Self-exploiting exploit

self_exploit.py

#!/usr/bin/python2

import sys

from pwn import *

def find_libc_path_and_offset():
    with open("/proc/self/maps") as f:
        for line in f:
            line = line.strip()
            fields = line.split(" ")

            if "/libc." in fields[-1] or "/libc-" in fields[-1]:

                start, end = fields[0].split("-")

                return fields[-1], int(start, 16)

def find_exit_offset(libc_filename):
    elf = ELF(libc_filename)
    return elf.symbols["exit"]

def get_binary_arch():
    elf = ELF(sys.executable)
    return elf.arch

def main():
    context(arch=get_binary_arch())

    libc_filename, libc_offset = find_libc_path_and_offset()

    log.info("libc filename: %s", libc_filename)
    log.info("libc offset: 0x%x", libc_offset)

    exit_offset = find_exit_offset(libc_filename)

    log.info("exit_offset in libc: 0x%x", exit_offset)

    shellcode = asm(shellcraft.sh())

    log.info("shellcode: %r", shellcode)

    with open("/proc/self/mem", "wb") as f:
        f.seek(libc_offset + exit_offset)
        f.write(shellcode)

    log.success("Shellcode written!")

if __name__ == "__main__":
    main()