Welcome to the Google Summer of Code landing page for the Pwntools project!
You can find more information about the project, its mentors, project ideas, and how to get started below!
Information on registration can be found on the pwntools GSoC 2015 mailing list.
pwntools is an open-source, MIT-licensed framework for automating and aiding in the development of exploits for Capture The Flag (CTF) computer security competitions. binjitsu is a fork of this project that is developed more rapidly, and which contributes changes back to the main pwntools project.
In particular, pwntools provides commonly-used functionality that exploit authors frequently re-implement for each exploit, or copy-paste around. Additionally, it assists in the exploit development process by automating some operations, or by providing automated analysis and discovery about a program.
If you're unfamiliar with Capture the Flag and competitive hacking, you should watch this video!
Hollywood glamorizes hacking and hackers, but the truth is that computer security, vulnerability research, and exploit development are much more tedious than what's shown on the silver screen. While we'll never reach a place where we have crazy 3D cube exploit auto-generators, we can certainly strive to make each part easier, faster, and more enjoyable.
pwntools is widely used throughout the Capture the Flag and wargames community. It's primarily developed by the Gallopsled CTF team, which uses it exclusively. It has spread among the community because of its ease of use and utility.
One of the common post-competition activities for CTF is to post a write-up of the challenge binary. Generally, this includes an analysis of the binary, its vulnerabilities, and details on the exploitation process. Searching Google for "from pwn import" yields about 1300 hits, almost all of which are unique write-ups from different authors.
pwntools is written exclusively in Python, and targets Python 2.7.
pwntools is already an excellent resource for experienced competitors, but ideally it would also be a teaching resource. Many of the pitfalls encountered when starting out with reverse engineering and exploit development are side-stepped by using pwntools, because it was written with knowledge of those pitfalls.
By making computer security and exploitation more approachable, we can enhance general awareness about common security-related mistakes which lead to memory corruption and eventually code execution.
This is the current list of mentors for any Google Summer of Code projects.
If you have questions about pwntools GSoC, shoot on over to the mailing list and ask away :-).
- Maintainer and developer of the binjitsu fork, contributor to pwntools.
- Maintainer and developer of pwntools.
- Maintainer and developer of pwntools.
The best way to get ahold of us is via the mailing list! Feel free to join and introduce yourself, or ask any questions you may have!
We're also available on IRC:
- IRC channel: #pwntools on Freenode
- Nicks: ebeip90, Idolf, br0ns
Pwntools is designed to get you up and running as fast as possible!
If you're a prospective GSoC student, you need to pick a project! We've provided lots of ideas here, but you don't have to choose from there. If you've got a great idea, we're open to it!
You should also pick some additional projects. Most of the ones cited here won't fill up your whole summer -- they're generally much smaller projects if you're smart and move fast.
Once you've got an idea what you want to do with a project, follow the steps below to get everything installed, make sure it works, and get started hacking!
Make sure to join #pwntools on Freenode and ping one of the mentors. You'll be given a very small, simple challenge to solve that's related to your project idea. This will count as the patch that's required for your GSoC contribution.
Getting started with pwntools is easy! If you're using Ubuntu, you're only a few commands away.
For this example, we'll use the binjitsu fork of pwntools.
$ apt-get install python2.7 python2.7-dev python-pip
$ git clone https://github.com/binjitsu/binjitsu
$ cd binjitsu
$ pip install -e .
To make sure that everything installed correctly, we recommend running the test suite.
To run the test suite you should be on Ubuntu 12.04 or 14.04; then run the following commands. Be aware that this will add a user to your machine and create a public key for SSH login!
$ bash .travis_install.sh
$ bash .travis_ssh_setup.sh
$ cd docs
$ PWNLIB_NOTERM=1 make clean doctest
The online documentation has a Getting Started section demonstrating some of the basic features. More advanced use cases can be found in the write-ups repository, or just by searching Google for from pwn import *!
Both pwntools and binjitsu use Github for source control and Travis CI for automatic testing.
Instructions on getting up and running with a local copy for development are available in CONTRIBUTING.md for each project.
This is the current list of ideas, sorted in general order of "easiest" to "hardest".
These ideas only require knowledge of Python, and do not require experience with binary exploitation or Capture the Flag.
- Unit Testing
- Integration Testing
- ELF Modification
- OS X Compatibility
- Windows PE Support
- Terminal Revamp
These improvements require both knowledge of Python, and a good understanding of reverse engineering and exploitation primitives.
- Moar Exploits!
- Moar Shellcode!
- SIGRET Assistance
- Format Strings
- Shellcode Encoders
- Multi-Architecture ROP
Unit Testing
Pwntools is surprisingly well tested for an exploit development framework -- it currently has over 900 tests. All of the tests are currently implemented as doctests, and are run automatically by sphinx.
However, sphinx is not very flexible, and running tests is not its primary purpose (sphinx is for generating documentation, but it will also run basic doctests). This places a large number of restrictions on the tests, and requires manual addition to the corpus rather than automated test enumeration.
Ideally, test discovery would be automated, and would handle both doctests and unit tests. Both nosetests and py.test are excellent candidates for this, but there are expectations built into the current tests which preclude the use of these frameworks.
Prerequisites and reading:
- Python
- Linux
- Testing Your Code - Hitchhiker's Guide to Python
- PyTest.org
- Continuous Integration in Python: Travis-CI
Difficulty: Low
Mentors: ebeip90, Idolf, br0ns
Integration Testing
There is also a regression testing framework designed to permit automatic testing of various parts of pwntools as a whole, rather than in bite-sized prepared chunks. This regression testing code works, but it is not complete and does not give good coverage of all of the code.
The current examples repository is somewhat outdated and doesn't work with the current incarnation of pwntools or binjitsu. Unfortunately, new users have very few options to turn to when looking for a good starting point for "How do I pwntools".
Prerequisites:
- C
- Python
- Linux
Difficulty: Low to medium
Mentors: ebeip90, Idolf, br0ns
ELF Modification
Currently, the pwnlib.elf module has primitives to allow modifying arbitrary sections of the on-disk image of a loaded ELF file. However, limitations of the pyelftools library used to perform these operations prevent adding entire sections to the ELF binary, or adding relocations to it.
Extending the existing functionality to provide the ability to modify, re-order, or otherwise re-write ELF files without affecting their native functionality (a la the-backdoor-factory) would be a great benefit to attack-defend CTFs.
Prerequisites:
- Python
- Linux
Difficulty: Medium
Mentors: ebeip90, Idolf, br0ns
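As an added illustration of the section-adding step that the passage above says pyelftools does not expose (this is example code written for this page, not pwntools or binjitsu code): a minimal ELF64 section-table walker plus an `add_section` that appends the section contents at end-of-file, relocates the section header table after it, and patches e_shoff/e_shnum. It uses Python 3 and the standard `struct` module only; the sample ELF image is constructed inline, and the new section is given no .shstrtab name entry.

```python
import struct

EHDR64 = "<16sHHIQQQIHHHHHH"   # ELF64 LE file header: e_ident .. e_shstrndx (64 bytes)
SHDR64 = "<IIQQQQIIQQ"         # ELF64 section header: sh_name .. sh_entsize (64 bytes)
EHDR_SIZE = struct.calcsize(EHDR64)
SHDR_SIZE = struct.calcsize(SHDR64)
SHT_NULL, SHT_PROGBITS = 0, 1
SH_FIELDS = ("name", "type", "flags", "addr", "offset", "size",
             "link", "info", "addralign", "entsize")

def sections(data):
    """Walk the section header table of an ELF64 LE image; returns a list of dicts."""
    hdr = struct.unpack_from(EHDR64, data, 0)
    ident = hdr[0]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    return [dict(zip(SH_FIELDS, struct.unpack_from(SHDR64, data, shoff + i * shentsize)))
            for i in range(shnum)]

def add_section(data, payload, sh_type=SHT_PROGBITS, sh_flags=0):
    """Append a section: payload at EOF, a relocated header table after it, then
    patch e_shoff/e_shnum. Existing bytes stay in place so recorded offsets remain
    valid. sh_name is 0: extending .shstrtab is the next step a real tool needs."""
    hdr = list(struct.unpack_from(EHDR64, data, 0))
    shoff, shentsize, shnum = hdr[6], hdr[11], hdr[12]
    old_table = bytes(data[shoff:shoff + shentsize * shnum])
    out = bytearray(data)
    payload_off = len(out)                  # 1. section contents at EOF
    out += payload
    new_shoff = len(out)                    # 2. copy of the old table + new entry
    out += old_table
    out += struct.pack(SHDR64, 0, sh_type, sh_flags, 0, payload_off,
                       len(payload), 0, 0, 1, 0)
    hdr[6], hdr[12] = new_shoff, shnum + 1  # 3. repoint the file header
    struct.pack_into(EHDR64, out, 0, *hdr)
    return bytes(out)

def minimal_elf64():
    """Constructed sample image: file header, 8 bytes of .text, NULL + .text headers."""
    text = b"\x90" * 7 + b"\xc3"            # nop x7; ret (placeholder section contents)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    shoff = EHDR_SIZE + len(text)
    ehdr = struct.pack(EHDR64, ident, 2, 62, 1, 0x400000 + EHDR_SIZE, 0, shoff,
                       0, EHDR_SIZE, 0, 0, SHDR_SIZE, 2, 0)
    null_sh = struct.pack(SHDR64, *([0] * 10))
    text_sh = struct.pack(SHDR64, 1, SHT_PROGBITS, 6, 0x400000 + EHDR_SIZE,
                          EHDR_SIZE, len(text), 0, 0, 16, 0)
    return ehdr + text + null_sh + text_sh
```

Running `sections(add_section(minimal_elf64(), b"hello"))` shows the two original entries unchanged and a third entry pointing at the appended bytes; the old table bytes are left behind as dead space, which is the cost of not shifting any existing offsets.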
OS X Compatibility
Currently, pwntools works best on Linux distributions like Ubuntu. However, lots of developers prefer to use alternate operating systems like Mac OS X, and some future challenges may even be written for it.
This project would require making changes to binjitsu to make as many unit tests as possible pass on Mac OS X, integrating these with Travis CI, and perhaps even writing some integration tests to ensure end-to-end functionality.
A stretch goal would be to extend the current generation and parsing of ELF files to include the Mach-O format used by OS X.
Prerequisites:
- Python
- Linux
- OS X
Difficulty: Medium
Mentors: ebeip90
Windows PE Support
Currently, pwntools has a lot of helper utilities for loading, parsing, and extracting information from Linux ELF files. However, the same level of support is not present for Windows PE files.
The goal of this project would be to create a compatibility layer between the current ELF functionality based on pyelftools, and the Python PE library, pefile.
Prerequisites:
- Python
- Linux
- Windows
Difficulty: Medium
Mentors: ebeip90, Idolf, br0ns
Terminal Revamp
This module is currently the least well understood module in pwntools, and in its current form it isn't documented or tested.
Re-implementing, or refactoring, the current implementation should allow this module to be tested in an automated manner.
Prerequisites:
- Python
- Linux
Difficulty: Low to medium
Mentors: ebeip90, Idolf, br0ns
Moar Exploits!
There are easily hundreds of different exploits available just from searching Google. Unfortunately, these aren't all in one central location, and aren't being used to verify that we're aware of any feature-breaking changes that we make.
This project would involve finding well-written exploits using pwntools (or re-writing other exploits to use it) and collecting them into the pwntools-write-ups repository.
After a good number are gathered and in working condition, a wrapper should be developed to ensure that the exploits all work with a single command, so that this can be integrated into the Continuous Integration tests.
Prerequisites:
- Python
- Linux
- Willing to learn!
Difficulty: Varies wildly, from low to very high
Mentors: ebeip90, Idolf, br0ns
Moar Shellcode!
Pwntools currently has a good deal of shellcode available in pwnlib.shellcraft for i386, amd64, and ARM. However, there are lots of things that are missing (e.g. file-read, file-write, file descriptor proxying) which would be excellent additions to the corpus.
Porting shellcode to pwntools would require ingesting shellcode from Shell-Storm.org or ExploitDB.com, and re-writing it as Mako templates in pwntools. Ideally, all shellcode will use (or be refactored to use) templates for common operations.
Prerequisites:
- Python
- Assembly
- Linux
Difficulty: Low to moderate
Mentors: ebeip90, Idolf, br0ns
SIGRET Assistance
Currently, pwntools is completely unaware of SIGRET-style ROP (SROP). Helpers for generating valid register frames for use with SROP would be very useful.
Prerequisites and reading:
- Python
- Linux
- Familiar with ROP
- Framing Signals - A Return to Portable Shellcode
- Playing around with SROP
- An overview on Sigreturn Oriented Programming
Difficulty: Medium
Mentors: ebeip90, Idolf, br0ns
Format Strings
Currently, pwntools is unable to offer any assistance in the generation of format string payloads. The open-source project libformatstr would serve as an excellent starting point for adding this functionality to pwntools.
Additional functionality could be added in order to enhance robustness and automation. For example, the DynELF object in pwntools allows automatically leaking memory to resolve symbols in remote address spaces. A similar mechanism could be used to automate discovery of control bounds (e.g. format string input size, argument index, prefixed characters, etc.).
Prerequisites:
- Python
- Linux
Difficulty: Low to medium
Mentors: ebeip90, Idolf, br0ns
Shellcode Encoders
Currently, pwntools does not have internal support for encoding shellcode to avoid detection by filters or functions which stop on terminators (e.g. \0 or \n). Previously, there was a port of Metasploit's shikata-ga-nai encoder which was available in pwntools.
Porting this encoder back into the current pwntools, as well as adding additional encoders for alternate architectures, would be extremely useful for exploitation. In particular, pwntools currently goes to great lengths to ensure that most shellcode it generates is NULL- and newline-free. Adding encoders would allow pwntools-generated shellcode to be used in the remaining cases, and ease the constraints on existing shellcode.
Prerequisites and reading:
- Python
- Assembly
- Shellcoder's Handbook
- Metasploit: Low Level
- Cascading Polymorphic XOR Encoder in Python
- ALPHA3 Shellcode Encoder
- SLAE - Custom RBIX Shellcode Encoder
Difficulty: Medium (port old encoder to current pwntools) to High (porting other encoders)
Mentors: ebeip90, Idolf, br0ns
Multi-Architecture ROP
Currently, the ROP generation in the released version of pwntools does not support automatic ROP gadget extraction or chain building on any architecture except i386.
Given the increasing prevalence of x86_64, ARM, and Windows binaries, the current pwnlib.rop module needs to be overhauled. In particular, it needs support for specifying which ABI is being used, in addition to which architecture. This is important for distinguishing x86_64 Linux vs. Windows, which use different registers to pass their arguments, as well as different stack alignments and reserved per-frame stack space.
Additionally, specification of ABIs should allow direct invocation of syscalls after properly preparing the register arguments. While this is no different from the standard user-mode ABI on some architectures (e.g. x86_64 Linux), it differs greatly on others (i386 Linux).
Prerequisites:
- Python
- Linux
- Assembly
- Familiar with buffer overflows
Difficulty: High, but varies depending on familiarity with the underlying technique of Return
Mentors: ebeip90, Idolf, br0ns