This shows you the differences between two versions of the page.
| cns:labs:lab-05 [2020/11/09 15:48] dennis.plosceanu [2. Multistage exploit] | cns:labs:lab-05 [2022/11/07 14:44] (current) mihai.dumitru2201 [Tasks] | ||
|---|---|---|---|
| Line 398: | Line 398: | ||
| All content necessary for the CNS laboratory tasks can be found in [[cns:resources:repo|the CNS public repository]]. | All content necessary for the CNS laboratory tasks can be found in [[cns:resources:repo|the CNS public repository]]. | ||
| - | |||
| ==== 1. Passing shellcode through the environment ==== | ==== 1. Passing shellcode through the environment ==== | ||
| Line 418: | Line 417: | ||
| Env var addr 0xfffdd1e7 | Env var addr 0xfffdd1e7 | ||
| </code> | </code> | ||
| + | |||
| + | <note tip>You can also use pwntools to pass the env var: | ||
| + | <code python> | ||
| + | from pwn import * | ||
| + | p = process(['./getenv', 'A'], env={'A': shellcode}) | ||
| + | print(p.recvline()) | ||
| + | </code> | ||
| + | |||
| + | This way you can do the whole exploit with a python script: | ||
| + | - run ''getenv'' to leak the address | ||
| + | - parse the output of ''getenv'' | ||
| + | - build the payload and send to ''vuln'' | ||
| + | </note> | ||
| This is the address at which you will return to. | This is the address at which you will return to. | ||
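Review bot: the `env={'A': shellcode}` argument in the added pwntools snippet replaces the child's entire environment instead of adding `A` to the inherited one, so `getenv` runs with a single environment variable and the address it prints only matches the `vuln` run if that process is started with an identical `env` dict and argv of the same length; the three-step list ("run getenv to leak the address", "build the payload and send to vuln") should state this explicitly, e.g. `env = {'A': shellcode}` built once and passed to both `process()` calls, otherwise the leaked stack address will be off and the exploit fails silently. Also, `p.recvline()` returns bytes under Python 3, so the "parse the output of getenv" step needs a `.decode()` (or `int(..., 16)` on the sliced bytes) before the address can be used.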