Seccomp provide powerful tools for seccomp analysis. This project is targeted to (but not limited to) analyze seccomp sandbox in CTF pwn challenges. Some features might be CTF-specific, but still useful for analyzing seccomp in real-case.
Features
- Dump – Automatically dumps seccomp-bpf from execution file(s).
- Disasm – Converts bpf to human readable format.
- Simple decompile.
- Display syscall names and arguments when possible.
- Colorful!
- Asm – Write seccomp rules is so easy!
- Emu – Emulates seccomp rules.
- Supports multi-architectures.
Installation
Available on RubyGems.org!
$ gem install seccomp-tools
If you failed when compiling, try:
sudo apt install gcc ruby-dev
and install seccomp-tools again.
Also Read – SQLMap : Automatic SQL Injection & Database Takeover Tool
Command Line Interface
$ seccomp-tools –help
==>Usage: seccomp-tools [–version] [–help] []
==>List of commands:
# asm Seccomp bpf assembler.
# disasm Disassemble seccomp bpf.
# dump Automatically dump seccomp bpf from execution file(s).
# emu Emulate seccomp rules.
# See ‘seccomp-tools –help’ to read about a specific subcommand.
==>$ seccomp-tools dump –help
# dump – Automatically dump seccomp bpf from execution file(s).
==>Usage: seccomp-tools dump [exec] [options]
# -c, –sh-exec Executes the given command (via sh).
# Use this option if want to pass arguments or do pipe things to the execution file.
# e.g. use -c "./bin > /dev/null" to dump seccomp without being mixed with stdout.
# -f, –format FORMAT Output format. FORMAT can only be one of Default: disasm
# -l, –limit LIMIT Limit the number of calling “prctl(PR_SET_SECCOMP)”.
# The target process will be killed whenever its calling times reaches LIMIT.
# Default: 1
-o, –output FILE Output result into FILE instead of stdout.
# If multiple seccomp syscalls have been invoked (see –limit),
# results will be written to FILE, FILE_1, FILE_2.. etc.
# For example, “–output out.bpf” and the output files are out.bpf, out_1.bpf, …
Dump
Dumps the seccomp bpf from an execution file. This work is done by the ptrace syscall.
NOTICE: beware of the execution file will be executed.
$ file spec/binary/twctf-2016-diary
spec/binary/twctf-2016-diary: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, for GNU/Linux 2.6.24, BuildID[sha1]=3648e29153ac0259a0b7c3e25537a5334f50107f, not stripped
$ seccomp-tools dump spec/binary/twctf-2016-diary
line CODE JT JF K
=================================
0000: 0x20 0x00 0x00 0x00000000 A = sys_number
0001: 0x15 0x00 0x01 0x00000002 if (A != open) goto 0003
0002: 0x06 0x00 0x00 0x00000000 return KILL
0003: 0x15 0x00 0x01 0x00000101 if (A != openat) goto 0005
0004: 0x06 0x00 0x00 0x00000000 return KILL
0005: 0x15 0x00 0x01 0x0000003b if (A != execve) goto 0007
0006: 0x06 0x00 0x00 0x00000000 return KILL
0007: 0x15 0x00 0x01 0x00000038 if (A != clone) goto 0009
0008: 0x06 0x00 0x00 0x00000000 return KILL
0009: 0x15 0x00 0x01 0x00000039 if (A != fork) goto 0011
0010: 0x06 0x00 0x00 0x00000000 return KILL
0011: 0x15 0x00 0x01 0x0000003a if (A != vfork) goto 0013
0012: 0x06 0x00 0x00 0x00000000 return KILL
0013: 0x15 0x00 0x01 0x00000055 if (A != creat) goto 0015
0014: 0x06 0x00 0x00 0x00000000 return KILL
0015: 0x15 0x00 0x01 0x00000142 if (A != execveat) goto 0017
0016: 0x06 0x00 0x00 0x00000000 return KILL
0017: 0x06 0x00 0x00 0x7fff0000 return ALLOW
$ seccomp-tools dump spec/binary/twctf-2016-diary -f inspect
“\x20\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x01\x02\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x01\x01\x01\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x01\x3B\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x01\x38\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x01\x39\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x01\x3A\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x01\x55\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x01\x42\x01\x00\x00\x06\x00\x00\x00\x00\x00\x00\x00\x06\x00\x00\x00\x00\x00\xFF\x7F”
$ seccomp-tools dump spec/binary/twctf-2016-diary -f raw | xxd
00000000: 2000 0000 0000 0000 1500 0001 0200 0000 ……………
00000010: 0600 0000 0000 0000 1500 0001 0101 0000 …………….
00000020: 0600 0000 0000 0000 1500 0001 3b00 0000 …………;…
00000030: 0600 0000 0000 0000 1500 0001 3800 0000 …………8…
00000040: 0600 0000 0000 0000 1500 0001 3900 0000 …………9…
00000050: 0600 0000 0000 0000 1500 0001 3a00 0000 …………:…
00000060: 0600 0000 0000 0000 1500 0001 5500 0000 …………U…
00000070: 0600 0000 0000 0000 1500 0001 4201 0000 …………B…
00000080: 0600 0000 0000 0000 0600 0000 0000 ff7f …………….
Development
I recommend to use rbenv for your Ruby environment.
Setup
- Install bundler
$ gem install bundler
- Clone the source
$ git clone https://github.com/david942j/seccomp-tools && cd seccomp-tools
- Install dependencies
$ bundle install
Run Tests
$ bundle exec rake
Screenshots
Dump
Emu
 analyze seccomp sandbox in CTF pwn challenges){kind=link}