@nlykkei said:
I just rooted the machine remotely using pwntools. However, how can the exploit be converted to a local exploit? In my case, pwntools must be available, since I use a ret2plt approach with two rounds of payload (address of puts is leaked in libc) - and reinventing pwntools's functionality would be cumbersome. In the case of the Redcross YouTube tutorial, ret2plt is not needed, since execvp is available through .plt, so all input can be supplied on the command line using < payload. But the exploited binary has no such function in its
Please PM me with methods of converting the exploit to one that can be executed locally on Ellingson host.
I'm guessing by writing a script that does what pwntools does but manually: reading and writing to the process I/O through a socket or something (?, not much of a programmer myself), read the output addr, read the files for the other addresses or parse the output with sys calls to programs that do it for you, calculate base and offsets blah blah, and write the exploit dynamically accordingly.
I have no idea if what I just said is possible, so whatever haha.