1

I'm working on an exploit development challenge right now in which I've been presented with a compiled binary and I have to exploit it on a remote server. No stack protections have been enabled and ASLR is disabled. I've written the exploit successfully and tested on my device and it works. However when I run it on the remote server it fails.

There aren't any memory leaks so I can't do a ret2libc-style attack and I'm not very good at ROP. The buffer overflows by quite a bit and there is an executable stack. What are the other options rather than ROP that I could use to get EIP pointing to my buffer without knowing its exact location? Is it possible to use just a couple of gadgets to point EIP to some location relative to the current stack? If so, could someone potentially help explain the ASM required to do that?

Thank you in advance.

leaustinwile
    In your local exploit, how are you determining the address to jump to? You are probably not going to be able to blindly determine this on the server, even without ASLR. You say the buffer is rather large; are you trying to catch the jump with a NOP sled? – multithr3at3d Aug 04 '19 at 19:22

1 Answer

1

In the end, it turns out that I was making an elementary mistake. Prefixing my shellcode with a NOP sled ended up successfully exploiting the remote instance of the vulnerable application.

leaustinwile
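An added illustration, not part of the question or the answer above, of why the NOP sled made the difference and what the same payload looks like from the defender's side. The first function models the address slack a sled buys: if the remote stack layout differs from the local one by some number of bytes, a guessed return address still works as long as it lands anywhere inside the sled. The second is the classic intrusion-detection heuristic for such payloads: a long run of single-byte no-op instructions in inbound data. Every byte string and number here is constructed for the example; nothing is taken from the challenge binary.

```python
"""Added example (not from the original question or answer): NOP sleds from
an educator's and defender's perspective.

  tolerated_shifts(): the range of layout differences (remote minus local, in
      bytes) for which one fixed return-address guess still lands in the sled.
  guess_survives(): the same test for one concrete shift.
  find_nop_sleds(): runs of filler bytes in a blob, the detection side.

All sample data below is constructed for this example.
"""

NOP = 0x90  # x86 single-byte NOP

# Bytes that behave as one-byte "do nothing much" instructions on 32-bit x86
# and are therefore commonly treated as sled fillers by IDS rules: 0x90 (nop)
# and 0x40-0x4F (inc/dec of a general register). Detection uses only 0x90 by
# default; pass an extended set explicitly when that is wanted.
X86_INC_DEC = frozenset(range(0x40, 0x50))


def tolerated_shifts(sled_len: int, guess_offset: int) -> tuple[int, int]:
    """Return (min_delta, max_delta): the layout shifts, in bytes, that a
    guessed return address survives.

    guess_offset is where the guess points, measured from the payload start
    as seen on the local machine. On the remote host the payload sits at
    local_base + delta, and the guess still works when
        local_base + delta <= guess <= local_base + delta + sled_len
    i.e. guess_offset - sled_len <= delta <= guess_offset.
    With sled_len == 0 there is exactly one working delta: the guess must be
    byte-exact, which is what the question ran into.
    """
    if sled_len < 0:
        raise ValueError("sled length cannot be negative")
    return (guess_offset - sled_len, guess_offset)


def guess_survives(sled_len: int, guess_offset: int, delta: int) -> bool:
    """True if the guess lands in the sled (or exactly on the shellcode)
    when the remote payload is shifted by delta bytes relative to local."""
    lo, hi = tolerated_shifts(sled_len, guess_offset)
    return lo <= delta <= hi


def find_nop_sleds(data: bytes, min_run: int = 32,
                   fillers: frozenset = frozenset({NOP})) -> list[tuple[int, int]]:
    """Return (offset, length) for every run of filler bytes >= min_run.

    A benign protocol message very rarely carries dozens of consecutive
    0x90 bytes, so long runs are a cheap, high-signal indicator; runs of
    other fillers (e.g. X86_INC_DEC) are noisier because 'A'..'O' are
    ordinary printable text.
    """
    runs = []
    i, n = 0, len(data)
    while i < n:
        if data[i] not in fillers:
            i += 1
            continue
        j = i
        while j < n and data[j] in fillers:
            j += 1
        if j - i >= min_run:
            runs.append((i, j - i))
        i = j
    return runs


# Constructed sample: a request line, 16 bytes of padding, a 128-byte sled,
# then a stand-in "payload" of int3 bytes. Not a real exploit.
SAMPLE_PAYLOAD = b"GET /" + b"A" * 16 + bytes([NOP]) * 128 + b"\xcc" * 8 + b"\r\n"
BENIGN_REQUEST = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"


if __name__ == "__main__":
    # A 64-byte sled with the guess aimed at its middle survives a layout
    # that moved by up to 32 bytes in either direction; no sled survives none.
    print("64-byte sled, guess at +32:", tolerated_shifts(64, 32))
    print("no sled, exact guess:     ", tolerated_shifts(0, 0))
    print("shift of -20 with sled:   ", guess_survives(64, 32, -20))
    print("shift of -20 without sled:", guess_survives(0, 0, -20))
    print("sled runs in sample:      ", find_nop_sleds(SAMPLE_PAYLOAD))
    print("sled runs in benign:      ", find_nop_sleds(BENIGN_REQUEST))
```

The detection threshold (`min_run`) is a tuning knob: too low and ordinary binary data (zero-filled structures, padding) triggers it, too high and a short sled slips past, so in practice it is paired with other indicators rather than used alone.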