no_syscall

pwn_spbctf

Task: 64-bit NON-PIE shellcode runner that mmaps an RWX page, reads up to 0x1000 bytes, but blocks input via memmem scan for the literal SYSCALL opcode (0f 05). Solution: self-modifying shellcode — embed a harmless `0f 04 c3` gate, `inc byte [gate+1]` at runtime to forge `0f 05` (syscall;ret), then `call gate` for open/read/write of /flag; submitted input never literally contains 0f 05.

elf x86-64 shellcode pwn syscall no-pie remote mmap-rwx self-modifying-code opcode-filter-bypass no-0f05

self_modifying_shellcoderuntime_opcode_constructionsyscall_gate_patchstack_string_push

$ ls tags/ techniques/

elf x86-64 shellcode pwn syscall no-pie remote mmap-rwx self-modifying-code opcode-filter-bypass no-0f05

self_modifying_shellcoderuntime_opcode_constructionsyscall_gate_patchstack_string_push

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[pwn][Pro]characteristic— pwn_spbctf
[pwn][Pro]pwn4_call_fcn_small— pwn_spbctf
[pwn][Pro]pwn4 / call_fcn— pwn_spbctf
[pwn][Pro]Mic Check — getflag— spbctf
[pwn][Pro]cat /flag under seccomp— spbctf