Seccomp Tools - Provide Powerful Tools For Seccomp Analysis


Provide powerful tools for seccomp analysis.
This project targets (but is not limited to) the analysis of seccomp sandboxes in CTF pwn challenges. Some features might be CTF-specific, but are still useful for analyzing seccomp in real-world cases.

Features
  • Dump - Automatically dumps seccomp-bpf from execution file(s).
  • Disasm - Converts bpf to human readable format.
    • Simple decompile.
    • Display syscall names and arguments when possible.
    • Colorful!
  • Asm - Writing seccomp rules is so easy!
  • Emu - Emulates seccomp rules.
  • Supports multi-architectures.

Installation
Available on RubyGems.org!
$ gem install seccomp-tools
If compilation fails, try:
sudo apt install gcc ruby-dev
and install seccomp-tools again.

Command Line Interface

seccomp-tools
$ seccomp-tools --help
# Usage: seccomp-tools [--version] [--help]  []
#
# List of commands:
#
#   asm     Seccomp bpf assembler.
#   disasm  Disassemble seccomp bpf.
#   dump    Automatically dump seccomp bpf from execution file(s).
#   emu     Emulate seccomp rules.
#
# See 'seccomp-tools  --help' to read about a specific subcommand.

$ seccomp-tools dump --help
# dump - Automatically dump seccomp bpf from execution file(s).
#
# Usage: seccomp-tools dump [exec] [options]
#     -c, --sh-exec                    Executes the given command (via sh).
#                                      Use this option if want to pass arguments or do pipe things to the execution file.
#                                      e.g. use `-c "./bin > /dev/null"` to dump seccomp without being mixed with stdout.
#     -f, --format FORMAT              Output format. FORMAT can only be one of .
#                                      Default: disasm
#     -l, --limit LIMIT                Limit the number of calling "prctl(PR_SET_SECCOMP)".
#                                      The target process will be killed whenever its calling times reaches LIMIT.
#                                      Default: 1
#     -o, --output FILE                Output result into FILE instead of stdout.
#                                      If multiple seccomp syscalls have been invoked (see --limit),
#                                      results will be written to FILE, FILE_1, FILE_2.. etc.
#                                      For example, "--output out.bpf" and the output files are out.bpf, out_1.bpf, ...

dump
Dumps the seccomp bpf from an execution file. This work is done through the ptrace syscall.
NOTICE: beware that the execution file will be executed.
$ file spec/binary/twctf-2016-diary
# spec/binary/twctf-2016-diary: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 2.6.24, BuildID[sha1]=3648e29153ac0259a0b7c3e25537a5334f50107f, not stripped

$ seccomp-tools dump spec/binary/twctf-2016-diary
#  line  CODE  JT   JF      K
# =================================
#  0000: 0x20 0x00 0x00 0x00000000  A = sys_number
#  0001: 0x15 0x00 0x01 0x00000002  if (A != open) goto 0003
#  0002: 0x06 0x00 0x00 0x00000000  return KILL
#  0003: 0x15 0x00 0x01 0x00000101  if (A != openat) goto 0005
#  0004: 0x06 0x00 0x00 0x00000000  return KILL
#  0005: 0x15 0x00 0x01 0x0000003b  if (A != execve) goto 0007
#  0006: 0x06 0x00 0x00 0x00000000  return KILL
#  0007: 0x15 0x00 0x01 0x00000038  if (A != clone) goto 0009
#  0008: 0x06 0x00 0x00 0x00000000  return KILL
#  0009: 0x15 0x00 0x01 0x00000039  if (A != fork) goto 0011
#  0010: 0x06 0x00 0x00 0x00000000  return KILL
#  0011: 0x15 0x00 0x01 0x0000003a  if (A != vfork) goto 0013
#  0012: 0x06 0x00 0x00 0x00000000  return KILL
#  0013: 0x15 0x00 0x01 0x00000055  if (A != creat) goto 0015
#  0014: 0x06 0x00 0x00 0x00000000  return KILL
#  0015: 0x15 0x00 0x01 0x00000142  if (A != execveat) goto 0017
#  0016: 0x06 0x00 0x00 0x00000000  return KILL
#  0017: 0x06 0x00 0x00 0x7fff0000  return ALLOW

$ seccomp-tools dump spec/binary/twctf-2016-diary -f inspect
# "\x20\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x01\x02\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x01\x01\x01\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x01\x3B\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x01\x38\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x01\x39\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x01\x3A\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x01\x55\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x01\x42\x01\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\xFF\x7F"

$ seccomp-tools dump spec/binary/twctf-2016-diary -f raw | xxd
# 00000000: 2000 0000 0000 0000 1500 0001 0200 0000   ...............
# 00000010: 0600 0000 0000 0000 1500 0001 0101 0000  ................
# 00000020: 0600 0000 0000 0000 1500 0001 3b00 0000  ............;...
# 00000030: 0600 0000 0000 0000 1500 0001 3800 0000  ............8...
# 00000040: 0600 0000 0000 0000 1500 0001 3900 0000  ............9...
# 00000050: 0600 0000 0000 0000 1500 0001 3a00 0000  ............:...
# 00000060: 0600 0000 0000 0000 1500 0001 5500 0000  ............U...
# 00000070: 0600 0000 0000 0000 1500 0001 4201 0000  ............B...
# 00000080: 0600 0000 0000 0000 0600 0000 0000 ff7f  ................

disasm
Disassembles the seccomp filter from raw bpf.
$ xxd spec/data/twctf-2016-diary.bpf | head -n 3
# 00000000: 2000 0000 0000 0000 1500 0001 0200 0000   ...............
# 00000010: 0600 0000 0000 0000 1500 0001 0101 0000  ................
# 00000020: 0600 0000 0000 0000 1500 0001 3b00 0000  ............;...

$ seccomp-tools disasm spec/data/twctf-2016-diary.bpf
#  line  CODE  JT   JF      K
# =================================
#  0000: 0x20 0x00 0x00 0x00000000  A = sys_number
#  0001: 0x15 0x00 0x01 0x00000002  if (A != open) goto 0003
#  0002: 0x06 0x00 0x00 0x00000000  return KILL
#  0003: 0x15 0x00 0x01 0x00000101  if (A != openat) goto 0005
#  0004: 0x06 0x00 0x00 0x00000000  return KILL
#  0005: 0x15 0x00 0x01 0x0000003b  if (A != execve) goto 0007
#  0006: 0x06 0x00 0x00 0x00000000  return KILL
#  0007: 0x15 0x00 0x01 0x00000038  if (A != clone) goto 0009
#  0008: 0x06 0x00 0x00 0x00000000  return KILL
#  0009: 0x15 0x00 0x01 0x00000039  if (A != fork) goto 0011
#  0010: 0x06 0x00 0x00 0x00000000  return KILL
#  0011: 0x15 0x00 0x01 0x0000003a  if (A != vfork) goto 0013
#  0012: 0x06 0x00 0x00 0x00000000  return KILL
#  0013: 0x15 0x00 0x01 0x00000055  if (A != creat) goto 0015
#  0014: 0x06 0x00 0x00 0x00000000  return KILL
#  0015: 0x15 0x00 0x01 0x00000142  if (A != execveat) goto 0017
#  0016: 0x06 0x00 0x00 0x00000000  return KILL
#  0017: 0x06 0x00 0x00 0x7fff0000  return ALLOW

asm
Assembles the seccomp rules into raw bytes. It's really useful when one wants to write custom seccomp rules.
Supports labels for jumping and uses syscall names directly. See examples below.
$ seccomp-tools asm
# asm - Seccomp bpf assembler.
#
# Usage: seccomp-tools asm IN_FILE [options]
#     -o, --output FILE                Output result into FILE instead of stdout.
#     -f, --format FORMAT              Output format. FORMAT can only be one of .
#                                      Default: inspect
#     -a, --arch ARCH                  Specify architecture.
#                                      Supported architectures are .

# Input file for asm
$ cat spec/data/libseccomp.asm
# # check if arch is X86_64
# A = arch
# A == ARCH_X86_64 ? next : dead
# A = sys_number
# A >= 0x40000000 ? dead : next
# A == write ? ok : next
# A == close ? ok : next
# A == dup ? ok : next
# A == exit ? ok : next
# return ERRNO(5)
# ok:
# return ALLOW
# dead:
# return KILL

$ seccomp-tools asm spec/data/libseccomp.asm
# " \x00\x00\x00\x04\x00\x00\x00\x15\x00\x00\b>\x00\x00\xC0 \x00\x00\x00\x00\x00\x00\x005\x00\x06\x00\x00\x00\x00@\x15\x00\x04\x00\x01\x00\x00\x00\x15\x00\x03\x00\x03\x00\x00\x00\x15\x00\x02\x00 \x00\x00\x00\x15\x00\x01\x00<\x00\x00\x00\x06\x00\x00\x00\x05\x00\x05\x00\x06\x00\x00\x00\x00\x00\xFF\x7F\x06\x00\x00\x00\x00\x00\x00\x00"

$ seccomp-tools asm spec/data/libseccomp.asm -f c_source
# #include 
# #include 
# #include 
# #include 
#
# static void install_seccomp() {
#   static unsigned char filter[] = {32,0,0,0,4,0,0,0,21,0,0,8,62,0,0,192,32,0,0,0,0,0,0,0,53,0,6,0,0,0,0,64,21,0,4,0,1,0,0,0,21,0,3,0,3,0,0,0,21,0,2,0,32,0,0,0,21,0,1,0,60,0,0,0,6,0,0,0,5,0,5,0,6,0,0,0,0,0,255,127,6,0,0,0,0,0,0,0};
#   struct prog {
#     unsigned short len;
#     unsigned char *filter;
#   } rule = {
#     .len = sizeof(filter) >> 3,
#     .filter = filter
#   };
#   if(prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) { perror("prctl(PR_SET_NO_NEW_PRIVS)"); exit(2); }
#   if(prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &rule) < 0) { perror("prctl(PR_SET_SECCOMP)"); exit(2); }
# }

$ seccomp-tools asm spec/data/libseccomp.asm -f assembly
# install_seccomp:
#   push   rbp
#   mov    rbp, rsp
#   push   38
#   pop    rdi
#   push   0x1
#   pop    rsi
#   xor    eax, eax
#   mov    al, 0x9d
#   syscall
#   push   22
#   pop    rdi
#   lea    rdx, [rip + _filter]
#   push   rdx /* .filter */
#   push   _filter_end - _filter >> 3 /* .len */
#   mov    rdx, rsp
#   push   0x2
#   pop    rsi
#   xor    eax, eax
#   mov    al, 0x9d
#   syscall
#   leave
#   ret
# _filter:
# .ascii "\040\000\000\000\004\000\000\000\025\000\000\010\076\000\000\300\040\000\000\000\000\000\000\000\065\000\006\000\000\000\000\100\025\000\004\000\001\000\000\000\025\000\003\000\003\000\000\000\025\000\002\000\040\000\000\000\025\000\001\000\074\000\000\000\006\000\000\000\005\000\005\000\006\000\000\000\000\000\377\177\006\000\000\000\000\000\000\000"
# _filter_end:

# let's asm then disasm!
$ seccomp-tools asm spec/data/libseccomp.asm -f raw | seccomp-tools disasm -
#  line  CODE  JT   JF      K
# =================================
#  0000: 0x20 0x00 0x00 0x00000004  A = arch
#  0001: 0x15 0x00 0x08 0xc000003e  if (A != ARCH_X86_64) goto 0010
#  0002: 0x20 0x00 0x00 0x00000000  A = sys_number
#  0003: 0x35 0x06 0x00 0x40000000  if (A >= 0x40000000) goto 0010
#  0004: 0x15 0x04 0x00 0x00000001  if (A == write) goto 0009
#  0005: 0x15 0x03 0x00 0x00000003  if (A == close) goto 0009
#  0006: 0x15 0x02 0x00 0x00000020  if (A == dup) goto 0009
#  0007: 0x15 0x01 0x00 0x0000003c  if (A == exit) goto 0009
#  0008: 0x06 0x00 0x00 0x00050005  return ERRNO(5)
#  0009: 0x06 0x00 0x00 0x7fff0000  return ALLOW
#  0010: 0x06 0x00 0x00 0x00000000  return KILL
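To show what the asm step does internally, here is an added two-pass assembler (example code, not seccomp-tools' own implementation) for the subset of the syntax used by libseccomp.asm above; the syscall table is a constructed x86_64 subset, and the result can be compared byte for byte with the array printed by `-f c_source`.

```ruby
# Added example (not seccomp-tools' own code): a two-pass assembler for the subset of
# the asm syntax used by spec/data/libseccomp.asm above: `A = arch|sys_number`,
# `A <op> <value> ? <true> : <false>` (target `next` or a label), `label:`, `return`.
SYSCALLS_X86_64 = { 'write' => 1, 'close' => 3, 'dup' => 32, 'exit' => 60 } # constructed subset
LOADS = { 'sys_number' => 0, 'arch' => 4 }      # offsets into struct seccomp_data
CONSTANTS = { 'ARCH_X86_64' => 0xc000003e }
ACTIONS = { 'KILL' => 0x00000000, 'ALLOW' => 0x7fff0000 }
# BPF has only JEQ/JGE; `!=` and `<` are encoded by swapping the true/false targets.
JUMPS = { '==' => [0x15, false], '!=' => [0x15, true], '>=' => [0x35, false], '<' => [0x35, true] }

def value(tok)
  CONSTANTS[tok] || SYSCALLS_X86_64[tok] || Integer(tok)
end

def action(tok)   # SECCOMP_RET_ERRNO carries the errno in the low 16 bits of k
  tok =~ /\AERRNO\((\d+)\)\z/ ? 0x00050000 | Integer($1) : ACTIONS.fetch(tok)
end

# Pass 1 drops comments and records label positions; pass 2 encodes each statement.
def assemble(src)
  stmts, labels = [], {}
  src.each_line do |raw|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    if line.end_with?(':') then labels[line.chomp(':')] = stmts.size else stmts << line end
  end
  target = lambda do |tok, pc|   # jump offsets are forward-only, relative to pc + 1
    off = tok == 'next' ? 0 : labels.fetch(tok) - (pc + 1)
    (0..255).cover?(off) ? off : raise("bad jump to #{tok} at #{pc}")
  end
  insns = stmts.each_with_index.map do |s, pc|
    case s
    when /\AA = (\w+)\z/ then [0x20, 0, 0, LOADS.fetch($1)]
    when /\AA (==|!=|>=|<) (\w+) \? (\w+) : (\w+)\z/
      op, val, t, f = $1, $2, $3, $4
      code, swap = JUMPS.fetch(op)
      jt, jf = target[t, pc], target[f, pc]
      [code, *(swap ? [jf, jt] : [jt, jf]), value(val)]
    when /\Areturn (\S+)\z/ then [0x06, 0, 0, action($1)]
    else raise "cannot parse: #{s}"
    end
  end
  insns.flatten.pack('S<CCL<' * insns.size)   # one struct sock_filter per statement
end

# Constructed input: the spec/data/libseccomp.asm listing shown above.
LIBSECCOMP_ASM = ['# check if arch is X86_64', 'A = arch', 'A == ARCH_X86_64 ? next : dead',
                  'A = sys_number', 'A >= 0x40000000 ? dead : next', 'A == write ? ok : next',
                  'A == close ? ok : next', 'A == dup ? ok : next', 'A == exit ? ok : next',
                  'return ERRNO(5)', 'ok:', 'return ALLOW', 'dead:', 'return KILL'].join("\n")
```

`assemble(LIBSECCOMP_ASM).bytes` reproduces the 88-byte `filter[]` array from the c_source output; a backward label reference is rejected because seccomp-bpf jump offsets are unsigned.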

Emu
Emulates seccomp given sys_nr, arg0, arg1, etc.
$ seccomp-tools emu --help
# emu - Emulate seccomp rules.
#
# Usage: seccomp-tools emu [options] BPF_FILE [sys_nr [arg0 [arg1 ... arg5]]]
#     -a, --arch ARCH                  Specify architecture.
#                                      Supported architectures are .
#     -q, --[no-]quiet                 Run quietly, only show emulation result.

$ seccomp-tools emu spec/data/libseccomp.bpf write 0x3
#  line  CODE  JT   JF      K
# =================================
#  0000: 0x20 0x00 0x00 0x00000004  A = arch
#  0001: 0x15 0x00 0x08 0xc000003e  if (A != ARCH_X86_64) goto 0010
#  0002: 0x20 0x00 0x00 0x00000000  A = sys_number
#  0003: 0x35 0x06 0x00 0x40000000  if (A >= 0x40000000) goto 0010
#  0004: 0x15 0x04 0x00 0x00000001  if (A == write) goto 0009
#  0005: 0x15 0x03 0x00 0x00000003  if (A == close) goto 0009
#  0006: 0x15 0x02 0x00 0x00000020  if (A == dup) goto 0009
#  0007: 0x15 0x01 0x00 0x0000003c  if (A == exit) goto 0009
#  0008: 0x06 0x00 0x00 0x00050005  return ERRNO(5)
#  0009: 0x06 0x00 0x00 0x7fff0000  return ALLOW
#  0010: 0x06 0x00 0x00 0x00000000  return KILL
#
# return ALLOW at line 0009
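The following added example (not seccomp-tools' own code) shows what disasm parses and what emu computes: it decodes raw struct sock_filter entries and walks the filter for one syscall the way the kernel does, over the libseccomp filter bytes printed by the c_source output above. The filter supports only the four opcodes those filters use, and ARCH_I386 (the audit arch value for i386) is included to show the arch check and the `>= 0x40000000` (x32) check rejecting a syscall number that would mean something else on another ABI.

```ruby
# Added example (not seccomp-tools' own code): parse raw seccomp-bpf and evaluate it
# for one syscall the way `seccomp-tools emu` (and the kernel) does.  Only the opcodes
# used by the filters on this page are handled: BPF_LD|BPF_W|BPF_ABS (0x20),
# BPF_JMP|BPF_JEQ|BPF_K (0x15), BPF_JMP|BPF_JGE|BPF_K (0x35) and BPF_RET|BPF_K (0x06).
ARCH_X86_64 = 0xc000003e   # AUDIT_ARCH_X86_64
ARCH_I386 = 0x40000003     # AUDIT_ARCH_I386, used below to show the arch check firing
RET_ACTIONS = { 0x00000000 => 'KILL', 0x00050000 => 'ERRNO', 0x7fff0000 => 'ALLOW' }
Insn = Struct.new(:code, :jt, :jf, :k)

# struct sock_filter is 8 bytes: u16 code, u8 jt, u8 jf, u32 k (little-endian).
def parse_bpf(raw)
  raise ArgumentError, 'length is not a multiple of 8' unless raw.bytesize % 8 == 0
  raw.unpack('S<CCL<' * (raw.bytesize / 8)).each_slice(4).map { |f| Insn.new(*f) }
end

# SECCOMP_RET_ACTION is the high 16 bits of k, SECCOMP_RET_DATA (the errno) the low 16.
def ret_name(k)
  action = RET_ACTIONS.fetch(k & 0xffff0000) { format('0x%08x', k) }
  action == 'ERRNO' ? "ERRNO(#{k & 0xffff})" : action
end

# The struct seccomp_data view the filter reads via BPF_ABS offsets: nr at 0, arch at 4,
# and the low / high 32-bit halves of each u64 arg at 16 + 8*n / 20 + 8*n.
def seccomp_data(arch, nr, args)
  data = { 0 => nr, 4 => arch }
  args.each_with_index { |v, n| data[16 + 8 * n] = v & 0xffffffff; data[20 + 8 * n] = (v >> 32) & 0xffffffff }
  data
end

# Returns [action, line], matching the last line of the emu output above.
def emulate(insns, arch:, nr:, args: [])
  data = seccomp_data(arch, nr, args)
  a = pc = 0
  loop do
    i = insns.fetch(pc)               # running off the end means a malformed filter
    case i.code
    when 0x20 then a = data.fetch(i.k, 0); pc += 1
    when 0x15 then pc += 1 + (a == i.k ? i.jt : i.jf)   # jumps are relative to pc + 1
    when 0x35 then pc += 1 + (a >= i.k ? i.jt : i.jf)
    when 0x06 then return [ret_name(i.k), pc]
    else raise format('unsupported opcode 0x%02x at %04d', i.code, pc)
    end
  end
end

# Constructed input: the 88 filter bytes from the c_source output of libseccomp.asm above.
LIBSECCOMP_BPF = [32,0,0,0,4,0,0,0, 21,0,0,8,62,0,0,192, 32,0,0,0,0,0,0,0, 53,0,6,0,0,0,0,64,
                  21,0,4,0,1,0,0,0, 21,0,3,0,3,0,0,0, 21,0,2,0,32,0,0,0, 21,0,1,0,60,0,0,0,
                  6,0,0,0,5,0,5,0, 6,0,0,0,0,0,255,127, 6,0,0,0,0,0,0,0].pack('C*')
p emulate(parse_bpf(LIBSECCOMP_BPF), arch: ARCH_X86_64, nr: 1, args: [3])   # prints ["ALLOW", 9]
```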

Screenshots

Dump (screenshot not reproduced in this text copy)

Emu (screenshot not reproduced in this text copy)

Development
I recommend using rbenv for your Ruby environment.

Setup
  • Install bundler
    • $ gem install bundler
  • Clone the source
    • $ git clone https://github.com/david942j/seccomp-tools && cd seccomp-tools
  • Install dependencies
    • $ bundle install

Run tests
$ bundle exec rake

I Need You
Any suggestion or feature request is welcome! Feel free to file an issue or send a pull request. And, if you like this work, I'll be happy to be starred.