First, I sorted the log file with the snippet shown below to analyze its behaviour.
After that I noticed that it showed a process quick-sorting some characters ('a'-'z' | 'A'-'Z' | '0'-'9' | flag).
```python
#!/usr/bin/env python2
import collections
import re

# Each log line looks like "[INFO]<8 hex digits of address>   <instruction>".
# Duplicate lines (the same instruction executed many times inside the sort
# loop) are dropped with set(), leaving one entry per executed address.
d = {}
with open("./trace_8339a701aae26588966ad9efa0815a0a.log", "rb") as f:
    for line in set(f.readlines()):
        line = line[len('[INFO]'):]
        addr = line[:8]
        code = re.sub(r"^\s+", '', line[8:])
        d[addr] = code

# Sort by address so the trace reads like a linear disassembly.
od = collections.OrderedDict(sorted(d.items(), key=lambda x: x[0]))

disas = ''        # address-annotated listing
asm = ''          # bare instructions, suitable for reassembly
base = 0x400770   # subtracted from every address to get relative offsets
for addr, code in od.iteritems():
    # Rebase any 0x400... absolute address that appears in the operands too.
    rgx = re.search(r'0x(400[0-9a-f]+)', code)
    if rgx:
        left, right = code[:rgx.start(0)], code[rgx.end(0):]
        val = int(rgx.group(), 16) - base
        disas += "0x%08x\t%s0x%08x%s" % (int('0x' + addr, 16) - base, left, val, right)
        asm += "%s0x%08x%s" % (left, val, right)
    else:
        disas += "0x%08x\t%s" % (int('0x' + addr, 16) - base, code)
        asm += "{}".format(code)

with open('trace.disas', 'wb') as f:
    f.write(disas)
with open('trace.s', 'wb') as f:
    f.write(asm)
```
I passed this analysis summary to @nomeaning because I'm not good at PPC, sorry :P
I read its code and understood the following.
- First, it forks; the child does PTRACE_TRACEME and execvp-s "./warmup".
- The parent ptraces the child and audits its syscalls, approving only these:
- open
- exit
- read
- write
- alarm
- mmap
- mprotect
- If the child tries the open syscall, the parent checks which file it is going to open.
- "/home/warmup/flag" (after realpath-ing) is OK; any other path is blocked.
So the child can't access the parent's memory area, and it seems SOOOO SECURE :(
@icchyr found, through trial and error, a case that bypasses the validation on open and got the flag.
Why did we get the flag??
I saw that the mapped area was mprotect-ed as -WX :)
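To make the sandbox described above concrete, here is an added example of the same design written for x86-64 Linux (the real challenge binary is PPC, so register names and the entry/exit stop handling are the x86-64 equivalents). This is not the challenge's code: the syscall allow-list, the "./warmup" target and the "/home/warmup/flag" path are taken from the write-up, while the way a denied syscall is neutralised (rewriting the syscall number to -1 and reporting EPERM on exit) is my own choice, not something the page describes. Note what the filter keys on: exactly the syscall numbers in the list, plus realpath() of the string read out of the tracee at the time of the open entry stop; nothing else is inspected.

```c
// Added example (not the challenge's own code): x86-64 Linux model of the
// ptrace syscall filter described in the write-up. Build: cc -o sandbox sandbox.c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>

#define FLAG_PATH "/home/warmup/flag"   /* the one file the write-up says is permitted */

/* Allow-list from the write-up: open, exit, read, write, alarm, mmap, mprotect.
   Keyed strictly on the syscall number; anything else (openat, exit_group, ...)
   is denied. SYS_open/SYS_alarm are guarded because some ABIs lack them. */
int syscall_allowed(long nr) {
    switch (nr) {
#ifdef SYS_open
    case SYS_open:
#endif
#ifdef SYS_alarm
    case SYS_alarm:
#endif
    case SYS_exit: case SYS_read: case SYS_write:
    case SYS_mmap: case SYS_mprotect:
        return 1;
    default:
        return 0;
    }
}

/* Path check: canonicalise with realpath() and compare against the single
   permitted file. Fails closed when realpath() cannot resolve the path. */
int path_allowed(const char *path, const char *allowed) {
    char resolved[PATH_MAX];
    if (realpath(path, resolved) == NULL)
        return 0;
    return strcmp(resolved, allowed) == 0;
}

#ifdef __x86_64__
/* Copy a NUL-terminated string out of the tracee one word at a time. */
static int read_tracee_string(pid_t pid, unsigned long addr, char *out, size_t len) {
    for (size_t i = 0; i + sizeof(long) <= len; i += sizeof(long)) {
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, (void *)(addr + i), NULL);
        if (word == -1 && errno) return -1;
        memcpy(out + i, &word, sizeof(long));
        if (memchr(out + i, '\0', sizeof(long))) return 0;
    }
    out[len - 1] = '\0';   /* overlong path: truncated but still terminated */
    return 0;
}

int main(int argc, char **argv) {
    (void)argc;
    pid_t pid = fork();
    if (pid == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        execvp("./warmup", argv);    /* target name as given in the write-up */
        _exit(127);
    }
    int status;
    waitpid(pid, &status, 0);        /* child stops at exec */
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD);
    int in_syscall = 0;              /* alternates between entry and exit stops */
    int denied = 0;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) == -1) break;
        if (waitpid(pid, &status, 0) == -1 || WIFEXITED(status)) break;
        if (!(WIFSTOPPED(status) && WSTOPSIG(status) == (SIGTRAP | 0x80))) continue;
        struct user_regs_struct regs;
        ptrace(PTRACE_GETREGS, pid, NULL, &regs);
        if (!in_syscall) {           /* syscall-entry stop: audit */
            long nr = (long)regs.orig_rax;
            int ok = syscall_allowed(nr);
#ifdef SYS_open
            if (ok && nr == SYS_open) {
                char path[PATH_MAX];
                ok = read_tracee_string(pid, regs.rdi, path, sizeof path) == 0
                     && path_allowed(path, FLAG_PATH);
            }
#endif
            denied = !ok;
            if (denied) {            /* assumption: -1 makes the kernel skip it */
                regs.orig_rax = (unsigned long long)-1;
                ptrace(PTRACE_SETREGS, pid, NULL, &regs);
            }
        } else if (denied) {         /* syscall-exit stop: report EPERM */
            regs.rax = (unsigned long long)-EPERM;
            ptrace(PTRACE_SETREGS, pid, NULL, &regs);
        }
        in_syscall = !in_syscall;
    }
    return 0;
}
#endif
```

The two checks are split out as plain functions so they can be exercised without a tracee: `syscall_allowed` rejects any number not in the list (openat and exit_group included), and `path_allowed` rejects both unresolvable paths and canonical paths that differ from the allowed one.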