In the exploit code, you don't know the address of the function(e.g., printf, socket...) in advance, so you have to leverage system call to execute it.

make

GCC flags -z execstack: Since our shellcode is in the data segment, we must set it executable in the link-time. -fno-stack-protector: To remove the guard variable that detecting stack smash attack in the function epilogue. 

objdump -D -M intel shellcode | less

The output :

 00000000004004ed <main> : 4004ed: 55 push rbp 4004ee: 48 89 e5 mov rbp,rsp 4004f1: 48 83 ec 10 sub rsp,0x10 4004f5: 48 c7 45 f8 60 10 60 mov QWORD PTR [rbp-0x8],0x601060 4004fc: 00 4004fd: 48 8b 55 f8 mov rdx,QWORD PTR [rbp-0x8] 400501: b8 00 00 00 00 mov eax,0x0 400506: ff d2 call rdx 400508: c9 leave 400509: c3 ret 40050a: 66 0f 1f 44 00 00 nop WORD PTR [rax+rax*1+0x0] 

It will call 0x601060 address in the main function.(in my computer, it's different in yours)

0000000000601060 <shellcode> : 601060: 48 b8 48 45 4c 4c 4f movabs rax,0x94f4c4c4548 601067: 09 00 00 60106a: 48 bb 00 00 00 00 00 movabs rbx,0x10000000000 601071: 01 00 00 601074: 48 01 d8 add rax,rbx 601077: 50 push rax 601078: 48 c7 c7 01 00 00 00 mov rdi,0x1 60107f: 48 89 e6 mov rsi,rsp 601082: 48 c7 c2 06 00 00 00 mov rdx,0x6 601089: 48 c7 c0 01 00 00 00 mov rax,0x1 601090: 0f 05 syscall 601092: 48 c7 c0 3c 00 00 00 mov rax,0x3c 601099: 48 c7 c7 00 00 00 00 mov rdi,0x0 6010a0: 0f 05 syscall 

Here is the shellcode we insert.

movabs rax,0x94f4c4c4548 movabs rbx,0x10000000000 add rax,rbx string 'HELLO\n' in little-endian format. 

push rax push string to the top of stack. mov rdi,0x1 //stdout mov rsi,rsp //rsp is the top of stack. mov rdx,0x6 //the len of 'HELLO\n' mov rax,0x1 //the write system call syscall //call system call mov rax,0x3c //the exit system call mov rdi,0x0 //the exit status(return value) 

Linux system call table: https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md