A recent CTF challenge (babyrop from the 2021 edition of Dice CTF) brought my attention to something called return-to-csu. I had honestly never heard of this method before, but apparently it is rather well known: it is part of ROP Emporium and even got its own Black Hat Briefings talk. Apparently I was missing out.
The return-to-csu method can be applied when a binary does not contain many useful gadgets for a ROP exploit.
This is particularly useful for 64-bit Intel binaries that follow the System V calling convention, where arguments are passed in registers instead of on the stack. One can set registers such as rdx and call a function from the GOT such as
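The gadgets this technique relies on live in the `__libc_csu_init` startup routine that older glibc versions linked into every executable. From the defensive side, the first question is therefore simply whether a binary still carries that routine. The following is an added example (not code from the original post or from the CTF challenge) that walks the ELF64 section headers with only the standard library, collects the symbol names from `.symtab`, and reports whether `__libc_csu_init` is among them. The `build_sample_elf` helper is a constructed, non-loadable ELF used only so the check can be run offline; the symbol values it writes are arbitrary.

```python
import struct

# Section-type and record-size constants from the ELF64 specification.
SHT_SYMTAB = 2
SHT_STRTAB = 3
EH_SIZE, SH_SIZE, SYM_SIZE = 64, 64, 24

# struct layouts: Elf64_Ehdr, Elf64_Shdr, Elf64_Sym (little endian)
EHDR_FMT = "<16sHHIQQQIHHHHHH"
SHDR_FMT = "<IIQQQQIIQQ"
SYM_FMT = "<IBBHQQ"


def _cstr(blob, off):
    """Read a NUL-terminated string starting at `off`."""
    end = blob.index(b"\0", off)
    return blob[off:end].decode()


def elf_symbol_names(data):
    """Return the set of symbol names found in the SHT_SYMTAB sections of an ELF64 LE file."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_shoff, e_shentsize, e_shnum = hdr[6], hdr[11], hdr[12]
    sections = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    names = set()
    for sh in sections:
        sh_type, sh_offset, sh_size, sh_link = sh[1], sh[4], sh[5], sh[6]
        if sh_type != SHT_SYMTAB:
            continue
        # sh_link of a symbol table points at its associated string table.
        str_off = sections[sh_link][4]
        for off in range(sh_offset, sh_offset + sh_size, SYM_SIZE):
            st_name = struct.unpack_from("<I", data, off)[0]
            if st_name:  # 0 means "no name" (the null symbol)
                names.add(_cstr(data, str_off + st_name))
    return names


def has_csu_init(data):
    """True if the binary still links the __libc_csu_init startup routine."""
    return "__libc_csu_init" in elf_symbol_names(data)


def build_sample_elf(symbols):
    """Constructed sample: a minimal ELF64 holding only .symtab/.strtab/.shstrtab.
    It is not loadable; it exists so the check above can be exercised offline."""
    strtab = b"\0" + b"".join(s.encode() + b"\0" for s in symbols)
    shstrtab = b"\0.symtab\0.strtab\0.shstrtab\0"  # name offsets: 1, 9, 17
    symtab = struct.pack(SYM_FMT, 0, 0, 0, 0, 0, 0)  # mandatory null symbol
    name_off = 1
    for s in symbols:
        # st_info 0x12 = STB_GLOBAL | STT_FUNC; address is an arbitrary placeholder
        symtab += struct.pack(SYM_FMT, name_off, 0x12, 0, 1, 0x401000, 0)
        name_off += len(s) + 1
    # File layout: header | symtab | strtab | shstrtab | section headers
    symtab_off = EH_SIZE
    strtab_off = symtab_off + len(symtab)
    shstr_off = strtab_off + len(strtab)
    shoff = shstr_off + len(shstrtab)
    shdrs = b"".join([
        struct.pack(SHDR_FMT, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0),
        struct.pack(SHDR_FMT, 1, SHT_SYMTAB, 0, 0, symtab_off, len(symtab), 2, 1, 8, SYM_SIZE),
        struct.pack(SHDR_FMT, 9, SHT_STRTAB, 0, 0, strtab_off, len(strtab), 0, 0, 1, 0),
        struct.pack(SHDR_FMT, 17, SHT_STRTAB, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0),
    ])
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELFCLASS64, LE, version 1
    header = struct.pack(EHDR_FMT, ident, 2, 0x3E, 1, 0, 0, shoff, 0,
                         EH_SIZE, 0, 0, SH_SIZE, 4, 3)
    return header + symtab + strtab + shstrtab + shdrs


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print("__libc_csu_init present:", has_csu_init(fh.read()))
    else:
        print("sample with csu:", has_csu_init(build_sample_elf(["main", "__libc_csu_init"])))
        print("sample without :", has_csu_init(build_sample_elf(["main", "_start"])))
```

Run it with a path to any unstripped ELF64 executable to get the same answer `nm` would give. Two caveats apply: a stripped binary has no `.symtab`, so a negative result there says nothing (the gadgets are bytes in `.text`, not the symbol), and binaries built against glibc 2.34 or newer no longer get `__libc_csu_init` linked in at all, which is why inventorying which executables were built with an older toolchain is the more reliable way to know where this gadget source still exists.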
I made a solver script of the aforementioned babyrop challenge and put it in my repository of CTF solutions.