I'm doing a pretty bog-standard return-to-libc attack and I'm in a bit of a pickle.
I first got the entire attack working with my local version of libc, then I used the version of libc provided by the challenge to work out the offsets on the remote target. It doesn't work on remote so I startup a Ubuntu Bionic container and LD_PRELOAD their version of libc, then fire up gdb to see what's up.
The attack works, I ROP to a gadget, the gadget loads "/bin/sh" into RDI, and then I crash.
Any ideas what I should be looking for here? Again this whole setup works with the identical binary linking against newer versions of libc.
ASLR, stack protection, and NX are all turned on, not that I think it matters for this attack.