User Tools
Sidebar
session:solution:10
Table of Contents
Session 10 Solutions
ret-to-plt
Idea: The stack would need to look like:
- address of puts (in place of the return address)
- address of exit
- argument to puts call (address of string)
ret-to-libc
Idea: The stack would need to look like:
- address of system (in place of the return address)
- address of exit
- argument to system call (address of string)
To find the "/bin/sh" string use the searchmem command in GDB PEDA.
Brute Force
Idea: Used fixed addresses for system() and "/bin/sh" and run the exploit test command until the addresses match.
mprotect
Idea: The stack would need to look like:
- address of
mprotect() - address of buffer start (where the shellcode is located)
- first argument of
mprotect() - 2nd argument of
mprotect()
…
session/solution/10.txt · Last modified: 2020/07/19 12:49 (external edit)
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
