linux – Unable to exploit buffer overflow based on a stack with ASLR disabled, because RSP differs significantly from one run to the other.

I have created a small toy program, compiled with ASLR disabled, that I wish to exploit with the help of a stack buffer overflow:

// gcc stackexec0x1.c -Wl,-z,execstack -no-pie -fno-stack-protector -o stackexec0x1

#include <stdio.h>

#define SBUFSZ 0x100
#define LBUFSZ 0x800

int main(int argc, char *argv[]) {
    char buf[SBUFSZ];
    printf("#");
    fgets(buf, LBUFSZ, stdin); // exploit that! (reads up to LBUFSZ-1 bytes into a SBUFSZ-byte buffer)
    printf("%s", buf);
    return 0;
}

I can easily overwrite the return address, stored on the stack, by a custom address. However, between consecutive executions of the program, the RSP register differs:


By calculating the differences between the RSP register values above, we can see that they are large. Would it not be possible to put a NOP sled that covers most of it?

How can I easily choose a return address inside the NOP sled + payload block on the stack, so that it is executed (with high probability) when the function returns?


checksec stackexec0x1
[*] '/home/nlykkei/exploit-dev/stackexec0x1/stackexec0x1'
    Arch:     amd64-64-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x400000)
    RWX:      Has RWX segments
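A hardened replacement for the fgets() call in the program above, added here as an example (not code from the original post): the read length is tied to the destination buffer, an overlong line is detected and discarded instead of being written past buf, and a helper computes how far past buf the original LBUFSZ-sized read could reach. The input is a constructed 0x800-byte line fed through a tmpfile() stream.

```c
#include <stdio.h>
#include <string.h>

#define SBUFSZ 0x100   /* same sizes as the program in the question */
#define LBUFSZ 0x800

/* Maximum bytes that fgets(buf, len_arg, ...) can write beyond a buffer of
 * dst_size bytes: the original program passes LBUFSZ for a SBUFSZ buffer. */
static size_t max_overflow_bytes(size_t dst_size, size_t len_arg) {
    return len_arg > dst_size ? len_arg - dst_size : 0;
}

/* Hardened read. Returns 1 for a complete line (newline stripped), 0 for EOF with
 * nothing read, -1 when the line did not fit in cap-1 bytes (the remainder is
 * consumed and dropped so it cannot be mistaken for the next input). */
static int read_line_bounded(char *dst, size_t cap, FILE *in) {
    if (cap == 0 || !fgets(dst, (int)cap, in))
        return 0;
    size_t n = strlen(dst);
    if (n > 0 && dst[n - 1] == '\n') {
        dst[n - 1] = '\0';
        return 1;
    }
    /* No newline stored: either EOF ended the line, or the line was too long. */
    int c = fgetc(in);
    if (c == EOF)
        return 1;
    while (c != '\n' && c != EOF)   /* discard the overflowing tail */
        c = fgetc(in);
    return -1;
}

/* Feeds a string through a temporary FILE* and runs the bounded reader on it. */
static int read_from_string(const char *line, char *out, size_t cap) {
    FILE *in = tmpfile();   /* ISO C, works offline; stands in for stdin */
    if (!in) return -2;
    fputs(line, in);
    rewind(in);
    int status = read_line_bounded(out, cap, in);
    fclose(in);
    return status;
}

int main(void) {
    static char line[LBUFSZ + 2];    /* constructed overlong input: 0x800 'A's */
    memset(line, 'A', LBUFSZ);
    line[LBUFSZ] = '\n';
    line[LBUFSZ + 1] = '\0';
    char buf[SBUFSZ];
    int status = read_from_string(line, buf, sizeof buf);
    printf("status=%d stored=%zu max_overflow=0x%zx\n",
           status, strlen(buf), max_overflow_bytes(SBUFSZ, LBUFSZ));
    return 0;
}
```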