Ropme

I’m looking for a hint on what I’m doing wrong on this challenge. I have the leak working and can call arbitrary libc functions locally. Calls to sleep, puts, etc. work; if I call SYSTEM with RDI set to the address of a shell string, everything seems OK on entry to the SYSTEM function (verified using gdb). However, no shell is spawned and the connection closes. I’m using Pwntools; is there something I have to do on the second stage which I’m missing?

Any help really appreciated. I feel I’m close but missing something obvious to get the shell.

Comments

  • Watch @ippsec 's video on Bitterman and October. I used both of those to develop an exploit.

  • @wantsnewsocks said:

    I’m looking for a hint on what I’m doing wrong on this challenge. I have the leak working and can call arbitrary libc functions locally. Calls to sleep, puts, etc. work; if I call SYSTEM with RDI set to the address of a shell string, everything seems OK on entry to the SYSTEM function (verified using gdb). However, no shell is spawned and the connection closes. I’m using Pwntools; is there something I have to do on the second stage which I’m missing?

    Any help really appreciated. I feel I’m close but missing something obvious to get the shell.

    Where does the address "of a shell" sit? Are you 100% sure about it?

    you got to eat shit to know shit

  • edited June 5
    @3therk1ll, really appreciate the advice and I'll take a look at the October video. I have seen Bitterman before and thought I was following that technique.

    @windsurfer, like I say, I think I'm using the leaked info correctly, using my local libc and forming a ROP chain from that. If I use GDB and place a breakpoint at the address of system in libc and inspect the RDI register, it is set to the correct address on entry into the system function call in the second-stage ROP chain. I feel I want to post a picture of the GDB output to show my problem but fear it may be too much of a spoiler. I feel I'm so close but not close enough; I just can't figure out what I'm doing wrong.

  • Playing around trying to fault-find this, I added a few extra calls to my libc ROP chain in my second-stage ROP chain just to see if I had a problem using my local libc. I can call sleep() or exit(3), exit(7), exit(9), etc. and get the correct results back, so I can't figure out why my call to system() doesn't spawn a shell. Could it be to do with stdin?

  • As I said, where do you find the actual "/bin/sh" address... in which space is it? I am referring to the actual string address that you are using.

    you got to eat shit to know shit

  • What helped me with this was using libc magic gadgets. The /bin/sh string is at a weird offset that I'm not sure how anyone got.

  • @wantsnewsocks and @windsurfer DM me if you're still stuck

  • As a hint though, I'd check out ippsec's Bitterman video.
