Tags: elf seccomp sandbox pwn parsing
Rating: 4.0
### TL;DR
After trying half a dozen different ideas, I came up with the following working solution:
- The ELF parser used by the binary skips the program header table if `e_phoff == 0`
- The Linux kernel will still load the ELF
- Exploit this with an ELF containing:
  - a `PT_LOAD` segment with `p_vaddr == 0x10000` to bypass the `mmap()` restriction
  - shellcode to set up the arguments and call `execve()`
For more details, check out the link below.
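The parser/loader disagreement in the first two bullets is the part a sandbox author has to get right, so here is an added example (my own code, not the write-up's or the challenge's) that puts the two behaviours side by side: `naive_segments()` reproduces the "no table if `e_phoff == 0`" rule, while `loader_segments()` reads `e_phnum` entries at `e_phoff` as the kernel's ELF loader does, applying only the loader's checks on the table itself (entry size, non-zero count, table inside the file); the per-segment checks the loader runs afterwards are not modelled. The sample image, the `audit()` report strings and the function names are constructed for this example; the ELF constants are from the ELF64 specification.

```python
"""
Added example (not from the original write-up): an ELF64 program-header reader
that reads the table the way the Linux loader does (e_phnum entries at e_phoff,
whatever e_phoff is) next to the behaviour the TL;DR attributes to the
challenge's parser (skip the table when e_phoff == 0). Run over a constructed
image with e_phoff == 0, the two disagree, which is the gap a sandbox-side
validator has to close. ELF constants are from the ELF64 specification; the
sample image and the audit() report format are constructed for this example.
"""
import struct

PT_LOAD = 1
EHDR_FMT = "<16sHHIQQQIHHHHHH"          # Elf64_Ehdr, little-endian
EHDR_SIZE = struct.calcsize(EHDR_FMT)    # 64
PHDR_FMT = "<IIQQQQQQ"                  # Elf64_Phdr
PHDR_SIZE = struct.calcsize(PHDR_FMT)    # 56


def parse_ehdr(data: bytes) -> dict:
    """Return the ELF64 header fields this example needs."""
    if len(data) < EHDR_SIZE or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    f = struct.unpack(EHDR_FMT, data[:EHDR_SIZE])
    return {"e_phoff": f[5], "e_phentsize": f[9], "e_phnum": f[10]}


def read_phdrs(data: bytes, phoff: int, phnum: int) -> list:
    """Decode phnum program headers starting at file offset phoff."""
    segs = []
    for i in range(phnum):
        off = phoff + i * PHDR_SIZE
        f = struct.unpack(PHDR_FMT, data[off:off + PHDR_SIZE])
        segs.append({"p_type": f[0], "p_flags": f[1], "p_offset": f[2],
                     "p_vaddr": f[3], "p_filesz": f[5], "p_memsz": f[6]})
    return segs


def naive_segments(data: bytes) -> list:
    """Behaviour described in the TL;DR: e_phoff == 0 means 'no program headers'."""
    eh = parse_ehdr(data)
    if eh["e_phoff"] == 0:
        return []
    return read_phdrs(data, eh["e_phoff"], eh["e_phnum"])


def loader_segments(data: bytes) -> list:
    """Read the table like the kernel's ELF loader: e_phoff is used as-is.

    Only the checks on the table itself are modelled (entry size, non-zero
    count, table inside the file); the per-segment checks the loader performs
    later are out of scope for this example."""
    eh = parse_ehdr(data)
    if eh["e_phentsize"] != PHDR_SIZE or eh["e_phnum"] == 0:
        raise ValueError("loader would reject: bad e_phentsize or e_phnum")
    if eh["e_phoff"] + eh["e_phnum"] * PHDR_SIZE > len(data):
        raise ValueError("loader would reject: program headers past end of file")
    return read_phdrs(data, eh["e_phoff"], eh["e_phnum"])


def audit(data: bytes) -> list:
    """Defender-side report: flag the parser/loader disagreement, list what the loader would map."""
    findings = []
    eh = parse_ehdr(data)
    segs = loader_segments(data)
    if eh["e_phoff"] == 0 and naive_segments(data) != segs:
        findings.append("e_phoff == 0: naive parser sees no segments, loader reads "
                        f"{eh['e_phnum']} header(s) overlapping the ELF header")
    for s in segs:
        if s["p_type"] == PT_LOAD:
            findings.append(f"PT_LOAD would map 0x{s['p_vaddr']:x}-"
                            f"0x{s['p_vaddr'] + s['p_memsz']:x} "
                            f"(flags 0x{s['p_flags']:x}) from file offset 0x{s['p_offset']:x}")
    return findings


def build_sample() -> bytes:
    """Constructed ELF64 image with e_phoff == 0 and a PT_LOAD at 0x10000 (segment is all zeros)."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = struct.pack(EHDR_FMT, e_ident,
                       2, 0x3E, 1,        # ET_EXEC, EM_X86_64, EV_CURRENT
                       0x10000,           # e_entry
                       0,                 # e_phoff == 0: the discrepancy under discussion
                       0, 0,              # e_shoff, e_flags
                       EHDR_SIZE, PHDR_SIZE,
                       3,                 # e_phnum: slots 0 and 1 overlap the header bytes, slot 2 is ours
                       0, 0, 0)           # e_shentsize, e_shnum, e_shstrndx
    img = bytearray(ehdr)
    img += bytes(2 * PHDR_SIZE - EHDR_SIZE)          # pad to slot 2 at file offset 112
    img += struct.pack(PHDR_FMT, PT_LOAD, 5,         # PF_R | PF_X
                       0, 0x10000, 0x10000,          # p_offset, p_vaddr, p_paddr
                       0x200, 0x200, 0x1000)         # p_filesz, p_memsz, p_align
    img += bytes(0x200 - len(img))                   # zero-fill the rest of the segment
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample()
    print("naive parser :", len(naive_segments(sample)), "segment(s)")
    print("loader view  :", len(loader_segments(sample)), "segment(s)")
    for line in audit(sample):
        print("finding:", line)
```

The point for a validator: header slots that overlap the ELF header decode from its bytes (slot 0's `p_type` is the ELF magic, `0x464c457f`), so they are not `PT_LOAD`, but nothing stops a later slot placed past the header from being one. A sandbox that wants to reason about what the kernel will map has to walk the table exactly as the loader does rather than treating `e_phoff == 0` as "no segments".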