---
abbr:
  - "NX: No eXecute"
---

# Regularity

Category: #pwn
Rated Difficulty: #VeryEasy
Personal Difficulty: #Easy

Running `file`, we see that this executable is statically linked.

Running `checksec` shows that NX is disabled, meaning the stack is executable and we can inject shellcode.

Now we look for the vulnerability.

In the `read()` call the buffer variable is at offset -0x100 and the syscall takes 0x110 bytes of input, so the input overruns the buffer: a stack buffer overflow vulnerability.

ASLR is enabled, so the address of the shellcode will be random and we can't just write the start of the shellcode into the return address.

Once we inspect the *RSP* register, we realise that *RSI* is pointing to the start of the shellcode.

Checking the disassembly, there is indeed an instruction that reads `jmp RSI`, and we can put its address into the return address.

Since the stack address is always random, we instead use `next(elf.search(asm("jmp rsi")))` to find the address of the `jmp RSI` instruction in the binary.

So the final payload will look something like `shellcode + "A"*(0x100-len(shellcode)) + JMP_RSI_ADDRESS`.
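Added example, not the challenge binary's source (which the writeup does not show): a constructed C reproduction of the bug shape described above, a 0x100-byte stack buffer filled by a `read()` of 0x110 bytes, placed beside the bounded form a fix would use. The function names `vulnerable_read`, `bounded_read`, `overflow_bytes` and `demo_bounded_read` are hypothetical, and the self-check feeds constructed oversized input through a pipe so it runs offline.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define BUF_SIZE 0x100   /* buffer size named in the writeup */
#define READ_LEN 0x110   /* read() length named in the writeup */

/* Constructed reproduction of the vulnerable shape (hypothetical code, not
 * the challenge's own): a BUF_SIZE stack buffer filled by a read() of
 * READ_LEN bytes. The 0x10 extra bytes land above the buffer, where the
 * saved frame pointer and return address live. Defined only for comparison;
 * nothing below calls it. */
ssize_t vulnerable_read(int fd)
{
    char buf[BUF_SIZE];
    /* volatile keeps the compiler from folding the constant and warning away
     * the mismatch, so the defect is visible exactly as written */
    volatile size_t nread = READ_LEN;
    return read(fd, buf, nread);
}

/* Hardened form: the read length is derived from the buffer's real size
 * (the caller passes sizeof(buf)), so no input length can exceed it. */
ssize_t bounded_read(int fd, char *buf, size_t buflen)
{
    if (buf == NULL || buflen == 0)
        return -1;
    return read(fd, buf, buflen);
}

/* Bytes that a read of `nread` into a `bufsize` buffer writes past its end.
 * For the writeup's numbers this is 0x110 - 0x100 = 0x10. */
size_t overflow_bytes(size_t bufsize, size_t nread)
{
    return nread > bufsize ? nread - bufsize : 0;
}

/* Self-check: push READ_LEN bytes of constructed input through a pipe and
 * read them into a BUF_SIZE buffer with bounded_read. Returns the number of
 * bytes actually stored, which can never exceed BUF_SIZE. */
ssize_t demo_bounded_read(void)
{
    int fds[2];
    char input[READ_LEN];   /* constructed oversized input */
    char buf[BUF_SIZE];
    ssize_t n;

    if (pipe(fds) != 0)
        return -1;
    memset(input, 'A', sizeof input);
    if (write(fds[1], input, sizeof input) != (ssize_t)sizeof input) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    close(fds[1]);
    n = bounded_read(fds[0], buf, sizeof buf);
    close(fds[0]);
    return n;
}

int main(void)
{
    /* exit 0 when the bounded read stores exactly BUF_SIZE bytes */
    return demo_bounded_read() == BUF_SIZE ? 0 : 1;
}
```

The point of the comparison is that the length passed to `read()` must come from the buffer's declaration, not from a separate literal; once the two are tied together with `sizeof`, the 0x10-byte overrun the writeup relies on cannot occur regardless of how much input is supplied.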