Ropme

I’m looking for a hint on what I’m doing wrong on this challenge. I have the leak working and can call arbitrary libc functions locally. Calls to sleep, puts, etc. work. If I call SYSTEM with RDI set to the address of a shell string, everything seems OK on entry to the SYSTEM function (verified using gdb). However, no shell is spawned and the connection closes. I’m using Pwntools; is there something I have to do on the second stage which I’m missing?

Any help really appreciated. I feel I’m close but missing something obvious to get the shell.

Watch @ippsec’s videos on Bitterman and October. I used both of those to develop an exploit.

@wantsnewsocks said:

I’m looking for a hint on what I’m doing wrong on this challenge. I have the leak working and can call arbitrary libc functions locally. Calls to sleep, puts, etc. work. If I call SYSTEM with RDI set to the address of a shell string, everything seems OK on entry to the SYSTEM function (verified using gdb). However, no shell is spawned and the connection closes. I’m using Pwntools; is there something I have to do on the second stage which I’m missing?

Any help really appreciated. I feel I’m close but missing something obvious to get the shell.

Where does the address “of a shell” sit? Are you 100% sure about it?

@3therk1ll, really appreciate the advice, and I’ll take a look at the October video. I have seen Bitterman before and thought I was following that technique.

@windsurfer, like I say, I think I’m using the leaked info correctly, using my local libc and forming a ROP chain from that. If I use GDB and place a breakpoint at the address of system in libc and inspect the RDI register, it is set to the correct address on entry into the system function call on the second-stage ROP chain. I feel I want to post a picture of the GDB output to show my problem but fear it may be too much of a spoiler. I feel I’m so close but not close enough; I just can’t figure out what I’m doing wrong.

Playing around trying to fault-find this, I added a few extra calls to my libc ROP chain in my second-stage ROP chain just to see if I had a problem using my local libc. I can call sleep() or exit(3), exit(7), exit(9), etc. and get the correct results back, so I can’t figure out why my call to system() doesn’t spawn a shell. Could it be to do with stdin?

As I said, where do you find the actual “/bin/sh” address… in which space is it? I am referring to the actual string address that you are using.

What helped me with this was using libc magic gadgets. The /bin/sh string is at a weird offset that I’m not sure how anyone got.

@wantsnewsocks and @windsurfer DM me if you’re still stuck

As a hint though, I’d check out ippsec’s Bitterman video.

Removed Spoiler

Removed Spoiler

Hi guys) I have two questions:

  1. I followed the approach from ippsec’s Bitterman video and developed the exploit. This exploit also works on the Ellingson box and gives a shell. But it doesn’t give a shell in this challenge, even locally on my Kali box! I get the “Got EOF while reading in interactive” error. What am I missing? PM, please:(
  2. I understand how to pwn the binary, but I can’t understand how to pwn the remote web service:( Where should I place my payload? In the body of a POST request? Or in the URI of a GET request? Or where? Any hints really appreciated)