@K-atc
Last active July 6, 2016 12:39
katagaitai CTF Study Session #5 - tp: environment setup

A way to simplify setting up the environment for tp

cf. ATND - katagaitai CTF Study Session #5 - Kanto|med

Requirements

  • vagrant

Report

Preparation

### prepare your working dir. for example:
# mkdir -p ~/ctf/katagaitai-6/tp
# cd ~/ctf/katagaitai-6/tp
### pull ubuntu 14.04 box
#### (see https://atlas.hashicorp.com/bento/boxes/ubuntu-14.04)
vagrant init bento/ubuntu-14.04; vagrant up --provider virtualbox

Vagrantfile

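Replace the generated Vagrantfile with the attached Vagrantfile. Put the attached bootstrap.sh in the same directory. [Important] Things go smoothly if you put the tp file in the directory that contains the Vagrantfile.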

vagrant up

Start the VM. This takes less than 20 minutes, so relax and watch some anime while you wait. The installation listed at http://pastebin.com/RjmDapEv is completed in this phase.

vagrant up

vagrant ssh

An environment where tp runs and can be debugged is now ready!

[K_atc]% vagrant ssh                                                                                           at [~/ctf/katagaitai-kanto-med-2016/tp]
Welcome to Ubuntu 14.04.4 LTS (GNU/Linux 3.13.0-86-generic x86_64)

 * Documentation:  https://help.ubuntu.com/
vagrant@vagrant:~$ ls -la
total 48
drwxr-xr-x  7 vagrant vagrant 4096 Jul  2 04:21 .
drwxr-xr-x  3 root    root    4096 May 21 22:49 ..
-rw-r--r--  1 vagrant vagrant  220 May 21 22:49 .bash_logout
-rw-r--r--  1 vagrant vagrant 3637 May 21 22:49 .bashrc
drwx------  2 vagrant vagrant 4096 May 21 22:50 .cache
-rw-r--r--  1 vagrant vagrant   81 Jul  2 04:17 .gdbinit
drwxr-xr-x  9 vagrant vagrant 4096 Jul  2 04:23 katana
drwxr-xr-x 10 vagrant vagrant 4096 Jul  2 04:17 libseccomp
drwxr-xr-x  4 vagrant vagrant 4096 Jul  2 04:16 peda
-rw-r--r--  1 vagrant vagrant  675 May 21 22:49 .profile
drwx------  2 vagrant vagrant 4096 Jul  2 04:11 .ssh
-rw-r--r--  1 vagrant vagrant    6 May 21 22:50 .vbox_version
vagrant@vagrant:~$ cat .gdbinit
source /home/vagrant/peda/peda.py
define heap
  python from libheap import *
end
vagrant@vagrant:~$ cd /vagrant/
vagrant@vagrant:/vagrant$ ls
bootstrap.sh  Dockerfile  problem_414d338fffb41107a3cf70bd0a7feffe.elf  Vagrantfile
vagrant@vagrant:/vagrant$ echo | ./problem_414d338fffb41107a3cf70bd0a7feffe.elf
Check failed at problem.cc:183 (Success): ReadLen(STDIN_FILENO, &command, sizeof(command)) == sizeof(command)
Killed
vagrant@vagrant:/vagrant$ gdb -q problem_414d338fffb41107a3cf70bd0a7feffe.elf
Reading symbols from problem_414d338fffb41107a3cf70bd0a7feffe.elf...(no debugging symbols found)...done.
gdb-peda$ heap
gdb-peda$ q
vagrant@vagrant:/vagrant$ katana
> 

To shut down the VM

vagrant halt

To delete the VM

vagrant destroy

special thanks!!

bootstrap.sh

#!/bin/bash
# based on: http://pastebin.com/RjmDapEv
HOME=/home/vagrant
cd $HOME
pwd
# ■common
apt-get update
# abort provisioning if the install fails (braces, not a subshell, so exit ends the script)
apt-get install -y vim tmux gdb gdbserver socat binutils nasm python git autoconf libtool make || \
{ echo "[!] apt-get install failed"; exit 1; }
# ■peda
cd $HOME
git clone https://github.com/longld/peda.git $HOME/peda
echo source $HOME/peda/peda.py >> $HOME/.gdbinit
# ■rp++
cd $HOME
wget -q https://github.com/downloads/0vercl0k/rp/rp-lin-x64
chmod +x rp-lin-x64 && mv rp-lin-x64 /usr/local/bin
# ■disas-seccomp-filter
cd $HOME
# GitHub no longer serves the unauthenticated git:// protocol; clone over https
git clone https://github.com/seccomp/libseccomp && cd libseccomp
./autogen.sh && ./configure && make
cp tools/scmp_bpf_disasm tools/scmp_sys_resolver /usr/local/bin
wget -q https://raw.githubusercontent.com/akiym/akitools/master/disas-seccomp-filter
chmod +x disas-seccomp-filter && mv disas-seccomp-filter /usr/local/bin
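# The following may or may not be needed, but install it anyway
# ■libheap
cd $HOME
apt-get install -y libc6-dbg || \
{ echo "[!] apt-get install failed"; exit 1; }
# fetch over https rather than plain http: this file is later imported into gdb
wget -q https://pastebin.com/raw/8Mx8A1zG -O libheap.py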
echo 'from .libheap import *' > __init__.py
mkdir -p /usr/local/lib/python3.4/dist-packages/libheap/
mv libheap.py __init__.py /usr/local/lib/python3.4/dist-packages/libheap/
echo -e 'define heap\n python from libheap import *\nend' >> $HOME/.gdbinit
# ■katana
cd $HOME
apt-get -y install libelf-dev libdwarf-dev libunwind8-dev libreadline-dev bison flex g++
git clone git://git.savannah.nongnu.org/katana.git && cd katana
ls /usr/bin/aclocal-1.15 || ln -s /usr/bin/aclocal-1.14 /usr/bin/aclocal-1.15
ls /usr/bin/automake-1.15 || ln -s /usr/bin/automake-1.14 /usr/bin/automake-1.15
sed -i '784,787d' src/patchwrite/patchwrite.c
sed -i '783a\int res=dwarf_producer_init(flags,dwarfWriteSectionCallback,dwarfErrorHandler,NULL,&err);' src/patchwrite/patchwrite.c
./configure && make
sed -i 's/\($(AM_V_CCLD).*\)/\1 $(lebtest_LDFLAGS)/' tests/code/Makefile
make && make install
chown vagrant:vagrant -R $HOME
echo "[+] bootstrap.sh done!"
Vagrantfile

# -*- mode: ruby -*-
# vi: set ft=ruby :

# All Vagrant configuration is done below. The "2" in Vagrant.configure
# configures the configuration version (we support older styles for
# backwards compatibility). Please don't change it unless you know what
# you're doing.
Vagrant.configure("2") do |config|
  # The most common configuration options are documented and commented below.
  # For a complete reference, please see the online documentation at
  # https://docs.vagrantup.com.

  # Every Vagrant development environment requires a box. You can search for
  # boxes at https://atlas.hashicorp.com/search.
  config.vm.box = "bento/ubuntu-14.04"

  # Disable automatic box update checking. If you disable this, then
  # boxes will only be checked for updates when the user runs
  # `vagrant box outdated`. This is not recommended.
  config.vm.box_check_update = false

  # Create a forwarded port mapping which allows access to a specific port
  # within the machine from a port on the host machine. In the example below,
  # accessing "localhost:8080" will access port 80 on the guest machine.
  # config.vm.network "forwarded_port", guest: 80, host: 8080

  # Create a private network, which allows host-only access to the machine
  # using a specific IP.
  # config.vm.network "private_network", ip: "192.168.33.10"

  # Create a public network, which generally matched to bridged network.
  # Bridged networks make the machine appear as another physical device on
  # your network.
  # config.vm.network "public_network"

  # Share an additional folder to the guest VM. The first argument is
  # the path on the host to the actual folder. The second argument is
  # the path on the guest to mount the folder. And the optional third
  # argument is a set of non-required options.
  # config.vm.synced_folder "../data", "/vagrant_data"

  # Provider-specific configuration so you can fine-tune various
  # backing providers for Vagrant. These expose provider-specific options.
  # Example for VirtualBox:
  #
  # config.vm.provider "virtualbox" do |vb|
  #   # Display the VirtualBox GUI when booting the machine
  #   vb.gui = true
  #
  #   # Customize the amount of memory on the VM:
  #   vb.memory = "1024"
  # end
  #
  # View the documentation for the provider you are using for more
  # information on available options.

  # Define a Vagrant Push strategy for pushing to Atlas. Other push strategies
  # such as FTP and Heroku are also available. See the documentation at
  # https://docs.vagrantup.com/v2/push/atlas.html for more information.
  # config.push.define "atlas" do |push|
  #   push.app = "YOUR_ATLAS_USERNAME/YOUR_APPLICATION_NAME"
  # end

  # Enable provisioning with a shell script. Additional provisioners such as
  # Puppet, Chef, Ansible, Salt, and Docker are also available. Please see the
  # documentation for more information about their specific syntax and use.
  # config.vm.provision "shell", inline: <<-SHELL
  #   apt-get update
  #   apt-get install -y apache2
  # SHELL
  config.vm.provision :shell, :path => "bootstrap.sh"
end
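
bootstrap.sh runs as root during provisioning and installs rp-lin-x64, disas-seccomp-filter and libheap.py directly from `wget` with no integrity check. The helpers below are an added example, not part of the original gist: they install a download only when its SHA-256 matches a digest you recorded yourself. The function names are hypothetical and the digest in the usage comment is a placeholder.

```shell
#!/bin/bash
# Added example (not from the gist): install a downloaded file only if its
# SHA-256 matches a digest you recorded from a copy you reviewed.
# Function names are hypothetical.

# Print the hex SHA-256 of a file.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# sha256_matches FILE EXPECTED_HEX: succeed only on an exact digest match.
sha256_matches() {
  local file expected actual
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
  [ -f "$file" ] || return 2
  actual=$(sha256_of "$file")
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# install_verified SRC EXPECTED_HEX DEST [MODE]: copy SRC to DEST with MODE
# (default 0755) only after the digest check passes.
install_verified() {
  local src expected dest mode
  src=$1; expected=$2; dest=$3; mode=${4:-0755}
  if ! sha256_matches "$src" "$expected"; then
    echo "[!] SHA-256 mismatch for $src, not installing to $dest" >&2
    return 1
  fi
  install -m "$mode" "$src" "$dest"
}

# fetch_verified URL EXPECTED_HEX DEST [MODE]: download, verify, then install.
fetch_verified() {
  local tmp rc
  tmp=$(mktemp) || return 1
  rc=1
  if wget -q -O "$tmp" "$1"; then
    install_verified "$tmp" "$2" "$3" "${4:-0755}" && rc=0
  fi
  rm -f "$tmp"
  return "$rc"
}
# In bootstrap.sh (the digest is a placeholder to fill in yourself):
# fetch_verified https://github.com/downloads/0vercl0k/rp/rp-lin-x64 \
#   "<SHA256_YOU_RECORDED>" /usr/local/bin/rp-lin-x64 || exit 1
```

A failed check leaves nothing at the destination path, so a changed or tampered upstream file stops provisioning instead of landing in /usr/local/bin.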