Command Line Tools

pwntools comes with a handful of useful command-line utilities which serve as wrappers for some of the internal functionality.

pwn

Pwntools Command-line Interface

usage: pwn [-h]
           {asm,checksec,constgrep,cyclic,debug,disasm,disablenx,elfdiff,elfpatch,errno,hex,phd,pwnstrip,scramble,shellcraft,template,unhex,update}
           ...
-h, --help

show this help message and exit

pwn asm

usage: pwn asm [-h] [-f {raw,hex,string,elf}] [-o file] [-c context]
               [-v AVOID] [-n] [-z] [-d] [-e ENCODER] [-i INFILE] [-r]
               [line [line ...]]
line

Lines to assemble. If none are supplied, use stdin

-h, --help

show this help message and exit

-f {raw,hex,string,elf}, --format {raw,hex,string,elf}

Output format (defaults to hex for ttys, otherwise raw)

-o <file>, --output <file>

Output file (defaults to stdout)

-c {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}, --context {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}

The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘android’, ‘cgc’, ‘freebsd’, ‘linux’, ‘windows’, ‘powerpc64’, ‘aarch64’, ‘sparc64’, ‘powerpc’, ‘mips64’, ‘msp430’, ‘thumb’, ‘amd64’, ‘sparc’, ‘alpha’, ‘s390’, ‘i386’, ‘m68k’, ‘mips’, ‘ia64’, ‘cris’, ‘vax’, ‘avr’, ‘arm’, ‘little’, ‘big’, ‘el’, ‘le’, ‘be’, ‘eb’]

-v <avoid>, --avoid <avoid>

Encode the shellcode to avoid the listed bytes (provided as hex)

-n, --newline

Encode the shellcode to avoid newlines

-z, --zero

Encode the shellcode to avoid NULL bytes

-d, --debug

Debug the shellcode with GDB

-e <encoder>, --encoder <encoder>

Specific encoder to use

-i <infile>, --infile <infile>

Specify input file

-r, --run

Run output

pwn checksec

usage: pwn checksec [-h] [--file [elf [elf ...]]] [elf [elf ...]]
elf

Files to check

-h, --help

show this help message and exit

--file <elf>

File to check (for compatibility with checksec.sh)

pwn constgrep

usage: pwn constgrep [-h] [-e constant] [-i] [-m] [-c arch_or_os]
                     [regex] [constant]
regex

The regex matching constant you want to find

constant

The constant to find

-h, --help

show this help message and exit

-e <constant>, --exact <constant>

Do an exact match for a constant instead of searching for a regex

-i, --case-insensitive

Search case insensitive

-m, --mask-mode

Instead of searching for a specific constant value, search for values not containing strictly less bits that the given value.

-c {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}, --context {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}

The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘android’, ‘cgc’, ‘freebsd’, ‘linux’, ‘windows’, ‘powerpc64’, ‘aarch64’, ‘sparc64’, ‘powerpc’, ‘mips64’, ‘msp430’, ‘thumb’, ‘amd64’, ‘sparc’, ‘alpha’, ‘s390’, ‘i386’, ‘m68k’, ‘mips’, ‘ia64’, ‘cris’, ‘vax’, ‘avr’, ‘arm’, ‘little’, ‘big’, ‘el’, ‘le’, ‘be’, ‘eb’]

pwn cyclic

usage: pwn cyclic [-h] [-a alphabet] [-n length] [-c context]
                  [-l lookup_value]
                  [count]
count

Number of characters to print

-h, --help

show this help message and exit

-a <alphabet>, --alphabet <alphabet>

The alphabet to use in the cyclic pattern (defaults to all lower case letters)

-n <length>, --length <length>

Size of the unique subsequences (defaults to 4).

-c {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}, --context {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}

The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘android’, ‘cgc’, ‘freebsd’, ‘linux’, ‘windows’, ‘powerpc64’, ‘aarch64’, ‘sparc64’, ‘powerpc’, ‘mips64’, ‘msp430’, ‘thumb’, ‘amd64’, ‘sparc’, ‘alpha’, ‘s390’, ‘i386’, ‘m68k’, ‘mips’, ‘ia64’, ‘cris’, ‘vax’, ‘avr’, ‘arm’, ‘little’, ‘big’, ‘el’, ‘le’, ‘be’, ‘eb’]

-l <lookup_value>, -o <lookup_value>, --offset <lookup_value>, --lookup <lookup_value>

Do a lookup instead printing the alphabet

pwn debug

usage: pwn debug [-h] [-x GDBSCRIPT] [--pid PID] [-c context]
                 [--exec EXECUTABLE] [--process PROCESS_NAME]
                 [--sysroot SYSROOT]
-h, --help

show this help message and exit

-x <gdbscript>

Execute GDB commands from this file.

--pid <pid>

PID to attach to

-c {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}, --context {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}

The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘android’, ‘cgc’, ‘freebsd’, ‘linux’, ‘windows’, ‘powerpc64’, ‘aarch64’, ‘sparc64’, ‘powerpc’, ‘mips64’, ‘msp430’, ‘thumb’, ‘amd64’, ‘sparc’, ‘alpha’, ‘s390’, ‘i386’, ‘m68k’, ‘mips’, ‘ia64’, ‘cris’, ‘vax’, ‘avr’, ‘arm’, ‘little’, ‘big’, ‘el’, ‘le’, ‘be’, ‘eb’]

--exec <executable>

File to debug

--process <process_name>

Name of the process to attach to (e.g. “bash”)

--sysroot <sysroot>

GDB sysroot path

pwn disablenx

usage: pwn disablenx [-h] elf [elf ...]
elf

Files to check

-h, --help

show this help message and exit

pwn disasm

usage: pwn disasm [-h] [-c arch_or_os] [-a address] [--color] [--no-color]
                  [hex [hex ...]]
hex

Hex-string to disassemble. If none are supplied, then it uses stdin in non-hex mode.

-h, --help

show this help message and exit

-c {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}, --context {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}

The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘android’, ‘cgc’, ‘freebsd’, ‘linux’, ‘windows’, ‘powerpc64’, ‘aarch64’, ‘sparc64’, ‘powerpc’, ‘mips64’, ‘msp430’, ‘thumb’, ‘amd64’, ‘sparc’, ‘alpha’, ‘s390’, ‘i386’, ‘m68k’, ‘mips’, ‘ia64’, ‘cris’, ‘vax’, ‘avr’, ‘arm’, ‘little’, ‘big’, ‘el’, ‘le’, ‘be’, ‘eb’]

-a <address>, --address <address>

Base address

--color

Color output

--no-color

Disable color output

pwn elfdiff

usage: pwn elfdiff [-h] a b
a
b
-h, --help

show this help message and exit

pwn elfpatch

usage: pwn elfpatch [-h]
-h, --help

show this help message and exit

pwn errno

usage: pwn errno [-h] error
error

Error message or value

-h, --help

show this help message and exit

pwn hex

usage: pwn hex [-h] [data [data ...]]
data

Data to convert into hex

-h, --help

show this help message and exit

pwn phd

usage: pwn phd [-h] [-w WIDTH] [-l [HIGHLIGHT [HIGHLIGHT ...]]] [-s SKIP]
               [-c COUNT] [-o OFFSET] [--color [{always,never,auto}]]
               [file]
file

File to hexdump. Reads from stdin if missing.

-h, --help

show this help message and exit

-w <width>, --width <width>

Number of bytes per line.

-l <highlight>, --highlight <highlight>

Byte to highlight.

-s <skip>, --skip <skip>

Skip this many initial bytes.

-c <count>, --count <count>

Only show this many bytes.

-o <offset>, --offset <offset>

Addresses in left hand column starts at this address.

--color {always,never,auto}

Colorize the output. When ‘auto’ output is colorized exactly when stdout is a TTY. Default is ‘auto’.

pwn pwnstrip

usage: pwn pwnstrip [-h] [-b] [-p FUNCTION] [-o OUTPUT] file
file
-h, --help

show this help message and exit

-b, --build-id

Strip build ID

-p <function>, --patch <function>

Patch function

-o <output>, --output <output>

pwn scramble

usage: pwn scramble [-h] [-f {raw,hex,string,elf}] [-o file] [-c context] [-p]
                    [-v AVOID] [-n] [-z] [-d]
-h, --help

show this help message and exit

-f {raw,hex,string,elf}, --format {raw,hex,string,elf}

Output format (defaults to hex for ttys, otherwise raw)

-o <file>, --output <file>

Output file (defaults to stdout)

-c {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}, --context {16,32,64,android,cgc,freebsd,linux,windows,powerpc64,aarch64,sparc64,powerpc,mips64,msp430,thumb,amd64,sparc,alpha,s390,i386,m68k,mips,ia64,cris,vax,avr,arm,little,big,el,le,be,eb}

The os/architecture/endianness/bits the shellcode will run in (default: linux/i386), choose from: [‘16’, ‘32’, ‘64’, ‘android’, ‘cgc’, ‘freebsd’, ‘linux’, ‘windows’, ‘powerpc64’, ‘aarch64’, ‘sparc64’, ‘powerpc’, ‘mips64’, ‘msp430’, ‘thumb’, ‘amd64’, ‘sparc’, ‘alpha’, ‘s390’, ‘i386’, ‘m68k’, ‘mips’, ‘ia64’, ‘cris’, ‘vax’, ‘avr’, ‘arm’, ‘little’, ‘big’, ‘el’, ‘le’, ‘be’, ‘eb’]

-p, --alphanumeric

Encode the shellcode with an alphanumeric encoder

-v <avoid>, --avoid <avoid>

Encode the shellcode to avoid the listed bytes

-n, --newline

Encode the shellcode to avoid newlines

-z, --zero

Encode the shellcode to avoid NULL bytes

-d, --debug

Debug the shellcode with GDB

pwn shellcraft

usage: pwn shellcraft [-h] [-?] [-o file] [-f format] [-d] [-b] [-a]
                      [-v AVOID] [-n] [-z] [-r] [--color] [--no-color]
                      [--syscalls] [--address ADDRESS] [-l] [-s]
                      [shellcode] [arg [arg ...]]
shellcode

The shellcode you want

arg

Argument to the chosen shellcode

-h, --help

show this help message and exit

-?, --show

Show shellcode documentation

-o <file>, --out <file>

Output file (default: stdout)

-f {r,raw,s,str,string,c,h,hex,a,asm,assembly,p,i,hexii,e,elf,d,escaped,default}, --format {r,raw,s,str,string,c,h,hex,a,asm,assembly,p,i,hexii,e,elf,d,escaped,default}

Output format (default: hex), choose from {e}lf, {r}aw, {s}tring, {c}-style array, {h}ex string, hex{i}i, {a}ssembly code, {p}reprocssed code, escape{d} hex string

-d, --debug

Debug the shellcode with GDB

-b, --before

Insert a debug trap before the code

-a, --after

Insert a debug trap after the code

-v <avoid>, --avoid <avoid>

Encode the shellcode to avoid the listed bytes

-n, --newline

Encode the shellcode to avoid newlines

-z, --zero

Encode the shellcode to avoid NULL bytes

-r, --run

Run output

--color

Color output

--no-color

Disable color output

--syscalls

List syscalls

--address <address>

Load address

-l, --list

List available shellcodes, optionally provide a filter

-s, --shared

Generated ELF is a shared library

pwn template

usage: pwn template [-h] [--host HOST] [--port PORT] [--user USER]
                    [--pass PASSWORD] [--path PATH] [--quiet]
                    [exe]
exe

Target binary

-h, --help

show this help message and exit

--host <host>

Remote host / SSH server

--port <port>

Remote port / SSH port

--user <user>

SSH Username

--pass <password>

SSH Password

--path <path>

Remote path of file on SSH server

--quiet

Less verbose template comments

pwn unhex

usage: pwn unhex [-h] [hex [hex ...]]
hex

Hex bytes to decode

-h, --help

show this help message and exit

pwn update

usage: pwn update [-h] [--install] [--pre]
-h, --help

show this help message and exit

--install

Install the update automatically.

--pre

Check for pre-releases.