Simple Buffer Overflow - 0x02
tags: CTF, PWN
Why would we want to write shellcode?
In most pwn challenges the binary has no hidden "win" function that hands us a shell. So we write the shell-spawning code ourselves (the shellcode), place it somewhere in memory, and use the buffer overflow to overwrite the saved return address with the address of that shellcode. When the function returns, our code runs and we get a shell.
How do we write shellcode for a BOF?
In lecture 0x01 the program contained a helper function that spawned a shell with:
execve("/bin/sh", (char *[]){0}, (char *[]){0});
According to the Linux System Call Table for x86_64, `execve` is a system call. Its arguments are passed in registers in the same order as the C parameters, but the register set differs slightly from the normal user-space calling convention: the fourth argument goes in `r10` instead of `rcx`, because `rcx` is clobbered by the `syscall` instruction.
- Note that on x86-64 the kernel interface uses `rdi`, `rsi`, `rdx`, `r10`, `r8` and `r9` for the first through sixth arguments, so `rdi` holds the first parameter of the C prototype.
| %rax | System Call | %rdi | %rsi | %rdx | %r10 | %r8 | %r9 |
|---|---|---|---|---|---|---|---|
| 59 (0x3B) | sys_execve | const char *filename | const char *const argv[] | const char *const envp[] | | | |
Therefore `%rdi` must hold the address of the string `/bin/sh`, while `%rsi` (argv) and `%rdx` (envp) can simply be set to 0 (NULL), which Linux accepts for execve.
Implement
```nasm
mov rbx, 0x68732f6e69622f   ; "/bin/sh" as a little-endian qword; the high byte 0x00 terminates the string
push rbx                    ; now [rsp] = "/bin/sh\0"
mov rdi, rsp                ; filename = pointer to "/bin/sh"
xor rsi, rsi                ; argv = NULL
xor rdx, rdx                ; envp = NULL
mov rax, 0x3b               ; SYS_execve = 59
syscall                     ; enter the kernel
```
- Decoding `0x68732f6e69622f` with a hex-to-text tool gives `?hs/nib/` (the `?` is the leading 0x00 byte): that is `/bin/sh` read from the most significant byte down. Because x86-64 is little-endian, `push rbx` writes the least significant byte at the lowest address, so memory at `rsp` reads `/bin/sh` followed by a NUL terminator, exactly the C string execve expects.
- The first three lines push `/bin/sh` onto the stack. `%rsp` now points at the top of the stack, so `mov rdi, rsp` loads the address of `/bin/sh` into `%rdi`.
- Then `%rsi` and `%rdx` are zeroed, giving execve a NULL argv and envp.
- `%rax` is set to the execve system call number, `0x3b` (59).
- Finally, `syscall` enters the kernel and the process is replaced by `/bin/sh`. We did it!!!