[Pwn] No Return

Didn’t see a discussion so I thought I’d start one. I’ve got something basic working, struggling to develop into something useful.

Definitely not ret2libc. Return to something else maybe?

Fun challenge :slight_smile:

I have a suspicion, but gadgets are sparse :confused:

@limbernie said:

Definitely not ret2libc. Return to something else maybe?

It would be hard to without ret or libc! I’m looking into seeing if I can find any treasure in the junk.

There is a good paper from 2010 about JOP

After 6 hours solid work, I finally owned this. Great brainfuck challenge!

There’s no need to read any paper

It actually helps; it gave me a hint on what to do. Of course it can be solved without reading anything.

ughhh i thought this was gonna be easy as pie until i saw no pages were mapped rwx :T

Pretty nice challenge.

@ano12 said:
Pretty nice challenge.

If you need help. PM me.

I need help with the first step to expand the stack.

Hey, people…
I need a hint please.

Do we need to use system (kernel) functions from vdso?
Or do we need to use only JOPs from the ELF?

Can you share some material for this exploit technique?

Thank you.

Ah, yes, I am able to do an infinite loop at the end of the ELF, but it is waiting for “tty input”.
Is this the right way?

Spoiler Removed

Could use a hint :slight_smile: trying to get s**p to work, I'm able to call r*_s*******n, but it segfaults right after. Am I heading the right way?

Spoiler Removed

I am totally lost. The gadget was working, but arranging the stack is painful. Always got a segfault.

EDIT: finally got it.
Learning some new techniques

Great challenge.

Hard to get the right JMP, but when you find it it's straightforward.