CTF-Writeups

Bring Your Own Program

Summary

The VM exposes a capability environment (caps) that restricts filesystem reads to /data/public via key 0x0a. A stale inline cache in opcode 0x21 (lookup) can be abused after opcode 0x70 (freeze/reorder) to remap the cached slot for key 0x0a to slot 0, which holds the absolute read function (key 0x00). Using this, the program reads /flag.txt.

VM Input Format

The program input is a hex string that decodes to:

String constant format:

0x02 [u16 length little-endian] [bytes...]

Relevant Opcodes

Bug: Inline Cache Staleness

op d caches the slot index of a key in an environment. op k converts a slot-based env to a dictionary and reorders keys by numeric sort, but it does not bump the cache version. The cached slot index is then stale and can point to a different key after reordering.

In the root env:

If the cache was created for key 0x0a and then the env is reordered, the cached slot can resolve to key 0x00.

Exploit Plan

  1. Load caps and fetch caps[3] (io env).
  2. Execute op d on key 0x0a once to populate the inline cache.
  3. Execute op k on the same receiver/key to reorder slots.
  4. Jump back to the cached op d to retrieve key 0x00 (absolute read).
  5. Call it with "/flag.txt" and return.
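The cache-staleness bug and steps 2-4 of the plan, modelled in a few lines of Python as an added example (not the challenge VM's code): the environment layout, the two read functions and the cache/version scheme are assumed, with key 0x0a placed in slot 0 so that the numeric reorder moves key 0x00 into the cached slot. `run(True)` shows the fix, bumping the version on reorder.

```python
# Model of a slot-based environment with an inline cache that is not
# invalidated by reorder (assumed structure, constructed for illustration).

class SlotEnv:
    """keys[i] names the value stored in slots[i]."""
    def __init__(self, pairs):
        self.keys = [k for k, _ in pairs]
        self.slots = [v for _, v in pairs]
        self.version = 0

    def reorder_numeric(self, bump_version):
        """Freeze/reorder op: sort slots by numeric key."""
        order = sorted(range(len(self.keys)), key=lambda i: self.keys[i])
        self.keys = [self.keys[i] for i in order]
        self.slots = [self.slots[i] for i in order]
        if bump_version:
            self.version += 1   # the fix: every inline cache now misses

class CachedLookup:
    """Lookup op: remembers (env version, slot index) per key."""
    def __init__(self):
        self.cache = {}

    def lookup(self, env, key):
        hit = self.cache.get(key)
        if hit is not None and hit[0] == env.version:
            return env.slots[hit[1]]          # fast path: trusts cached slot
        slot = env.keys.index(key)            # slow path: real key search
        self.cache[key] = (env.version, slot)
        return env.slots[slot]

def restricted_read(path):   # key 0x0a: confined to /data/public
    if not path.startswith("/data/public/"):
        raise PermissionError(path)
    return f"<public:{path}>"

def absolute_read(path):     # key 0x00: no confinement
    return f"<absolute:{path}>"

def run(bump_version):
    # constructed layout: key 0x0a inserted first, so it occupies slot 0
    env = SlotEnv([(0x0a, restricted_read), (0x00, absolute_read)])
    ic = CachedLookup()
    ic.lookup(env, 0x0a)                 # step 2: cache 0x0a -> slot 0
    env.reorder_numeric(bump_version)    # step 3: key 0x00 now sits in slot 0
    return ic.lookup(env, 0x0a)          # step 4: stale cache yields slot 0

if __name__ == "__main__":
    print(run(False).__name__, run(True).__name__)  # absolute_read restricted_read
```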

Payload

Hex input (paste into nc):

0703020400636170730209002f666c61672e7478740201003102000020010003210203010a6104090070010a01040260eeff0105013006020301053106

Result

uoftctf{c4ch3_m3_1n11n3_h0w_80u7_d4h??}