p-e-w / maybe

:open_file_folder: :rabbit2: :tophat: See what a program does before deciding whether you really want it to happen (NO LONGER MAINTAINED)

easy to bypass in linux 64 bit #35

Open hc0d3r opened 8 years ago

hc0d3r commented 8 years ago

Using int 0x80 in an ELF-64 binary, it's easy to bypass. Example:

test.asm

```nasm
section .rodata
    x db '/tmp/abcd', 0x0       ; NUL-terminated path to create

section .text                   ; code must live in .text, not .rodata
    global _start
_start:
    mov eax, 5                  ; 32-bit syscall 5 = open (int 0x80 uses the i386 table)
    mov ebx, x                  ; arg0: pathname
    mov ecx, 64                 ; arg1: flags = O_CREAT
    mov edx, 0o644              ; arg2: mode, octal (plain 0644 is decimal 644 in NASM)
    int 0x80

    xor eax, eax
    inc eax                     ; 32-bit syscall 1 = exit
    int 0x80
```

```console
$ nasm -f elf64 test.asm
$ ld -o test test.o
$ rm -f abcd
$ [ -e "abcd" ] && echo file found
$ maybe ./test
maybe has not detected any file system operations from ./test.
$ [ -e "abcd" ] && echo file found
file found
```
Potherca commented 8 years ago

Do you have a suggestion for a fix?

p-e-w commented 7 years ago

That's odd indeed... I was under the impression that syscall was just an alias for int 0x80. If that technique worked in general, all ptrace sandboxes would be ineffective, so the fault must lie either with maybe or with python-ptrace.
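The decode step a ptrace-based sandbox has to get right, as an added example that is not part of maybe or python-ptrace: `syscall` and `int 0x80` are different kernel entry paths, and the number in `orig_rax` must be looked up in the table of the ABI that was actually used, which the tracer can tell from the two instruction bytes before `rip` and from `cs`. The syscall numbers below are the real Linux ones; the register snapshot is constructed to match the `int 0x80` open() in test.asm above, and the address in `rbx` is a made-up placeholder.

```python
from dataclasses import dataclass

# Excerpts of the two Linux x86 syscall tables (the numbers are the real ones).
X86_64_TABLE = {2: "open", 5: "fstat", 60: "exit", 257: "openat"}
I386_TABLE = {1: "exit", 5: "open", 8: "creat", 10: "unlink", 295: "openat"}
O_CREAT = 0o100  # same flag value on both ABIs

@dataclass
class SyscallStop:
    """What a tracer sees at a syscall-enter stop: registers plus the trapping instruction."""
    regs: dict    # user_regs_struct fields of interest
    entry: bytes  # the two bytes just before rip (both syscall and int 0x80 are 2 bytes)

def abi_of(stop: SyscallStop) -> str:
    """Pick the syscall table from how the kernel was entered, not from the ELF class."""
    if stop.regs["cs"] == 0x23:        # 32-bit code segment: i386 ABI whatever the opcode
        return "i386"
    if stop.entry == b"\x0f\x05":      # syscall instruction
        return "x86_64"
    if stop.entry == b"\xcd\x80":      # int 0x80 issued from 64-bit code: still the i386 table
        return "i386"
    raise ValueError(f"unrecognised syscall entry {stop.entry!r}")

def decode(stop: SyscallStop, abi_aware: bool = True):
    """Return (abi, name, args). abi_aware=False mimics a tracer that assumes x86_64."""
    abi = abi_of(stop) if abi_aware else "x86_64"
    r = stop.regs
    if abi == "i386":
        name = I386_TABLE.get(r["orig_rax"], f"i386_{r['orig_rax']}")
        args = (r["rbx"], r["rcx"], r["rdx"])   # i386 passes args in ebx, ecx, edx
    else:
        name = X86_64_TABLE.get(r["orig_rax"], f"x86_64_{r['orig_rax']}")
        args = (r["rdi"], r["rsi"], r["rdx"])   # x86_64 passes args in rdi, rsi, rdx
    return abi, name, args

def creates_file(stop: SyscallStop, abi_aware: bool = True) -> bool:
    """True if this stop is a call that can create a file, i.e. one a sandbox must not miss."""
    _, name, args = decode(stop, abi_aware)
    if name == "creat":
        return True
    if name == "open":
        return bool(args[1] & O_CREAT)
    if name == "openat":
        return bool(args[2] & O_CREAT)
    return False

# Constructed snapshot of the int 0x80 open() in test.asm: eax=5, ebx=&path (placeholder
# address), ecx=64 (O_CREAT), edx=0o644; rdi and rsi were never written by the program.
ISSUE_STOP = SyscallStop(
    regs={"cs": 0x33, "orig_rax": 5, "rbx": 0x402000, "rcx": 64, "rdx": 0o644,
          "rdi": 0, "rsi": 0},
    entry=b"\xcd\x80",
)
```

Read against the x86_64 table, number 5 is fstat with arguments taken from the wrong registers, so the open(O_CREAT) is invisible; read against the i386 table it is the file creation the sandbox should report.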