This shows you the differences between two versions of the page.
cns:labs:lab-05 [2020/11/09 15:48] dennis.plosceanu [2. Multistage exploit] |
cns:labs:lab-05 [2022/11/07 14:44] (current) mihai.dumitru2201 [Tasks] |
Line 398: | Line 398: | ||
All content necessary for the CNS laboratory tasks can be found in [[cns:resources:repo|the CNS public repository]]. | All content necessary for the CNS laboratory tasks can be found in [[cns:resources:repo|the CNS public repository]]. | ||
- | |||
==== 1. Passing shellcode through the environment ==== | ==== 1. Passing shellcode through the environment ==== | ||
Line 418: | Line 417: | ||
Env var addr 0xfffdd1e7 | Env var addr 0xfffdd1e7 | ||
</code> | </code> | ||
+ | |||
+ | <note tip>You can also use pwntools to pass the env var: | ||
+ | <code python> | ||
+ | from pwn import * | ||
+ | p = process(['./getenv', 'A'], env={'A': shellcode}) | ||
+ | print(p.recvline()) | ||
+ | </code> | ||
+ | |||
+ | This way you can do the whole exploit with a python script: | ||
+ | - run ''getenv'' to leak the address | ||
+ | - parse the output of ''getenv'' | ||
+ | - build the payload and send to ''vuln'' | ||
+ | </note> | ||
This is the address at which you will return to. | This is the address at which you will return to. |
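Review bot: the tip added in this hunk should say that ''env={'A': shellcode}'' replaces the whole environment, so the address ''getenv'' prints (the ''Env var addr 0x...'' line in the context above) is only valid for ''vuln'' if ''vuln'' is started the same way: the same ''env'' dict, the same argv, and a program path of the same length, because the environment strings sit at the very top of the stack and move when anything placed above them (path, arguments, other variables) changes length. One sentence along the lines of "start ''vuln'' from the same script with the same ''env'' and a padded ''argv[0]'', or put a NOP sled in front of the shellcode so a small shift still lands inside it" would save students the most common failure here. Two smaller points for the same note: ''p.recvline()'' returns ''bytes'', so the "parse the output" step has to split the bytes or decode them before ''int(..., 16)''; and environment variables are NUL-terminated C strings, so the shellcode passed this way must not contain a ''\x00'' byte, which is worth stating explicitly since the same shellcode may have worked when written to a file.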