PWiNTOOLS is a very basic implementation of pwntools for Windows to play with local processes and remote sockets.
Windows is not yet supported in the official pwntools: Minimal support for Windows #996.
Feel free to contribute or report bugs.
Read the code :)
```python
from pwintools import *

DEBUG = True
if DEBUG:
    r = Process("chall.exe") # Spawn chall.exe process
    r.spawn_debugger(breakin=False)
    log.info("WinExec @ 0x{:x}".format(r.symbols['kernel32.dll']['WinExec']))
else:
    r = Remote("challenge.remote.service", 8080)

r.sendline('ID123456789') # send / write
if r.recvline().strip() == 'GOOD': # recv / read / recvn / recvall / recvuntil
    log.success('Woot password accepted!')
    r.send(shellcraft.amd64.WinExec('cmd.exe'))
else:
    log.failure('Bad password')

log.info('Starting interactive mode ...')
r.interactive() # interactive2 for Remote available
```
The test directory provides some examples of usage:
- test_pwn_pe spawns pwn.exe and exploits it (pwn.exe can be built using `tests/build_pwn_pe.py`, which requires LIEF)
- test_remote is a basic TCP connection and interaction
- test_shellcode injects shellcodes into notepad.exe to test them locally
- exemple_rop is an example of an exploit script for the associated vulnerable exemple_rop
PythonForWindows provides a Python implementation to play with Windows.
Optionals:
Improve 32 bits support and testing
Support local Context like pwntools
Improve Shellcraft to avoid NULL bytes (xor_pair)
Provide examples with Python Debugger
Integrate gadgets tool support (rp++)
Process mitigation (appcontainer / Force ASLR rebase / Job sandboxing ...)
pip install pwintools :)
`Port` the project to pwntools
- Mastho
- Geluchat