Command-line tools

pwntools also ships a number of useful command-line tools; each one is a thin wrapper around the corresponding library functionality.

pwn

Pwntools Command-line Interface

usage: pwn [-h] {asm,checksec,constgrep,cyclic,debug,disasm,disablenx,elfdiff,elfpatch,errno,hex,phd,pwnstrip,scramble,shellcraft,template,unhex,update} …

-h, --help
    show this help message and exit
pwn asm

line
    Assembly code to assemble. If not given, it is read from standard input.
-h, --help
    show this help message and exit
-f {raw,hex,string,elf}, --format {raw,hex,string,elf}
    Output format (defaults to hex for ttys, otherwise raw)
-o <file>, --output <file>
    Output file (defaults to stdout)
-c {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}, --context {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}
    The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: ['16', '32', '64', 'android', 'cgc', 'freebsd', 'linux', 'windows', 'powerpc64', 'aarch64', 'sparc64', 'powerpc', 'mips64', 'msp430', 'thumb', 'amd64', 'sparc', 'alpha', 's390', 'i386', 'm68k', 'mips', 'ia64', 'cris', 'vax', 'avr', 'arm', 'little', 'big', 'el', 'le', 'be', 'eb']
-v <avoid>, --avoid <avoid>
    Encode the shellcode to avoid the listed bytes (given as hex; default: 000a)
-n, --newline
    Encode the shellcode to avoid newlines
-z, --zero
    Encode the shellcode to avoid NULL bytes
-d, --debug
    Debug the shellcode with GDB
-e <encoder>, --encoder <encoder>
    The encoder to use
-i <infile>, --infile <infile>
    Input file
-r, --run
    Run output
pwn checksec

elf
    Files to check
-h, --help
    show this help message and exit
--file <elf>
    File to check (for compatibility with checksec.sh)
pwn constgrep

regex
    The regex matching constant you want to find
constant
    The constant to find
-h, --help
    show this help message and exit
-e <constant>, --exact <constant>
    Do an exact match for a constant instead of searching for a regex
-i, --case-insensitive
    Search case insensitive
-m, --mask-mode
    Instead of searching for a specific constant value, search for values not containing strictly fewer bits than the given value (that is, every bit set in the given value is also set in the match).
-c {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}, --context {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}
    The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: ['16', '32', '64', 'android', 'cgc', 'freebsd', 'linux', 'windows', 'powerpc64', 'aarch64', 'sparc64', 'powerpc', 'mips64', 'msp430', 'thumb', 'amd64', 'sparc', 'alpha', 's390', 'i386', 'm68k', 'mips', 'ia64', 'cris', 'vax', 'avr', 'arm', 'little', 'big', 'el', 'le', 'be', 'eb']
pwn cyclic

count
    Number of characters to print
-h, --help
    show this help message and exit
-a <alphabet>, --alphabet <alphabet>
    The alphabet to use in the cyclic pattern (defaults to all lower case letters)
-n <length>, --length <length>
    Size of the unique subsequences (defaults to 4).
-c {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}, --context {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}
    The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: ['16', '32', '64', 'android', 'cgc', 'freebsd', 'linux', 'windows', 'powerpc64', 'aarch64', 'sparc64', 'powerpc', 'mips64', 'msp430', 'thumb', 'amd64', 'sparc', 'alpha', 's390', 'i386', 'm68k', 'mips', 'ia64', 'cris', 'vax', 'avr', 'arm', 'little', 'big', 'el', 'le', 'be', 'eb']
-l <lookup_value>, -o <lookup_value>, --offset <lookup_value>, --lookup <lookup_value>
    Do a lookup instead of printing the alphabet
pwn debug

-h, --help
    show this help message and exit
-x <gdbscript>
    Execute GDB commands from this file.
--pid <pid>
    PID to attach to
-c {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}, --context {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}
    The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: ['16', '32', '64', 'android', 'cgc', 'freebsd', 'linux', 'windows', 'powerpc64', 'aarch64', 'sparc64', 'powerpc', 'mips64', 'msp430', 'thumb', 'amd64', 'sparc', 'alpha', 's390', 'i386', 'm68k', 'mips', 'ia64', 'cris', 'vax', 'avr', 'arm', 'little', 'big', 'el', 'le', 'be', 'eb']
--exec <executable>
    File to debug
--process <process_name>
    Name of the process to attach to (e.g. "bash")
--sysroot <sysroot>
    GDB sysroot path
pwn disablenx

elf
    Files to check
-h, --help
    show this help message and exit
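`pwn checksec` and `pwn disablenx` both work on the ELF program headers: NX is requested by a `PT_GNU_STACK` header without the execute bit, PIE is an `ET_DYN` executable, and RELRO needs a `PT_GNU_RELRO` header. The following is an added example, not pwntools' own code, that parses those headers for ELF32 and ELF64 in either byte order and reports the three properties, then patches a copy so the stack is executable again. Two things are assumptions of this example rather than statements from this page: the stack canary, FORTIFY and RPATH checks that checksec also performs need the symbol and dynamic tables and are omitted, and the NX-disabling step here simply sets `PF_X` on the `PT_GNU_STACK` header, which the Linux loader honours; how `pwn disablenx` itself rewrites the file is not described on this page. `build_elf` constructs a header-only ELF as test input and is not a loadable program.

```python
import struct

PT_GNU_STACK = 0x6474E551   # stack permissions requested from the loader
PT_GNU_RELRO = 0x6474E552   # region the loader makes read-only after relocation
PF_X, PF_W, PF_R = 1, 2, 4
ET_EXEC, ET_DYN = 2, 3


def _ehdr(elf):
    """Return (is64, endian prefix, e_type, e_phoff, e_phentsize, e_phnum)."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"     # EI_DATA: 1 = little endian, 2 = big endian
    fmt = "HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH"
    h = struct.unpack_from(end + fmt, elf, 16)
    return is64, end, h[0], h[4], h[8], h[9]


def program_headers(elf):
    """Yield (file offset of p_flags, p_type, p_flags) for every program header."""
    is64, end, _, phoff, phentsize, phnum = _ehdr(elf)
    for i in range(phnum):
        off = phoff + i * phentsize
        if is64:   # Elf64_Phdr starts: p_type, p_flags, p_offset, ...
            p_type, p_flags = struct.unpack_from(end + "II", elf, off)
            yield off + 4, p_type, p_flags
        else:      # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
            f = struct.unpack_from(end + "IIIIIIII", elf, off)
            yield off + 24, f[0], f[6]


def checksec(elf):
    """The header-only subset of what pwn checksec reports."""
    _, _, e_type, _, _, _ = _ehdr(elf)
    stack = [flags for _, t, flags in program_headers(elf) if t == PT_GNU_STACK]
    return {
        # No PT_GNU_STACK header means the kernel default applies (executable
        # on x86), so it is reported as NX disabled here.
        "NX": bool(stack and not (stack[0] & PF_X)),
        "PIE": e_type == ET_DYN,
        "RELRO": any(t == PT_GNU_RELRO for _, t, _ in program_headers(elf)),
    }


def disable_nx(elf):
    """Return a copy whose PT_GNU_STACK header asks for an executable stack (PF_X set)."""
    _, end, *_ = _ehdr(elf)
    out = bytearray(elf)
    for flags_off, p_type, p_flags in program_headers(elf):
        if p_type == PT_GNU_STACK:
            struct.pack_into(end + "I", out, flags_off, p_flags | PF_X)
    return bytes(out)


def build_elf(is64, endian, e_type, segments):
    """Constructed test input: ELF header plus (p_type, p_flags) program headers, no code."""
    end = "<" if endian == "little" else ">"
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1 if endian == "little" else 2, 1]) + b"\0" * 9
    if is64:
        ehsize, phentsize = 64, 56
        hdr = struct.pack(end + "16sHHIQQQIHHHHHH", ident, e_type, 0x3E, 1, 0, ehsize, 0, 0,
                          ehsize, phentsize, len(segments), 0, 0, 0)
        phdrs = b"".join(struct.pack(end + "IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in segments)
    else:
        ehsize, phentsize = 52, 32
        hdr = struct.pack(end + "16sHHIIIIIHHHHHH", ident, e_type, 3, 1, 0, ehsize, 0, 0,
                          ehsize, phentsize, len(segments), 0, 0, 0)
        phdrs = b"".join(struct.pack(end + "IIIIIIII", t, 0, 0, 0, 0, 0, f, 0) for t, f in segments)
    return hdr + phdrs


if __name__ == "__main__":
    sample = build_elf(True, "little", ET_DYN, [(PT_GNU_STACK, PF_R | PF_W), (PT_GNU_RELRO, PF_R)])
    print("before:", checksec(sample))
    print("after: ", checksec(disable_nx(sample)))
```

Run `checksec(open(path, "rb").read())` on a real binary to compare with `pwn checksec`; the NX and PIE lines agree, while the RELRO line here only distinguishes present from absent (full RELRO additionally needs `BIND_NOW` in the dynamic section, which this example does not read).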
pwn disasm

hex
    Hex-string to disassemble. If none are supplied, then it uses stdin in non-hex mode.
-h, --help
    show this help message and exit
-c {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}, --context {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}
    The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: ['16', '32', '64', 'android', 'cgc', 'freebsd', 'linux', 'windows', 'powerpc64', 'aarch64', 'sparc64', 'powerpc', 'mips64', 'msp430', 'thumb', 'amd64', 'sparc', 'alpha', 's390', 'i386', 'm68k', 'mips', 'ia64', 'cris', 'vax', 'avr', 'arm', 'little', 'big', 'el', 'le', 'be', 'eb']
-a <address>, --address <address>
    Base address
--color
    Color output
--no-color
    Disable color output
pwn elfdiff

a
b
-h, --help
    show this help message and exit
pwn elfpatch

-h, --help
    show this help message and exit
pwn errno

error
    Error message or value
-h, --help
    show this help message and exit
pwn hex

data
    Data to convert into hex
-h, --help
    show this help message and exit
pwn phd

file
    File to hexdump. Reads from stdin if missing.
-h, --help
    show this help message and exit
-w <width>, --width <width>
    Number of bytes per line.
-l <highlight>, --highlight <highlight>
    Byte to highlight.
-s <skip>, --skip <skip>
    Skip this many initial bytes.
-c <count>, --count <count>
    Only show this many bytes.
-o <offset>, --offset <offset>
    Addresses in the left-hand column start at this address.
--color {always,never,auto}
    Colorize the output. When 'auto', output is colorized exactly when stdout is a TTY. Default is 'auto'.
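The `--skip`, `--count` and `--offset` options are easy to confuse: the first two select which slice of the input is shown, while `--offset` only changes the number printed in the address column (handy when the input is a chunk carved out of a larger file or a memory dump taken at a known address). The following is an added example, not pwntools' own hexdump, that implements that behaviour together with `--width`, `--highlight` and the `--color auto` rule; the column layout is similar to `pwn phd` output but not byte-for-byte identical, and the red ANSI highlight colour is this example's choice.

```python
import sys


def hexdump(data, width=16, skip=0, count=None, offset=0, highlight=(), color=None):
    """Render *data* as address / hex / printable columns.

    skip and count pick the slice of data that is shown; offset is only added
    to the address column.  color=None follows the --color auto rule and
    colorizes exactly when stdout is a TTY.
    """
    if width <= 0:
        raise ValueError("width must be positive")
    if color is None:
        color = sys.stdout.isatty()
    end = None if count is None else skip + count
    chunk = data[skip:end]
    lines = []
    for i in range(0, len(chunk), width):
        row = chunk[i:i + width]
        cells = []
        for b in row:
            cell = f"{b:02x}"
            if color and b in highlight:
                cell = f"\x1b[1;31m{cell}\x1b[0m"      # bold red for highlighted byte values
            cells.append(cell)
        pad = " " * (3 * (width - len(row)))           # keep the text column aligned on a short last row
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in row)
        lines.append(f"{offset + skip + i:08x}  {' '.join(cells)}{pad}  |{text}|")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed input: a fake ELF header prefix followed by filler.
    sample = b"\x7fELF\x02\x01\x01" + bytes(range(0x30, 0x50))
    print(hexdump(sample, width=8, skip=4, count=20, offset=0x400000, highlight={0x7F, 0x00}))
```

Use `hexdump(data, width=16, highlight={0x00, 0x0a})` to spot the NUL and newline bytes that `pwn asm -z`/`-n` would have to encode away.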
pwn pwnstrip

file
-h, --help
    show this help message and exit
-b, --build-id
    Strip build ID
-p <function>, --patch <function>
    Patch function
-o <output>, --output <output>
pwn scramble

-h, --help
    show this help message and exit
-f {raw,hex,string,elf}, --format {raw,hex,string,elf}
    Output format (defaults to hex for ttys, otherwise raw)
-o <file>, --output <file>
    Output file (defaults to stdout)
-c {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}, --context {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}
    The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: ['16', '32', '64', 'android', 'cgc', 'freebsd', 'linux', 'windows', 'powerpc64', 'aarch64', 'sparc64', 'powerpc', 'mips64', 'msp430', 'thumb', 'amd64', 'sparc', 'alpha', 's390', 'i386', 'm68k', 'mips', 'ia64', 'cris', 'vax', 'avr', 'arm', 'little', 'big', 'el', 'le', 'be', 'eb']
-p, --alphanumeric
    Encode the shellcode with an alphanumeric encoder
-v <avoid>, --avoid <avoid>
    Encode the shellcode to avoid the listed bytes
-n, --newline
    Encode the shellcode to avoid newlines
-z, --zero
    Encode the shellcode to avoid NULL bytes
-d, --debug
    Debug the shellcode with GDB
pwn shellcraft

shellcode
    The shellcode you want
arg
    Argument to the chosen shellcode
-h, --help
    show this help message and exit
-?, --show
    Show shellcode documentation
-o <file>, --out <file>
    Output file (default: stdout)
-f {r,raw,s,str,string,c,h,hex,a,asm,assembly,p,i,hexii,e,elf,d,escaped,default}, --format {r,raw,s,str,string,c,h,hex,a,asm,assembly,p,i,hexii,e,elf,d,escaped,default}
    Output format (default: hex), choose from {e}lf, {r}aw, {s}tring, {c}-style array, {h}ex string, hex{i}i, {a}ssembly code, {p}reprocessed code, escape{d} hex string
-d, --debug
    Debug the shellcode with GDB
-b, --before
    Insert a debug trap before the code
-a, --after
    Insert a debug trap after the code
-v <avoid>, --avoid <avoid>
    Encode the shellcode to avoid the listed bytes
-n, --newline
    Encode the shellcode to avoid newlines
-z, --zero
    Encode the shellcode to avoid NULL bytes
-r, --run
    Run output
--color
    Color output
--no-color
    Disable color output
--syscalls
    List syscalls
--address <address>
    Load address
-l, --list
    List available shellcodes, optionally provide a filter
-s, --shared
    Generated ELF is a shared library
pwn template

exe
    Target binary
-h, --help
    show this help message and exit
--host <host>
    Remote host / SSH server
--port <port>
    Remote port / SSH port
--user <user>
    SSH Username
--pass <password>
    SSH Password
--path <path>
    Remote path of file on SSH server
--quiet
    Less verbose template comments