
| name | size | modified |
|---|---|---|
| chal | 3 MiB | 2024-04-10 03:03 |
| exploit | 7 KiB | 2024-04-10 03:03 |
| dist.tar.xz | 787 KiB | 2024-04-10 03:03 |
| README.mdx | 531 bytes | 2024-04-10 03:03 |

# crackbox

Just another restricted qemu-user sandbox.

nc chal.amt.rs 1339

| author | category | points | solves | difficulty |
|---|---|---|---|---|
| unvariant | pwn | 505 | 0 | hard |

# solution

qemu does not properly sanitize mmap flags: use mmap with MAP_FIXED_NOREPLACE as an oracle for the host's mappings, then modify qemu's RWX JIT state with shellcode to print the flag.

The solve script works 100% of the time locally and around 1 in 32 on remote.

# unintendeds

none