Created by 0x5da (Toasty / OsintToast / WoahToast)
Exploit Developer & Security Engineer • OSINT • Malware Analysis • Pentesting Tools
https://www.imperiumsolutions.xyz/ • GitHub @0x5da
This project and all code in this directory were fully written and designed by me. You may use, study, and build upon it for authorized security research and education only.
A shellcode injection proof-of-concept. The vulnerable program uses gets() to read into a stack buffer and prints the buffer’s address. The binary is compiled with an executable stack and no NX, so we can place shellcode in the buffer and overwrite the return address to point into our buffer. When the function returns, execution jumps to our shellcode (here, x64 execve("/bin/sh", 0, 0)), giving a shell.
I built this as the classic “overflow + executable stack + shellcode” example. It’s the most direct form of code execution after a stack overflow and is still useful in CTFs and in environments where NX is disabled (e.g. some embedded or legacy systems).
- Learning — See how buffer address leak + overflow + exec stack lead to code execution.
- CTF / labs — Template for shellcode challenges.
- Reference — Minimal x64 execve shellcode and payload layout.
| File | Description |
|---|---|
| vulnerable.c | Prints buffer address, then gets() into a 128-byte buffer. No NX, so stack is executable. |
| shellcode_payload.c | Builds payload: nopsled, shellcode (execve("/bin/sh")), padding to saved RIP, then the buffer address so return jumps into the shellcode. |
| Makefile | Builds the vulnerable binary and the exploit (with -z execstack for the target). |
- Build: `make`
- Run the vulnerable program once to get the buffer address from its output (or disable ASLR).
- Run: `./shellcode_payload <buffer_addr_hex> | ./vulnerable`
- Example: `./exploit 0x7fffffffe000 | ./vulnerable`
- If the address is correct and the stack is executable, you get a shell.
- The shellcode is position-independent and uses the stack for the /bin/sh string (built in the instructions).
- On modern systems, executable stack is less common; ret2libc/ROP are used when NX is on.
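The note that executable stacks are uncommon on modern systems raises the practical question of how to tell whether a given binary was linked with -z execstack. The following added example, which is mine and not part of this project, parses the ELF64 program headers and reports the PT_GNU_STACK flags, the header the Linux loader consults when it maps the stack. The function names, result codes and the constructed test image are assumptions; the checker also bounds-checks the program header table before walking it, so a truncated or malformed file is reported rather than read out of bounds.

```c
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes (hypothetical names) for elf64_stack_check(). */
enum { STACK_NX = 0, STACK_EXEC = 1, STACK_UNKNOWN = -1, STACK_BADELF = -2 };

/* Inspect an in-memory ELF64 image and report the PT_GNU_STACK permission. */
int elf64_stack_check(const unsigned char *img, size_t len)
{
    Elf64_Ehdr eh;
    if (len < sizeof eh)
        return STACK_BADELF;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64)
        return STACK_BADELF;
    if (eh.e_phentsize != sizeof(Elf64_Phdr))
        return STACK_BADELF;
    /* Bounds-check the program header table before walking it. */
    if (eh.e_phoff > len || (size_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff)
        return STACK_BADELF;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, img + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_STACK)
            return (ph.p_flags & PF_X) ? STACK_EXEC : STACK_NX;
    }
    return STACK_UNKNOWN;   /* no PT_GNU_STACK: the kernel's default applies */
}

/* Build a minimal, non-loadable ELF64 image with one program header
 * (constructed test data, not a real binary). with_gnu_stack selects
 * PT_GNU_STACK or a PT_NOTE stand-in; flags become p_flags. */
size_t build_test_image(unsigned char *out, size_t cap, int with_gnu_stack, Elf64_Word flags)
{
    Elf64_Ehdr eh;
    Elf64_Phdr ph;
    size_t need = sizeof eh + sizeof ph;
    if (cap < need)
        return 0;
    memset(&eh, 0, sizeof eh);
    memset(&ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_EXEC;
    eh.e_machine = EM_X86_64;
    eh.e_version = EV_CURRENT;
    eh.e_phoff = sizeof eh;
    eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph;
    eh.e_phnum = 1;
    ph.p_type = with_gnu_stack ? PT_GNU_STACK : PT_NOTE;
    ph.p_flags = flags;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, &ph, sizeof ph);
    return need;
}

/* Read a whole file into memory and run the check on it. */
static int check_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f) { perror(path); return STACK_BADELF; }
    if (fseek(f, 0, SEEK_END) != 0) { fclose(f); return STACK_BADELF; }
    long sz = ftell(f);
    if (sz <= 0) { fclose(f); return STACK_BADELF; }
    rewind(f);
    unsigned char *buf = malloc((size_t)sz);
    if (!buf || fread(buf, 1, (size_t)sz, f) != (size_t)sz) {
        free(buf); fclose(f); return STACK_BADELF;
    }
    int r = elf64_stack_check(buf, (size_t)sz);
    free(buf);
    fclose(f);
    return r;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <elf-file>\n", argv[0]); return 2; }
    int r = check_file(argv[1]);
    switch (r) {
    case STACK_EXEC:    puts("PT_GNU_STACK: RWE (executable stack, e.g. built with -z execstack)"); break;
    case STACK_NX:      puts("PT_GNU_STACK: RW (non-executable stack)"); break;
    case STACK_UNKNOWN: puts("no PT_GNU_STACK header: kernel default applies (historically executable on x86)"); break;
    default:            puts("not a valid ELF64 image"); break;
    }
    return r == STACK_NX ? 0 : 1;
}
```

Run as `./stack_check ./vulnerable` (assumed binary name): the PoC target, built with -z execstack, reports RWE, while the same source linked without that flag reports RW, which is the condition under which the shellcode in the buffer cannot execute and the notes above point to ret2libc/ROP instead. `readelf -l` shows the same GNU_STACK line for comparison.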
Use only on systems you own or have explicit permission to test.