Reverse Engineering Asked by i.e. on August 20, 2020
ELF x64 binary on a remote server communicates via simple socket server in C.
After overflowing the buffer (total buffer is 2000, password buffer is less), overwriting the RIP, filling with NOP sled (512 nops), inserting a reverse bind shellcode on the top of that, finding out a perfect address (without x00
) in middle of nop sled which after sliding it will execute the shellcode.
Remote server ASLR is off;
Binary compiled without canary and can execute code from stack.
No info leak AFAIK
I understand the many outcomes but if I decide to brute force the remote server to find the NOP-sled address.
Any good practice for that ?
Brute force is not the way you should look to in anything unless its your last resort. The address space of x64 is too large to get brute force to work. Look up on this technique called ROP(Return Oriented Programming). Currently you're bruteforcing the RIP, what if there's some code in the binary that will help you jump to your shellcode without bruteforcing and plus no PIE means that address is constant. When your control is getting transferred at ret
, look at what other registers contain. You might find code such as call eax
in the binary.
Correct answer by sudhackar on August 20, 2020
Get help from others!
Recent Questions
Recent Answers
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP