Releases: Gallopsled/pwntools

3.5.0

26 Mar 20:19

  • b584ca3 Fixed an issue running setup.py on ARM
  • #822 Enabled relative leaks with MemLeak
    • This should be useful for e.g. heap-relative leaks
  • #832 Changed all internal imports to use absolute imports (no functional changes)
  • a12d0b6 Move STDOUT, PIPE, PTY constants to globals
    • process(..., stdin=process.PTY) --> process(..., stdin=PTY)
  • #828 Use PR_SET_PTRACER for all process() and ssh.process() instances
    • This simplifies debugging on systems with YAMA ptrace enabled
  • Various documentation enhancements
    • In particular, the gdb, elf, and ssh docs are much better
  • #833 Performance enhancements for adb module
  • d0267f3 packing.fit() now treats large offsets as cyclic patterns (e.g. 0x61616161 behaves the same as "aaaa")
  • #835 Added ssh.checksec
    • Reports the kernel version and other relevant information on connection
  • #857 Slightly shortened execve shellcode
  • 300f8e0 Slightly speed up processing of large ELF files
  • #861 Adds support for extracting IKCONFIG configs from Linux kernel images, and extends checksec to report on any insecure configurations discovered
  • #871 Moves all of the basic syscall templates to shellcraft/common and exposes them via symlinks. Closes #685
    • Should not have any visible effects from any documented APIs
    • shellcraft.arch.os.syscall_function() still works the same
    • We now have the ability to differentiate between the connect syscall and a TCP connect helper
  • #887 sh_string now returns a quoted empty string '' rather than just an empty string
  • #839 Exposes a huge amount of functionality via corefiles which was not previously available. See the docs for examples.
    • process().corefile will automatically instantiate a Corefile for the process
    • QEMU-emulated processes are supported
    • Native processes are supported, including extraction of coredumps from apport crash logs
    • Native processes can be dumped while running, in a manner similar to GDB's gcore script
  • #875 Added documentation (and tests) for AArch64 shellcode
  • #882 The ROP class now respects context.bytes instead of using the hard-coded value of 4 (fixed #879)
  • #869 Added several fields to the process class (uid, gid, suid, sgid) which are recorded at execution time, based on the file permissions
  • #868 Changed the way that ssh.process() works internally, and it now returns a more specialized class, ssh_process.
    • Added ssh_process.corefile for fetching remote corefiles
    • Added ssh_process.ELF for getting an ELF of the remote executable
    • Records the uid, gid, suid, and sgid at execution time, based on the file permissions
  • #865 Fixes ELF.read to support contiguous memory reads across non-contiguous file-backed segments
  • #862 Adds a symlink= argument to ssh.set_working_directory, which will automatically symlink all of the files in the "old" working directory into the "new" working directory

3.4.1

17 Feb 13:59

  • #894 Fix a bug when using gdb.debug() over ssh.
  • e021f57 Fix a bug (#891) in rop when needing to insert padding to fix alignment

3.4.0

13 Feb 00:45

  • #800 Add shell= option to ssh.process()
  • #806 Add context.buffer_size for fine-tuning tube performance
    • Also adds buffer_fill_size= argument for all tubes
  • b83a6c7 Fix undocumented process.leak function
  • 546061e Modify coredump_filter of all spawned processes, so that core dumps are more complete
  • #809 Add several functions to adb (unlink, mkdir, makedirs, isdir, exists)
  • #817 Make disconnection detection more robust

3.3.4

12 Jan 22:50

  • #850 and #846 fix issues with hexdump and the phd command-line utility, when using pipes (e.g. echo foo | phd)
  • #852 Fixes register ordering in regsort
  • #853 Fixes the registers restored in shellcraft.amd64.popad

3.3.3

10 Jan 22:59

  • #843 fixed a bug in amd64.mov.

3.3.2

10 Jan 17:42

  • #840 Fixed a regression introduced by #837.

3.3.1

10 Jan 16:03

  • #833 Fixed a performance-impacting bug in the adb module.
  • #837 Fixed a bug (#836) causing hexdump(cyclic=True) to throw an exception.

3.3.0

24 Dec 10:52

  • b198ec8 Added tube.stream() function, which is like tube.interact() without a prompt or keyboard input.
    • Effectively, this is similar to cat file and just prints data as fast as it is received.
  • aec3fa6 Disable update checks against GitHub
    • These checks frequently broke due to GitHub query limits
  • #757 Fixed adb.wait_for_device() re-use of the same connection
  • f9133b1 Add a STDERR magic argument to make logging go to stderr instead of stdout
    • Usage is e.g. python foo.py STDERR or PWNLIB_STDERR=1 python foo.py
    • Also adds context.log_console to log to any file or terminal
  • 67e11a9 Add faster error checking to cyclic() when provided very large values
  • 5fda658 Expose BitPolynom in globals()
  • #765 Added -d option for hex-escaped output for shellcraft command-line tool
  • #772 Fixed bash completion regressions
  • 30c34b7 Fix ROP.call() with Function objects from ELF.functions
  • fa402ce Add adb.uptime and adb.boot_time
  • 82312ba Add cyclic_metasploit and cyclic_metasploit_find

3.2.1

24 Dec 10:05

Multiple bug fixes.

  • #783 Fix adb.uninstall typo
  • #787 Added error handling for ssh.process argument preexec_fn
  • #793 Fixed progress message in remote() when connections failed
  • #802 Fixed partition listing in adb.partitions, which accidentally shelled out to the adb binary
  • #804 Fix error message for 32-bit distributions
  • #805 Fix exception in Core.segments when a segment has no name
  • #811 Fixes and performance improvements for adb.wait_for_device()
  • #813 Fixed a release script
  • #814 Fixed exceptions thrown if the $HOME directory is not writable
  • #815 Properly handle None in MemLeak

3.2.0

12 Nov 20:09
  • #695 Fixed a performance regression in phd.
  • 452605e Fixed #629 related to correct removal of temporary files.
  • ea94ee4 Disallows semicolons in the command passed to run_in_terminal, since they did not work properly in all cases.
  • 6376d07 Added the mips shellcode pushstr_array.
  • #700 Added missing MIPS shellcode documentation to readthedocs, and enabled unit tests
  • #701 Command line tools refactored to have a common pwn entry point.
    • Added an option to not install the traditional asm, disasm, checksec, etc scripts
    • All existing tools can be accessed from the pwn command (e.g. pwn asm nop).
  • #704 The process object has a new, optional argument alarm for setting a SIGALRM timeout for processes.
  • #705 Added the Android Emulator to the test suite and Travis CI.
    • Android Emulator is now required for the full test suite
    • Android Emulator tests are skipped if no Android-related changes are detected
  • #711 DynELF has a new attribute, heap, which leaks the current brk address (heap base). This is useful for finding heap allocations with dlmalloc-derived allocators like those used by Glibc.
  • #717 sh_string was rewritten to emit more compact and compatible strings
    • This was achieved by embedding single-quoted non-printable literals
    • Much more testing was added
    • Emitted strings are no longer copy-paste compatible, but work fine with e.g. tubes module and the default subprocess module
  • #709 The adb module now directly talks to the adb server process via a new module, adb.protocol
    • Removes the need to shell out to adb
    • Avoids version-compatibility issues with adb server vs. client
  • #703 Added new methods to adb
    • install - Installs an APK
    • uninstall - Uninstalls a package
    • packages - Lists installed packages
  • 4893819 Modified shellcraft.sh on all platforms to provide argv[0] and set argc==1
    • This is needed for systems which have Busybox or other minimal shell for /bin/sh which does not behave well with argc==0 or argv[0]==NULL.
  • 1e414af Added connect() alias for remote()
    • For example, io=connect('google.com', 80)
    • This also works with tcp(...) and udp(...) aliases
  • 869ec42 Added ssh.read() and ssh.write() aliases
  • 2af55c9 AdbDevice objects exposed via e.g. adb.devices() now offer scoped access to all adb module properties
    • It is now possible to e.g. map(lambda d: d.process(['id']).recvall(), adb.devices())