Skip to content

Instantly share code, notes, and snippets.

@moratorium08

moratorium08/Dockerfile

Last active December 1, 2018 15:20
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save moratorium08/cb5a3de6d8249c512fb26b433955d3fc to your computer and use it in GitHub Desktop.
Save moratorium08/cb5a3de6d8249c512fb26b433955d3fc to your computer and use it in GitHub Desktop.
Download ZIP
Ideal
Raw
Dockerfile
FROM ubuntu:16.04
RUN apt-get update && apt-get -y upgrade
RUN apt-get install -y socat git ocaml-nox python2.7 make libc6-i386
RUN groupadd -r user && useradd -r -g user user
RUN git clone https://github.com/esumii/min-caml /home/user/min-caml
WORKDIR /home/user/min-caml
RUN /home/user/min-caml/to_x86
COPY ./flag /home/user/min-caml/flag
RUN chmod 444 /home/user/min-caml/flag
RUN chmod 444 /home/user/min-caml/libmincaml.S
RUN chmod 444 /home/user/min-caml/stub.c
COPY ./ideal.patch /home/user/min-caml/ideal.patch
RUN patch -p1 --ignore-whitespace < ideal.patch
RUN make bc
COPY ./executor.py /home/user/min-caml
RUN chmod 555 ./executor.py
RUN chmod 555 ./min-caml
USER user
EXPOSE 31000
CMD ["socat","-T","60","TCP-LISTEN:31000,fork,reuseaddr", "EXEC:stdbuf -i0 -o0 -e0 /home/user/min-caml/executor.py"]
Raw
executor.py
#!/usr/bin/env python2.7
from __future__ import print_function
import sys
import os
import binascii
cmpl = 'gcc -pie -fPIE -nostdlib -m32 -z noexecstack %s.s libmincaml.S stub.c -o %s'
def gen_filename():
tmp = '/tmp/'
return tmp + binascii.hexlify(os.urandom(16))
def main():
print('input your source code size: ', end='')
size = int(input())
if size > 3000:
print('too big')
return
if size <= 0:
print('invalid size')
return
print('ok. next input your source code ')
code = sys.stdin.read(size)
sys.stderr.write(code)
filename = gen_filename()
print('your source code name: %s' % filename)
with open(filename + '.ml', 'w') as f:
f.write(code)
# os.close(2)
commands = [
'./min-caml ' + filename,
cmpl % (filename, filename),
filename,
]
for command in commands:
print('executing: %s' % command)
ret = os.system(command)
if ret != 0:
break
commands = [
'rm ' + filename + '.ml',
'rm ' + filename + '.s',
'rm ' + filename,
]
for command in commands:
ret = os.system(command)
main()
Raw
ideal.patch
diff --git a/parser.mly b/parser.mly
index 055a982..23dca40 100644
--- a/parser.mly
+++ b/parser.mly
@@ -129,8 +129,10 @@ exp: /* (*
{ Tuple($1) }
| LET LPAREN pat RPAREN EQUAL exp IN exp
{ LetTuple($3, $6, $8) }
+/* Goodbye
| simple_exp DOT LPAREN exp RPAREN LESS_MINUS exp
{ Put($1, $4, $7) }
+*/
| exp SEMICOLON exp
{ Let((Id.gentmp Type.Unit, Type.Unit), $1, $3) }
| ARRAY_CREATE simple_exp simple_exp
diff --git a/stub.c b/stub.c
index 1fbc8dd..b0931d8 100644
--- a/stub.c
+++ b/stub.c
@@ -1,25 +1,13 @@
-#include <stdio.h>
-#include <stdlib.h>
-
extern void min_caml_start(char *, char *);
+long min_caml_hp = 0;
+char data[4000000];
-/* "stderr" is a macro and cannot be referred to in libmincaml.S, so
- this "min_caml_stderr" is used (in place of "__iob+32") for better
- portability (under SPARC emulators, for example). Thanks to Steven
- Shaw for reporting the problem and proposing this solution. */
-FILE *min_caml_stderr;
-
-int main() {
+void _start() {
char *hp, *sp;
-
- min_caml_stderr = stderr;
- sp = alloca(1000000); hp = malloc(4000000);
- if (hp == NULL || sp == NULL) {
- fprintf(stderr, "malloc or alloca failed\n");
- return 1;
- }
- fprintf(stderr, "sp = %p, hp = %p\n", sp, hp);
+ int x;
+ hp = data;
+ sp = &x;
min_caml_start(sp, hp);
-
- return 0;
+ *((int *)0) = 1; // exit
}
+
diff --git a/x86/libmincaml.S b/x86/libmincaml.S
index 4610d0e..2b29b43 100644
--- a/x86/libmincaml.S
+++ b/x86/libmincaml.S
@@ -14,102 +14,6 @@
#define ALIGNSTACK2
#define ALIGNSTACK3
#endif
-.text
-.globl min_caml_print_newline
-min_caml_print_newline:
- pushl %ebp
- movl %esp, %ebp
- ALIGNSTACK1
- pushl $10
- call U(putchar)
- movl %ebp, %esp
- popl %ebp
- ret
-.globl min_caml_print_int
-min_caml_print_int:
- pushl %ebp
- movl %esp, %ebp
- ALIGNSTACK2
- pushl %eax
- pushl $format_int
- call U(printf)
- movl %ebp, %esp
- popl %ebp
- ret
-.globl min_caml_print_byte
-min_caml_print_byte:
- pushl %ebp
- movl %esp, %ebp
- ALIGNSTACK1
- pushl %eax
- call U(putchar)
- movl %ebp, %esp
- popl %ebp
- ret
-.globl min_caml_prerr_int
-min_caml_prerr_int:
- pushl %ebp
- movl %esp, %ebp
- ALIGNSTACK3
- pushl %eax
- pushl $format_int
- pushl U(min_caml_stderr)
- call U(fprintf)
- movl %ebp, %esp
- popl %ebp
- ret
-.globl min_caml_prerr_byte
-min_caml_prerr_byte:
- pushl %ebp
- movl %esp, %ebp
- ALIGNSTACK2
- pushl U(min_caml_stderr)
- pushl %eax
- call U(fputc)
- movl %ebp, %esp
- popl %ebp
- ret
-.globl min_caml_prerr_float
-min_caml_prerr_float:
- pushl %ebp
- movl %esp, %ebp
- ALIGNSTACK0
- subl $8, %esp
- movsd %xmm0, (%esp)
- pushl $format_float
- pushl U(min_caml_stderr)
- call U(fprintf)
- movl %ebp, %esp
- popl %ebp
- ret
-.globl min_caml_read_int
-min_caml_read_int:
- pushl %ebp
- movl %esp, %ebp
- ALIGNSTACK3
- subl $4, %esp
- leal -4(%ebp), %eax
- pushl %eax
- pushl $format_int
- call U(scanf)
- movl -4(%ebp), %eax
- movl %ebp, %esp
- popl %ebp
- ret
-.globl min_caml_read_float
-min_caml_read_float:
- pushl %ebp
- movl %esp, %ebp
- ALIGNSTACK0
- subl $8, %esp
- leal -8(%ebp), %eax
- pushl %eax
- pushl $format_float
- call U(scanf)
- movsd -8(%ebp), %xmm0
- movl %ebp, %esp
- popl %ebp
- ret
.globl min_caml_create_array
min_caml_create_array:
pushl %ebp
@@ -158,36 +62,6 @@ create_float_array_cont:
decl %ecx
movsd %xmm0, (%eax,%ecx,8)
jmp create_float_array_loop
-.globl min_caml_abs_float
-min_caml_abs_float:
- pushl %ebp
- movl %esp, %ebp
- ALIGNSTACK2
- subl $8, %esp
- movsd %xmm0, (%esp)
- call U(fabs)
- fstpl (%esp)
- movsd (%esp), %xmm0
- movl %ebp, %esp
- popl %ebp
- ret
-.globl min_caml_sqrt
-min_caml_sqrt:
- sqrtsd %xmm0, %xmm0
- ret
-.globl min_caml_floor
-min_caml_floor:
- pushl %ebp
- movl %esp, %ebp
- ALIGNSTACK2
- subl $8, %esp
- movsd %xmm0, (%esp)
- call U(floor)
- fstpl (%esp)
- movsd (%esp), %xmm0
- movl %ebp, %esp
- popl %ebp
- ret
.globl min_caml_int_of_float
min_caml_int_of_float:
.globl min_caml_truncate
@@ -198,64 +72,3 @@ min_caml_truncate:
min_caml_float_of_int:
cvtsi2sd %eax, %xmm0
ret
-.globl min_caml_cos
-min_caml_cos:
- pushl %ebp
- movl %esp, %ebp
- ALIGNSTACK2
- subl $8, %esp
- movsd %xmm0, (%esp)
- call U(cos)
- fstpl (%esp)
- movsd (%esp), %xmm0
- movl %ebp, %esp
- popl %ebp
- ret
-.globl min_caml_sin
-min_caml_sin:
- pushl %ebp
- movl %esp, %ebp
- ALIGNSTACK2
- subl $8, %esp
- movsd %xmm0, (%esp)
- call U(sin)
- fstpl (%esp)
- movsd (%esp), %xmm0
- movl %ebp, %esp
- popl %ebp
- ret
-.globl min_caml_atan
-min_caml_atan:
- pushl %ebp
- movl %esp, %ebp
- ALIGNSTACK2
- subl $8, %esp
- movsd %xmm0, (%esp)
- call U(atan)
- fstpl (%esp)
- movsd (%esp), %xmm0
- movl %ebp, %esp
- popl %ebp
- ret
-.data
-format_int:
- .asciz "%d"
-format_float:
- .asciz "%lf"
-.balign 8
-float_0:
- .long 0x0
- .long 0x0
-float_1:
- .long 0x0
- .long 0x3ff00000
-.balign 16
-.globl min_caml_fnegd
-min_caml_fnegd:
- .long 0
- .long 0x80000000
- .long 0
- .long 0
-.globl min_caml_hp
-min_caml_hp:
- .long 0x0
Raw
Problem Statement
# Ideal
## Statement
副作用も、libcもいなくなったとき残るのは、型安全で純粋な素晴らしい世界のはずだった......
```
nc external.pwn.ctf-day3.tsg.ne.jp 31000
```
接続すると、min-camlのプログラムをサーバーに提出でき、サーバーはmin-camlコンパイラでコンパイルして実行をしてくれます。シェルを取れるようなプログラムを提出してフラグを得てください。ただし、min-camlコンパイラには問題を成立させるための以下に示すパッチが入っています。
## パッチの概要
* glibcを呼び出すような関数をlibmincaml.Sから削除
* stub.cをglibcを用いないように書き換え
* Arrayの代入構文を削除
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment