Hey, I am currently doing a CTF for college. The job is to do a buffer overflow ROP attack. The idea is to exploit the interrupt call (int 0x80) and call execve to run a program, which then reads the flag file. It took some time, but I managed to write an exploit that works perfectly locally. The binaries as well as the source code were provided locally, and the task says that the binary on the remote server is the same as the local one.
However, the exploit only works locally and I have no clue why. Some might say it is because of the libc offset, but the program is statically linked, which means that this cannot be the case as far as I understand.
To give a bit more context, this is what the exploit sends to the program:
- The name of the program which has to be called, followed by a \x00 byte
- A padding string full of A’s until we reach the return address
- Gadget address which pops value into eax
- 0xb for the execve command
- Gadget address which pops value into ebx
- The starting memory address of the stack (where the name is located) as the first parameter
- Two more gadgets to set ecx and edx to NULL
- Address of int 0x80 ; ret gadget
- Some final eip address to jump back to
As I said, this works perfectly locally, but remotely it segfaults, I guess (I don’t get a response, which is what happens when it crashes).
The file command outputs:
ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 3.2.0
I would appreciate some help!