Share
## https://sploitus.com/exploit?id=CADF1CB3-74EC-5605-B851-7EA0A30E5357
# Shellcode Injection Exploit

## Author

**Created by 0x5da** (Toasty / OsintToast / WoahToast)  
Exploit Developer & Security Engineer • OSINT • Malware Analysis • Pentesting Tools  
[https://www.imperiumsolutions.xyz/](https://www.imperiumsolutions.xyz/) • [GitHub @0x5da](https://github.com/0x5da)

This project and all code in this directory were fully written and designed by me. You may use, study, and build upon it for authorized security research and education only.

---

## What This Is

A **shellcode injection** proof-of-concept. The vulnerable program uses `gets()` to read into a stack buffer and prints the buffer’s address. The binary is compiled with an **executable stack** and no NX, so we can place shellcode in the buffer and overwrite the return address to point into our buffer. When the function returns, execution jumps to our shellcode (here, x64 `execve("/bin/sh", 0, 0)`), giving a shell.

## Why I Made It

I built this as the classic “overflow + executable stack + shellcode” example. It’s the most direct form of code execution after a stack overflow and is still useful in CTFs and in environments where NX is disabled (e.g. some embedded or legacy systems).

## What It’s Used For

- **Learning** — See how buffer address leak + overflow + exec stack lead to code execution.
- **CTF / labs** — Template for shellcode challenges.
- **Reference** — Minimal x64 execve shellcode and payload layout.

## Contents

| File | Description |
|------|-------------|
| `vulnerable.c` | Prints buffer address, then `gets()` into a 128-byte buffer. No NX, so stack is executable. |
| `shellcode_payload.c` | Builds payload: nopsled, shellcode (execve("/bin/sh")), padding to saved RIP, then the buffer address so return jumps into the shellcode. |
| `Makefile` | Builds the vulnerable binary and the exploit (with `-z execstack` for the target). |

## How to Build

```bash
make
```

## How to Use

1. Build: `make`
2. Run the vulnerable program once to get the buffer address from its output (or disable ASLR).
3. Run:  
   `./shellcode_payload  | ./vulnerable`  
   Example:  
   `./exploit 0x7fffffffe000 | ./vulnerable`
4. If the address is correct and the stack is executable, you get a shell.

## Notes

- The shellcode is position-independent and uses the stack for the `/bin/sh` string (built in the instructions).
- On modern systems, executable stack is less common; ret2libc/ROP are used when NX is on.

---

**Use only on systems you own or have explicit permission to test.**