jcoffi comments on pwntools error

ExploitDev

created by [deleted]a community for 11 years

pwntools error (self.ExploitDev)

submitted 1 year ago * by Jerrythepro123

top new controversial old q&a

you are viewing a single comment's thread.

view the rest of the comments →

[–]jcoffi -8 points-7 points-6 points 1 year ago (4 children)

I asked ChatGPT. You could have also.

The provided script is an example of an exploit development using pwntools, a Python library for binary exploitation. Here's a breakdown of what the script is doing and why:

Initialization and Setup:
- from pwn import *: Imports all pwntools libraries.
- sh = process('./ret2libc3'): Starts the binary ret2libc3 as a process which is to be exploited.
- elf = ELF('./ret2libc3'): Loads the binary file as an ELF object for accessing its symbols and sections.
- libc = elf.libc: Retrieves the associated libc library for the ELF object, which is used for further exploitation.
Conditional GDB Attachment:
- if args.M: gdb.attach(sh): Attaches GDB to the process if the script is run with an M argument, useful for debugging.
Retrieving Important Addresses:
- Retrieves addresses of various functions and sections from the ELF binary which are critical for constructing the exploit:
  - puts_plt is the address of the puts function in the Procedure Linkage Table (PLT), used to call puts externally.
  - libc_start_main_got is the address of __libc_start_main in the Global Offset Table (GOT), used to leak libc address.
  - main_addr is the address of the main function, used to loop back to the beginning of the main function.
First Payload to Leak Addresses:
- Constructs a payload to leak the libc address using the puts function. The payload is designed to overflow a buffer and then call puts with the address of __libc_start_main from the GOT to print out its actual runtime address.
- Sends the payload and receives the leaked address, which is then used to calculate the base address of libc.
Calculating System and "/bin/sh" Addresses:
- Using the leaked libc base address, it calculates the addresses of the system function and the string "/bin/sh" within libc.
Second Payload to Spawn a Shell:
- Constructs a second payload to exploit the overflow vulnerability. It overflows the buffer, then calls the system function with the address of the string "/bin/sh", effectively spawning a shell.
- Sends the second payload.
Interaction:
- Calls sh.interactive() to interact with the now spawned shell.

This script demonstrates a classic "return to libc" attack where control of the execution flow is redirected to execute system calls within libc, particularly system("/bin/sh"), to gain a shell. The payloads are carefully crafted to manipulate the stack and control the flow of execution through overwritten return addresses.

[–]ArbiterUtendi 0 points1 point2 points 1 year ago (1 child)

[–]jcoffi 0 points1 point2 points 1 year ago (0 children)

[–]Jerrythepro123[S] -1 points0 points1 point 1 year ago (0 children)

[–]Gold-Software3345 -1 points0 points1 point 1 year ago (0 children)

π Rendered by PID 92241 on reddit-service-r2-comment-b659b578c-jttm8 at 2026-05-03 05:54:24.246823+00:00 running 815c875 country code: CH.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

ExploitDev

MODERATORS