Ellingson - remote ROP challenges

Hey all, this one took me a while, specifically with getting root. For root, I had my exploit working locally against a binary with the appropriate permission with ASLR enabled. Remotely, I couldn’t get it to work for the longest time, even against the loopback interface of my Kali box.

I eventually figured out that the libc pointer was getting corrupted with recv when over ssh. I just ended up trimming the number and it worked like a charm. Debug output showed that the messages from my target binary were actually coming in out of order over SSH, but were fine locally, which explains the ptr corruption.

Has anyone seen this? Can someone please point me in the right direction to help me understand why I had to make that adjustment with the libc pointer?
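An added example, not part of the original post: it assumes the corruption comes from `recv` returning different fragments over the SSH channel than it does locally (the thread does not confirm the cause), and shows why reading up to a delimiter gives the same pointer either way. The stream class, chunk lists and address are constructed for the illustration.

```python
import struct

ADDR = 0x7F1234567890                      # constructed sample address
LEAK = struct.pack("<Q", ADDR)[:6]         # the 6 non-zero bytes of a 64-bit pointer
# Constructed: identical program output, fragmented two different ways.
LOCAL_CHUNKS = [b"prompt> \n", LEAK + b"\n"]
TUNNEL_CHUNKS = [b"prom", b"pt> \n" + LEAK[:2], LEAK[2:] + b"\n"]

class ChunkedStream:
    """Stand-in for a socket: each recv() returns at most one queued fragment."""
    def __init__(self, chunks):
        self.chunks = list(chunks)
    def recv(self, n):
        if not self.chunks:
            return b""
        head, rest = self.chunks[0][:n], self.chunks[0][n:]
        self.chunks[0:1] = [rest] if rest else []
        return head

class LineReader:
    """Buffers recv() data and returns exactly one newline-terminated line per call."""
    def __init__(self, stream):
        self.stream, self.buf = stream, b""
    def readline(self):
        while b"\n" not in self.buf:
            data = self.stream.recv(4096)
            if not data:
                raise EOFError("stream closed before newline")
            self.buf += data
        line, _, self.buf = self.buf.partition(b"\n")
        return line

def to_addr(raw):
    # Zero-pad to 8 bytes, then decode as little-endian 64-bit.
    return struct.unpack("<Q", raw[:8].ljust(8, b"\x00"))[0]

def naive(chunks):
    s = ChunkedStream(chunks)
    s.recv(4096)                                # assumes recv #1 is the whole prompt
    return to_addr(s.recv(4096).rstrip(b"\n"))  # assumes recv #2 is the whole pointer

def framed(chunks):
    r = LineReader(ChunkedStream(chunks))
    r.readline()                                # consume the prompt line, however it arrived
    return to_addr(r.readline())

if __name__ == "__main__":
    for name, chunks in (("local", LOCAL_CHUNKS), ("tunnel", TUNNEL_CHUNKS)):
        print(name, hex(naive(chunks)), hex(framed(chunks)))
```

A raw pointer can itself contain the byte 0x0a, so when the byte count is known, reading a fixed length after a known prefix is more robust than splitting on a newline.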

I used pwn and there were no issues with the connection:

from pwn import *  # pwntools provides ssh()

s = ssh(host="10.10.10.139", user="ABC", password="ABC")
c = s.connect_remote(s.host, s.port)
p = s.process('/path/file')  # start the target binary over the SSH session

Then you can use p like a local process.

Re libc issue: did you make sure to calculate your offsets against the libc on Ellingson (different from Kali, at least for me)?

Yah, that’s exactly what I did. I had a copy of libc from the remote host. I used that in my script. I used the same ssh connection options too, and set my process variable like you. I just had things come in out of order when doing it like that. Weird.

Dunno if you got it fixed but I just rooted the machine and used p=s.run instead of p=s.process if that will make a difference.

I don’t understand why we are giving setuid(0).
I knew that ‘0’ represents the root user.
But why are we giving setuid() for this binary? Please answer me, dude.
I don’t understand.