Akira Kawata akawashiro

## 21-48-18.895-1315313_+python3_recover_pass.py.log
$ python3 recover_pass.py
<SimulationManager with 1 active>
Traceback (most recent call last):
  File "/home/akira/tmp/hoge/recover_pass.py", line 28, in <module>
    sm.explore(find=TARGET_ADDR, avoid=FAIL_ADDR, n=1)
  File "/home/akira/tmp/hoge/myenv/lib/python3.10/site-packages/angr/sim_manager.py", line 330, in explore
    self.run(stash=stash, n=n, **kwargs)
  File "/home/akira/tmp/hoge/myenv/lib/python3.10/site-packages/angr/sim_manager.py", line 360, in run
    self.step(stash=stash, **kwargs)
  File "/home/akira/tmp/hoge/myenv/lib/python3.10/site-packages/angr/misc/hookset.py", line 96, in __call__

## exploit.py
#!/usr/bin/env python2
import socket
import struct
import subprocess

HOST,PORT = "136.243.194.45", 1024

def ru(a, n=4096):
	d = ""
	while not d.endswith(a):

## 23-19-46.295-4168218_+find_._grep_x86_64_grep_S.log
$ find . | grep x86_64 | grep S$
./sysdeps/x86_64/rshift.S
./sysdeps/x86_64/add_n.S
./sysdeps/x86_64/__longjmp.S
./sysdeps/x86_64/stpcpy.S
./sysdeps/x86_64/dl-tlsdesc.S
./sysdeps/x86_64/submul_1.S
./sysdeps/x86_64/wcsrchr.S
./sysdeps/x86_64/dl-trampoline.S
./sysdeps/x86_64/mempcpy.S

## 21-35-06.907-3752235_+gp.log
$ gp
Enumerating objects: 5, done.
Counting objects:  20% (1/5)
Counting objects:  40% (2/5)
Counting objects:  60% (3/5)
Counting objects:  80% (4/5)
Counting objects: 100% (5/5)
Counting objects: 100% (5/5), done.
Delta compression using up to 32 threads
Compressing objects:  33% (1/3)

## 21-17-30.620-2883193_+benchmark.sh.log
$ ./benchmark.sh
delete: s3://bucket1/many/1
delete: s3://bucket1/many/10
delete: s3://bucket1/many/100
delete: s3://bucket1/many/1000
delete: s3://bucket1/many/101
delete: s3://bucket1/many/103
delete: s3://bucket1/many/102
delete: s3://bucket1/many/104
delete: s3://bucket1/many/105

## 12-19-36.870-3960150_+sudo_docker_build_._--network_ho.log
$ sudo docker build . --network=host -f ./debian-Dockerfile
[+] Building 0.0s (0/1)                                                                                                                                                     docker:default
[+] Building 0.2s (2/3)                                                                                                                                                     docker:default
 => [internal] load .dockerignore                                                                                                                                                     0.0s
 => => transferring context: 99B                                                                                                                                                      0.0s
 => [internal] load build definition from debian-Dockerfile                                                                                                                           0.0s
 => => transferring dockerfil

## gist:8c5070d287af70a62e5652f1a0d2eef6
Microsoft (R) COFF/PE Dumper Version 14.37.32824.0
Copyright (C) Microsoft Corporation.  All rights reserved.


Dump of file hello-win.exe

PE signature found

File Type: EXECUTABLE IMAGE

## 00-12-01.102-847748_+run.sh.log
$ ./run.sh
+ gcc -o ./make_core ./make_core.c
+ sudo bash -c 'echo core.%t > /proc/sys/kernel/core_pattern'
+ echo 0
+ sudo tee /proc/sys/kernel/randomize_va_space
0

+ ulimit -c unlimited
+ ./make_core
555555554000-555555555000 r--p 00000000 103:01 43157706                  /home/akira/ghq/github.com/akawashiro/misc/core/make_core

## 12-39-58.063-55105_+readelf_-l_libadd_injected.so.log
$ readelf -l libadd_injected.so

Elf file type is DYN (Shared object file)
Entry point 0x0
There are 12 program headers, starting at offset 64

Program Headers:
  Type           Offset             VirtAddr           PhysAddr
                 FileSiz            MemSiz              Flags  Align
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000

## sudo strace mknod
> sudo strace mknod /dev/myDevice c 63 1
execve("/usr/bin/mknod", ["mknod", "/dev/myDevice", "c", "63", "1"], 0x7ffd1d54fda0 /* 26 vars */) = 0
brk(NULL)                               = 0x5563dcfdb000
arch_prctl(0x3001 /* ARCH_??? */, 0x7fff75484820) = -1 EINVAL (Invalid argument)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f072f759000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=152575, ...}, AT_EMPTY_PATH) = 0
mmap(NULL, 152575, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f072f733000
close(3)                                = 0
	$ python3 recover_pass.py
	<SimulationManager with 1 active>
	Traceback (most recent call last):
	File "/home/akira/tmp/hoge/recover_pass.py", line 28, in <module>
	sm.explore(find=TARGET_ADDR, avoid=FAIL_ADDR, n=1)
	File "/home/akira/tmp/hoge/myenv/lib/python3.10/site-packages/angr/sim_manager.py", line 330, in explore
	self.run(stash=stash, n=n, **kwargs)
	File "/home/akira/tmp/hoge/myenv/lib/python3.10/site-packages/angr/sim_manager.py", line 360, in run
	self.step(stash=stash, **kwargs)
	File "/home/akira/tmp/hoge/myenv/lib/python3.10/site-packages/angr/misc/hookset.py", line 96, in __call__
	#!/usr/bin/env python2
	import socket
	import struct
	import subprocess

	HOST,PORT = "136.243.194.45", 1024

	def ru(a, n=4096):
	d = ""
	while not d.endswith(a):
	$ find . \| grep x86_64 \| grep S$
	./sysdeps/x86_64/rshift.S
	./sysdeps/x86_64/add_n.S
	./sysdeps/x86_64/__longjmp.S
	./sysdeps/x86_64/stpcpy.S
	./sysdeps/x86_64/dl-tlsdesc.S
	./sysdeps/x86_64/submul_1.S
	./sysdeps/x86_64/wcsrchr.S
	./sysdeps/x86_64/dl-trampoline.S
	./sysdeps/x86_64/mempcpy.S
	$ gp
	Enumerating objects: 5, done.
	Counting objects: 20% (1/5)
	Counting objects: 40% (2/5)
	Counting objects: 60% (3/5)
	Counting objects: 80% (4/5)
	Counting objects: 100% (5/5)
	Counting objects: 100% (5/5), done.
	Delta compression using up to 32 threads
	Compressing objects: 33% (1/3)
	$ ./benchmark.sh
	delete: s3://bucket1/many/1
	delete: s3://bucket1/many/10
	delete: s3://bucket1/many/100
	delete: s3://bucket1/many/1000
	delete: s3://bucket1/many/101
	delete: s3://bucket1/many/103
	delete: s3://bucket1/many/102
	delete: s3://bucket1/many/104
	delete: s3://bucket1/many/105
	$ sudo docker build . --network=host -f ./debian-Dockerfile
	[+] Building 0.0s (0/1) docker:default
	[+] Building 0.2s (2/3) docker:default
	=> [internal] load .dockerignore 0.0s
	=> => transferring context: 99B 0.0s
	=> [internal] load build definition from debian-Dockerfile 0.0s
	=> => transferring dockerfil
	Microsoft (R) COFF/PE Dumper Version 14.37.32824.0
	Copyright (C) Microsoft Corporation. All rights reserved.


	Dump of file hello-win.exe

	PE signature found

	File Type: EXECUTABLE IMAGE
	$ ./run.sh
	+ gcc -o ./make_core ./make_core.c
	+ sudo bash -c 'echo core.%t > /proc/sys/kernel/core_pattern'
	+ echo 0
	+ sudo tee /proc/sys/kernel/randomize_va_space
	0

	+ ulimit -c unlimited
	+ ./make_core
	555555554000-555555555000 r--p 00000000 103:01 43157706 /home/akira/ghq/github.com/akawashiro/misc/core/make_core
	$ readelf -l libadd_injected.so

	Elf file type is DYN (Shared object file)
	Entry point 0x0
	There are 12 program headers, starting at offset 64

	Program Headers:
	Type Offset VirtAddr PhysAddr
	FileSiz MemSiz Flags Align
	LOAD 0x0000000000000000 0x0000000000000000 0x0000000000000000
	> sudo strace mknod /dev/myDevice c 63 1
	execve("/usr/bin/mknod", ["mknod", "/dev/myDevice", "c", "63", "1"], 0x7ffd1d54fda0 /* 26 vars */) = 0
	brk(NULL) = 0x5563dcfdb000
	arch_prctl(0x3001 /* ARCH_??? */, 0x7fff75484820) = -1 EINVAL (Invalid argument)
	mmap(NULL, 8192, PROT_READ\|PROT_WRITE, MAP_PRIVATE\|MAP_ANONYMOUS, -1, 0) = 0x7f072f759000
	access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
	openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY\|O_CLOEXEC) = 3
	newfstatat(3, "", {st_mode=S_IFREG\|0644, st_size=152575, ...}, AT_EMPTY_PATH) = 0
	mmap(NULL, 152575, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f072f733000
	close(3) = 0