return-to-csu

February 2021

A recent CTF challenge (babyrop from the 2021 edition of Dice CTF) brought my attention to something called return-to-csu. I had honestly never heard of this method before, but apparently is rather well known, part of ropemporium and actually even got its own BlackHat Briefings talk. Apparently I was missing out.

This return-to-csu method can be applied when a binary does not contain many useful gadgets to use for a rop exploit. This is particularly useful in 64bit intel binaries which follow the System V calling convention, where arguments are placed in registers instead of the stack. One can set the edi, rsi and rdx registers and call a function from the got such as write.

I made a solver script of the aforementioned babyrop challenge and put it in my repository of CTF solutions.