Awesome

pwntools-r2

Launch radare2 from pwntools. This has been tested to work in combination with tmux - other combinations may or may not work. This might also work with other setups without tmux but that's not supported currently.

As of now, only the Python2 version of pwntools is being actively maintained. A version for the currently unmaintained Python3 fork of pwntools will be released as soon as it's being actively maintained and updated with pwntools-gdb environment variable support.

Ok How To Use This?

• Create a new pipenv: pipenv --python 2.7
• Install this: pipenv install pwntools-r2
• Enter the virtual environment: pipenv shell
• Code your 1337 exploit:

#!/usr/bin/env python2

from pwntools_r2 import *

# You might want to change this
context.terminal = ['tmux', 'splitw', '-v']

r2script = """
#r2.cmd('db sym.main')
#r2.cmd('aaa')
#r2.cmd('V!')
"""

p = r2dbg('./a', r2script=r2script)
p.interactive()

Be sure to not forget interactive() at the end :)

Please note that the commands for r2 have to be prefixed with a #. If you want to pass additional parameters, you can use the same in the function prototype of gdb.debug from pwntools.

• Do stuff: python2.7 ./exploit.py

Ok But How To Pass argv Values?

• Write your payload to a temporary file before running the target process
• Use this:

#r2.cmd('ood `!cat /tmp/payload`')

Troubleshooting

• You can debug any errors with context.log_level = 'DEBUG' via your pwntools python script.
• If no terminal can be found or any weird errors come up, try setting context.terminal accordingly - e.g. to urxvtc or ['tmux', 'splitw', '-v']

Credits

This is based on this and this.