Release 4.15.0

This is the last release supporting Python 2 and Python <3.10. See #2495

This release comes with a bunch of fixes, some new features, and a few deprecations. Thank you to every contributing their features and fixes!

Highlights

• Added context.gdb_binary to specify which gdb command to use. Useful to specify e.g. pwndbg. Checkout the pwn.conf config file to set it globally. (@Ninja3047)
• Added tube.upload_manually to upload data to a shell using shell commands. Quickly upload your exploit into that kernel pwn challenge without manually typing the echo {chunk} | base64 -d >> exploit loop.
• Improved libcdb handling of a local libc-database without relying on external services. (@the-soloist)
• Cache the output of asm() to speed up subsequent exploit runs. (Disable the cache using context.cache_dir = None)
• Improve documentation regarding which ELF functions run the binary internally. (Thanks to @Hackrrr who made a CTF challenge for it at Compete With Team Europe CTF 2025)

Deprecations

Removal of some CLI command scripts

Many of the CLI utilities coming with pwntools had ambiguous names and caused problems while packaging in different distributions. Most of the commands are deprecated now and print a warning suggesting to use pwn <thecommand> instead.

Only checksec, constgrep, libcdb, phd, pwnstrip, and shellcraft stay as standalone CLI scripts. The rest will be removed and only accessible through the pwn wrapper in the future.

$ debug
/home/user/.local/bin/debug:8: DeprecationWarning: The 'debug' command is deprecated and will be removed in a future version. Please use 'pwn debug' instead.
  sys.exit(deprecated_main())
usage: pwn debug [-h] [-x GDBSCRIPT] [--pid PID] [-c context] [--exec EXECUTABLE] [--process PROCESS_NAME] [--sysroot SYSROOT]

Deprecate 'keepends' argument in favor of 'drop' in tube.recvline*

tube.recvline used the keepends argument to specify whether to include the trailing newline in the return value while tube.recvuntil uses drop to specify inclusion of the delimiter. The semantics are inversed for both functions causing confusion:

io.recvuntil(b'pwn', drop=True) # Don't include `pwn` at the end.
io.recvline(keepends=False) # Don't include `\n` at the end.

Since drop is a more generic name (and shorter to type), tube.recvline* accepts a drop parameter now and usage of keepends is deprecated.

The detailed changelog is as follows:

• Allow setting debugger path via context.gdb_binary by @Ninja3047 in #2602
• Cache output of asm() by @peace-maker in #2358
• docs: warn that .libs/.libc/.maps are dangerous by @Arusekk in #2626
• Add tube.upload_manually to upload files in chunks by @peace-maker in #2410
• Deprecate direct commandline scripts invocation and exclude nonsense ones by @tkmikan in #2364
• Extract libraries from Docker image by @lcian in #2479
• libcdb-cli: add --offline-only, refactor unstrip and add fetch parser for download libc-database by @the-soloist in #2478
• darwin: Bump syscalls from sdk 15.1 by @patryk4815 in #2448
• Support longer function names in Windows getexport shellcode by @peace-maker in #2587
• Fix attaching to a gdbserver with tuple gdb.attach(('0.0.0.0',12345)) by @ckxckx in #2291
• regsort: respect register aliases by @Arusekk in #2576
• Nicely handle non ELF files in checksec by @tesuji in #2457
• Add ELF.close() to release resources by @peace-maker in #2444
• Properly close spawned kitty window by @k4lizen in #2471
• Redirect kitty kill command stderr to /dev/null by @k4lizen in #2472
• libcdb: improve the search speed of search_by_symbol_offsets by @the-soloist in #2413
• Fix waiting for gdb under WSL2 by @peace-maker in #2470
• Stop using cmd.exe to keep current directory by @robbert1978 in #2488
• Only print checksec output of ELF.libc when it was printed for the ELF already by @peace-maker in #2483
• Throw error when using sni and setting server_hostname manually in remote by @peace-maker in #2482
• Allow to disable caching by @peace-maker in #2484
• Fix loading ELF files without valid .dynamic section by @peace-maker in #2502
• Deprecate 'keepends' argument in favor of 'drop' by @MrQubo in #2476
• ssh tube: replaced nonexistent key with str(e) in error handling method to get proper error message displayed in stacktrace by @findus in #2512
• Ignore a warning with unused args in asm on NIX by @sbancuz in #2508
• SSH: fix download/upload with -1 exit status by @kilimnik in #2545
• Fix invalid parsing of loader error message in elf.libc by @tesuji in #2567
• Add automatic detection of statically linked binaries in detect_missing_binaries function. by @chaitanyarahalkar in #2570
• Add Ubuntu and Debian debuginfod servers by @peace-maker in #2595
• Use unicorn on macOS w/ SIP enabled by @Feyorsh in #2593
• Ignore colored_traceback error when TERM is unset by @peace-maker in #2596
• Fix poll error in process.libs() by @R42ccoon in #2579
• Fix log level of child remotes of server tube by @peace-maker in #2609
• Exclude Unicorn versions segfaulting on MIPS PLT by @Arusekk in #2621
• Fix lookup of binutils for mipsel architecture by @peace-maker in #2612
• Fix regression: gdbserver can't handle command-line argument containing whitespace by @peace-maker in #2624
• CI: Install pwntools on Windows and import it once by @peace-maker in #2450
• Fix collecting coverage in CI by @peace-maker in #2477
• Cache HTTP requests to external libcdb services in CI by @peace-maker in #2487
• Update documentation for format strings by @Legoclones in #2501
• Update sphinx for Python 3.13 support by @peace-maker in #2503

New Contributors

• @lcian made their first contribution in #2479
• @robbert1978 made their first contribution in #2488
• @ckxckx made their first contribution in #2291
• @Legoclones made their first contribution in #2501
• @findus made their first contribution in #2512
• @sbancuz made their first contribution in #2508
• @kilimnik made their first contribution in #2545
• @chaitanyarahalkar made their first contribution in #2570
• @R42ccoon made their first contribution in #2579

Full Changelog: 4.14.1...4.15.0

Release 4.15.0beta1

What's Changed

• Poll before reading /proc/maps in process.libs() to avoid race condition by @peace-maker in #2516
• Fix installation on Python 3.5 and lower on stable by @peace-maker in #2533
• fix: update apport coredump path handling for CorefileFinder by @Meetesh-Saini in #2518
• Fix parsing corefile with missing auxv by @Arusekk in #2559
• Exclude broken Unicorn version by @Arusekk in #2565
• Show ELF symbols defined to value 0 by @ThijsRay in #2451
• Fix syntax highlighting of multiline comments in ASM by @peace-maker in #2562
• Fixed bound on memcpy loop in thumb,arm,aarch64 by @themaks in #2552

New Contributors

• @Meetesh-Saini made their first contribution in #2518
• @ThijsRay made their first contribution in #2451
• @themaks made their first contribution in #2552

Full Changelog: 4.15.0beta0...4.15.0beta1

Release 4.14.1

What's Changed

• Poll before reading /proc/maps in process.libs() to avoid race condition by @peace-maker in #2516
• Fix installation on Python 3.5 and lower on stable by @peace-maker in #2533
• fix: update apport coredump path handling for CorefileFinder by @Meetesh-Saini in #2518
• Fix parsing corefile with missing auxv by @Arusekk in #2559
• Exclude broken Unicorn version by @Arusekk in #2565
• Show ELF symbols defined to value 0 by @ThijsRay in #2451
• Fix syntax highlighting of multiline comments in ASM by @peace-maker in #2562
• Fixed bound on memcpy loop in thumb,arm,aarch64 by @themaks in #2552

New Contributors

• @Meetesh-Saini made their first contribution in #2518
• @ThijsRay made their first contribution in #2451
• @themaks made their first contribution in #2552

Full Changelog: 4.14.0...4.14.1

Release 4.15.0beta0

What's Changed

• Deprecate 'keepends' argument in favor of 'drop' by @MrQubo in #2476
• Deprecate direct commandline scripts invocation and exclude nonsense ones by @tkmikan in #2364
• Cache output of asm() by @peace-maker in #2358
• Add tube.upload_manually to upload files in chunks by @peace-maker in #2410
• libcdb-cli: add --offline-only, refactor unstrip and add fetch parser for download libc-database by @the-soloist in #2478
• libcdb: improve the search speed of search_by_symbol_offsets by @the-soloist in #2413
• Allow to disable caching by @peace-maker in #2484
• darwin: Bump syscalls from sdk 15.1 by @patryk4815 in #2448
• Nicely handle non ELF files in checksec commandline tool by @tesuji in #2457
• Add ELF.close() to release resources by @peace-maker in #2444
• Properly close spawned kitty window by @k4lizen in #2471
• Redirect kitty kill command stderr to /dev/null by @k4lizen in #2472
• Extract libraries from Docker image in pwn template by @lcian in #2479
• Fix waiting for gdb under WSL2 by @peace-maker in #2470
• Stop using cmd.exe to keep current directory in WSL2 by @robbert1978 in #2488
• Only print checksec output of ELF.libc when it was printed for the ELF already by @peace-maker in #2483
• Throw error when using sni and setting server_hostname manually in remote by @peace-maker in #2482
• Fix attaching to a gdbserver with tuple gdb.attach(('0.0.0.0',12345)) by @ckxckx in #2291
• Fix loading ELF files without valid .dynamic section by @peace-maker in #2502
• ssh tube: replaced nonexistent key with str(e) in error handling method to get proper error message displayed in stacktrace by @findus in #2512
• Ignore a warning with unused args in asm on NIX by @sbancuz in #2508
• Update documentation for format strings by @Legoclones in #2501
• Update sphinx for Python 3.13 support by @peace-maker in #2503
• Cache HTTP requests to external libcdb services in CI by @peace-maker in #2487
• CI: Install pwntools on Windows and import it once by @peace-maker in #2450
• Fix collecting coverage in CI by @peace-maker in #2477

New Contributors

• @tesuji made their first contribution in #2457
• @lcian made their first contribution in #2479
• @robbert1978 made their first contribution in #2488
• @ckxckx made their first contribution in #2291
• @Legoclones made their first contribution in #2501
• @findus made their first contribution in #2512
• @sbancuz made their first contribution in #2508

Full Changelog: 4.14.0beta1...4.15.0beta0

Release 4.14.0

What's Changed

• Return buffered data on first EOF in tube.readline() by @peace-maker in #2376
• Add basic RISCV64 shellcraft support by @peace-maker and @LevitatingLion in #2322
• feat: Concatenate multiple shellcraft templates on commandline using shellcraft A + B by @cocoa-xu in #2398
• Add local libc database provider for libcdb by @the-soloist in #2356
• libcdb: Add offline parameter for search_by_hash series function by @the-soloist in #2360
• libcdb: add offline_only to search_by_symbol_offsets by @the-soloist in #2388
• libcdb.unstrip_libc: debug symbols are fetched only if not present already by @sswastik02 in #2374
• Add basic support to debug processes on Windows by @peace-maker in #2327
• Support asm/disasm on Windows by @peace-maker in #2437
• Change newline when setting context.os to "windows" by @peace-maker in #2330
• Add TTY escape function for file transfer by @Arusekk in #2422
• Shellcode socket IPV6 by @Dvorhack in #2415
• Add "none" ssh authentication method by @peace-maker in #2405
• Add port, gdb_args, and gdbserver_args to gdb.debug() by @gfelber in #2382
• gdb.debug: avoid 2s timeout if possible by @mephi42 in #2435
• Add functions for retrieving process mappings by @k4lizen in #2371
• fix fromsocket to deal with ipv6 socket by @leommxj in #2497
• Fix passing bytes to context.log_file and crc.BitPolynom by @marinelay in #2389
• Change from pop to keys for reporting proper error message by @marinelay in #2391
• Fix duplicate definition of ssh.sftp by @peace-maker in #2394
• Fix access of undefined ssh._tried_sftp in raw mode by @peace-maker in #2396
• Convert bytes-like object to string in apport_corefile() method by @sanjitkumar2016 in #2387
• Add resolution_addr parameter to Ret2dlresolvePayload by @k4lizen in #2436
• Docs: Add sudo for apt-get by @qux-bbb in #2395
• Updated Mac OS Install Documentation by @lewiswatson55 in #2392
• Improve remote() documentation by @MrQubo in #2427
• feat: use --no-cache-dir flag to pip in dockerfiles to save space by @rajpratik71 in #2357
• Test Python version >= 3.10 in CI and fix tests on Python 3.12 by @peace-maker in #2486

New Contributors

• @rajpratik71 made their first contribution in #2357
• @sswastik02 made their first contribution in #2374
• @lewiswatson55 made their first contribution in #2392
• @marinelay made their first contribution in #2389
• @qux-bbb made their first contribution in #2395
• @sanjitkumar2016 made their first contribution in #2387
• @Dvorhack made their first contribution in #2415
• @cocoa-xu made their first contribution in #2398
• @gfelber made their first contribution in #2382

Full Changelog: 4.13.1...4.14.0

Release 4.14.0beta1

What's Changed

• Fix parsing the PLT on Windows by @peace-maker in #2445
• Fix PLT emulation with Unicorn 2.1.0 by @peace-maker in #2466
• Backport: Fix typo for fallback to default number of console colors on windows by @peace-maker in #2467
• Fix: GDB 15.1 rpyc detection by @SecT0uch in #2469
• gdb: fix pid attach by @Arusekk in #2474

New Contributors

• @SecT0uch made their first contribution in #2469

Full Changelog: 4.14.0beta0...4.14.0beta1

Release 4.13.1

What's Changed

• Fix parsing the PLT on Windows by @peace-maker in #2445
• Fix PLT emulation with Unicorn 2.1.0 by @peace-maker in #2466
• Backport: Fix typo for fallback to default number of console colors on windows by @peace-maker in #2467
• Fix: GDB 15.1 rpyc detection by @SecT0uch in #2469
• gdb: fix pid attach by @Arusekk in #2474

New Contributors

• @SecT0uch made their first contribution in #2469

Full Changelog: 4.13.0...4.13.1

Release 4.14.0beta0

What's Changed

• Add local libc database provider for libcdb by @the-soloist in #2356
• libcdb: Add offline_only parameter for search_by_hash series function by @the-soloist in #2360
• libcdb: Add offline_only to search_by_symbol_offsets by @the-soloist in #2388
• libcdb.unstrip_libc: debug symbols are fetched only if not present by @sswastik02 in #2374
• Add basic support to debug processes on Windows by @peace-maker in #2327
• Support asm/disasm on Windows by @peace-maker in #2437
• Change newline when setting context.os to "windows" by @peace-maker in #2330
• Add basic RISCV64 shellcraft support by @peace-maker and @LevitatingLion in #2322
• Return buffered data on first EOF in tube.readline() by @peace-maker in #2376
• Add functions for retrieving process mappings by @k4lizen in #2371
• Add TTY escape function for file transfer by @Arusekk in #2422
• Add support for generating multiple shellcodes at a time in shellcraft by @cocoa-xu in #2398
• Shellcode socket IPV6 by @Dvorhack in #2415
• Add "none" ssh authentication method by @peace-maker in #2405
• Improve remote() documentation by @MrQubo in #2427
• Add port, gdb_args, and gdbserver_args to gdb.debug() by @gfelber in #2382
• gdb.debug: avoid 2s timeout if possible by @mephi42 in #2435
• Add resolution_addr parameter to Ret2dlresolvePayload by @k4lizen in #2436
• feat : use --no-cache-dir flag to pip in dockerfiles to save space by @rajpratik71 in #2357
• Fix access of undefined ssh._tried_sftp in raw mode by @peace-maker in #2396
• Fix duplicate definition of ssh.sftp by @peace-maker in #2394
• Fix passing bytes to context.log_file and crc.BitPolynom by @marinelay in #2389
• Change from pop to keys for reporting proper error message by @marinelay in #2391
• Convert bytes-like object to string in apport_corefile() method by @sanjitkumar2016 in #2387
• Updated Mac OS Install Documentation by @lewiswatson55 in #2392

New Contributors

• @the-soloist made their first contribution in #2356
• @rajpratik71 made their first contribution in #2357
• @sswastik02 made their first contribution in #2374
• @lewiswatson55 made their first contribution in #2392
• @marinelay made their first contribution in #2389
• @qux-bbb made their first contribution in #2395
• @sanjitkumar2016 made their first contribution in #2387
• @Dvorhack made their first contribution in #2415
• @cocoa-xu made their first contribution in #2398
• @gfelber made their first contribution in #2382
• @k4lizen made their first contribution in #2371

Full Changelog: 4.13.0...4.14.0beta0

Release 4.13.0

What's Changed

• Term module revamp: activating special handling of terminal only when necessary by @Arusekk in #2242
• Add support to start a process on Windows by @peace-maker in #2310
• Add x86 CET status to checksec output by @peace-maker in #2293
• Detect challenge binary and libc in pwn template by @peace-maker in #2309
• Fix getting right amount of data for ELF.search by @gordiig in #2281
• elf: Resolve more relocations into GOT entries by @Arusekk in #2277
• rop: Make stack move faster by @Arusekk in #2300
• Basic darwin support for shellcrafter by @patryk4815 in #2161
• Allow to add to the existing environment in process instead of replacing it by @heapcrash in #1763
• Allow to add to the existing environment in ssh instead of replacing it by @heapcrash in #1764
• Nicer error when running tmux exploit outside tmux by @peace-maker in #2314
• Windows shellcode: Make sure winexec is 16 byte aligned and add nCmdShow option by @kizzx2 in #2308
• Make pwn template always set context.binary by @FlorianKothmeier in #2279
• add timeout to gdbserver by @Ordoviz in #2321
• Lookup using $PATHEXT file extensions in which on Windows by @peace-maker in #2328
• Explicitly define p64/u64 functions for IDE support by @peace-maker in #2189
• fix: follow symlink for libs on ssh connection by @teddav in #2338
• Fix: Allow setting attributes on gdb Breakpoints by @Nils1729 in #2339
• Make sure TERM_PROGRAM points to a valid program in run_in_new_terminal by @peace-maker in #2329
• fix: split current iterm window during gdb.debug process by @teddav in #2341
• Retry failed lookups after one week in libcdb by @peace-maker in #2323
• Match against local system libc first in libcdb by @peace-maker in #2325
• Add ELF.stripped and ELF.debuginfo properties by @peace-maker in #2336
• Improved DynELF address resolutions and symbol lookups by @Bl4ck-C4t in #2335
• Add a flatten argument to ssh.libs by @ValekoZ in #2268
• Fix Unicorn Engine 1GB limit that calls exit: raise OSError instead (Fixes #2343) by @disconnect3d in #2347
• Bugfix gdb.debug: exe parameter now respected by @goreil in #2233
• Fix pwn constgrep when it matches a non-constant type (Fixes #2344) by @disconnect3d in #2345
• Fix pwn libcdb file crashing if "/bin/sh" string was not found by @xambroz in #2307
• Fix unhex for odd length bytes by @snarkyyy in #2333
• Fix displaying bright color variation in terminal output by @peace-maker in #2373
• Fix support for amd64 x32 ABI by @peace-maker in #2305
• Speed up disasm with color by @snarkyyy in #2334
• Don't go through a shell in gdb.debug by @peace-maker in #2378
• elf/corefile: Clean up pyelftools workarounds by @Arusekk in #2319
• checksec.py: import ELF instead of * by @disconnect3d in #2346
• libcdb.py - python 3.12 by @xambroz in #2302
• remove python2 shebangs by @xambroz in #2301
• Bump unicorn dependency to >=2.0.1 by @peace-maker in #2315

New Contributors

• @gordiig made their first contribution in #2281
• @xambroz made their first contribution in #2302
• @kizzx2 made their first contribution in #2308
• @FlorianKothmeier made their first contribution in #2279
• @Ordoviz made their first contribution in #2321
• @snarkyyy made their first contribution in #2333
• @teddav made their first contribution in #2338
• @Nils1729 made their first contribution in #2339
• @patryk4815 made their first contribution in #2161
• @Bl4ck-C4t made their first contribution in #2335
• @ValekoZ made their first contribution in #2268

Full Changelog: 4.12.0...4.13.0

Release 4.13.0beta0

What's Changed

• Term module revamp: activating special handling of terminal only when necessary by @Arusekk in #2242
• Detect challenge binary and libc in pwn template by @peace-maker in #2309
• Add support to start a process on Windows by @peace-maker in #2310
• Add basic darwin support for shellcrafter by @patryk4815 in #2161
• Explicitly define p64/u64 functions for IDE support by @peace-maker in #2189
• Add ELF.stripped and ELF.debuginfo properties by @peace-maker in #2336
• Fix: Allow setting attributes on gdb Breakpoints by @Nils1729 in #2339
• Fix gdb.debug: exe parameter now respected, allow empty argv by @goreil in #2233
• Fix getting right amount of data for ELF.search by @gordiig in #2281
• Add x86 CET status to checksec output by @peace-maker in #2293
• elf: Resolve more relocations into GOT entries by @Arusekk in #2277
• rop: Make stack move faster by @Arusekk in #2300
• Fix Python 3.12 warning in pwn libcdb by @xambroz in #2302
• Remove unnecessary python2 shebangs by @xambroz in #2301
• Allow to add to the existing environment in process instead of replacing it by @heapcrash in #1763
• Allow to add to the existing environment in ssh instead of replacing it by @heapcrash in #1764
• Fix pwn libcdb file crashing if "/bin/sh" string was not found by @xambroz in #2307
• Fix support for amd64 x32 ABI by @peace-maker in #2305
• Nicer error when running tmux exploit outside tmux by @peace-maker in #2314
• Bump unicorn dependency to >=2.0.1 by @peace-maker in #2315
• Make sure winexec is 16 byte aligned and add nCmdShow option by @kizzx2 in #2308
• elf/corefile: Clean up pyelftools workarounds by @Arusekk in #2319
• Make pwn template always set context.binary by @FlorianKothmeier in #2279
• Add timeout to gdbserver by @Ordoviz in #2321
• Fix unhex for odd length bytes by @vsyl in #2333
• Speed up pwn disasm with colored output by @vsyl in #2334
• Lookup using $PATHEXT file extensions in which on Windows by @peace-maker in #2328
• fix: follow symlink for libs on ssh connection by @teddav in #2338
• Make sure TERM_PROGRAM points to a valid program in run_in_new_terminal by @peace-maker in #2329
• Retry failed lookups after one week in libcdb by @peace-maker in #2323
• Match against local system libc first in libcdb by @peace-maker in #2325
• checksec.py: import ELF instead of * by @disconnect3d in #2346
• Fix pwn constgrep when it matches a non-constant type (Fixes #2344) by @disconnect3d in #2345
• Launch GDB correctly in iTerm on Mac by @teddav in #2341
• Improved DynELF address resolutions and symbol lookups by @Bl4ck-C4t in #2335
• Add a flatten argument to ssh.libs by @ValekoZ in #2268
• Fix Unicorn Engine 1GB limit that calls exit: raise OSError instead (Fixes #2343) by @disconnect3d in #2347

New Contributors

• @gordiig made their first contribution in #2281
• @xambroz made their first contribution in #2302
• @kizzx2 made their first contribution in #2308
• @FlorianKothmeier made their first contribution in #2279
• @Ordoviz made their first contribution in #2321
• @vsyl made their first contribution in #2333
• @teddav made their first contribution in #2338
• @Nils1729 made their first contribution in #2339
• @patryk4815 made their first contribution in #2161
• @Bl4ck-C4t made their first contribution in #2335
• @ValekoZ made their first contribution in #2268

Full Changelog: 4.12.0...4.13.0beta0