#crackbox

Just another restricted qemu-user sandbox.

nc chal.amt.rs 1339

| author | category | points | solves | difficulty |
|---|---|---|---|---|
| unvariant | pwn | 505 | 0 | hard |

#solution

qemu does not properly sanitize mmap flags: use mmap with MAP_FIXED_NOREPLACE as an oracle to discover the host's mappings, then overwrite qemu's RWX JIT state with shellcode that prints the flag.

The solve script works 100% of the time locally, but only about 1 in 32 attempts on remote.

#unintendeds

none