Hey all, this one took me a while, specifically with getting root. For root, I had my exploit working locally against a binary with the appropriate permission with ASLR enabled. Remotely, I couldn’t get it to work for the longest time, even against the loopback interface of my Kali box.
I eventually figured out that the libc pointer was getting corrupted with recv when going over SSH. I just ended up trimming the number and it worked like a charm. Debug output showed that the messages from my target binary were actually coming in out of order over SSH, but were fine locally, which explains the ptr corruption.
Has anyone seen this? Can someone please point me in the right direction to help me understand why I had to make that adjustment with the libc pointer?
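One thing worth checking with this symptom, as an added example (this is my code, not the poster's exploit): on a TCP connection recv() does not return one message per call. A single call can hand back part of a line or several lines at once, and the split points move around depending on the link, so a script that does one recv() and parses the leak out of it works on a fast local connection and then returns a truncated hex string on a slower path such as an SSH tunnel, which looks like a "corrupted" libc pointer. The Python below (standard library only) assumes the target prints a line of the form `leak: 0x...`; that line format, the sample address, and the ChunkedSocket stand-in that delivers the stream in pieces are all constructed for the example. It contrasts the single-recv parse with a buffered read-until-newline parse and adds a plausibility check so a bad leak stops the exploit instead of being sent on.

```python
import re

# Constructed sample conversation with a target that prints a leaked libc
# address. The "leak: 0x...\n" line format and the address value are
# assumptions made for this example; the original post does not give them.
SAMPLE_LIBC_PTR = 0x7FFFF7DC5000
SAMPLE_STREAM = (
    b"welcome\n"
    + b"leak: " + hex(SAMPLE_LIBC_PTR).encode() + b"\n"
    + b"> "
)

LEAK_RE = re.compile(rb"leak: (0x[0-9a-f]+)")


class ChunkedSocket:
    """Stand-in for a connected TCP socket (constructed for this example).
    It returns the byte stream in the pieces given by cut_points, the way
    recv() can when data crosses a slow link or an SSH tunnel: TCP is a
    stream, so one recv() may return part of a line or several lines."""

    def __init__(self, data, cut_points):
        bounds = [0] + sorted(cut_points) + [len(data)]
        self.pieces = [data[a:b] for a, b in zip(bounds, bounds[1:]) if b > a]

    def recv(self, n):
        if not self.pieces:
            return b""  # peer closed the connection
        piece = self.pieces.pop(0)
        if len(piece) > n:
            self.pieces.insert(0, piece[n:])
            piece = piece[:n]
        return piece


def naive_leak(sock):
    """One recv(), then parse: silently returns a truncated value when the
    pointer's hex digits are split across two segments."""
    data = sock.recv(4096)
    m = LEAK_RE.search(data)
    return int(m.group(1), 16) if m else None


class StreamReader:
    """Buffered reader over anything with a socket-like recv(); bytes that
    arrive after the delimiter are kept for the next read."""

    def __init__(self, sock):
        self.sock = sock
        self.buf = bytearray()

    def read_until(self, marker, limit=1 << 16):
        while marker not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("connection closed before %r" % marker)
            self.buf += chunk
            if len(self.buf) > limit:
                raise ValueError("no %r within %d bytes" % (marker, limit))
        end = self.buf.index(marker) + len(marker)
        line = bytes(self.buf[:end])
        del self.buf[:end]
        return line

    def read_line(self):
        return self.read_until(b"\n")


def looks_like_libc_ptr(ptr):
    """Plausibility check for an x86-64 Linux user-space mmap address: with
    ASLR on, libc lands in the 0x7f... range below the 47-bit user-space
    limit. A truncated leak such as 0x7ffff7 fails this check."""
    return 0x7F0000000000 <= ptr < (1 << 47)


def robust_leak(sock):
    """Read whole lines until the leak line appears, then validate it."""
    reader = StreamReader(sock)
    while True:
        line = reader.read_line()
        m = LEAK_RE.match(line)
        if m:
            ptr = int(m.group(1), 16)
            if not looks_like_libc_ptr(ptr):
                raise ValueError("implausible libc pointer %#x" % ptr)
            return ptr


if __name__ == "__main__":
    # Offset 22 of the constructed sample falls inside the "0x7ffff7dc5000"
    # token, so the hex digits arrive in two pieces.
    print(hex(naive_leak(ChunkedSocket(SAMPLE_STREAM, [22]))))   # 0x7ffff7 (truncated)
    print(hex(robust_leak(ChunkedSocket(SAMPLE_STREAM, [22]))))  # 0x7ffff7dc5000
```

StreamReader only needs an object with recv(), so the same class works unchanged on a real socket.socket; the ChunkedSocket is there so the failure can be reproduced deterministically offline. The plausibility range is an x86-64 Linux heuristic and should be adjusted for other targets.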