zer0pts CTF 2021
pwn
We can execute arbitrary assembly code.
The code is compiled by nasm and executed by an x86-64 emulator. The source code of this emulator is provided.
In short, the program doesn't have any specific "vulnerability." The problem lies in the design of the emulator. The program emulates six system calls: `read`, `write`, `mmap`, `munmap`, `exit`, and `exit_group`.
The emulator does not really "emulate" those system calls; it simply issues the same system call on the host machine. In the man page of `mmap`, you can notice the following description:
So, if we know the address of the emulator's machine code, we can unmap and overwrite the whole page.
First of all, we have to leak the base address of the emulator since PIE is enabled. We can again use `mmap` to leak the address. The first argument of `mmap` is the address where we want the page to be allocated. However, `mmap` may allocate the page at a different address if it cannot satisfy the request. When the first argument is a valid address, this failure means the desired page overlaps with other (already-mapped) pages.
We can use this as an oracle to find out approximately where the binary is mapped. Since the timeout is short, we can use binary search to spot the process base.
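The oracle described above, as an added example that is not part of the original writeup or the challenge's emulator: `page_is_mapped` probes one host page by passing it as a non-`MAP_FIXED` hint and checking whether the kernel honoured it, and `lowest_mapped` runs the binary search over a gap below a mapping; `demo_layout` builds a constructed 8-page layout with a 4-page hole so the boundary it must find is known. It shows exactly what a pass-through `mmap` leaks about the host's layout, which is the design problem the writeup points at.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <sys/mman.h>
#include <unistd.h>

#define PAGE ((uintptr_t)sysconf(_SC_PAGESIZE))

/* Probe one host page. Without MAP_FIXED the kernel honours the hint only if
 * the range is free and picks another address otherwise, which is the leak:
 * 1 = already mapped, 0 = hint was free, -1 = mmap() failed. Probe is undone. */
static int page_is_mapped(uintptr_t hint)
{
    void *p = mmap((void *)hint, PAGE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    int mapped = ((uintptr_t)p != hint);
    munmap(p, PAGE);
    return mapped;
}

/* Binary search for the first mapped page in [lo, hi], the way the writeup finds
 * the PIE base. Precondition: lo is free, hi is mapped, both page-aligned. */
static uintptr_t lowest_mapped(uintptr_t lo, uintptr_t hi)
{
    while (hi - lo > PAGE) {
        uintptr_t mid = lo + (((hi - lo) / 2) & ~(PAGE - 1));
        if (page_is_mapped(mid) == 1) hi = mid; else lo = mid;
    }
    return hi;
}

/* Constructed layout (not from the challenge): reserve 8 pages, free the lower
 * 4, and check that the oracle locates the boundary. Returns 1 on success. */
static int demo_layout(void)
{
    uint8_t *r = mmap(NULL, 8 * PAGE, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (r == MAP_FAILED) return 0;
    uintptr_t base = (uintptr_t)r;
    munmap(r, 4 * PAGE);                       /* hole: [base, base + 4 pages) */
    int ok = page_is_mapped(base) == 0 && page_is_mapped(base + 5 * PAGE) == 1 &&
             lowest_mapped(base, base + 7 * PAGE) == base + 4 * PAGE;
    munmap(r + 4 * PAGE, 4 * PAGE);            /* clean up the remaining pages */
    return ok;
}
```

An emulator that keeps its own guest address space instead of forwarding the guest's hint to the host `mmap` does not expose this oracle.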
After finding the base address, we can unmap the machine code region and overwrite it using `MAP_FIXED`. Note that we can't unmap a page that is in use by the running emulator.