unexploitable hackerdom

A friend of mine sent me a challenge called unexploitable; download it here[1] (elf64). It has the following source code:

1: http://0x80.org/challenges/unexploitable

compiled with

Full ASLR is also enabled. The binary is small, so not many gadgets exist to do awesome things. Let us use what we have: an important gadget exists in __libc_csu_init, and it lets us control the first three parameters (rdi, rsi, rdx).

and above it is the call portion

This is equivalent to calling (r12+rbx*8)(r13d, r14, r15). If we point r12 to 0x601000 we can call read with three parameters, which allows us to control rax and to write anywhere writable. Something like:
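Before any gadget hunting matters, a defender wants the mitigation picture the paragraphs above rely on: whether ASLR actually relocates the image (PIE), whether the stack is non-executable, and which writable segments sit at fixed addresses such as the 0x601000 region used here. The following Python is an added example, not code from the original post or the challenge; it parses an ELF64's program headers straight from the bytes, and the sample image it builds is constructed inline (headers only) and does not reproduce the challenge binary.

```python
import struct

# ELF64 constants from the ELF specification
ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

EHDR_FMT = "<16sHHIQQQIHHHHHH"   # 64-byte ELF64 file header
PHDR_FMT = "<IIQQQQQQ"           # 56-byte ELF64 program header


def assess_elf(data: bytes) -> dict:
    """Report the facts a defender checks first: is the image PIE (so ASLR
    moves it), is the stack non-executable, and which writable PT_LOAD
    segments keep a fixed address regardless of ASLR."""
    if data[:4] != ELF_MAGIC or data[4] != 2:      # EI_CLASS == 2 means 64-bit
        raise ValueError("not an ELF64 image")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    pie = e_type == ET_DYN
    nx_stack = None                 # unknown until a PT_GNU_STACK header is seen
    fixed_writable = []
    for i in range(e_phnum):
        p_type, p_flags, _, p_vaddr, _, _, p_memsz, _ = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
        elif p_type == PT_LOAD and (p_flags & PF_W) and not pie:
            # writable segment at a link-time address: unchanged by ASLR
            fixed_writable.append((p_vaddr, p_vaddr + p_memsz))
    if nx_stack is None:
        nx_stack = False            # no PT_GNU_STACK: legacy loaders allow an executable stack
    return {"pie": pie, "nx_stack": nx_stack, "fixed_writable": fixed_writable}


def fixed_writable_address(report: dict, addr: int) -> bool:
    """True when addr lies in a writable segment whose address ASLR does not change."""
    return any(lo <= addr < hi for lo, hi in report["fixed_writable"])


def build_sample_elf(pie: bool = False) -> bytes:
    """Constructed minimal ELF64 image (headers only, no code) for the demo.
    Layout is hypothetical: a text segment at 0x400000 and a data segment
    ending just past 0x601000, with a non-executable GNU_STACK."""
    phdrs = [
        (PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000),
        (PT_LOAD, PF_R | PF_W, 0xE10, 0x600E10, 0x600E10, 0x250, 0x250, 0x1000),
        (PT_GNU_STACK, PF_R | PF_W, 0, 0, 0, 0, 0, 0x10),
    ]
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9    # class 64-bit, little-endian, version 1
    ehdr = struct.pack(EHDR_FMT, ident, ET_DYN if pie else ET_EXEC, 0x3E, 1,
                       0x400000, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)


if __name__ == "__main__":
    report = assess_elf(build_sample_elf())
    print(report)
    print("0x601000 fixed and writable:", fixed_writable_address(report, 0x601000))
```

On a real binary, replace `build_sample_elf()` with the file's bytes; a non-PIE result with a writable segment covering the address used by the chain is exactly the condition that lets a fixed-address write survive "full ASLR", and building with `-fPIE -pie` removes it.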

Another important gadget is

So now we have all the parts needed to exploit this successfully. Our approach is as follows:

In our new ROP chain we do the following:

We also place the /bin/sh string, a pointer to it, and the envp pointer somewhere inside the known ROP location we're using.

Full exploit:
