from pwn import *
Pwntools
ELF
# Create an ELF object
>>> elf = ELF("/bin/bash")
[*] '/bin/bash'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
FORTIFY: Enabled
# Find the binary base address (0x0 here: the binary is PIE, so its real base is only known once it is loaded)
>>> hex(elf.address)
'0x0'
# Find the binary entry point
>>> hex(elf.entry)
'0x30430'
# Look up the address of a function's PLT stub
>>> hex(elf.plt['write'])
'0x2e044'
# Look up the address of a function's GOT entry
>>> hex(elf.got['write'])
'0x118938'
# .search() returns a generator
>>> elf.search(b"/bin/sh\x00")
<generator object ELF.search at 0x7f05c79ccac0>
# next() returns the generator's next match
>>> hex(next(elf.search(b"/bin/sh\x00")))
'0x30c42'
# Search for a gadget by its assembled bytes
>>> hex(next(elf.search(asm('jmp esp'))))
'0x949c1'
ROP
# Create a ROP object
>>> rop = ROP(elf)
[*] Loaded 141 cached gadgets for '/bin/bash'
# Find a gadget that pops a value into rax
>>> rop.rax
Gadget(0xb03eb, ['pop rax', 'ret'], ['rax'], 0x8)
# Get the gadget address
>>> hex(rop.rax.address)
'0xb03eb'
Reference