逆向工程 - 尝试在 ac 程序中调用 Exit Shellcode - 吾爱随笔录

#include<stdio.h>
#include<stdint.h>

char shellcode[] = "\xb8\x3c\x00\x00\x00"
                   "\xbf\x14\x00\x00\x00"
                   "\x0f\x05";

int main()
{
    uint64_t *ret;
    ret = (uint64_t *)&ret + 2;
    (*ret) = (uint64_t)shellcode;
}

所以在这里我想要做的是通过将 rets 地址修改为 shellcodes 地址并以状态 20 退出 c 程序来运行退出 shellcode。

Reading symbols from ./Shellcode...
(gdb) l
1       #include<stdio.h>
2       #include<stdint.h>
3
4       char shellcode[] = "\xb8\x3c\x00\x00\x00"
5                          "\xbf\x14\x00\x00\x00"
6                          "\x0f\x05";
7
8       int main()
9       {
10
(gdb) 
11          uint64_t *ret;
12          ret = (uint64_t *)&ret + 2;
13          (*ret) = (uint64_t)shellcode;
14      }
(gdb) 
Line number 15 out of range; Shellcode.c has 14 lines.
(gdb) break 12
Breakpoint 1 at 0x1129: file Shellcode.c, line 12.
(gdb) run
Starting program: /home/kali/oscp/asm/32/Shellcode 

Breakpoint 1, main () at Shellcode.c:12
12          ret = (uint64_t *)&ret + 2;
(gdb) print /x &shellcode
$1 = 0x555555558028
(gdb) x/8xg $rsp
0x7fffffffdf70: 0x0000555555555150      0x00007ffff7e12d0a
0x7fffffffdf80: 0x00007fffffffe068      0x0000000100000000
0x7fffffffdf90: 0x0000555555555125      0x00007ffff7e127cf
0x7fffffffdfa0: 0x0000000000000000      0xd60b04d41db666f5
(gdb) s
13          (*ret) = (uint64_t)shellcode;
(gdb) x/8xg $rsp
0x7fffffffdf70: 0x0000555555555150      0x00007ffff7e12d0a
0x7fffffffdf80: 0x00007fffffffe068      0x0000000100000000
0x7fffffffdf90: 0x0000555555555125      0x00007ffff7e127cf
0x7fffffffdfa0: 0x0000000000000000      0xd60b04d41db666f5
(gdb) print /x $rip
$2 = 0x555555555135
(gdb) s
14      }
(gdb) x/8xg $rsp
0x7fffffffdf70: 0x0000555555555150      0x0000555555558028
0x7fffffffdf80: 0x00007fffffffe068      0x0000000100000000
0x7fffffffdf90: 0x0000555555555125      0x00007ffff7e127cf
0x7fffffffdfa0: 0x0000000000000000      0xd60b04d41db666f5
(gdb) print /x $rip
$3 = 0x555555555148
(gdb) s
0x0000555555558028 in shellcode ()
(gdb) print /x $rip
$4 = 0x555555558028
(gdb) x/8xg $rsp
0x7fffffffdf80: 0x00007fffffffe068      0x0000000100000000
0x7fffffffdf90: 0x0000555555555125      0x00007ffff7e127cf
0x7fffffffdfa0: 0x0000000000000000      0xd60b04d41db666f5
0x7fffffffdfb0: 0x0000555555555040      0x0000000000000000
(gdb) s
Single stepping until exit from function shellcode,
which has no line number information.

Program received signal SIGSEGV, Segmentation fault.
0x0000555555558028 in shellcode ()

shellcode地址确实属于rip但shellcode不执行或我无法理解的东西。所以我应该怎么做才能让我的 shellcode 运行并且退出状态为 20。