
Unknown format code 'x' for object of type 'str' Error when running generated <tmp_file>.py from skel.py #36

Closed
acondra2 opened this issue May 31, 2021 · 3 comments

Comments

@acondra2

acondra2 commented May 31, 2021

When running a generated exploit skeleton using skel.py from within gef, the resulting temp file cannot run and gives the following output:

[DEBUG] '/home/user/Downloads/start' is statically linked, skipping GOT/PLT symbols
[*] '/home/user/Downloads/start'
    Arch:     i386-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)
[+] Starting local process '/home/user/Downloads/start': pid 17445
Traceback (most recent call last):
  File "/home/user/Downloads/./getem.py", line 36, in <module>
    exploit(r)
  File "/home/user/Downloads/./getem.py", line 24, in exploit
    attach(r)
  File "/home/user/Downloads/./getem.py", line 20, in attach
    gdb.attach(r, '\n'.join(["break *{:#x}".format(x) for x in bkps] + cmds))
  File "/home/user/Downloads/./getem.py", line 20, in <listcomp>
    gdb.attach(r, '\n'.join(["break *{:#x}".format(x) for x in bkps] + cmds))
ValueError: Unknown format code 'x' for object of type 'str'
[*] Stopped process '/home/user/Downloads/start' (pid 17445)
@Grazfather
Collaborator

Please share the generated file, your python version, and your gdb version.

Looks like bkps is a list of strings instead of breakpoints or numbers that know how to format, so probably has to do with your gdb version.
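To illustrate the diagnosis above, here is an added example (not gef's code, and not the fix that was eventually committed) that reproduces the `ValueError` from the traceback and shows a breakpoint formatter that accepts both integer addresses and strings, while refusing strings that would smuggle extra gdb commands into the generated script. The helper names `format_breakpoint` and `build_gdb_script` are my own.

```python
import re
from typing import Iterable, List, Union

Breakpoint = Union[int, str]

# Only names gdb will resolve as symbols: no whitespace, newlines or quotes,
# so a string breakpoint cannot append arbitrary commands to the gdb script.
_SYMBOL_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.@$]*")


def format_breakpoints_original(bkps: Iterable[Breakpoint]) -> List[str]:
    # The expression from the generated skeleton: the '#x' format code only
    # works for ints, so a string element raises ValueError exactly as in the
    # traceback ("Unknown format code 'x' for object of type 'str'").
    return ["break *{:#x}".format(x) for x in bkps]


def format_breakpoint(bp: Breakpoint) -> str:
    """Return one gdb 'break' command for an int, a numeric string or a symbol."""
    if isinstance(bp, bool):
        raise TypeError("bool is not a breakpoint address")
    if isinstance(bp, int):
        if bp < 0:
            raise ValueError("negative address: %d" % bp)
        return "break *{:#x}".format(bp)
    if isinstance(bp, str):
        s = bp.strip()
        if not s:
            raise ValueError("empty breakpoint")
        try:
            # Accepts "0x8048000", "0o...", "0b..." and plain decimal strings.
            return "break *{:#x}".format(int(s, 0))
        except ValueError:
            pass
        if _SYMBOL_RE.fullmatch(s) is None:
            raise ValueError("not an address or symbol name: %r" % bp)
        return "break {}".format(s)  # let gdb resolve the symbol
    raise TypeError("unsupported breakpoint type: %s" % type(bp).__name__)


def build_gdb_script(bkps: Iterable[Breakpoint], cmds: Iterable[str]) -> str:
    """Build the string that would be passed to gdb.attach(r, ...)."""
    lines = [format_breakpoint(b) for b in bkps]
    for c in cmds:
        if not isinstance(c, str):
            raise TypeError("gdb command must be str, got %r" % (c,))
        lines.append(c)
    return "\n".join(lines)
```

With constructed input `build_gdb_script([0x8048000, "main"], ["continue"])` yields the three-line script `break *0x8048000`, `break main`, `continue`, whereas `format_breakpoints_original(["0x8048000"])` fails the way the issue reports.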

@acondra2
Author

acondra2 commented Jun 2, 2021

Python script that gef outputs:


#!/usr/bin/env python3
import sys, os
from pwn import *
context.update(
    arch="i386",
    endian="little",
    os="linux",
    log_level="debug",
    terminal=["tmux", "split-window", "-h", "-p 65"],
)

REMOTE = False
TARGET=os.path.realpath("/home/user/Downloads/start")
elf = ELF(TARGET)

def attach(r):
    if not REMOTE:
        bkps = []
        cmds = []
        gdb.attach(r, '\n'.join(["break *{:#x}".format(x) for x in bkps] + cmds))
    return

def exploit(r):
    attach(r)
    # r.sendlineafter(b"> ", b"HelloPwn" )
    r.interactive()
    return

if __name__ == "__main__":
    if len(sys.argv)==2 and sys.argv[1]=="remote":
        REMOTE = True
        r = remote("chall.pwnable.tw", 10000)
    else:
        REMOTE = False
        r = process([TARGET,])
    exploit(r)
    exit(0)

@hugsy
Owner

hugsy commented Jun 2, 2021

I suspect this is not the file that generated the stack because bkps is empty.
However, there was a bug and it is fixed.

@acondra2 you're welcome to report bugs in gef (or gef-extras), but in the future provide as many details as possible for us to reproduce. Remember that we're not on your computer 😀 You can use this for a template example.

Cheers.

@hugsy hugsy closed this as completed in c5c31e0 Jun 2, 2021