Relocate stack to the heap (evil)
format ELF64 executable 3
entry start

segment readable writeable

; copied verbatim from my lib
; linux x86-64 syscall numbers and mmap(2) bits, written as fully
; qualified constants (same values the label-scoped `.name =` form
; yields; nothing here emits bytes)

; syscall numbers
SYS.mmap.id        = 09h
SYS.munmap.id      = 0Bh

; mmap prot bits: PROT_READ=1, PROT_WRITE=2, PROT_EXEC=4
SYS.mmap.proto_r   = 01h        ; READ
SYS.mmap.proto_rw  = 03h        ; READ|WRITE  (what start uses: no exec on the heap-stack)
SYS.mmap.proto_rx  = 05h        ; READ|EXEC

; mmap flag bits: MAP_SHARED=1, MAP_PRIVATE=2, MAP_ANONYMOUS=20h
SYS.mmap.anon      = 22h        ; PRIVATE|ANONYMOUS
SYS.mmap.shared    = 01h        ; SHARED

; fd argument that goes with MAP_ANONYMOUS
SYS.mmap.nofd      = -1

; size of the heap-stack in 4 KiB pages (callers shift by 12)
BUFF_SZ            = 1

; --- * --- * ---
; setup
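segment readable executable

SYS.exit.id = 60

;-----------------------------------------------------------------------
; start -- program entry (no C runtime, argv/envp never read)
; ABI:   Linux x86-64, raw syscalls (args rdi,rsi,rdx,r10,r8,r9;
;        rcx/r11 clobbered by every syscall)
; Does:  mmap(NULL, BUFF_SZ pages, PROT_READ|PROT_WRITE,
;        MAP_PRIVATE|MAP_ANONYMOUS, -1, 0), points rsp at the end of
;        that mapping, pushes/pops once through it, munmap()s it and
;        exit()s.
; Exit:  0 if both mmap and munmap succeeded, 1 otherwise
; Regs:  rax = syscall nr / result, rdx = mapping size in bytes after
;        mmap, everything else is scratch; nothing survives the end
;-----------------------------------------------------------------------
start:

  ; get N pages: length = BUFF_SZ << 12
  mov rsi,BUFF_SZ
  shl rsi,12

  ; linux boilerpaste
  mov rdx,SYS.mmap.proto_rw       ; prot  = READ|WRITE (deliberately not exec)
  mov r10,SYS.mmap.anon           ; flags = PRIVATE|ANONYMOUS (r10, not rcx)
  mov r8 ,SYS.mmap.nofd           ; fd    = -1
  xor rdi,rdi                     ; addr  = NULL, kernel picks
  xor r9 ,r9                      ; off   = 0

  ; ^call mmap
  mov rax,SYS.mmap.id
  syscall

  ; ^check BEFORE touching rsp: a failed mmap returns -errno in
  ; [-4095,-1], and lea rsp,[rax+rdx] on that would park rsp just
  ; below the top of the address space and fault on the push.
  ; unsigned compare on purpose (jae), addresses are "small".
  cmp rax,-4095
  jae .fail

  ; ^get end of buff (recomputing size seems faster)
  mov rdx,BUFF_SZ
  shl rdx,12

  ; THE BIT: use heap as stack because we can
  ; rsp = one past the end of the mapping; push writes at rsp-8, so
  ; the first slot is the last qword inside the mapping. there is
  ; nothing below rax acting as a guard page: growing past BUFF_SZ
  ; pages would write into whatever else is mapped there (or fault),
  ; so keep usage well inside the buffer.
  lea rsp,[rax+rdx]
  push rax

  ; once you're done it'd be a good idea to reset rsp/rbp
  ; back to what they were. rather, it'd be a good idea to
  ; never do this, in fact. but because the program ends here,
  ; it doesn't matter (the kernel-provided stack with argv/envp/auxv
  ; is unreachable from here on)

  ; cleanup: munmap(addr, size); addr comes back off the heap-stack
  pop rdi
  mov rsi,rdx
  mov rax,SYS.munmap.id
  syscall

  ; from here rsp points at the end of an unmapped region: no more
  ; push/call, and a signal delivered now would fault writing its
  ; frame. only straight-line syscalls follow.

  ; exit(0) if munmap returned 0, else exit(1)
  ; (rdi used to be left holding the mapping address, i.e. a random
  ;  low byte as exit status)
  test rax,rax
  jnz .fail
  xor edi,edi
  mov rax,SYS.exit.id
  syscall

.fail:
  ; exit(1): either nothing got mapped, or it could not be released.
  ; no cleanup attempted; rsp may or may not be on the heap-stack.
  mov edi,1
  mov rax,SYS.exit.id
  syscall

; --- * --- * ---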