Questions tagged [shellcode]

A `shellcode` or `eggshell` is a small program represented as a string of instructions in their hexadecimal encoding.

1 vote
0 answers
94 views

Wargames RET2 Systems Shellcoding - Trouble using `jmp` instruction to connect parts of shellcode

I am doing the RET2 Systems Binary Exploitation course Wargames (https://wargames.ret2.systems/) and am working on the shellcoding chapter. I am learning about how to use jmp assembly instructions to ...
Aaron • 111
1 vote
1 answer
323 views

Why doesn't this x64 shellcode work? (segmentation fault)

I found a simple shellcode on the internet. Then, to test this shellcode, I make the simple ret overwrite code. test.c #include <stdio.h> #include <string.h> char buf[100]; int main(void)...
doldom • 55
2 votes
0 answers
211 views

Overwriting the Global Offset Table + format string vulnerability

I am trying to understand how to overwrite the Global Offset Table. On the book "Hacking: The Art of Exploitation". Following the example I get: objdump -R ./fmt ...
LianoQ • 31
2 votes
0 answers
85 views

The execution is not at AddressOfEntryPoint after patching .text section bytes

I have a shellcode and want to inject my shellcode into a PE file (a simple compiled C program that prints Hello World on the screen). My shellcode size is 0x2a1 and the .text section of my PE file ...
Hossein Ahmadi
2 votes
1 answer
50 views

Can ESP point to a global variable

These 3 lines of code are used by some encoders to get EIP into the ECX register: fldz fnstenv [esp-C] pop ecx The first 2 instructions push some data on the stack and we get one of these into ECX on the last ...
Bob5421 • 797
2 votes
0 answers
371 views

neovim: pwntools process automatically stops when trying to invoke interactive shell

I'm using python pwntools. I'm using python 3.10.x. This line of code should open a shell for me: io.interactive() But while running this file from vim using !./% it doesn't open the shell doesn't ...
NobinPegasus
3 votes
0 answers
152 views

How to leak buffer address on the stack?

I am new to buffer overflows and I was trying to overwrite the saved RIP to point to a buffer containing a shellcode. The buffer is located on the stack so its address is randomized. How can I leak ...
Jacob • 51
2 votes
0 answers
87 views

Invalid address when overwriting saved rip with buffer's address

I have an executable vulnerable to buffer overflows. The program takes a buffer of 104 chars and prints it (unfortunately, there is no format string vulnerability) until we feed it with a 0 or a \n, ...
Jacob • 51
3 votes
1 answer
95 views

x64 buffer overflow - tcp shell payload

ASLR: off Canary: on I have a binary that, when run, spawns a zombie process on port 9191. I've been using ghidra and gdb to reverse engineer this and have found the buffer, canary, found the pop rdi ...
Coop • 31
1 vote
1 answer
752 views

Reverse Engineering Go obfuscated binaries

I have been trying to understand the working of this Go malware by reversing it, which can be found here, so basically this stuff takes a shellcode as an input, and converts it to an exe or dll file, ...
Subhajeet
2 votes
1 answer
162 views

Am I missing symbols when RE'ing shellcode?

I have a question about reversing a tutorial which shows how to reverse engineer shellcode. My question is simple: In figure 4, we see at (7) TEX.ProcessEnvironmentBlock: is this a comment, or was ...
hongkongcoffin
2 votes
2 answers
981 views

ShellCode not running as expected - showing segmentation fault core dump

I have already run this command. But my shellcode is not working for me: gcc -fno-stack-protector -z execstack test.c -o test ./test Segmentation fault (core dumped) Here is my shellcode #include &...
Alvin567 • 121
3 votes
2 answers
1k views

How to load shellcode into Ghidra

I'm trying to learn more about reverse engineering, and I've found some shellcode embedded in a C program: unsigned char shellcode[] = "\x48\x83\xEC\x28\x48\x83\xE4\xF0\x48\x8D\x15\x66\...
dcom-launch
1 vote
0 answers
59 views

Send file or non-printable character in Immunity Debugger arguments

I am a beginner in Reverse Engineering. I am on Windows and using Immunity Debugger. I would like to send my payload on the .exe file. The payload contains non-printable characters. How can I launch ...
cactuschibre
1 vote
0 answers
194 views

Trying to call the Exit Shellcode in a c program

#include<stdio.h> #include<stdint.h> char shellcode[] = "\xb8\x3c\x00\x00\x00" "\xbf\x14\x00\x00\x00" "\x0f\x05"; int ...
user8166560
