#Provided Files#chal decompilation1234567891011121314151617181920212223242526272829303132333435363738394041
int32_t main(int32_t argc, char** argv, char** envp)
int32_t var_4c = argc
void* fsbase
int64_t rax = *(fsbase + 0x28)
setbuf(fp: stdout, buf: nullptr)
setbuf(fp: stderr, buf: nullptr)
puts(str: "I'm sure you all enjoy doing she…")
puts(str: "But have you ever tried ELF golf…")
puts(str: "Have fun!")
int32_t rax_1 = memfd_create("golf", 0)
if (rax_1 s< 0) {
perror(s: "failed to execute fd = memfd_cre…")
exit(status: 1)
noreturn
}
void var_38
int32_t rax_2 = read(fd: 0, buf: &var_38, nbytes: 0x20)
if (rax_2 s< 0) {
perror(s: "failed to execute ok = read(0, b…")
exit(status: 1)
noreturn
}
printf(format: "read %d bytes from stdin\n", zx.q(rax_2))
int32_t rax_7 = write(fd: rax_1, buf: &var_38, nbytes: sx.q(rax_2))
if (rax_7 s< 0) {
perror(s: "failed to execute ok = write(fd,…")
exit(status: 1)
noreturn
}
printf(format: "wrote %d bytes to file\n", zx.q(rax_7))
if (fexecve(fd: rax_1, argv, envp) s< 0) {
perror(s: "failed to execute fexecve(fd, ar…")
exit(status: 1)
noreturn
}
*(fsbase + 0x28)
if (rax == *(fsbase + 0x28)) {
return 0
}
__stack_chk_fail()
noreturn
#IntendedIn the decompilation, the binary is reading and executing a file using
memfd_create and fexecve. This is a method of executing binaries without making
a file on the filesystem, it exists only in memory. The challenge only allows
binaries of maxiumum size of 32 and making a valid ELF this small should be
impossible. The problem is that remote does not validate that the given file is
actually an ELF file (it should start with at least b'\x7FELF') and you can put a
shebang instead to get a shell.
#Solution#UnintendedsNo unintendeds to see here!