This changelog only includes added major features and changes. Bugfixes and minor changes are omitted.
The table below shows which release corresponds to each branch, and what date the version was released.
Version | Branch | Release Date |
---|---|---|
4.2.0 | dev |
Feb 10, 2020 (planned) |
4.1.0 | beta |
Jan 30, 2020 (planned) |
4.0.1 | stable |
Jan 22, 2020 |
4.0.0 | Jan 09, 2020 | |
3.13.0 | Nov 5, 2019 | |
3.12.1 | Sept 17, 2018 | |
3.12.0 | Feb 22, 2018 | |
3.11.0 | Jan 3, 2018 | |
3.10.0 | Oct 25, 2017 | |
3.9.2 | Oct 5, 2017 | |
3.9.1 | Sep 28, 2017 | |
3.9.0 | Sep 11, 2017 | |
3.8.0 | Jul 29, 2017 | |
3.7.1 | Jul 14, 2017 | |
3.7.0 | Jun 19, 2017 | |
3.6.1 | May 12, 2017 | |
3.6.0 | May 8, 2017 | |
3.5.1 | Apr 15, 2017 | |
3.5.0 | Mar 26, 2017 | |
3.4.1 | Feb 17, 2017 | |
3.4.0 | Feb 13, 2017 | |
3.3.4 | Jan 12, 2016 | |
3.3.3 | Jan 10, 2016 | |
3.3.2 | Jan 10, 2016 | |
3.3.1 | Jan 10, 2016 | |
3.3.0 | Dec 24, 2016 | |
3.2.1 | Dec 24, 2016 | |
3.2.0 | Nov 12, 2016 | |
3.1.1 | Oct 23, 2016 | |
3.1.0 | Oct 2, 2016 | |
3.0.4 | Sept 19, 2016 | |
3.0.3 | Sept 18, 2016 | |
3.0.2 | Sept 6, 2016 | |
3.0.1 | Aug 20, 2016 | |
3.0.0 | Aug 20, 2016 | |
2.2.0 | Jan 5, 2015 |
To be released on Feb 10, 2020.
To be released on Jan 30, 2020.
- [#1316][1316] Fix connect shellcraft in python 3
- [#1323][1323] Fix issues related with debugging
- [#1001][1001] Enhance
unlock_bootloader
with better status messages - [#1389][1389] remove old dependencies
- #1241 Launch QEMU with sysroot if specified
- #1218 Support for FileStructure exploitation
- #1412
recvline_pred()
and similar do not reorder data - Bypass unicorn-engine/unicorn#1100 and unicorn-engine/unicorn#1170 requiring unstable package
- Python 3 support! <3
- [#1402][1402] Fix serialtube in python 3
- #1391 Fix process.libs
- #1317 Tubes with
context.encoding
- #1216 Improve format string generator
- #1285 Add freebsd generic syscall templates
- 76413f Add pwnlib.adb.bootimg for 'ANDROID!' format boot.img images
- #1202 Docker: Kill 14 layers in pwntools base images
- #1182 shellcraft.dupio() for mips
- #1204 Reduce ROP cache filename length
- #1175 Fix nested SSH connectors
- #1355 Fix 'break' syscall
- #1277 Fix timeout parameter passing in sendlineafter and other similar functions
- #1292 Provide correct arch name to gdb for sparc64
- #1104 Add
DynELF.dump()
for dumping remote ELF files - #1101 Set
context.os
viacontext.binary
, useful for Android exploitation - 5fdc08 Work around broken
pidof
on Android - 63dfed Print warning when Corefile deletion fails instead of throwing an exception
- #1094 Make hexdump output alignment more consistent
- #1096
flat()
andfit()
are now the same function
- 1242 Use IntervalTree 2.xx, disallow use of 3.xx
- 1243 Fix a typo that caused an exception when executing a binary with
process()
which returns-ENOEXEC
and the system does not haveqemu-user
binaries installed.
- [#1198][1198] More compatibility fixes for pyelftools==0.25, and pin Sphinx<1.8.0 since it causes testing errors
- [#1191][1191] Fix compatibility with pyelftools==0.25
- #1159 Fix check for
/proc/.../status
- #1162 Fix broken package versions
- #1150 Fix exception raised when a cache file is missing
- #1156 Fix ROP gadget selection logic involving
int
andsyscall
instructions - #1152 Fix QEMU LD_PREFIX calculation (wrong parameter passed)
- #1155 Use Ubuntu Trusty for all CI builds
- #1131 Add "libc-" to libc prefixes in
process
tubes - #1125 Fix a typo
- #1121 Fix tests which were broken by an upstream Sphinx change
- #1083 Better error messages for
gdb
whenLD_PRELOAD
is incorrect - #1085 Add support for extracting Android
BOOTLDR!
images - #1075 Add support for detecting GNU Screen for
run_in_new_terminal
- #1074 Add support for running
pwntools-gdb
wrapper script instead ofgdb
- #1068 Work around very old OpenSSL versions which don't have sha256 support AND don't exit with an error code when trying to use it
- #1067 Add
pwnlib.tubes.server
module, which adds a reusableserver
listener - #1063 Add support for labels in
fit()
, allowing dynamic contents to be injected. (This feature is really cool, check out the pull request!)
- #1044 Enhancements to ROP
- Much better support for 64-bit Intel (amd64) ROP
- ROP gadget selection is optimized to favor multi-pops instead of multiple single-pop gadgets
- Added support for blacklisting byte values in ROP gadget addresses
- #1049 Enhancements to
cyclic
context
now has two additional attributes,cyclic_alphabet
andcyclic_length
, which correspond to the argumentsalphabet
andn
tocyclic()
andcyclic_find()
and related routines.- The motivation for this change is to allow setting the
alphabet
globally, so that any padding / patterns generated internally to pwntools can be controlled. The specific motivation is blacklisting values in ROP padding.
- #1052 Enhancements for detecting
QEMU_LD_PREFIX
used by QEMU user-mode emulation for sysroots - #1035 Minor documentation changes
- #1032 Enhancements to
pwn template
- #1031 More accurate
Coredump.fault_addr
on amd64 - #1084 Fix broken tests due to
ftp.debian.org
going down
- #1007 Add support for setting a
gdbinit
file in the context - #1055 Fixes for
Corefile
stack parsing, speed upELF.string()
- #1057 Fix a variable name typo in
DynELF
logging which results in an exception being thrown - #1058 Fix an edge case in
ssh_process.exe
- #1043 Do not attempt to populate the libraries used by statically-linked binaries
- #1038 Fix an issue with
process()
where glibc would buffer data internally, causing a hang onselect()
- #1036 Fix Travis CI logging verbosity
- #1029 Fix some
unicode
issues when using thereadline
command history intube.interactive()
- #1003 Make
concat_all
faster while also simplifying it's logic - #1014 Fix for overwritten env when parsing core file
- #1023 Fixes to Travis CI
- #981 Fixed RELRO detection logic
- #986 Enhancements to DynELF for controlling usage of LibcDB
- A few documentation fixes
- A few fixes for the Docker image
- #998 Fix a bug where integer values could not be set in
.pwn.conf
.
- #933 DynELF works better with different base addresses
- #952 A few small fixes were made to
pwn template
, and the CRC database was updated. - 5c72d62c Updated the CRC database
- #979+1a4a1e1 Fixed #974, a bug related to the terminal handling and numlock.
- #980 Fixed the
pwn template
command.
- #895 Added a Dockerfile to simplify testing setup and allow testing on OSX
- #897 Fixed some incorrect AArch64 syscals
- #893 Added the
pwnlib.config
module- Configuration options can now be set in
~/.pwn.conf
- This replaces the old, undocumented mechanism for changing logging colors. Only @br0ns and @ebeip90 were likely using this.
- More information is available in the documentation here.
- Configuration options can now be set in
- #899 Pwntools now uses Unicorn Engine to emulate PLT instructions to ensure correct mapping of PIE / RELRO binaries.
- #904 Enhancements to the accuracy of the
pwn checksec
command. - #905 Added a
pwn debug
command-line utility which automates the process ofgdb.attach(process(...))
to spawn GDB- More information is available in the documentation here
- #919 Added a
pwn template
command-line utility to simplify the process of bootstrapping a new exploit.- More information is available in the documentation here.
- #948 Fix unnecessary warning for Core files
- #954 Fix list processing in
~/.pwn.conf
- #967 Respect
TERM_PROGRAM
forrun_in_new_terminal
- #970 Fix overly-aggressive corefile caching
- #945 Speed up ssh via caching checksec results (fixes #944)
- #950 Fixes a bug where setting
context.arch
does not have an effect onadb.compile()
output architecture
- b584ca3 Fixed an issue running
setup.py
on ARM - #822 Enabled relative leaks with
MemLeak
- This should be useful for e.g. heap-relative leaks
- #832 Changed all internal imports to use absolute imports (no functional changes)
- a12d0b6 Move
STDOUT
,PIPE
,PTY
constants to globalsprocess(..., stdin=process.PTY)
-->process(..., stdin=PTY)
- #828 Use
PR_SET_PTRACER
for allprocess()
andssh.process()
instances- This simplifies debugging on systems with YAMA ptrace enabled
- Various documentation enhancements
- #833 Performance enhancements for
adb
module - d0267f3
packing.fit()
now treats large offsets as cyclic patterns (e.g.0x61616161
behaves the same as"aaaa"
) - #835 Added
ssh.checksec
- Reports the kernel version and other relevant information on connection
- #857 Slightly shortened
execve
shellcode - 300f8e0 Slightly speed up processing of large ELF files
- #861 Adds support for extracting
IKCONFIG
configs from Linux kernel images, and extendschecksec
to report on any insecure configurations discovered - #871 Moves all of the basic syscall templates to
shellcraft/common
and exposes them via symlinks. Closed #685- Should not have any visible effects from any documented APIs
shellcraft.arch.os.syscall_function()
still works the same- We now have the ability to differentiate between the
connect
syscall, and a TCPconnect
helper
- #887
sh_string
now returns a quoted empty string''
rather than just an empty string - #839 Exposes a huge amount of functionality via corefiles which was not previously availble. See the docs for examples.
process().corefile
will automatically instantiate a Corefile for the process- QEMU-emulated processes are supported
- Native processes are supported, including extraction of coredumps from
apport
crash logs - Native processes can be dumped while running, in a manner similar to
GDB
'sgcore
script
- #875 Added documentation (and tests) for AArch64 shellcode
- #882 The
ROP
class now respectscontext.bytes
instead of using the hard-coded value of4
(fixed #879) - #869 Added several fields to the
process
class (uid
,gid
,suid
,sgid
) which are recorded at execution time, based on the file permissions - #868 Changed the way that
ssh.process()
works internally, and it now returns a more specialized class,ssh_process
.- Added
ssh_process.corefile
for fetching remote corefiles - Added
ssh_process.ELF
for getting an ELF of the remote executable - The
uid
,gid
, andsuid
, andsgid
which are recorded at execution time, based on the file permissions
- Added
- #865 Fixes
ELF.read
to support contiguous memory reads across non-contiguous file-backed segments - #862 Adds a
symlink=
argument tossh.set_working_directory
, which will automatically symlink all of the files in the "old" working directory into the "new" working directory
- #894 Fix a bug when using
gdb.debug()
over ssh. - e021f57 Fix a bug (#891) in
rop
when needing to insert padding to fix alignment
- #800 Add
shell=
option tossh.process()
- #806 Add
context.buffer_size
for fine-tuningtube
performance- Also adds
buffer_fill_size=
argument for all tubes
- Also adds
- b83a6c7 Fix undocumented
process.leak
function - 546061e Modify
coredump_filter
of all spawned processes, so that core dumps are more complete - #809 Add several functions to
adb
(unlink
,mkdir
,makedirs
,isdir
,exists
) - #817 Make disconnection detection more robust
- #850 and #846 fix issues with
hexdump
and thephd
command-line utility, when using pipes (e.g.echo foo | phd
) - #852 Fixes register ordering in
regsort
- #853 Fixes the registers restored in
shellcraft.amd64.popad
- #843 fixed a bug in
amd64.mov
.
- #833 Fixed a performance-impacting bug in the adb module.
- #837 Fixed a bug(#836) causing
hexdump(cyclic=True)
to throw an exception.
- b198ec8 Added
tube.stream()
function, which is liketube.interact()
without a prompt or keyboard input.- Effectively, this is similar to
cat file
and just prints data as fast as it is received.
- Effectively, this is similar to
- aec3fa6 Disable update checks against GitHub
- These checks frequently broke due to GitHub query limits
- #757 Fixed
adb.wait_for_device()
re-use of the same connection - f9133b1 Add a
STDERR
magic argument to make logging go tostderr
instead ofstdout
- Usage is e.g.
python foo.py STDERR
orPWNLIB_STDERR=1 python foo.py
- Also adds
context.log_console
to log to any file or terminal
- Usage is e.g.
- 67e11a9 Add faster error checking to
cyclic()
when provided very large values - 5fda658 Expose BitPolynom in
globals()
- #765 Added
-d
option for hex-escaped output forshellcraft
command-line tool - #772 Fixed bash completion regressions
- 30c34b7 Fix
ROP.call()
withFunction
objects fromELF.functions
- fa402ce Add
adb.uptime
andadb.boot_time
- 82312ba Add
cyclic_metasploit
andcyclic_metasploit_find
Multiple bug fixes.
- #783 Fix
adb.uninstall
typo - #787 Added error handling for
ssh.process
argumentpreexec_fn
- #793 Fixed progress message in
remote()
when connections failed - #802 Fixed partition listing in
adb.partitions
, which accidentally shelled out to theadb
binary - #804 Fix error message for 32-bit distributions
- #805 Fix exception in
Core.segments
when a segment has no name - #811 Fixes and performance improvements for
adb.wait_for_device()
- #813 Fixed a release script
- #814 Fixed exceptions thrown if the
$HOME
directory is not writable - #815 Properly handle
None
inMemLeak
- #695 Fixed a performance regression in
phd
. - 452605e Fixed #629 related to correct removal of temporary files.
- ea94ee4 Disallows semi-colons in for the
run_in_terminal
function, since it did not work properly in all cases. - 6376d07 Added the mips shellcode
pushstr_array
. - #700 Added missing MIPS shellcode documentation to readthedocs, and enabled unit tests
- #701 Command line tools refactored to have a common
pwn
entry point.- Added an option to not install the traditional
asm
,disasm
,checksec
, etc scripts - All existing tools can be accessed from the
pwn
command (e.g.pwn asm nop
).
- Added an option to not install the traditional
- #704 The
process
object has a new, optional argumentalarm
for setting aSIGALRM
timeout for processes. - #705 Added the Android Emulator to the test suite and Travis CI.
- Android Emulator is now required for the full test suite
- Android Emulator tests are skipped if no Android-related changes are detected
- #711
DynELF
has a new attribute,heap
, which leaks the currentbrk
address (heap base). This is useful for finding heap allocations with dlmalloc-derived allocators like those used by Glibc. - #717
sh_string
was rewritten to emit more compact and compatible strings- This was achieved by embedding single-quoted non-printable literals
- Much more testing was added
- Emitted strings are no longer copy-paste compatible, but work fine with e.g.
tubes
module and the defaultsubprocess
module
- #709 The
adb
module now directly talks to theadb
server process via a new module,adb.protocol
- Removes the need to shell out to
adb
- Avoids version-compatibility issues with
adb
server vs. client
- Removes the need to shell out to
- #703 Added new methods to
adb
install
- Installs an APKuninstall
- Uninstalls a packagepackages
- Lists installed packages
- 4893819 Modified
shellcraft.sh
on all platforms to provideargv[0]
and setargc==1
- This is needed for systems which have Busybox or other minimal shell for
/bin/sh
which does not behave well withargc==0
orargv[0]==NULL
.
- This is needed for systems which have Busybox or other minimal shell for
- 1e414af Added
connect()
alias forremote()
- For example,
io=connect('google.com', 80)
- This also works with
tcp(...)
andudp(...)
aliases
- For example,
- 869ec42 Added
ssh.read()
andssh.write()
aliases - 2af55c9
AdbDevice
objects exposed via e.g.adb.devices()
now offer scoped access to alladb
module properties- It is now possible to e.g.
map(lambda d: d.process(['id']).recvall(), adb.devices())
- It is now possible to e.g.
Fixed a bug in MemLeak.struct
(PR: #768).
A number of smaller bugfixes and documentation tweaks.
- Fixed a bug that made 3.0.3 uninstallable (Issue: #751, PR: #752)
- Fixed some performance and usability problems with the update system (Issues: #723, #724, #736. PRs: #729, #738, #747).
- Fixed a bug related to internals in pyelftools (PRs: #730, #746).
- Fixed an issue with travis (Issue: #741, PRs: #743, #744, #745).
- Cherry-pick #695, as this was a regression-fix.
- Added a fix for the update checker, as it would suggest prereleases as updates to stable releases.
- Various documentation fixes.
A small bugfix release. There were a lot of references to the master
-branch, however after 3.0.0 we use the names stable
, beta
and dev
for our branches.
This was a large release (1305 commits since 2.2.0) with a lot of bugfixes and changes. The Binjitsu project, a fork of Pwntools, was merged back into Pwntools. As such, its features are now available here.
As always, the best source of information on specific features is the comprehensive docs at https://pwntools.readthedocs.org.
This list of changes is non-complete, but covers all of the significant changes which were appropriately documented.
Android support via a new adb
module, context.device
, context.adb_host
, and context.adb_port
.
- Assembly module enhancements for making ELF modules from assembly or pre-assembled shellcode. See
asm.make_elf
andasm.make_elf_from_assembly
. asm
andshellcraft
command-line tools support flags for the new shellcode encodersasm
andshellcraft
command-line tools support--debug
flag for automatically launching GDB on the result- Added MIPS, PowerPC, and AArch64 support to the
shellcraft
module - Added Cyber Grand Challenge (CGC) support to the
shellcraft
module - Added syscall wrappers for every Linux syscall for all supported architectures to the
shellcraft
module- e.g.
shellcraft.<arch>.gettimeofday
- e.g.
- (e.g.
shellcraft.i386.linux.
) - Added in-memory ELF loaders for most supported architectures
- Only supports statically-linked binaries
shellcraft.<arch>.linux.loader
- Added
context.aslr
which controls ASLR on launched processes. This works with bothprocess()
andssh.process()
, and can be specified per-process with theaslr=
keyword argument. - Added
context.binary
which automatically sets allcontext
variables from an ELF file. - Added
context.device
,context.adb
,context.adb_port
, andcontext.adb_host
for connecting to Android devices. - Added
context.kernel
setting for SigReturn-Oriented-Programming (SROP). - Added
context.log_file
setting for sending logs to a file. This can be set with theLOG_FILE
magic command-line option. - Added
context.noptrace
setting for disabling actions which requireptrace
support. This is useful for turning allgdb.debug
andgdb.attach
options into no-ops, and can be set via theNOPTRACE
magic command-line option. - Added
context.proxy
which hooks all connections and sends them to a SOCKS4/SOCKS5. This can be set via thePROXY
magic command-line option. - Added
context.randomize
to control randomization of settings like XOR keys and register ordering (default off). - Added
context.terminal
for setting how to launch commands in a new terminal.
- Added a
DynELF().libc
property which attempt to find the remote libc and download the ELF from LibcDB. - Added a
DynELF().stack
property which leaks the__environ
pointer from libc, making it easy to leak stack addresses. - Added
MemLeak.String
andMemLeak.NoNewlines
and other related helpers for handling special leakers which cannot e.g. handle newlines in the leaked addresses and which leak a C string (e.g. auto-append a'\x00'
). - Enhancements for leaking speed via
MemLeak.compare
to avoid leaking an entire field if we can tell from a partial leak that it does not match what we are searching for.
- Added a
pwnlib.encoders
module for assembled-shellcode encoders/decoders - Includes position-independent basic XOR encoders
- Includes position-independent delta encoders
- Includes non-position-independent alphanumeric encoders for Intel
- Includes position-independent alphanumeric encoders for ARM/Thumb
- Added a
Core
object which can parse core-files, in order to extract / search for memory contents, and extract register states (e.g.Core('./corefile').eax
).
- Added a basic
fmtstr
module for assisting with Format String exploitation
- Added support for debugging Android devices when
context.os=='android'
- Added helpers for debugging shellcode snippets with
gdb.debug_assembly()
andgdb.debug_shellcode()
- Added support for SigReturn via
pwnlib.rop.srop
- Occurs automatically when syscalls are invoked and a function cannot be found
- SigReturn frames can be constructed manually with
SigreturnFrame()
objects
- Added functional doctests for ROP and SROP
process()
has many new options, check out the documentationaslr
controls ASLRsetuid
can disable the effect of setuid, allowing core dumps (useful for extracting crash state via the newCore()
object)- TTY echo and control characters can be enabled via
raw
argument
stdout
andstderr
are now PTYs by defaultstdin
can be set to a PTY also via settingstdin=process.PTY
- Massive enhancements all over
ssh
objects now have assh.process()
method which avoids the need to handle shell expansion via the oldssh.run()
method- Files are downloaded via SFTP if available
- New
download
andupload
methods auto-detect whether the target is a file or directory and acts accordingly - Added
listen()
method alias forlisten_remote()
- Added
remote()
method alias forconnect_remote()
- Added
fit()
method to combine the functionality offlat()
with the functionality ofcyclic()
- Added
negative()
method to negate the value of an integer via two's complement, with respect to the current integer size (context.bytes
). - Added
xor_key()
method to generate an XOR key which avoids undesirable bytes over a given input. - Added a multi-threaded
bruteforce()
implementation,mbruteforce()
. - Added
dealarm_shell()
helper to remove the effects ofalarm()
after you've popped a shell.
This was a large release with a lot of bugfixes and changes. Only the most significant are mentioned here.
- Added shellcodes
- Added phd
- Re-added our expansion of itertools
- Added replacements for some semi-broken python standard library modules
- Re-implemented the rop module
- Added a serial tube
- Huge performance gains in the buffering for tubes
- Re-added user agents
- Begun using Travis CI with lots of test
- Removed bundled binutils in favor of documenting how to build them yourselves
- Added support for port forwarding though our SSH module
- Added dependency for capstone and ropgadget
- Added a lots of shellcodes
- Stuff we forgot
- Lots of documentation fixes
- Lots of bugfixes