pwnlib.tubes — Talking to the World!

The pwnlib is not a big truck! It’s a series of tubes!

This is our library for talking to sockets, processes, ssh connections etc. Our goal is to be able to use the same API for e.g. remote TCP servers, local TTY-programs and programs run over over SSH.

It is organized such that the majority of the functionality is implemented in pwnlib.tubes.tube. The remaining classes should only implement just enough for the class to work and possibly code pertaining only to that specific kind of tube.

pwnlib.tubes.tube — Common Functionality

class pwnlib.tubes.tube.tube[source]

Container of all the tube functions common to sockets, TTYs and SSH connetions.

can_recv(timeout = 0) → bool[source]

Returns True, if there is data available within timeout seconds.

Examples

>>> import time
>>> t = tube()
>>> t.can_recv_raw = lambda *a: False
>>> t.can_recv()
False
>>> _=t.unrecv('data')
>>> t.can_recv()
True
>>> _=t.recv()
>>> t.can_recv()
False
clean(timeout = 0.05)[source]

Removes all the buffered data from a tube by calling pwnlib.tubes.tube.tube.recv() with a low timeout until it fails.

If timeout is zero, only cached data will be cleared.

Note: If timeout is set to zero, the underlying network is not actually polled; only the internal buffer is cleared.

Returns:All data received

Examples

>>> t = tube()
>>> t.unrecv('clean me up')
>>> t.clean(0)
'clean me up'
>>> len(t.buffer)
0
clean_and_log(timeout = 0.05)[source]

Works exactly as pwnlib.tubes.tube.tube.clean(), but logs received data with pwnlib.self.info().

Returns:All data received

Examples

>>> def recv(n, data=['', 'hooray_data']):
...     while data: return data.pop()
>>> t = tube()
>>> t.recv_raw      = recv
>>> t.connected_raw = lambda d: True
>>> t.fileno        = lambda: 1234
>>> with context.local(log_level='info'):
...     data = t.clean_and_log() 
[DEBUG] Received 0xb bytes:
    'hooray_data'
>>> data
'hooray_data'
>>> context.clear()
close()[source]

Closes the tube.

connect_both(other)[source]

Connects the both ends of this tube object with another tube object.

connect_input(other)[source]

Connects the input of this tube to the output of another tube object.

Examples

>>> def p(x): print x
>>> def recvone(n, data=['data']):
...     while data: return data.pop()
...     raise EOFError
>>> a = tube()
>>> b = tube()
>>> a.recv_raw = recvone
>>> b.send_raw = p
>>> a.connected_raw = lambda d: True
>>> b.connected_raw = lambda d: True
>>> a.shutdown      = lambda d: True
>>> b.shutdown      = lambda d: True
>>> import time
>>> _=(b.connect_input(a), time.sleep(0.1))
data
connect_output(other)[source]

Connects the output of this tube to the input of another tube object.

Examples

>>> def p(x): print x
>>> def recvone(n, data=['data']):
...     while data: return data.pop()
...     raise EOFError
>>> a = tube()
>>> b = tube()
>>> a.recv_raw = recvone
>>> b.send_raw = p
>>> a.connected_raw = lambda d: True
>>> b.connected_raw = lambda d: True
>>> a.shutdown      = lambda d: True
>>> b.shutdown      = lambda d: True
>>> _=(a.connect_output(b), time.sleep(0.1))
data
connected(direction = 'any') → bool[source]

Returns True if the tube is connected in the specified direction.

Parameters:direction (str) – Can be the string ‘any’, ‘in’, ‘read’, ‘recv’, ‘out’, ‘write’, ‘send’.

Doctest:

>>> def p(x): print x
>>> t = tube()
>>> t.connected_raw = p
>>> _=map(t.connected, ('any', 'in', 'read', 'recv', 'out', 'write', 'send'))
any
recv
recv
recv
send
send
send
>>> t.connected('bad_value') 
Traceback (most recent call last):
...
KeyError: "direction must be in ['any', 'in', 'out', 'read', 'recv', 'send', 'write']"
fileno() → int[source]

Returns the file number used for reading.

interactive(prompt = pwnlib.term.text.bold_red('$') + ' ')[source]

Does simultaneous reading and writing to the tube. In principle this just connects the tube to standard in and standard out, but in practice this is much more usable, since we are using pwnlib.term to print a floating prompt.

Thus it only works in while in pwnlib.term.term_mode.

recv(numb = 4096, timeout = default) → str[source]

Receives up to numb bytes of data from the tube, and returns as soon as any quantity of data is available.

If the request is not satisfied before timeout seconds pass, all data is buffered and an empty string ('') is returned.

Raises:exceptions.EOFError – The connection is closed
Returns:A string containing bytes received from the socket, or '' if a timeout occurred while waiting.

Examples

>>> t = tube()
>>> # Fake a data source
>>> t.recv_raw = lambda n: 'Hello, world'
>>> t.recv() == 'Hello, world'
True
>>> t.unrecv('Woohoo')
>>> t.recv() == 'Woohoo'
True
>>> with context.local(log_level='debug'):
...    _ = t.recv() 
[...] Received 0xc bytes:
    'Hello, world'
recvall() → str[source]

Receives data until EOF is reached.

recvline(keepends = True) → str[source]

Receive a single line from the tube.

A “line” is any sequence of bytes terminated by the byte sequence set in newline, which defaults to '\n'.

If the request is not satisfied before timeout seconds pass, all data is buffered and an empty string ('') is returned.

Parameters:
  • keepends (bool) – Keep the line ending (True).
  • timeout (int) – Timeout
Returns:

All bytes received over the tube until the first newline '\n' is received. Optionally retains the ending.

Examples

>>> t = tube()
>>> t.recv_raw = lambda n: 'Foo\nBar\r\nBaz\n'
>>> t.recvline()
'Foo\n'
>>> t.recvline()
'Bar\r\n'
>>> t.recvline(keepends = False)
'Baz'
>>> t.newline = '\r\n'
>>> t.recvline(keepends = False)
'Foo\nBar'
recvline_contains(items, keepends=False, timeout=pwnlib.timeout.Timeout.default)[source]

Receive lines until one line is found which contains at least one of items.

Parameters:
  • items (str,tuple) – List of strings to search for, or a single string.
  • keepends (bool) – Return lines with newlines if True
  • timeout (int) – Timeout, in seconds

Examples

>>> t = tube()
>>> t.recv_raw = lambda n: "Hello\nWorld\nXylophone\n"
>>> t.recvline_contains('r')
'World'
>>> f = lambda n: "cat dog bird\napple pear orange\nbicycle car train\n"
>>> t = tube()
>>> t.recv_raw = f
>>> t.recvline_contains('pear')
'apple pear orange'
>>> t = tube()
>>> t.recv_raw = f
>>> t.recvline_contains(('car', 'train'))
'bicycle car train'
recvline_endswith(delims, keepends = False, timeout = default) → str[source]

Keep receiving lines until one is found that starts with one of delims. Returns the last line received.

If the request is not satisfied before timeout seconds pass, all data is buffered and an empty string ('') is returned.

See recvline_startswith() for more details.

Examples

>>> t = tube()
>>> t.recv_raw = lambda n: 'Foo\nBar\nBaz\nKaboodle\n'
>>> t.recvline_endswith('r')
'Bar'
>>> t.recvline_endswith(tuple('abcde'), True)
'Kaboodle\n'
>>> t.recvline_endswith('oodle')
'Kaboodle'
recvline_pred(pred, keepends = False) → str[source]

Receive data until pred(line) returns a truthy value. Drop all other data.

If the request is not satisfied before timeout seconds pass, all data is buffered and an empty string ('') is returned.

Parameters:pred (callable) – Function to call. Returns the line for which this function returns True.

Examples

>>> t = tube()
>>> t.recv_raw = lambda n: "Foo\nBar\nBaz\n"
>>> t.recvline_pred(lambda line: line == "Bar\n")
'Bar'
>>> t.recvline_pred(lambda line: line == "Bar\n", keepends=True)
'Bar\n'
>>> t.recvline_pred(lambda line: line == 'Nope!', timeout=0.1)
''
recvline_regex(regex, exact=False, keepends=False, timeout=pwnlib.timeout.Timeout.default)[source]

recvregex(regex, exact = False, keepends = False, timeout = default) -> str

Wrapper around recvline_pred(), which will return when a regex matches a line.

By default re.RegexObject.search() is used, but if exact is set to True, then re.RegexObject.match() will be used instead.

If the request is not satisfied before timeout seconds pass, all data is buffered and an empty string ('') is returned.

recvline_startswith(delims, keepends = False, timeout = default) → str[source]

Keep receiving lines until one is found that starts with one of delims. Returns the last line received.

If the request is not satisfied before timeout seconds pass, all data is buffered and an empty string ('') is returned.

Parameters:
  • delims (str,tuple) – List of strings to search for, or string of single characters
  • keepends (bool) – Return lines with newlines if True
  • timeout (int) – Timeout, in seconds
Returns:

The first line received which starts with a delimiter in delims.

Examples

>>> t = tube()
>>> t.recv_raw = lambda n: "Hello\nWorld\nXylophone\n"
>>> t.recvline_startswith(tuple('WXYZ'))
'World'
>>> t.recvline_startswith(tuple('WXYZ'), True)
'Xylophone\n'
>>> t.recvline_startswith('Wo')
'World'
recvlines(numlines, keepends = False, timeout = default) → str list[source]

Receive up to numlines lines.

A “line” is any sequence of bytes terminated by the byte sequence set by newline, which defaults to '\n'.

If the request is not satisfied before timeout seconds pass, all data is buffered and an empty string ('') is returned.

Parameters:
  • numlines (int) – Maximum number of lines to receive
  • keepends (bool) – Keep newlines at the end of each line (False).
  • timeout (int) – Maximum timeout
Raises:

exceptions.EOFError – The connection closed before the request could be satisfied
Returns:

A string containing bytes received from the socket, or '' if a timeout occurred while waiting.

Examples

>>> t = tube()
>>> t.recv_raw = lambda n: '\n'
>>> t.recvlines(3)
['', '', '']
>>> t.recv_raw = lambda n: 'Foo\nBar\nBaz\n'
>>> t.recvlines(3)
['Foo', 'Bar', 'Baz']
>>> t.recvlines(3, True)
['Foo\n', 'Bar\n', 'Baz\n']
recvn(numb, timeout = default) → str[source]

Receives exactly n bytes.

If the request is not satisfied before timeout seconds pass, all data is buffered and an empty string ('') is returned.

Raises:exceptions.EOFError – The connection closed before the request could be satisfied
Returns:A string containing bytes received from the socket, or '' if a timeout occurred while waiting.

Examples

>>> t = tube()
>>> data = 'hello world'
>>> t.recv_raw = lambda *a: data
>>> t.recvn(len(data)) == data
True
>>> t.recvn(len(data)+1) == data + data[0]
True
>>> t.recv_raw = lambda *a: None
>>> # The remaining data is buffered
>>> t.recv() == data[1:]
True
>>> t.recv_raw = lambda *a: time.sleep(0.01) or 'a'
>>> t.recvn(10, timeout=0.05)
''
>>> t.recvn(10, timeout=0.06) 
'aaaaaa...'
recvpred(pred, timeout = default) → str[source]

Receives one byte at a time from the tube, until pred(bytes) evaluates to True.

If the request is not satisfied before timeout seconds pass, all data is buffered and an empty string ('') is returned.

Parameters:
  • pred (callable) – Function to call, with the currently-accumulated data.
  • timeout (int) – Timeout for the operation
Raises:

exceptions.EOFError – The connection is closed
Returns:

A string containing bytes received from the socket, or '' if a timeout occurred while waiting.
recvregex(regex, exact = False, timeout = default) → str[source]

Wrapper around recvpred(), which will return when a regex matches the string in the buffer.

By default re.RegexObject.search() is used, but if exact is set to True, then re.RegexObject.match() will be used instead.

If the request is not satisfied before timeout seconds pass, all data is buffered and an empty string ('') is returned.

recvrepeat(timeout = default) → str[source]

Receives data until a timeout or EOF is reached.

Examples

>>> data = [
... 'd',
... '', # simulate timeout
... 'c',
... 'b',
... 'a',
... ]
>>> def delayrecv(n, data=data):
...     return data.pop()
>>> t = tube()
>>> t.recv_raw = delayrecv
>>> t.recvrepeat(0.2)
'abc'
>>> t.recv()
'd'
recvuntil(delims, timeout = default) → str[source]

Receive data until one of delims is encountered.

If the request is not satisfied before timeout seconds pass, all data is buffered and an empty string ('') is returned.

Parameters:
  • delims (str,tuple) – String of delimiters characters, or list of delimiter strings.
  • drop (bool) – Drop the ending. If True it is removed from the end of the return value.
Raises:

exceptions.EOFError – The connection closed before the request could be satisfied
Returns:

A string containing bytes received from the socket, or '' if a timeout occurred while waiting.

Examples

>>> t = tube()
>>> t.recv_raw = lambda n: "Hello World!"
>>> t.recvuntil(' ')
'Hello '
>>> _=t.clean(0)
>>> # Matches on 'o' in 'Hello'
>>> t.recvuntil(tuple(' Wor'))
'Hello'
>>> _=t.clean(0)
>>> # Matches expressly full string
>>> t.recvuntil(' Wor')
'Hello Wor'
>>> _=t.clean(0)
>>> # Matches on full string, drops match
>>> t.recvuntil(' Wor', drop=True)
'Hello'

>>> # Try with regex special characters
>>> t = tube()
>>> t.recv_raw = lambda n: "Hello|World"
>>> t.recvuntil('|', drop=True)
'Hello'
send(data)[source]

Sends data.

If log level DEBUG is enabled, also prints out the data received.

If it is not possible to send anymore because of a closed connection, it raises exceptions.EOFError

Examples

>>> def p(x): print repr(x)
>>> t = tube()
>>> t.send_raw = p
>>> t.send('hello')
'hello'
sendafter(delim, data, timeout = default) → str[source]

A combination of recvuntil(delim, timeout) and send(data).

sendline(data)[source]

Shorthand for t.send(data + t.newline).

Examples

>>> def p(x): print repr(x)
>>> t = tube()
>>> t.send_raw = p
>>> t.sendline('hello')
'hello\n'
>>> t.newline = '\r\n'
>>> t.sendline('hello')
'hello\r\n'
sendlineafter(delim, data, timeout = default) → str[source]

A combination of recvuntil(delim, timeout) and sendline(data).

sendlinethen(delim, data, timeout = default) → str[source]

A combination of sendline(data) and recvuntil(delim, timeout).

sendthen(delim, data, timeout = default) → str[source]

A combination of send(data) and recvuntil(delim, timeout).

settimeout(timeout)[source]

Set the timeout for receiving operations. If the string “default” is given, then context.timeout will be used. If None is given, then there will be no timeout.

Examples

>>> t = tube()
>>> t.settimeout_raw = lambda t: None
>>> t.settimeout(3)
>>> t.timeout == 3
True
shutdown(direction = "send")[source]

Closes the tube for futher reading or writing depending on direction.

Parameters:direction (str) – Which direction to close; “in”, “read” or “recv” closes the tube in the ingoing direction, “out”, “write” or “send” closes it in the outgoing direction.
Returns:None

Examples

>>> def p(x): print x
>>> t = tube()
>>> t.shutdown_raw = p
>>> _=map(t.shutdown, ('in', 'read', 'recv', 'out', 'write', 'send'))
recv
recv
recv
send
send
send
>>> t.shutdown('bad_value') 
Traceback (most recent call last):
...
KeyError: "direction must be in ['in', 'out', 'read', 'recv', 'send', 'write']"
spawn_process(*args, **kwargs)[source]

Spawns a new process having this tube as stdin, stdout and stderr.

Takes the same arguments as subprocess.Popen.

stream()[source]

Receive data until the tube exits, and print it to stdout.

Similar to interactive(), except that no input is sent.

Similar to print tube.recvall() except that data is printed as it is received, rather than after all data is received.

Parameters:line_mode (bool) – Whether to receive line-by-line or raw data.
Returns:All data printed.
timeout_change()[source]

Informs the raw layer of the tube that the timeout has changed.

Should not be called directly.

Inherited from Timeout.

unrecv(data)[source]

Puts the specified data back at the beginning of the receive buffer.

Examples

>>> t = tube()
>>> t.recv_raw = lambda n: 'hello'
>>> t.recv()
'hello'
>>> t.recv()
'hello'
>>> t.unrecv('world')
>>> t.recv()
'world'
>>> t.recv()
'hello'
wait()[source]

Waits until the tube is closed.

wait_for_close()[source]

Waits until the tube is closed.

newline = '\n'[source]

Delimiter to use for sendline(), recvline(), and related functions.