co_varnames, co_filename, co_name, co_firstlineno, co_lnotab, co_freevars, co_cellvars, origin=None)[source]¶

Bases: object

Represents a python code object in a cross python version way. It contains all the properties that exist on code objects on Python 3 (even when run on Python 2).

Parameters:

co_argcount – number of arguments (not including , * or keyword only args) co_kwonlyargcount – The keyword-only argument count of this code. co_nlocals – number of local variables co_stacksize – virtual machine stack space required co_flags – bitmap: 1=optimized | 2=newlocals | 4=*arg | 8=**arg co_code – string of raw compiled bytecode co_consts – tuple of constants used in the bytecode co_names – tuple of names of local variables co_varnames – tuple of names of arguments and local variables co_filename – name of file in which this code object was created co_name – name with which this code object was defined co_firstlineno – number of first line in Python source code co_lnotab – encoded mapping of line numbers to bytecode indices co_freevars – tuple of names of closure variables co_cellvars – tuple containing the names of local variables that are referenced by nested functions origin (dict) – The opcode specification of the python version that generated the code. If you provide None, the specs for the currently running python version will be used.

annotate_op(op)[source]¶

Takes a bytecode operation (Op) and annotates it using the data contained in this code object.

Parameters:	op (Op) – An Op instance.
Returns:	An annotated bytecode operation.
Return type:	AnnotatedOp

assemble(ops, target=None)[source]¶

Assemble a series of operations and labels into bytecode, analyse its stack usage and replace the bytecode and stack size of this code object. Can also (optionally) change the target python version.

Parameters:	ops (list) – The opcodes (and labels) to assemble into bytecode. target – The opcode specification of the targeted python version. If this is None the specification of the currently running python version will be used.
Returns:	A reference to this CodeObject.
Return type:	CodeObject

disassemble(annotate=False, blocks=False)[source]¶

Disassemble the bytecode of this code object into a series of opcodes and labels. Can also annotate the opcodes and group the opcodes into blocks based on the labels.

Parameters:	annotate (bool) – Whether to annotate the operations. blocks (bool) – Whether to group the operations into blocks.
Returns:	A list of Op (or AnnotatedOp) instances and labels.
Return type:	list

classmethod from_code(code, co_argcount=BORROW, co_kwonlyargcount=BORROW, co_nlocals=BORROW, co_stacksize=BORROW, co_flags=BORROW, co_code=BORROW, co_consts=BORROW, co_names=BORROW, co_varnames=BORROW, co_filename=BORROW, co_name=BORROW, co_firstlineno=BORROW, co_lnotab=BORROW, co_freevars=BORROW, co_cellvars=BORROW)[source]¶

Create a new instance from an existing code object. The originating internals of the instance will be that of the running python version.

Any properties explicitly specified will be overridden on the new instance.

Parameters:	code (types.CodeType) – The code object to get the properties of. .. – The properties to override.
Returns:	A new CodeObject instance.
Return type:	CodeObject

classmethod from_function(f, *args, **kwargs)[source]¶

Create a new instance from a function. Gets the code object from the function and passes it and any other specified parameters to from_code().

Parameters:	f (function) – The function to get the code object from.
Returns:	A new CodeObject instance.
Return type:	CodeObject

to_code()[source]¶

Convert this instance back into a native python code object. This only works if the internals of the code object are compatible with those of the running python version.

Returns:	The native python code object.
Return type:	types.CodeType

to_function()[source]¶

Convert this CodeObject back into a python function. This only works if the internals of the code object are compatible with those of the running python version.

Returns:	The newly created python function.
Return type:	function

codec – Data transformation¶

This module contains functions that allow you to manipulate, encode or decode strings and byte sequences.

pwnypack.codec.xor(key, data)[source]¶

Perform cyclical exclusive or operations on data.

The key can be a an integer (0 <= key < 256) or a byte sequence. If the key is smaller than the provided data, the key will be repeated.

Parameters:	key (int or bytes) – The key to xor data with. data (bytes) – The data to perform the xor operation on.
Returns:	The result of the exclusive or operation.
Return type:	bytes

Examples

>>> from pwny import *
>>> xor(5, b'ABCD')
b'DGFA'
>>> xor(5, b'DGFA')
b'ABCD'
>>> xor(b'pwny', b'ABCDEFGHIJKLMNOPQRSTUVWXYZ')
b'15-=51)19=%5=9!)!%=-%!9!)-'
>>> xor(b'pwny', b'15-=51)19=%5=9!)!%=-%!9!)-')
b'ABCDEFGHIJKLMNOPQRSTUVWXYZ'

pwnypack.codec.find_xor_mask(data, alphabet=None, max_depth=3, min_depth=0, iv=None)[source]¶

Produce a series of bytestrings that when XORed together end up being equal to data and only contain characters from the giving alphabet. The initial state (or previous state) can be given as iv.

Parameters:

data (bytes) – The data to recreate as a series of XOR operations. alphabet (bytes) – The bytestring containing the allowed characters for the XOR values. If None, all characters except NUL bytes, carriage returns and newlines will be allowed. max_depth (int) – The maximum depth to look for a solution. min_depth (int) – The minimum depth to look for a solution. iv (bytes) – Initialization vector. If None, it will be assumed the operation starts at an all zero string.

Returns:

A list of bytestrings that, when XOR’ed with iv (or just eachother if iv` is not providede) will be the same as ``data.

Examples

Produce a series of strings that when XORed together will result in the string ‘pwnypack’ using only ASCII characters in the range 65 to 96:

>>> from pwny import *
>>> find_xor_mask('pwnypack', alphabet=''.join(chr(c) for c in range(65, 97)))
[b'````````', b'AAAAABAA', b'QVOXQCBJ']
>>> xor(xor(b'````````', b'AAAAABAA'), b'QVOXQCBJ')
'pwnypack'

pwnypack.codec.rot13(d)¶

Rotate all characters in the alphabets A-Z and a-z by 13 positions in the alphabet. This is a caesar() shift of 13 along the fixed alphabets A-Z and a-z.

Parameters:	d (str) – The string to the apply the cipher to.
Returns:	The string with the rot13 cipher applied.
Return type:	str

Examples

>>> rot13('whax')
'junk'
>>> rot13('junk')
'whax'

pwnypack.codec.caesar(shift, data, shift_ranges=('az', 'AZ'))[source]¶

Apply a caesar cipher to a string.

The caesar cipher is a substition cipher where each letter in the given alphabet is replaced by a letter some fixed number down the alphabet.

If shift is 1, A will become B, B will become C, etc...

You can define the alphabets that will be shift by specifying one or more shift ranges. The characters will than be shifted within the given ranges.

Parameters:	shift (int) – The shift to apply. data (str) – The string to apply the cipher to. shift_ranges (list of str) – Which alphabets to shift.
Returns:	The string with the caesar cipher applied.
Return type:	str

Examples

>>> caesar(16, 'Pwnypack')
'Fmdofqsa'
>>> caesar(-16, 'Fmdofqsa')
'Pwnypack'
>>> caesar(16, 'PWNYpack', shift_ranges=('AZ',))
'FMDOpack'
>>> caesar(16, 'PWNYpack', shift_ranges=('Az',))
'`g^iFqsA'

pwnypack.codec.enhex(d, separator='')[source]¶

Convert bytes to their hexadecimal representation, optionally joined by a given separator.

Parameters:	d (bytes) – The data to convert to hexadecimal representation. separator (str) – The separator to insert between hexadecimal tuples.
Returns:	The hexadecimal representation of d.
Return type:	str

Examples

>>> from pwny import *
>>> enhex(b'pwnypack')
'70776e797061636b'
>>> enhex(b'pwnypack', separator=' ')
'70 77 6e 79 70 61 63 6b'

pwnypack.codec.dehex(d)¶

Convert a hexadecimal representation of a byte sequence to bytes. All non-hexadecimal characters will be removed from the input.

Parameters:	d (str) – The string of hexadecimal tuples.
Returns:	The byte sequence represented by d.
Return type:	bytes

Examples

>>> from pwny import *
>>> dehex('70776e797061636b')
b'pwnypack'
>>> dhex('70 77 6e 79 70 61 63 6b')
b'pwnypack'

pwnypack.codec.enb64(d)¶

Convert bytes to their base64 representation.

Parameters:	d (bytes) – The data to convert to its base64 representation.
Returns:	The base64 representation of d.
Return type:	str

Example

>>> from pwny import *
>>> enb64(b'pwnypack')
'cHdueXBhY2s='

pwnypack.codec.deb64(d)¶

Convert a base64 representation back to its original bytes.

Parameters:	d (str) – The base64 representation to decode.
Returns:	The bytes represented by d.
Return type:	bytes

Example

>>> from pwny import *
>>> deb64('cHdueXBhY2s=')
b'pwnypack'

pwnypack.codec.enurlform(q)[source]¶

Convert a dictionary to a URL encoded query string.

Parameters:	q (dict) – The query to encode.
Returns:	The urlencoded representation of q.
Return type:	str

Example

>>> from pwny import *
>>> enurlform({'foo': 'bar', 'baz': ['quux', 'corge']})
'foo=bar&baz=quux&baz=corge'

pwnypack.codec.deurlform(d)[source]¶

Convert a URL encoded query string to a dictionary.

Parameters:	d (str) – The URL encoded query string.
Returns:	A dictionary containing each key and all its values as a list.
Return type:	dict

Example

>>> from pwny import *
>>> deurlform('foo=bar&baz=quux&baz=corge')
{'foo': ['bar'], 'baz': ['quux', 'corge']}

pwnypack.codec.enurlquote(v, plus=False)[source]¶

Percent encode a string for use in an URL.

Parameters:	v (str) – The value to percent encode. plus (bool) – Use a plus symbol for spaces, otherwise use %20.
Returns:	The percent encoded string.
Return type:	str

Example

>>> from pwny import *
>>> enurlquote('Foo Bar/Baz', True)
'Foo+Bar/Baz

pwnypack.codec.deurlquote(d, plus=False)[source]¶

Decode a percent encoded string.

Parameters:	d (str) – The percent encoded value to decode. plus (bool) – Parse a plus symbol as a space.
Returns:	The decoded version of the percent encoded of d.
Return type:	str

Example

>>> from pwny import *
>>> deurlquote('Foo+Bar/Baz')
'Foo Bar/Baz'

pwnypack.codec.frequency(v)¶

Perform a frequency analysis on a byte sequence or string.

Parameters:	d (bytes or str) – The sequence to analyse.
Returns:	A dictionary of unique elements in d and how often the occur.
Return type:	dict

Example

>>> frequency('pwnypack')
{'a': 1, 'c': 1, 'k': 1, 'n': 1, 'p': 2, 'w': 1, 'y': 1}

elf – ELF file parsing¶

This module contains a parser for, and methods to extract information from ELF files.

class pwnypack.elf.ELF(f=None)[source]¶

Bases: pwnypack.target.Target

A parser for ELF files. Upon parsing the ELF headers, it will not only fill the ELF specific fields but will also populate the inherited arch, bits and endian properties based on the values it encounters.

Parameters:	f (str, file or None) – The (path to) the ELF file to parse.

Example

>>> from pwny import *
>>> e = ELF('my-executable')
>>> print(e.machine)
>>> print(e.program_headers)
>>> print(e.section_headers)
>>> print(e.symbols)

class DynamicSectionEntry(type_id, value)[source]¶

Bases: object

Contains information about the entry in the .dynamic section.

Parameters:	type_id (int) – The type id of the .dynamic section entry. value (int) – The value of the .dynamic section entry.

class Flags[source]¶

Bases: enum.IntEnum

Flags when type is flags.

bind_now = None¶

Non-lazy binding required.

origin = None¶

$ORIGIN processing is required.

static_tls = None¶

Object uses static thread local storage.

symbolic = None¶

Symbol resolution is required.

textrel = None¶

Text relocations exist.

class ELF.DynamicSectionEntry.Flags_1[source]¶

Bases: enum.IntEnum

Flags when type is flags_1.

confalt = None¶

Object is a configuration alternative.

direct = None¶

Direct bindings are enabled.

dispreldne = None¶

Displacement relocation has been completed.

disprelpnd = None¶

Displacement relocation is pending.

edited = None¶

Object has been modified since it was built.

endfiltee = None¶

Filtee terminates filter’s search.

global_ = None¶

Unused.

globaudit = None¶

Global auditing is enabled.

group = None¶

Object is a member of a group.

ignmuldef = None¶

Reserved for internal use.

initfirst = None¶

Objects’ initialization occurs first.

interpose = None¶

Object is an interposer.

loadfltr = None¶

Make sure filtees are loaded immediately.

nodeflib = None¶

Ignore the default library search path.

nodelete = None¶

Object cannot be removed from a process.

nodirect = None¶

Object contains non-direct bindings.

nodump = None¶

Object cannot be dumped.

nohdr = None¶

Reserved for internal use.

noksyms = None¶

Reserved for internal use.

noopen = None¶

Object cannot be used with dlopen.

noreloc = None¶

Reserved for internal use.

now = None¶

Perform complete relocation processing.

origin = None¶

$ORIGIN processing is required.

singleton = None¶

Singleton symbols exist.

symintpose = None¶

Individual symbol interposers exist.

class ELF.DynamicSectionEntry.Posflags_1[source]¶

Bases: enum.IntEnum

Flags when type is ELF.DynamicSectionEntry.Type.posflags_1.

groupperm = None¶

Identify group dependency.

lazyload = None¶

Identify lazily loaded dependency.

class ELF.DynamicSectionEntry.Type[source]¶

Bases: enum.IntEnum

Describes the dynamic section entry type.

audit = None¶

String table offset defining an audit library.

auxiliary = None¶

String table offset that names an auxiliary file.

bind_now = None¶

All relocations must be performed before code is executed.

checksum = None¶

A checksum of selected sections of the object.

config = None¶

String table offset to the path of the configuration file.

debug = None¶

Used for debugging.

depaudit = None¶

String table offset defining an audit library.

fini = None¶

The address of the termination function.

fini_array = None¶

Address of array of termination functions.

fini_arraysz = None¶

The size of the termination function array.

flags = None¶

Flags for this object.

flags_1 = None¶

Object-specific flags.

gnu_hash = None¶

Address of the GNU hash section.

hash = None¶

Address of symbol hash table within SYMTAB.

init = None¶

The address of the initialization function.

init_array = None¶

Address of array of initialization functions.

init_arraysz = None¶

The size of the initialization function array.

jmprel = None¶

Address of relocation entries that are only associated with the PLT.

max_postags = None¶

Number of dynamic array tags.

moveent = None¶

Size of move table entries.

movesz = None¶

Total size of move table.

movetab = None¶

Address of the move table.

needed = None¶

String table offset of the name of a needed dependency.

null = None¶

Marks the end of the dynamic section.

pltgot = None¶

Address of PLT/GOT.

pltpad = None¶

Address of the padding of the PLT.

pltpadsz = None¶

Size of padding of the PLT.

pltrel = None¶

Type of relocation entry in the PLT table. Either rel or rela.

pltrelsz = None¶

Total size of the relocation entries in the PLT.

posflags_1 = None¶

State flags applied to next dynamic section entry.

preinit_array = None¶

Address of array of pre-initialization functions.

preinit_arraysz = None¶

Size of pre-initialization function array.

rel = None¶

Similar to rela but with implicit addends.

rela = None¶

Address of the relocation table.

relacount = None¶

Relative relocation count.

relaent = None¶

The size a relocation table entry.

relasz = None¶

The size of the relocation table.

relcount = None¶

Relative relocation count.

relent = None¶

Size of a rel relocation section entry.

relsz = None¶

Size of the rel relocation section.

rpath = None¶

String table offset of a library search path.

runpath = None¶

String table offset of a library search path.

soname = None¶

String table offset for the name of the shared object.

sparc_register = None¶

STT_SPARC_REGISTER symbol index within the symbol table.

strsz = None¶

The size of the string table.

strtab = None¶

Address of the string table.

sunw_auxiliary = None¶

String table offset for one or more per-symbol, auxiliary filtees.

sunw_cap = None¶

Address of the capabilities section.

sunw_capchain = None¶

Address of the array of capability family indices.

sunw_capchainent = None¶

Size of the capability family index entry size.

sunw_capchainsz = None¶

The size of the capability family index array.

sunw_capinfo = None¶

Address of capability requirement symbol association table.

sunw_filter = None¶

String table offset for one or more per-symbol, standard filtee

sunw_ldmach = None¶

Machine architecture of the link-editor that produced this binary.

sunw_rtldinf = None¶

Reserved for internal use by the runtime-linker.

sunw_sortent = None¶

Size of symbol sort entries.

sunw_strpad = None¶

Size of dynamic string table padding.

sunw_symsort = None¶

Address of symbol sort section.

sunw_symsortsz = None¶

Size of symbol sort section.

sunw_symsz = None¶

Combined size of regular and local symbol table.

sunw_symtab = None¶

Address of symbol table for local function symbols.

sunw_tlssort = None¶

Address of thread local symbol sort section.

sunw_tlssortsz = None¶

Size of thread local symbol sort section.

symbolic = None¶

Object contains symbolic bindings.

syment = None¶

The size of a symbol table entry.

syminent = None¶

Size of a sumbol info table entry.

syminfo = None¶

Address of the symbol info table.

syminsz = None¶

Size of the symbol info table.

symtab = None¶

Address of the symbol table.

textrel = None¶

One or more relocation entries resides in a read-only segement.

unknown = None¶

Unknown dynamic section entry type, check type_id.

used = None¶

Same as needed.

verdef = None¶

Address of the version definition table.

verdefnum = None¶

Number of entries in the version definition table.

verneed = None¶

Address of the version dependency table.

verneednum = None¶

Number of entries in the version dependency table.

ELF.DynamicSectionEntry.type = None¶

The resolved type of this entry (one of Type).

ELF.DynamicSectionEntry.type_id = None¶

The numerical type of this entry.

ELF.DynamicSectionEntry.value = None¶

The value of this entry.

class ELF.Machine[source]¶

Bases: enum.IntEnum

The target machine architecture.

aarch64 = None¶

64-bit Advanced RISC Machines ARM

alpha = None¶

Digital Alpha

arc = None¶

Argonaut RISC Core, Argonaut Technologies Inc.

arc_a5 = None¶

ARC Cores Tangent-A5

arca = None¶

Arca RISC Microprocessor

arm = None¶

Advanced RISC Machines ARM

avr = None¶

Atmel AVR 8-bit microcontroller

blackfin = None¶

Analog Devices Blackfin (DSP) processor

coldfire = None¶

Motorola ColdFire

cr = None¶

National Semiconductor CompactRISC microprocessor

cris = None¶

Axis Communications 32-bit embedded processor

d10v = None¶

Mitsubishi D10V

d30v = None¶

Mitsubishi D30V

f2mc16 = None¶

Fujitsu F2MC16

firepath = None¶

Element 14 64-bit DSP Processor

fr20 = None¶

Fujitsu FR20

fr30 = None¶

Fujitsu FR30

fx66 = None¶

Siemens FX66 microcontroller

h8_300 = None¶

Hitachi H8/300

h8_300h = None¶

Hitachi H8/300H

h8_500 = None¶

Hitachi H8/500

h8s = None¶

Hitachi H8S

huany = None¶

Harvard University machine-independent object files

i386 = None¶

Intel 80386

i860 = None¶

Intel 80860

i960 = None¶

Intel 80960

ia64 = None¶

Intel IA-64 processor architecture

ip2k = None¶

Ubicom IP2xxx microcontroller family

javelin = None¶

Infineon Technologies 32-bit embedded processor

m32 = None¶

AT&T WE 32100

m32r = None¶

Mitsubishi M32R

m68hc05 = None¶

Motorola MC68HC05 Microcontroller

m68hc08 = None¶

Motorola MC68HC08 Microcontroller

m68hc11 = None¶

Motorola MC68HC11 Microcontroller

m68hc12 = None¶

Motorola M68HC12

m68hc16 = None¶

Motorola MC68HC16 Microcontroller

m68k = None¶

Motorola 68000

m88k = None¶

Motorola 88000

max = None¶

MAX Processor

me16 = None¶

Toyota ME16 processor

mips = None¶

MIPS I Architecture

mips_rs3_le = None¶

MIPS RS3000 Little-endian

mipsx = None¶

Stanford MIPS-X

mma = None¶

Fujitsu MMA Multimedia Accelerator

mmix = None¶

Donald Knuth’s educational 64-bit processor

mn10200 = None¶

Matsushita MN10200

mn10300 = None¶

Matsushita MN10300

msp430 = None¶

Texas Instruments embedded microcontroller msp430

ncpu = None¶

Sony nCPU embedded RISC processor

ndr1 = None¶

Denso NDR1 microprocessor

none = None¶

No machine

ns32k = None¶

National Semiconductor 32000 series

openrisc = None¶

OpenRISC 32-bit embedded processor

parisc = None¶

Hewlett-Packard PA-RISC

pcp = None¶

Siemens PCP

pdp10 = None¶

Digital Equipment Corp. PDP-10

pdp11 = None¶

Digital Equipment Corp. PDP-11

pdsp = None¶

Sony DSP Processor

pj = None¶

picoJava

ppc = None¶

PowerPC

ppc64 = None¶

64-bit PowerPC

prism = None¶

SiTera Prism

rce = None¶

Motorola RCE

rh32 = None¶

TRW RH-32

s370 = None¶

IBM System/370 Processor

s390 = None¶

IBM System/390 Processor

se_c33 = None¶

S1C33 Family of Seiko Epson processors

sep = None¶

Sharp embedded microprocessor

snp1k = None¶

Trebia SNP 1000 processor

sparc = None¶

SPARC

sparc32plus = None¶

Enhanced instruction set SPARC

sparcv9 = None¶

SPARC Version 9

st100 = None¶

STMicroelectronics ST100 processor

st19 = None¶

STMicroelectronics ST19 8-bit microcontroller

st200 = None¶

STMicroelectronics ST200 microcontroller

st7 = None¶

STMicroelectronics ST7 8-bit microcontroller

st9plus = None¶

STMicroelectronics ST9+ 8/16 bit microcontroller

starcore = None¶

Motorola Star*Core processor

superh = None¶

Hitachi SuperH

svx = None¶

Silicon Graphics SVx

tinyj = None¶

Advanced Logic Corp. TinyJ embedded processor family

tmm_gpp = None¶

Thompson Multimedia General Purpose Processor

tpc = None¶

Tenor Network TPC processor

tricore = None¶

Siemens TriCore embedded processor

unicore = None¶

Microprocessor series from PKU-Unity Ltd. and MPRC of Peking University

unknown = None¶

Unknown architecture

v800 = None¶

NEC V800

v850 = None¶

NEC v850

vax = None¶

Digital VAX

videocore = None¶

Alphamosaic VideoCore processor

vpp550 = None¶

Fujitsu VPP500

x86_64 = None¶

AMD x86-64 architecture

xtensa = None¶

Tensilica Xtensa Architecture

zsp = None¶

LSI Logic 16-bit DSP Processor

class ELF.OSABI[source]¶

Bases: enum.IntEnum

Describes the OS- or ABI-specific ELF extensions used by this file.

aix = None¶

AIX ABI

arch = None¶

Architecture specific ABI

arm = None¶

ARM ABI

aros = None¶

Amiga Research OS

freebsd = None¶

FreeBSD ABI

hp_ux = None¶

HP-UX ABI

irix = None¶

IRIX ABI

linux = None¶

Linux ABI

modesto = None¶

Novell Modesto

netbsd = None¶

NetBSD ABI

nsk = None¶

Hewlett-Packard Non-Stop Kernel

openbsd = None¶

OpenBSD ABI

openvms = None¶

OpenVMS ABI

solaris = None¶

Solaris ABI

system_v = None¶

SystemV ABI / No extensions

tru64 = None¶

Compaq TRU64 Unix

unknown = None¶

Unknown ABI

class ELF.ProgramHeader(elf, data)[source]¶

Bases: object

Describes how the loader will load a part of a file. Called by the ELF class.

Parameters:	elf (ELF) – The ELF instance owning this program header. data – The content of the program header entry.

class Flags[source]¶

Bases: enum.IntEnum

The individual flags that make up ELF.ProgramHeader.flags.

r = None¶

Segment is readable

w = None¶

Segment is writable

x = None¶

Segment is executable

class ELF.ProgramHeader.Type[source]¶

Bases: enum.IntEnum

The segment type.

dynamic = None¶

The element contains dynamic linking information

gnu_eh_frame = None¶

This element contains the exception handler unwind information

gnu_relro = None¶

This element contains the readonly relocations

gnu_stack = None¶

This element describes the access right of the stack

interp = None¶

The element contains the path of the interpreter

load = None¶

The element contains a loadable segment

note = None¶

The element contains auxiliary information

null = None¶

The element is unused

phdr = None¶

This element contains the program header table itself

shlib = None¶

This element type is reserved

unknown = None¶

Unknown type, check type_id for exact type

ELF.ProgramHeader.align = None¶

The alignment of the segment.

ELF.ProgramHeader.filesz = None¶

The size of the segment in the file.

ELF.ProgramHeader.flags = None¶

The flags for the segment (OR’ed values of Flags).

ELF.ProgramHeader.memsz = None¶

The size of the segment in memory.

ELF.ProgramHeader.offset = None¶

Where in the file the segment is located.

ELF.ProgramHeader.paddr = None¶

The physical address at which the segment is loaded.

ELF.ProgramHeader.type = None¶

The type of the segment (Type).

ELF.ProgramHeader.type_id = None¶

The numerical type describing the segment.

ELF.ProgramHeader.vaddr = None¶

The virtual address at which the segment is loaded.

class ELF.SectionHeader(elf, data)[source]¶

Bases: object

Describes a section of an ELF file. Called by the ELF class.

Parameters:	elf (ELF) – The ELF instance owning this section header. data – The content of the section header entry.

class Flags[source]¶

Bases: enum.IntEnum

alloc = None¶

Section occupies memory during execution

exclude = None¶

Exclude section from linking

execinstr = None¶

Section contains executable code

group = None¶

Section is member of a group

info_link = None¶

Section’s info field contains SHT index

link_order = None¶

Preserve section order after combining

maskos = None¶

Mask for OS specific flags

maskproc = None¶

Mask for processor specific flags

merge = None¶

Section might be merged

ordered = None¶

Treat sh_link, sh_info specially

os_nonconforming = None¶

Non-standard OS-specific handling required

strings = None¶

Section contains NUL terminated strings

tls = None¶

Section holds thread-local data

write = None¶

Section is writable

class ELF.SectionHeader.Type[source]¶

Bases: enum.IntEnum

Describes the section’s type

checksum = None¶

Checksum for DSO content

dynamic = None¶

Dynamic linking information

dynsym = None¶

Minimal symbol table for dynamic linking

fini_array = None¶

Array of termination functions

gnu_attributes = None¶

GNU extension – Object attributes

gnu_hash = None¶

GNU extension – GNU-style hash section

gnu_liblist = None¶

GNU extension – Pre-link library list

gnu_object_only = None¶

GNU extension

gnu_verdef = None¶

GNU extension – Version definition section

gnu_verneed = None¶

GNU extension – Version requirements section

gnu_versym = None¶

GNU extension – Version symbol table

group = None¶

Section group

hash = None¶

Symbol hash table

init_array = None¶

Array of initialisation functions

nobits = None¶

Occupies no file space, initialised to 0

note = None¶

Vendor or system specific notes

null = None¶

Inactive section header

num = None¶

Number of defined types

preinit_array = None¶

Array of initialisation functions

progbits = None¶

Program defined information

rel = None¶

Relocation entries without explicit addends

rela = None¶

Relocation entries with explicit addends

strtab = None¶

String table

sunw_comdat = None¶

SUN extension

sunw_move = None¶

SUN extension – Additional information for partially initialized data.

sunw_syminfo = None¶

SUN extension – Extra symbol information.

symtab = None¶

Full symbol table

symtab_shndx = None¶

Extended symbol section mapping table

unknown = None¶

Unknown section type

ELF.SectionHeader.addr = None¶

The memory address at which this section will be loaded

ELF.SectionHeader.addralign = None¶

Address alignment constraint

ELF.SectionHeader.content¶

The contents of this section.

ELF.SectionHeader.elf = None¶

The instance of ELF this symbol belongs to

ELF.SectionHeader.entsize = None¶

Size of the entries in this section

ELF.SectionHeader.flags = None¶

The flags for this section, see Flags

ELF.SectionHeader.info = None¶

Holds section type dependant extra information

ELF.SectionHeader.link = None¶

Holds a section type dependant section header table index link

ELF.SectionHeader.name = None¶

The name of this section

ELF.SectionHeader.name_index = None¶

The index into the string table for this section’s name

ELF.SectionHeader.offset = None¶

The offset in the file where this section resides

ELF.SectionHeader.size = None¶

The size of this section in the file

ELF.SectionHeader.type = None¶

The type of this section (one of Type

ELF.SectionHeader.type_id = None¶

The numeric identifier of the section type

class ELF.Symbol(elf, data, strs)[source]¶

Bases: object

Contains information about symbols. Called by the ELF class.

Parameters:	elf (ELF) – The ELF instance owning this symbol. data – The content of the symbol definition. strs – The content of the string section associated with the symbol table.

class Binding[source]¶

Bases: enum.IntEnum

Describes a symbol’s binding.

global_ = None¶

Global symbol

local = None¶

Local symbol

weak = None¶

Weak symbol

class ELF.Symbol.SpecialSection[source]¶

Bases: enum.IntEnum

Special section types.

abs = None¶

Symbol has an absolute value that will not change because of relocation

common = None¶

Symbol labels a common block that has not yet been allocated.

undef = None¶

Symbol is undefined and will be resolved by the runtime linker

class ELF.Symbol.Type[source]¶

Bases: enum.IntEnum

Describes the symbol’s type.

common = None¶

The symbol labels an uninitialized common block

file = None¶

Contains the name of the source file

func = None¶

Symbol is a function or contains other executable code

notype = None¶

Symbol has no type

object = None¶

Symbol is an object

section = None¶

Symbol is associated with a section

tls = None¶

The symbol specifies a Thread-Local Storage entity

unknown = None¶

Symbol has an unknown type

class ELF.Symbol.Visibility[source]¶

Bases: enum.IntEnum

Describes the symbol’s visibility.

default = None¶

Global and weak symbols are visible, local symbols are hidden

hidden = None¶

Symbol is invisible to other components

internal = None¶

Symbol is an internal symbol

protected = None¶

Symbol is visible but not preemptable

ELF.Symbol.content¶

The contents of a symbol.

Raises:	TypeError – If the symbol isn’t defined until runtime.

ELF.Symbol.elf = None¶

The instance of ELF this symbol belongs to

ELF.Symbol.info = None¶

Describes the symbol’s type and binding (see type and

ELF.Symbol.name = None¶

The resolved name of this symbol

ELF.Symbol.name_index = None¶

The index of the symbol’s name in the string table

ELF.Symbol.other = None¶

Specifies the symbol’s visibility

ELF.Symbol.shndx = None¶

The section in which this symbol is defined (or one of the SpecialSection types)

ELF.Symbol.size = None¶

The size of the symbol

ELF.Symbol.type = None¶

The resolved type of this symbol (one of Type)

ELF.Symbol.type_id = None¶

The numerical type of this symbol

ELF.Symbol.value = None¶

The value of the symbol (type dependent)

ELF.Symbol.visibility = None¶

The visibility of this symbol (one of Visibility)

class ELF.Type[source]¶

Bases: enum.IntEnum

Describes the object type.

core = None¶

Core file

executable = None¶

Executable file

none = None¶

No file type

os = None¶

OS specific

proc = None¶

Processor specific

relocatable = None¶

Relocatable file

shared = None¶

Shared object file

unknown = None¶

Unknown object type

ELF.abi_version = None¶

The specific ABI version of the OS / ABI.

ELF.dynamic_section_entries¶

A list of entries in the .dynamic section.

ELF.entry = None¶

The entry point address.

ELF.f = None¶

The ELF file.

ELF.flags = None¶

The flags. Currently, no flags are defined.

ELF.get_dynamic_section_entry(index)[source]¶

Get a specific .dynamic section entry by index.

Parameters:	symbol (int) – The index of the .dynamic section entry to return.
Returns:	The .dynamic section entry.
Return type:	ELF.DynamicSectionEntry
Raises:	KeyError – The requested entry does not exist.

ELF.get_program_header(index)[source]¶

Return a specific program header by its index.

Parameters:	index (int) – The program header index.
Returns:	The program header.
Return type:	ProgramHeader
Raises:	KeyError – The specified index does not exist.

ELF.get_section_header(section)[source]¶

Get a specific section header by index or name.

Parameters:	section (int or str) – The index or name of the section header to return.
Returns:	The section header.
Return type:	SectionHeader
Raises:	KeyError – The requested section header does not exist.

ELF.get_symbol(symbol)[source]¶

Get a specific symbol by index or name.

Parameters:	symbol (int or str) – The index or name of the symbol to return.
Returns:	The symbol.
Return type:	ELF.Symbol
Raises:	KeyError – The requested symbol does not exist.

ELF.hsize = None¶

The size of the header.

ELF.machine = None¶

The machine architecture (one of ELF.Machine).

ELF.osabi = None¶

The OSABI (one of ELF.OSABI).

ELF.parse_file(f)[source]¶

Parse an ELF file and fill the class’ properties.

Parameters:	f (file or str) – The (path to) the ELF file to read.

ELF.phentsize = None¶

The size of a program header.

ELF.phnum = None¶

The number of program headers.

ELF.phoff = None¶

The offset of the first program header in the file.

ELF.program_headers¶

A list of all program headers.

ELF.section_headers¶

Return the list of section headers.

ELF.shentsize = None¶

The size of a section header.

ELF.shnum = None¶

The number of section headers.

ELF.shoff = None¶

The offset of the first section header in the file.

ELF.shstrndx = None¶

The index of the section containing the section names.

ELF.symbols¶

Return a list of all symbols.

ELF.type = None¶

The object type (one of ELF.Type).

flow – Communication¶

The Flow module lets you connect to processes or network services using a unified API. It is primarily designed for synchronous communication flows.

It is based around the central Flow class which uses a Channel to connect to a process. The Flow class then uses the primitives exposed by the Channel to provide a high level API for reading/receiving and writing/sending data.

Examples

>>> from pwny import *
>>> f = Flow.connect_tcp('ced.pwned.systems', 80)
>>> f.writelines([
...     b'GET / HTTP/1.0',
...     b'Host: ced.pwned.systems',
...     b'',
... ])
>>> line = f.readline().strip()
>>> print(line == b'HTTP/1.0 200 OK')
True
>>> f.until(b'\r\n\r\n')
>>> f.read_eof(echo=True)
... lots of html ...

>>> from pwny import *
>>> f = Flow.execute('cat')
>>> f.writeline(b'hello')
>>> f.readline(echo=True)

class pwnypack.flow.ProcessChannel(executable, argument..., redirect_stderr=False)[source]¶

Bases: object

This channel type allows controlling processes. It uses python’s subprocess.Popen class to execute a process and allows you to communicate with it.

Parameters:	executable (str) – The executable to start. argument... (list of str) – The arguments to pass to the executable. redirect_stderr (bool) – Whether to also capture the output of stderr.

close()[source]¶

Wait for the subprocess to exit.

fileno()[source]¶

Return the file descriptor number for the stdout channel of this process.

kill()[source]¶

Terminate the subprocess.

read(n)[source]¶

Read n bytes from the subprocess’ output channel.

Parameters:	n (int) – The number of bytes to read.
Returns:	n bytes of output.
Return type:	bytes
Raises:	EOFError – If the process exited.

write(data)[source]¶

Write n bytes to the subprocess’ input channel.

Parameters:	data (bytes) – The data to write.
Raises:	EOFError – If the process exited.

class pwnypack.flow.SocketChannel(sock)[source]¶

Bases: object

This channel type allows controlling sockets.

Parameters:	socket (socket.socket) – The (already connected) socket to control.

close()[source]¶

Close the socket gracefully.

fileno()[source]¶

Return the file descriptor number for the socket.

kill()[source]¶

Shut down the socket immediately.

read(n)[source]¶

Receive n bytes from the socket.

Parameters:	n (int) – The number of bytes to read.
Returns:	n bytes read from the socket.
Return type:	bytes
Raises:	EOFError – If the socket was closed.

write(data)[source]¶

Send n bytes to socket.

Parameters:	data (bytes) – The data to send.
Raises:	EOFError – If the socket was closed.

class pwnypack.flow.TCPClientSocketChannel(host, port)[source]¶

Bases: pwnypack.flow.SocketChannel

Convenience subclass of SocketChannel that allows you to connect to a TCP hostname / port pair easily.

Parameters:	host (str) – The hostname or IP address to connect to. port (int) – The port number to connect to.

class pwnypack.flow.Flow(channel, echo=False)[source]¶

Bases: object

The core class of Flow. Takes a channel and exposes synchronous utility functions for communications.

Usually, you’ll use the convenience classmethods connect_tcp() or execute() instead of manually creating the constructor directly.

Parameters:	channel (Channel) – A channel. echo (bool) – Whether or not to echo all input / output.

close()[source]¶

Gracefully close the channel.

static connect_ssh(*args, **kwargs)[source]¶

Create a new connected SSHClient instance. All arguments are passed to SSHClient.connect().

classmethod connect_tcp(host, port, echo=False)[source]¶

Set up a TCPClientSocketChannel and create a Flow instance for it.

Parameters:	host (str) – The hostname or IP address to connect to. port (int) – The port number to connect to. echo (bool) – Whether to echo read/written data to stdout by default.
Returns:	A Flow instance initialised with the TCP socket channel.
Return type:	Flow

classmethod execute(executable, *arguments, **kwargs)[source]¶

execute(executable, argument..., redirect_stderr=False, echo=False):

Set up a ProcessChannel and create a Flow instance for it.

Parameters:	executable (str) – The executable to start. argument... (list of str) – The arguments to pass to the executable. redirect_stderr (bool) – Whether to also capture the output of stderr. echo (bool) – Whether to echo read/written data to stdout by default.
Returns:	A Flow instance initialised with the process channel.
Return type:	Flow

classmethod execute_ssh(command, arguments..., pty=False, echo=False)[source]¶

Execute command on a remote server. It first calls Flow.connect_ssh() using all positional and keyword arguments, then calls SSHClient.execute() with the command and pty / echo options.

Parameters:	command (str) – The command to execute on the remote server. arguments... – The options for the SSH connection. pty (bool) – Request a pseudo-terminal from the server. echo (bool) – Whether to echo read/written data to stdout by default.
Returns:	A Flow instance initialised with the SSH channel.
Return type:	Flow

interact()[source]¶

Interact with the socket. This will send all keyboard input to the socket and input from the socket to the console until an EOF occurs.

classmethod invoke_ssh_shell(*args, **kwargs)[source]¶

invoke_ssh(arguments..., pty=False, echo=False)

Star a new shell on a remote server. It first calls Flow.connect_ssh() using all positional and keyword arguments, then calls SSHClient.invoke_shell() with the pty / echo options.

Parameters:	arguments... – The options for the SSH connection. pty (bool) – Request a pseudo-terminal from the server. echo (bool) – Whether to echo read/written data to stdout by default.
Returns:	A Flow instance initialised with the SSH channel.
Return type:	Flow

kill()[source]¶

Terminate the channel immediately.

classmethod listen_tcp(host='', port=0, echo=False)[source]¶

Set up a TCPServerSocketChannel and create a Flow instance for it.

Parameters:	host (str) – The hostname or IP address to bind to. port (int) – The port number to listen on. echo (bool) – Whether to echo read/written data to stdout by default.
Returns:	A Flow instance initialised with the TCP socket channel.
Return type:	Flow

read(n, echo=None)[source]¶

Read n bytes from the channel.

Parameters:	n (int) – The number of bytes to read from the channel. echo (bool) – Whether to write the read data to stdout.
Returns:	n bytes of data.
Return type:	bytes
Raises:	EOFError – If the channel was closed.

read_eof(echo=None)[source]¶

Read until the channel is closed.

Parameters:	echo (bool) – Whether to write the read data to stdout.
Returns:	The read data.
Return type:	bytes

read_until(s, echo=None)[source]¶

Read until a certain string is encountered..

Parameters:	s (bytes) – The string to wait for. echo (bool) – Whether to write the read data to stdout.
Returns:	The data up to and including s.
Return type:	bytes
Raises:	EOFError – If the channel was closed.

readline(echo=None)[source]¶

Read 1 line from channel.

Parameters:	echo (bool) – Whether to write the read data to stdout.
Returns:	The read line which includes new line character.
Return type:	bytes
Raises:	EOFError – If the channel was closed before a line was read.

readlines(n, echo=None)[source]¶

Read n lines from channel.

Parameters:	n (int) – The number of lines to read. echo (bool) – Whether to write the read data to stdout.
Returns:	n lines which include new line characters.
Return type:	list of bytes
Raises:	EOFError – If the channel was closed before n lines were read.

until(s, echo=None)¶

Alias of read_until().

write(data, echo=None)[source]¶

Write data to channel.

Parameters:	data (bytes) – The data to write to the channel. echo (bool) – Whether to echo the written data to stdout.
Raises:	EOFError – If the channel was closed before all data was sent.

writeline(line=b'', sep=b'\n', echo=None)[source]¶

Write a byte sequences to the channel and terminate it with carriage return and line feed.

Parameters:	line (bytes) – The line to send. sep (bytes) – The separator to use after each line. echo (bool) – Whether to echo the written data to stdout.
Raises:	EOFError – If the channel was closed before all data was sent.

writelines(lines, sep=b'\n', echo=None)[source]¶

Write a list of byte sequences to the channel and terminate them with a separator (line feed).

Parameters:	lines (list of bytes) – The lines to send. sep (bytes) – The separator to use after each line. echo (bool) – Whether to echo the written data to stdout.
Raises:	EOFError – If the channel was closed before all data was sent.

fmtstring – Format strings¶

The fmtstring module allows you to build format strings that can be used to exploit format string bugs (printf(buf);).

pwnypack.fmtstring.fmtstring(offset, writes, written=0, max_width=2, target=None)[source]¶

Build a format string that writes given data to given locations. Can be used easily create format strings to exploit format string bugs.

writes is a list of 2- or 3-item tuples. Each tuple represents a memory write starting with an absolute address, then the data to write as an integer and finally the width (1, 2, 4 or 8) of the write.

fmtstring() will break up the writes and try to optimise the order to minimise the amount of dummy output generated.

Parameters:	offset (int) – The parameter offset where the format string start. writes (list) – A list of 2 or 3 item tuples. written (int) – How many bytes have already been written before the built format string starts. max_width (int) – The maximum width of the writes (1, 2 or 4). target (pwnypack.target.Target) – The target architecture.
Returns:	The format string that will execute the specified memory writes.
Return type:	bytes

Example

The following example will (on a 32bit architecture) build a format string that write 0xc0debabe to the address 0xdeadbeef and the byte 0x90 to 0xdeadbeef + 4 assuming that the input buffer is located at offset 3 on the stack.

>>> from pwny import *
>>> fmtstring(3, [(0xdeadbeef, 0xc0debabe), (0xdeadbeef + 4, 0x90, 1)])

marshal – Python marshal loader¶

This module contains functions to load and unserialize data (including .pyc files) serialized using the marshal module on most version of python.

pwnypack.marshal.marshal_load(fp, origin=None)[source]¶

Unserialize data serialized with marshal.dump(). This function works across python versions. Marshalled code objects are returned as instances of CodeObject.

Parameters:	fp (file) – A file or file-like object that contains the serialized data. origin (dict) – The opcode specification of the python version that generated the data. If you provide None, the specs for the currently running python version will be used.
Returns:	The unserialized data.

pwnypack.marshal.marshal_loads(data, origin=None)[source]¶

Load data serialized with marshal.dump() from a bytestring.

Parameters:	data (bytes) – The marshalled data. origin (dict) – The opcode specification of the python version that generated the data. If you provide None, the specs for the currently running python version will be used.
Returns:	The unserialized data.

pwnypack.marshal.pyc_load(fp)[source]¶

Load a .pyc file from a file-like object.

Parameters:	fp (file) – The file-like object to read.
Returns:	The parsed representation of the .pyc file.
Return type:	PycFile

pwnypack.marshal.pyc_loads(data)[source]¶

Load a .pyc file from a bytestring.

Parameters:	data (bytes) – The content of the .pyc file.
Returns:	The parsed representation of the .pyc file.
Return type:	PycFile

packing – Data (un)packing¶

pwnypack.packing.pack(fmt, v1, v2, ..., endian=None, target=None)[source]¶

Return a string containing the values v1, v2, ... packed according to the given format. The actual packing is performed by struct.pack but the byte order will be set according to the given endian, target or byte order of the global target.

Parameters:	fmt (str) – The format string. v1,v2,... – The values to pack. endian (Endian) – Override the default byte order. If None, it will look at the byte order of the target argument. target (Target) – Override the default byte order. If None, it will look at the byte order of the global target.
Returns:	The provided values packed according to the format.
Return type:	bytes

pwnypack.packing.unpack(fmt, data, endian=None, target=None)[source]¶

Unpack the string (presumably packed by pack(fmt, ...)) according to the given format. The actual unpacking is performed by struct.unpack but the byte order will be set according to the given endian, target or byte order of the global target.

Parameters:	fmt (str) – The format string. data (bytes) – The data to unpack. endian (Endian) – Override the default byte order. If None, it will look at the byte order of the target argument. target (Target) – Override the default byte order. If None, it will look at the byte order of the global target.
Returns:	The unpacked values according to the format.
Return type:	list

pwnypack.packing.pack_size(fmt, endian=None, target=None)[source]¶

pwnypack.packing.P(value, bits=None, endian=None, target=None)[source]¶

Pack an unsigned pointer for a given target.

Parameters:	value (int) – The value to pack. bits (Bits) – Override the default word size. If None it will look at the word size of target. endian (Endian) – Override the default byte order. If None, it will look at the byte order of the target argument. target (Target) – Override the default byte order. If None, it will look at the byte order of the global target.

pwnypack.packing.p(value, bits=None, endian=None, target=None)[source]¶

Pack a signed pointer for a given target.

Parameters:	value (int) – The value to pack. bits (pwnypack.target.Target.Bits) – Override the default word size. If None it will look at the word size of target. endian (Endian) – Override the default byte order. If None, it will look at the byte order of the target argument. target (Target) – Override the default byte order. If None, it will look at the byte order of the global target.

pwnypack.packing.U(data, bits=None, endian=None, target=None)[source]¶

Unpack an unsigned pointer for a given target.

Parameters:	data (bytes) – The data to unpack. bits (pwnypack.target.Target.Bits) – Override the default word size. If None it will look at the word size of target. endian (Endian) – Override the default byte order. If None, it will look at the byte order of the target argument. target (Target) – Override the default byte order. If None, it will look at the byte order of the global target.
Returns:	The pointer value.
Return type:	int

pwnypack.packing.u(data, bits=None, endian=None, target=None)[source]¶

Unpack a signed pointer for a given target.

Parameters:	data (bytes) – The data to unpack. bits (pwnypack.target.Target.Bits) – Override the default word size. If None it will look at the word size of target. endian (Endian) – Override the default byte order. If None, it will look at the byte order of the target argument. target (Target) – Override the default byte order. If None, it will look at the byte order of the global target.
Returns:	The pointer value.
Return type:	int

pwnypack.packing.p8(value, endian=None, target=None)¶

Pack signed 8 bit integer. Alias for pack('b', ...).

pwnypack.packing.P8(value, endian=None, target=None)¶

Pack unsigned 8 bit integer. Alias for pack('B', ...).

pwnypack.packing.u8(data, endian=None, target=None)¶

Unpack signed 8 bit integer. Alias for unpack('b', ...).

pwnypack.packing.U8(data, endian=None, target=None)¶

Unpack unsigned 8 bit integer. Alias for unpack('B', ...).

pwnypack.packing.p16(value, endian=None, target=None)¶

Pack signed 16 bit integer. Alias for pack('h', ...).

pwnypack.packing.P16(value, endian=None, target=None)¶

Pack unsigned 16 bit integer. Alias for pack('H', ...).

pwnypack.packing.u16(data, endian=None, target=None)¶

Unpack signed 16 bit integer. Alias for unpack('h', ...).

pwnypack.packing.U16(data, endian=None, target=None)¶

Unpack unsigned 16 bit integer. Alias for unpack('H', ...).

pwnypack.packing.p32(value, endian=None, target=None)¶

Pack signed 32 bit integer. Alias for pack('l', ...).

pwnypack.packing.P32(value, endian=None, target=None)¶

Pack unsigned 32 bit integer. Alias for pack('L', ...).

pwnypack.packing.u32(data, endian=None, target=None)¶

Unpack signed 32 bit integer. Alias for unpack('l', ...).

pwnypack.packing.U32(data, endian=None, target=None)¶

Unpack unsigned 32 bit integer. Alias for unpack('L', ...).

pwnypack.packing.p64(value, endian=None, target=None)¶

Pack signed 64 bit integer. Alias for pack('q', ...).

pwnypack.packing.P64(value, endian=None, target=None)¶

Pack unsigned 64 bit integer. Alias for pack('Q', ...).

pwnypack.packing.u64(data, endian=None, target=None)¶

Unpack signed 64 bit integer. Alias for unpack('q', ...).

pwnypack.packing.U64(data, endian=None, target=None)¶

Unpack unsigned 64 bit integer. Alias for unpack('Q', ...).

php – PHP related functions¶

pwnypack.php.php_serialize(value)[source]¶

Serialize a value for use with PHP’s deserialize() function. This function can serialize bytes, strings, integers, floats, booleans, None, lists, dicts and custom objects implementing __php__().

Parameters:	value – The value to serialize.
Returns:	The serialized form of value ready to be unserialized by PHP.
Return type:	bytes

Example

>>> from pwny import *
>>> php_serialize([b'foo', u'bar', 42, 2.5, True, None, {'a': 'b'}])
b'a:7:{i:0;s:3:"foo";i:1;s:3:"bar";i:2;i:42;i:3;d:2.5;i:4;b:1;i:5;N;i:6;a:1:{s:1:"a";s:1:"b";}}'

class pwnypack.php.PhpObject(class_name, properties=None)[source]¶

Bases: object

Helper class to represent PHP objects for serialization using php_serialize().

Instances of this class act like a dictionary of properties that should be set on the deserialized PHP instance. You can prefix the property names with 'public ', 'protected ' or 'private ' to ensure the correct instance variables are set.

Parameters:	class_name (str) – The name of the PHP class to use when deserializing. properties (dict) – The properties to deserialize in this instance.

Example

>>> from pwny import *
>>> o = PhpObject('Foo\Bar', {'protected fg': '#000000'})
>>> php_serialize(o)
b'O:7:"Foo\Bar":1:{s:5:"\x00*\x00fg";s:7:"#000000";}'

pickle – Pickle tools¶

pwnypack.pickle.pickle_invoke(func, *args, target=None, protocol=None)[source]¶

Create a byte sequence which when unpickled calls a callable with given arguments.

Note

The function has to be importable using the same name on the system that unpickles this invocation.

Parameters:	func (callable) – The function to call or class to instantiate. args (tuple) – The arguments to call the callable with. target – The internals description of the targeted python version. If this is None the specification of the currently running python version will be used. protocol – The pickle protocol version to use (use None for default).
Returns:	The data that when unpickled calls func(*args).
Return type:	bytes

Example

>>> from pwny import *
>>> import pickle
>>> def hello(arg):
...     print('Hello, %s!' % arg)
...
>>> pickle.loads(pickle_invoke(hello, 'world'))
Hello, world!

pwnypack.pickle.pickle_func(func, *args, target=None, protocol=None, b64encode=None)[source]¶

Encode a function in such a way that when it’s unpickled, the function is reconstructed and called with the given arguments.

Note

Compatibility between python versions is not guaranteed. Depending on the target python version, the opcodes of the provided function are transcribed to try to maintain compatibility. If an opcode is emitted which is not supported by the target python version, a KeyError will be raised.

Constructs that are known to be problematic:

• Python 2.6 and 2.7/3.0 use very different, incompatible opcodes for conditional jumps (if, while, etc). Serializing those is not always possible between python 2.6 and 2.7/3.0.
• Exception handling uses different, incompatible opcodes between python 2 and 3.
• Python 2 and python 3 handle nested functions very differently: the same opcode is used in a different way and leads to a crash. Avoid nesting functions if you want to pickle across python functions.

Parameters:	func (callable) – The function to serialize and call when unpickled. args (tuple) – The arguments to call the callable with. target – The internals description of the targeted python version. If this is None the specification of the currently running python version will be used. protocol (int) – The pickle protocol version to use. b64encode (bool) – Whether to base64 certain code object fields. Required when you prepare a pickle for python 3 on python 2. If it’s None it defaults to False unless pickling from python 2 to python 3.
Returns:	The data that when unpickled calls func(*args).
Return type:	bytes

Example

>>> from pwny import *
>>> import pickle
>>> def hello(arg):
...     print('Hello, %s!' % arg)
...
>>> p = pickle_func(hello, 'world')
>>> del hello
>>> pickle.loads(p)
Hello, world!

py_internals – Python internals¶

This module provides a dictionary that describes the internals of carious python versions. It is used in various parts of pwnypack ( pwnypack.bytecode and pwnypack.pickle).

Please note that this module is automatically generated by the build_py_internals.py script.

pwnypack.py_internals.get_py_internals(version=None, default=None)[source]¶

Given a version specification. It can be any dict which is returned verbatim, an index into PY_INTERNALS or None.

Parameters:	version – The python version to return the internals of. default – The python version that will be looked up if version is None.
Returns:	The python internals for the requested version.
Return type:	dict

pwnypack.py_internals.PY_26 = {...}¶

This dictionary describes the internals of CPython 2.6.

pwnypack.py_internals.PY_27 = {...}¶

This dictionary describes the internals of CPython 2.7.

pwnypack.py_internals.PY_30 = {...}¶

This dictionary describes the internals of CPython 3.0.

pwnypack.py_internals.PY_31 = {...}¶

This dictionary describes the internals of CPython 3.1.

pwnypack.py_internals.PY_32 = {...}¶

This dictionary describes the internals of CPython 3.2.

pwnypack.py_internals.PY_33 = {...}¶

This dictionary describes the internals of CPython 3.3.

pwnypack.py_internals.PY_34 = {...}¶

This dictionary describes the internals of CPython 3.4.

pwnypack.py_internals.PY_35 = {...}¶

This dictionary describes the internals of CPython 3.5.

pwnypack.py_internals.PY_INTERNALS = {26: PY_26, 27: PY_27, 30: PY_30, 31: PY_31, 32: PY_32, 33: PY_33, 34: PY_34, 35: PY_35}¶

This dictionary describes the internals of various python versions.

rop – ROP gadgets¶

The ROP module contains a function to find gadgets in ELF binaries that can be used to create ROP chains.

pwnypack.rop.find_gadget(elf, gadget, align=1, unique=True)[source]¶

Find a ROP gadget in a the executable sections of an ELF executable or library. The ROP gadget can be either a set of bytes for an exact match or a (bytes) regular expression. Once it finds gadgets, it uses the capstone engine to verify if the gadget consists of valid instructions and doesn’t contain any call or jump instructions.

Parameters:	elf (ELF) – The ELF instance to find a gadget in. gadget (bytes or regexp) – The gadget to find. align (int) – Make sure the gadget starts at a multiple of this number unique (bool) – If true, only unique gadgets are returned.
Returns:	A dictionary containing a description of the found gadget. Contains the following fields: section: The section the gadget was found in. offset: The offset inside the segment the gadget was found at. addr: The virtual memory address the gadget will be located at. gadget: The machine code of the found gadget. asm: A list of disassembled instructions.
Return type:	dict

shellcode – Shellcode generator¶

This module contains functions to generate shellcode.

Note:

The intended audience for this documentation is the user. Implementation details are left out where possible.

The idea is that you provide a shellcode generator environment with a highlevel declarative representation of the shellcode your want to assemble and the environment fills in the specifics.

The generic environments target X86, X86_64, ARM, ARM Thumb, ARM Thumb Mixed and AArch64 on the Linux OS. No restrictions are made on what kind of bytes end up in the binary output. If you use buffers, the code segment will need to be writable if you use the Mutable variants. The Stack variants require an initialized stack that is large enough to hold all the allocated data and buffers.

X86:

• LinuxX86Mutable
• LinuxX86Stack

X86_64:

• LinuxX86_64Mutable
• LinuxX86_64Stack

ARM:

• LinuxARMMutable
• LinuxARMStack

ARM Thumb:

• LinuxARMThumbMutable
• LinuxARMThumbStack

ARM with modeswitch to Thumb mode:

• LinuxARMThumbMixed
• LinuxARMThumbStack

AArch64:

• LinuxAArch64Mutable
• LinuxAArch64Stack

Specialized classes are also provided for X86 and X86_64. The MutableNullSafe and StackNullSafe variants attempt to generate binary output that does not contain NUL bytes, carriage returns and line feeds.

X86:

• LinuxX86MutableNullSafe
• LinuxX86StackNullSafe

X86_64:

• LinuxX86_64MutableNullSafe
• LinuxX86_64StackNullSafe

Each shellcode environment defines a set of registers that are available on the architecture and a set of system calls. These are available as properties of the respective environment.

The environment also provides a way to allocate strings and buffers. If you call alloc_data() with a bytestring (str on python 2, bytes on python 3) it will be allocated verbatim and an Offset is returned. If alloc_data() is called with a unicode string (unicode on python 2, str on python 3) it will be converted to a latin1 based bytestring and terminated with a NUL byte (\0).

alloc_buffer() can be used to allocate an uninitialized block of memory. It will not be embedded in the shellcode.

There are two ways to use these shellcode environments:

• Declaratively.
• Imperatively.