This changelog only includes added major features and changes. Bugfixes and minor changes are omitted.
Currently on the dev branch
- #695 Fixed a performance regression in
phd. - #700 Added missing MIPS shellcode documentation to readthedocs, and enabled unit tests
- #701 Command line tools refactored to have a common
pwnentry point.- Added an option to not install the traditional
asm,disasm,checksec, etc scripts - All existing tools can be accessed from the
pwncommand (e.g.pwn asm nop).
- Added an option to not install the traditional
- #704 The
processobject has a new, optional argumentalarmfor setting aSIGALRMtimeout for processes. - #705 Added the Android Emulator to the test suite and Travis CI.
- Android Emulator is now required for the full test suite
- Android Emulator tests are skipped if no Android-related changes are detected
- #711
DynELFhas a new attribute,heap, which leaks the currentbrkaddress (heap base). This is useful for finding heap allocations with dlmalloc-derived allocators like those used by Glibc. - #717
sh_stringwas rewritten to emit more compact and compatible strings- This was achieved by embedding single-quoted non-printable literals
- Much more testing was added
- Emitted strings are no longer copy-paste compatible, but work fine with e.g.
tubesmodule and the defaultsubprocessmodule
- #709 The
adbmodule now directly talks to theadbserver process via a new module,adb.protocol- Removes the need to shell out to
adb - Avoids version-compatibility issues with
adbserver vs. client
- Removes the need to shell out to
Currently on the beta branch
A number of smaller bugfixes and documentation tweaks.
Current release
- Fixed some performance and usability problems with the update system (Issues: #723, #724, #736. PRs: #729, #738, #747).
- Fixed a bug related to internals in pyelftools (PRs: #730, #746).
- Fixed an issue with travis (Issue: #741, PRs: #743, #744, #745).
- Cherry-pick #695, as this was a regression-fix.
- Added a fix for the update checker, as it would suggest prereleases as updates to stable releases.
- Various documentation fixes.
A small bugfix release. There were a lot of references to the master-branch, however after 3.0.0 we use the names stable, beta and dev for our branches.
This was a large release (1305 commits since 2.2.0) with a lot of bugfixes and changes. The Binjitsu project, a fork of Pwntools, was merged back into Pwntools. As such, its features are now available here.
As always, the best source of information on specific features is the comprehensive docs at https://pwntools.readthedocs.org.
This list of changes is non-complete, but covers all of the significant changes which were appropriately documented.
Android support via a new adb module, context.device, context.adb_host, and context.adb_port.
- Assembly module enhancements for making ELF modules from assembly or pre-assembled shellcode. See
asm.make_elfandasm.make_elf_from_assembly. asmandshellcraftcommand-line tools support flags for the new shellcode encodersasmandshellcraftcommand-line tools support--debugflag for automatically launching GDB on the result- Added MIPS, PowerPC, and AArch64 support to the
shellcraftmodule - Added Cyber Grand Challenge (CGC) support to the
shellcraftmodule - Added syscall wrappers for every Linux syscall for all supported architectures to the
shellcraftmodule- e.g.
shellcraft.<arch>.gettimeofday
- e.g.
- (e.g.
shellcraft.i386.linux.) - Added in-memory ELF loaders for most supported architectures
- Only supports statically-linked binaries
shellcraft.<arch>.linux.loader
- Added
context.aslrwhich controls ASLR on launched processes. This works with bothprocess()andssh.process(), and can be specified per-process with theaslr=keyword argument. - Added
context.binarywhich automatically sets allcontextvariables from an ELF file. - Added
context.device,context.adb,context.adb_port, andcontext.adb_hostfor connecting to Android devices. - Added
context.kernelsetting for SigReturn-Oriented-Programming (SROP). - Added
context.log_filesetting for sending logs to a file. This can be set with theLOG_FILEmagic command-line option. - Added
context.noptracesetting for disabling actions which requireptracesupport. This is useful for turning allgdb.debugandgdb.attachoptions into no-ops, and can be set via theNOPTRACEmagic command-line option. - Added
context.proxywhich hooks all connections and sends them to a SOCKS4/SOCKS5. This can be set via thePROXYmagic command-line option. - Added
context.randomizeto control randommization of settings like XOR keys and register ordering (default off). - Added
context.termianlfor setting how to launch commands in a new terminal.
- Added a
DynELF().libcproperty which attempt to find the remote libc and download the ELF from LibcDB. - Added a
DynELF().stackproperty which leaks the__environpointer from libc, making it easy to leak stack addresses. - Added
MemLeak.StringandMemLeak.NoNewlinesand other related helpers for handling special leakers which cannot e.g. handle newlines in the leaked addresses and which leak a C string (e.g. auto-append a'\x00'). - Enhancements for leaking speed via
MemLeak.compareto avoid leaking an entire field if we can tell from a partial leak that it does not match what we are searching for.
- Added a
pwnlib.encodersmodule for assembled-shellcode encoders/decoders - Includes position-indepentent basic XOR encoders
- Includes position-independent delta encoders
- Includes non-position-independent alphanumeric encoders for Intel
- Includes position-independent alphanumeric encoders for ARM/Thumb
- Added a
Coreobject which can parse core-files, in order to extract / search for memory contents, and extract register states (e.g.Core('./corefile').eax).
- Added a basic
fmtstrmodule for assisting with Format String exploitation
- Added support for debugging Android devices when
context.os=='android' - Added helpers for debugging shellcode snippets with
gdb.debug_assembly()andgdb.debug_shellcode()
- Added support for SigReturn via
pwnlib.rop.srop- Occurs automatically when syscalls are invoked and a function cannot be found
- SigReturn frames can be constructed manually with
SigreturnFrame()objects
- Added functional doctests for ROP and SROP
process()has many new options, check out the documentationaslrcontrols ASLRsetuidcan disable the effect of setuid, allowing core dumps (useful for extracting crash state via the newCore()object)- TTY echo and control characters can be enabled via
rawargument
stdoutandstderrare now PTYs by defaultstdincan be set to a PTY also via settingstdin=process.PTY
- Massive enhancements all over
sshobjects now have assh.process()method which avoids the need to handle shell expansion via the oldssh.run()method- Files are downloaded via SFTP if available
- New
downloadanduploadmethods auto-detect whether the target is a file or directory and acts accordingly - Added
listen()method alias forlisten_remote() - Added
remote()method alias forconnect_remote()
- Added
fit()method to combine the functionality offlat()with the functionality ofcyclic() - Added
negative()method to negate the value of an integer via two's complement, with respect to the current integer size (context.bytes). - Added
xor_key()method to generate an XOR key which avoids undesirable bytes over a given input. - Added a multi-threaded
bruteforce()implementation,mbruteforce(). - Added
dealarm_shell()helper to remove the effects ofalarm()after you've popped a shell.
This was a large release with a lot of bugfixes and changes. Only the most significant are mentioned here.
- Added shellcodes
- Added phd
- Re-added our expansion of itertools
- Added replacements for some semi-broken python standard library modules
- Re-implemented the rop module
- Added a serial tube
- Huge performance gains in the buffering for tubes
- Re-added user agents
- Begun using Travis CI with lots of test
- Removed bundled binutils in favor of documenting how to build them yourselves
- Added support for port forwarding though our SSH module
- Added dependency for capstone and ropgadget
- Added a lots of shellcodes
- Stuff we forgot
- Lots of documentation fixes
- Lots of bugfixes