Exploitation with Syscalls
Syscalls
To make it super simple, I wrote it in assembly using pwntools:
The binary contains all the gadgets you need! First it executes a read syscall that writes to the stack; then the ret occurs and you gain control.
But what about the /bin/sh? I slightly cheesed this one and couldn't be bothered to add it to the assembly, so I just did:
As we mentioned before, we need the following layout in the registers:
To get the addresses of the gadgets, I'll just do objdump -d vuln. The address of /bin/sh can be found using strings:
The offset from the base to the string is 0x1250 (-t x tells strings to print the offset in hex). Armed with all this information, we can set up the constants:
Now we just need to populate the registers. I'll tell you the padding is 8 to save time:
And wehey - we get a shell!