seccomp-tools 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: afb07d55f6cf7b437b6829709c0897af34ae112e
+  data.tar.gz: 72b290bd53662794f8b588d59912733096d7d79d
+SHA512:
+  metadata.gz: 0d38df515ef8dc6474b3b407be4c3e0959cd2e28227e863c3826d8b437154c65ca7e5b385d1db4ba6ae1010f1058c25b089d2918bbe6b6b805a9bbdbe438ad07
+  data.tar.gz: 54730dafe8e3a77743f0d2eaa8cb947767d00b9aa3b5f2cd4a8d77386eb65decc664f74d84998d7630c7216a985cf8d8e7ca7345a63eae99aa3d9ae449d495db

data/README.md

@@ -0,0 +1,151 @@
+[![Build Status](https://travis-ci.org/david942j/seccomp-tools.svg?branch=master)](https://travis-ci.org/david942j/seccomp-tools)
+[![Code Climate](https://codeclimate.com/github/david942j/seccomp-tools/badges/gpa.svg)](https://codeclimate.com/github/david942j/seccomp-tools)
+[![Issue Count](https://codeclimate.com/github/david942j/seccomp-tools/badges/issue_count.svg)](https://codeclimate.com/github/david942j/seccomp-tools)
+[![Test Coverage](https://codeclimate.com/github/david942j/seccomp-tools/badges/coverage.svg)](https://codeclimate.com/github/david942j/seccomp-tools/coverage)
+[![Inline docs](https://inch-ci.org/github/david942j/seccomp-tools.svg?branch=master)](https://inch-ci.org/github/david942j/seccomp-tools)
+[![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)](http://choosealicense.com/licenses/mit/)
+
+# Seccomp Tools
+Provides powerful tools for seccomp analysis.
+
+This project is targeted to (but not limited to) analyze seccomp sandbox in CTF pwn challenges.
+Some features might be CTF-specific, but still useful for analysis of seccomp in real-case.
+
+## Features
+* Dump - Automatically dump seccomp-bpf from binary.
+* Disasm - Convert bpf to human readable format.
+  - Simple decompile.
+  - Show syscall names.
+  - (TODO) Simplify disassemble result.
+* (TODO) Solve constraints for executing syscalls (e.g. `execve/open/read/write`).
+* Support multi-architectures.
+
+## Installation
+
+Will be available on RubyGems.org!
+(TODO)
+
+## Command Line Interface
+
+### seccomp-tools
+
+```bash
+$ seccomp-tools --help
+# Usage: seccomp-tools [--version] [--help] <command> [<options>]
+#
+# List of commands:
+#
+# 	dump	Automatically dump seccomp bpf from execution file.
+# 	disasm	Disassembly seccomp bpf.
+#
+# See 'seccomp-tools --help <command>' to read about a specific subcommand.
+
+$ seccomp-tools --help dump
+# dump - Automatically dump seccomp bpf from execution file.
+#
+# Usage: seccomp-tools dump [exec] [options]
+#     -c, --sh-exec <command>          Executes the given command (via sh).
+#                                      Use this option if want to pass arguments or do pipe things to the execution file.
+#     -f, --format FORMAT              Output format. FORMAT can only be one of <disasm|raw|inspect>.
+#                                      Default: disasm
+#     -l, --limit LIMIT                Limit the number of calling "prctl(PR_SET_SECCOMP)".
+#                                      The target process will be killed whenever its calling times reaches LIMIT.
+#                                      Default: 1
+#     -o, --output FILE                Output result into FILE instead of stdout.
+#                                      If multiple seccomp syscalls have been invoked (see --limit),
+#                                      results will be written to FILE, FILE_1, FILE_2.. etc.
+#                                      For example, "--output out.bpf" and the output files are out.bpf, out_1.bpf, ...
+
+```
+
+### dump
+
+Dump the seccomp bpf from an execution file.
+This work is done by the `ptrace` syscall.
+
+NOTICE: beware of the execution file will be executed.
+```bash
+$ file spec/binary/twctf-2016-diary
+# spec/binary/twctf-2016-diary: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=3648e29153ac0259a0b7c3e25537a5334f50107f, not stripped
+
+$ seccomp-tools dump spec/binary/twctf-2016-diary
+#  line  CODE  JT   JF      K
+# =================================
+#  0000: 0x20 0x00 0x00 0x00000000  A = sys_number
+#  0001: 0x15 0x00 0x01 0x00000002  if (A != open) goto 0003
+#  0002: 0x06 0x00 0x00 0x00000000  return KILL
+#  0003: 0x15 0x00 0x01 0x00000101  if (A != openat) goto 0005
+#  0004: 0x06 0x00 0x00 0x00000000  return KILL
+#  0005: 0x15 0x00 0x01 0x0000003b  if (A != execve) goto 0007
+#  0006: 0x06 0x00 0x00 0x00000000  return KILL
+#  0007: 0x15 0x00 0x01 0x00000038  if (A != clone) goto 0009
+#  0008: 0x06 0x00 0x00 0x00000000  return KILL
+#  0009: 0x15 0x00 0x01 0x00000039  if (A != fork) goto 0011
+#  0010: 0x06 0x00 0x00 0x00000000  return KILL
+#  0011: 0x15 0x00 0x01 0x0000003a  if (A != vfork) goto 0013
+#  0012: 0x06 0x00 0x00 0x00000000  return KILL
+#  0013: 0x15 0x00 0x01 0x00000055  if (A != creat) goto 0015
+#  0014: 0x06 0x00 0x00 0x00000000  return KILL
+#  0015: 0x15 0x00 0x01 0x00000142  if (A != execveat) goto 0017
+#  0016: 0x06 0x00 0x00 0x00000000  return KILL
+#  0017: 0x06 0x00 0x00 0x7fff0000  return ALLOW
+
+$ seccomp-tools dump spec/binary/twctf-2016-diary -f inspect
+# "\x20\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x01\x02\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x01\x01\x01\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x01\x3B\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x01\x38\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x01\x39\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x01\x3A\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x01\x55\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x01\x42\x01\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\xFF\x7F"
+
+$ seccomp-tools dump spec/binary/twctf-2016-diary -f raw | xxd
+# 00000000: 2000 0000 0000 0000 1500 0001 0200 0000   ...............
+# 00000010: 0600 0000 0000 0000 1500 0001 0101 0000  ................
+# 00000020: 0600 0000 0000 0000 1500 0001 3b00 0000  ............;...
+# 00000030: 0600 0000 0000 0000 1500 0001 3800 0000  ............8...
+# 00000040: 0600 0000 0000 0000 1500 0001 3900 0000  ............9...
+# 00000050: 0600 0000 0000 0000 1500 0001 3a00 0000  ............:...
+# 00000060: 0600 0000 0000 0000 1500 0001 5500 0000  ............U...
+# 00000070: 0600 0000 0000 0000 1500 0001 4201 0000  ............B...
+# 00000080: 0600 0000 0000 0000 0600 0000 0000 ff7f  ................
+
+```
+
+### disasm
+
+Disassemble the seccomp bpf.
+```bash
+$ xxd spec/data/twctf-2016-diary.bpf | head -n 3
+# 00000000: 2000 0000 0000 0000 1500 0001 0200 0000   ...............
+# 00000010: 0600 0000 0000 0000 1500 0001 0101 0000  ................
+# 00000020: 0600 0000 0000 0000 1500 0001 3b00 0000  ............;...
+
+$ seccomp-tools disasm spec/data/twctf-2016-diary.bpf
+#  line  CODE  JT   JF      K
+# =================================
+#  0000: 0x20 0x00 0x00 0x00000000  A = sys_number
+#  0001: 0x15 0x00 0x01 0x00000002  if (A != open) goto 0003
+#  0002: 0x06 0x00 0x00 0x00000000  return KILL
+#  0003: 0x15 0x00 0x01 0x00000101  if (A != openat) goto 0005
+#  0004: 0x06 0x00 0x00 0x00000000  return KILL
+#  0005: 0x15 0x00 0x01 0x0000003b  if (A != execve) goto 0007
+#  0006: 0x06 0x00 0x00 0x00000000  return KILL
+#  0007: 0x15 0x00 0x01 0x00000038  if (A != clone) goto 0009
+#  0008: 0x06 0x00 0x00 0x00000000  return KILL
+#  0009: 0x15 0x00 0x01 0x00000039  if (A != fork) goto 0011
+#  0010: 0x06 0x00 0x00 0x00000000  return KILL
+#  0011: 0x15 0x00 0x01 0x0000003a  if (A != vfork) goto 0013
+#  0012: 0x06 0x00 0x00 0x00000000  return KILL
+#  0013: 0x15 0x00 0x01 0x00000055  if (A != creat) goto 0015
+#  0014: 0x06 0x00 0x00 0x00000000  return KILL
+#  0015: 0x15 0x00 0x01 0x00000142  if (A != execveat) goto 0017
+#  0016: 0x06 0x00 0x00 0x00000000  return KILL
+#  0017: 0x06 0x00 0x00 0x7fff0000  return ALLOW
+
+```
+
+## Screenshots
+
+### Dump
+![dump](https://github.com/david942j/seccomp-tools/blob/master/examples/dump-diary.png?raw=true)
+
+
+## I Need You
+Any suggestion or feature request is welcome!
+Feel free to file an issue or send a pull request.
+And, if you like this work, I'll be happy to be [stared](https://github.com/david942j/seccomp-tools/stargazers) :grimacing:

data/bin/seccomp-tools

@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+
+require 'seccomp-tools/cli/cli'
+
+SeccompTools::CLI.work(ARGV)

data/ext/ptrace/extconf.rb

@@ -0,0 +1,5 @@
+require 'mkmf'
+
+extension_name = 'seccomp-tools/ptrace'
+
+create_makefile(extension_name)

data/ext/ptrace/ptrace.c

@@ -0,0 +1,76 @@
+#include <sys/ptrace.h>
+#include <sys/signal.h>
+
+#include "ruby.h"
+
+static VALUE
+ptrace_geteventmsg(VALUE _mod, VALUE pid) {
+  unsigned long val;
+  ptrace(PTRACE_GETEVENTMSG, NUM2LONG(pid), NULL, &val);
+  return ULONG2NUM(val);  
+}
+
+static VALUE
+ptrace_peekdata(VALUE _mod, VALUE pid, VALUE addr, VALUE _data) {
+  long val = ptrace(PTRACE_PEEKDATA, NUM2LONG(pid), NUM2LONG(addr), NULL);
+  return LONG2NUM(val);  
+}
+
+static VALUE
+ptrace_peekuser(VALUE _mod, VALUE pid, VALUE off, VALUE _data) {
+  long val = ptrace(PTRACE_PEEKUSER, NUM2LONG(pid), NUM2LONG(off), NULL);
+  return LONG2NUM(val);  
+}
+
+static VALUE
+ptrace_setoptions(VALUE _mod, VALUE pid, VALUE _addr, VALUE option) {
+  if(ptrace(PTRACE_SETOPTIONS, NUM2LONG(pid), NULL, NUM2LONG(option)) != 0)
+    perror("ptrace setoptions");
+  return Qnil;
+}
+
+static VALUE
+ptrace_syscall(VALUE _mod, VALUE pid, VALUE _addr, VALUE sig) {
+  if(ptrace(PTRACE_SYSCALL, NUM2LONG(pid), NULL, NUM2LONG(sig)) != 0)
+    perror("ptrace syscall");
+  return Qnil;
+}
+
+static VALUE
+ptrace_traceme(VALUE _mod) {
+  if(ptrace(PTRACE_TRACEME, 0, 0, 0) != 0)
+    perror("ptrace traceme");
+  return Qnil;
+}
+
+static VALUE
+ptrace_traceme_and_stop(VALUE mod) {
+  ptrace_traceme(mod);
+  kill(getpid(), SIGSTOP);
+  return Qnil;
+}
+
+
+void Init_ptrace(void) {
+  VALUE mSeccompTools = rb_define_module("SeccompTools");
+  VALUE mPtrace = rb_define_module_under(mSeccompTools, "Ptrace");
+
+  /* consts */
+  rb_define_const(mPtrace, "EVENT_CLONE", UINT2NUM(PTRACE_EVENT_CLONE));
+  rb_define_const(mPtrace, "EVENT_FORK", UINT2NUM(PTRACE_EVENT_FORK));
+  rb_define_const(mPtrace, "EVENT_VFORK", UINT2NUM(PTRACE_EVENT_VFORK));
+  rb_define_const(mPtrace, "O_TRACECLONE", UINT2NUM(PTRACE_O_TRACECLONE));
+  rb_define_const(mPtrace, "O_TRACEFORK", UINT2NUM(PTRACE_O_TRACEFORK));
+  rb_define_const(mPtrace, "O_TRACESYSGOOD", UINT2NUM(PTRACE_O_TRACESYSGOOD));
+  rb_define_const(mPtrace, "O_TRACEVFORK", UINT2NUM(PTRACE_O_TRACEVFORK));
+
+  /* ptrace wrapper */
+  rb_define_module_function(mPtrace, "geteventmsg", ptrace_geteventmsg, 1);
+  rb_define_module_function(mPtrace, "peekdata", ptrace_peekdata, 3);
+  rb_define_module_function(mPtrace, "peekuser", ptrace_peekuser, 3);
+  rb_define_module_function(mPtrace, "setoptions", ptrace_setoptions, 3);
+  rb_define_module_function(mPtrace, "syscall", ptrace_syscall, 3);
+  rb_define_module_function(mPtrace, "traceme", ptrace_traceme, 0);
+  rb_define_module_function(mPtrace, "traceme_and_stop", ptrace_traceme_and_stop, 0);
+}
+

data/lib/seccomp-tools.rb

@@ -0,0 +1,8 @@
+# @author david942j
+
+# Main module.
+module SeccompTools
+end
+
+require 'seccomp-tools/dumper'
+require 'seccomp-tools/version'

data/lib/seccomp-tools/bpf.rb

@@ -0,0 +1,71 @@
+require 'seccomp-tools/const'
+require 'seccomp-tools/instruction/instruction'
+
+module SeccompTools
+  # Define the +struct sock_filter+, while more powerful.
+  class BPF
+    attr_reader :line, :code, :jt, :jf, :k, :arch
+    # @return [Array<SeccompTools::Context>]
+    attr_accessor :contexts
+
+    # @param [String] raw
+    #   One +struct sock_filter+ in bytes, should exactly 8 bytes.
+    # @param [Symbol] arch
+    #   Architecture, for showing constant names in decompile.
+    # @param [Integer] line
+    #   Line number of this filter.
+    def initialize(raw, arch, line)
+      io = StringIO.new(raw)
+      @code = io.read(2).unpack('S').first
+      @jt = io.read(1).ord
+      @jf = io.read(1).ord
+      @k = io.read(4).unpack('L').first
+      @arch = arch
+      @line = line
+    end
+
+    # Pretty display the disassemble result.
+    # @return [String]
+    def disasm
+      format(' %04d: 0x%02x 0x%02x 0x%02x 0x%08x  %s',
+             line, code, jt, jf, k, decompile)
+    end
+
+    # @return [Symbol]
+    def command
+      Const::BPF::COMMAND.invert[code & 7]
+    end
+
+    # @return [String]
+    def decompile
+      inst.decompile
+    end
+
+    # @param [Context] context
+    #   Current context.
+    # @yieldparam [Integer] pc
+    #   Program conter after this instruction.
+    # @yieldparam [Context] ctx
+    #   Context after this instruction.
+    # @return [void]
+    def branch(context, &block)
+      # TODO: consider alu
+      inst.branch(context).each(&block)
+    end
+
+    private
+
+    def inst
+      @inst ||= case command
+                when :alu  then SeccompTools::Instruction::ALU
+                when :jmp  then SeccompTools::Instruction::JMP
+                when :ld   then SeccompTools::Instruction::LD
+                when :ldx  then SeccompTools::Instruction::LDX
+                when :misc then SeccompTools::Instruction::MISC
+                when :ret  then SeccompTools::Instruction::RET
+                when :st   then SeccompTools::Instruction::ST
+                when :stx  then SeccompTools::Instruction::STX
+                end.new(self)
+    end
+  end
+end

data/lib/seccomp-tools/cli/base.rb

@@ -0,0 +1,67 @@
+require 'optparse'
+
+module SeccompTools
+  module CLI
+    # Base class for handlers.
+    class Base
+      attr_reader :option, :argv
+      def initialize(argv)
+        @option = {}
+        @argv = argv
+      end
+
+      private
+
+      # Handle show help message.
+      # @return [Boolean]
+      #   For decestors to check if needs to conitnue.
+      def handle
+        return CLI.show(parser.help) if argv.empty? || %w[-h --help].any? { |h| argv.include?(h) }
+        parser.parse!(argv)
+        true
+      end
+
+      # Write data to stdout or file(s).
+      # @param [String] data
+      #   Data.
+      # @return [void]
+      def output(data)
+        # if file name not present, just output to stdout.
+        return $stdout.write(data) if option[:ofile].nil?
+        # times of calling output
+        @serial ||= 0
+        IO.binwrite(file_of(option[:ofile], @serial), data)
+        @serial += 1
+      end
+
+      # Get filename with serial number.
+      #
+      # @param [String] file
+      #   Filename.
+      # @param [Integer] serial
+      #   serial number, starts from zero.
+      # @return [String]
+      #   Result filename.
+      # @example
+      #   file_of('a.png', 0)
+      #   #=> 'a.png'
+      #   file_of('a.png', 1)
+      #   #=> 'a_1.png'
+      #   file_of('test/a.png', 3)
+      #   #=> 'test/a_3.png'
+      def file_of(file, serial)
+        suffix = serial.zero? ? '' : "_#{serial}"
+        ext = File.extname(file)
+        base = File.basename(file, ext)
+        File.join(File.dirname(file), base + suffix) + ext
+      end
+
+      # For decestors easy to define usage message.
+      # @return [String]
+      #   Usage information.
+      def usage
+        self.class.const_get(:USAGE)
+      end
+    end
+  end
+end

data/lib/seccomp-tools/cli/cli.rb

@@ -0,0 +1,72 @@
+require 'seccomp-tools/cli/disasm'
+require 'seccomp-tools/cli/dump'
+require 'seccomp-tools/version'
+
+module SeccompTools
+  # Handle CLI arguments parse.
+  module CLI
+    # Handled commands
+    COMMANDS = {
+      'dump' => SeccompTools::CLI::Dump,
+      'disasm' => SeccompTools::CLI::Disasm
+    }.freeze
+
+    # Main usage message.
+    USAGE = <<EOS.sub('%COMMANDS', COMMANDS.map { |k, v| "\t#{k}\t#{v::SUMMARY}" }.join("\n")).freeze
+Usage: seccomp-tools [--version] [--help] <command> [<options>]
+
+List of commands:
+
+%COMMANDS
+
+See 'seccomp-tools --help <command>' to read about a specific subcommand.
+EOS
+
+    module_function
+
+    # Main work method for CLI.
+    # @param [Array<String>] argv
+    #   Command line arguments.
+    # @return [void]
+    # @example
+    #   work(argv: %w[--help])
+    #   #=> # usage message
+    #   work(argv: %w[--version])
+    #   #=> # version message
+    def work(argv)
+      # all -h equivalent to --help
+      argv = argv.map { |a| a == '-h' ? '--help' : a }
+      idx = argv.index { |c| !c.start_with?('-') }
+      preoption = idx.nil? ? argv.shift(argv.size) : argv.shift(idx)
+
+      # handle --version or --help or nothing
+      return show("SeccompTools Version #{SeccompTools::VERSION}") if preoption.include?('--version')
+      return show(USAGE) if idx.nil?
+
+      # let's handle commands
+      cmd = argv.shift
+      argv = %w[--help] if preoption.include?('--help')
+      return show(invalid(cmd)) if COMMANDS[cmd].nil?
+      COMMANDS[cmd].new(argv).handle
+    end
+
+    # Just write message to stdout.
+    # @param [String] msg
+    #   The message.
+    # @return [false]
+    #   Always return +false+.
+    def show(msg)
+      puts msg
+      false
+    end
+
+    class << self
+      private
+
+      # Invalid command message.
+      def invalid(cmd)
+        format("Invalid command '%s'\n\nSee 'seccomp-tools --help' for list of valid commands", cmd)
+      end
+    end
+  end
+end