
Calle Svensson ZetaTwo

@fransr
fransr / bucket-disclose.sh
Last active June 19, 2024 08:56
Using error messages to decloak an S3 bucket. Uses SOAP, Unicode, POST, multipart, streaming and index listing as ways of figuring it out. You do need a valid AWS key (never the secret) to properly get the error messages.
#!/bin/bash
# Written by Frans Rosén (twitter.com/fransrosen)
_debug="$2" #turn on debug
_timeout="20"
#you need a valid key, since the errors happen after it validates that the key exists. we do not need the secret key, only the access key
_aws_key="AKIA..."
H_ACCEPT="accept-language: en-US,en;q=0.9,sv;q=0.8,zh-TW;q=0.7,zh;q=0.6,fi;q=0.5,it;q=0.4,de;q=0.3"
H_AGENT="user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36"
@simonlindholm
simonlindholm / battlecode-2017-vulnerabilities.md
Last active December 4, 2019 23:23
A short write-up of two Battlecode vulnerabilities and a hypothetical backdoor

Last year's Battlecode engine did JVM instrumentation to sandbox players on the same team from each other, and to limit the amount of computation they were allowed to do. We found two fun vulnerabilities related to the latter part.

The first vulnerability

The process by which the bytecode instruction limitation was done was by decompiling .class files, adding in instruction-counting instructions in relevant places, and then re-compiling them and running the modified executable. More concretely, say the program contained a method like:

@trietptm
trietptm / rol-ror.py
Created August 3, 2016 16:27 — forked from vqhuy/rol-ror.py
Python rol, ror operation implementation
###########################################################################
# Rotating bits (tested with Python 2.7)
from __future__ import print_function # PEP 3105
# max bits > 0 == width of the value in bits (e.g., int_16 -> 16)
# Rotate left: 0b1001 --> 0b0011
rol = lambda val, r_bits, max_bits: \
    (val << r_bits%max_bits) & (2**max_bits-1) | \
    ((val & (2**max_bits-1)) >> (max_bits-(r_bits%max_bits)))
apt-get install python2.7-dev python2.7
apt-get build-dep gdb
apt-get source gdb
sed -i -E "s|python3|/usr/bin/python2.7|" debian/rules
dpkg-buildpackage -uc -us -j8
dpkg -i ../*.deb