forked from Naetw/CTF-pwn-tips
-
Notifications
You must be signed in to change notification settings - Fork 1
Pwntools and GDB PwnDBG
Rahul Sridhar edited this page Apr 10, 2022
·
7 revisions
- To attach gdb,
gdb.attach(process, '''
set disassembly-flavor intel
set height 0
b *0x40104f
c
''')
- You can control what kind of pane the gdb.attach opens, such as tmux:
context.terminal = ['tmux', 'splitw', '-h']
- You'll want command line flags for remote and gdb usage.
if len(sys.argv) > 1 and sys.argv[1] == 'remote':
p = remote( , )
else:
p = process( )
if len(sys.argv) > 1 and sys.argv[1] == 'gdb':
gdb.attach(p, """
set disassembly-flavor intel
b main
""")
- Set the log level with
contex.log_level = "debug"
-
To easily calculate offsets of strings that you input, use pwntools De Bruijn or Metasploit patterns in the cyclic module. Input the string, then use the
cyclic_*_find
functions to find the offset. -
In GDB, you can run a python script and send input to stdin with
r < <(./payload.py)
-
To construct a payload that has specific values at certain offsets, use the pwntools
fit
function:
>>> from pwn import *
>>> fit({
... 0x8 : 1234,
... 0x16 : 'HELLO',
... }, filler='A', length = 0x24)
'AAAAAAAA\xd2\x04\x00\x00AAAAAAAAAAHELLOAAAAAAAAA'
- To find a string in memory use
search "asdf"
in pwndbg - To dump some bytes in memory to binary file do
dump binary memory dump.bin buf buf+100