view paste/paste.16022 @ 169:cc236fe22acf
<elliott> pastelogs weboflies
author: HackBot
date: Wed, 04 Apr 2012 03:25:39 +0000
2011-11-03.txt:19:57:23: <ais523\unfoog> Vorpal: weboflies
2011-11-03.txt:20:05:45: <Vorpal> ais523\unfoog, how much of a FPS drop do you get from weboflies typically with opengl stuff?
2011-11-03.txt:20:06:16: <ais523\unfoog> the joyous thing is, that weboflies only has a performance penalty on syscalls
2011-11-03.txt:20:25:25: <ais523\unfoog> gcc -o weboflies -O2 -g --std=gnu99 -Wall -Wextra -Wno-missing-field-initializers -Wno-missing-braces weboflies.c ktt.c -lrt -lpng
2011-11-03.txt:20:26:40: <ais523\unfoog> weboflies has a command line
2011-11-03.txt:20:28:56: <elliott> weboflies.c:1910:70: error: ‘struct user_regs_struct’ has no member named ‘ebx’
2011-11-03.txt:20:28:56: <elliott> weboflies.c:1913:70: error: ‘struct user_regs_struct’ has no member named ‘ebx’
2011-11-03.txt:20:28:56: <elliott> weboflies.c:1928:21: error: ‘struct user_regs_struct’ has no member named ‘ecx’
2011-11-03.txt:20:28:56: <elliott> weboflies.c:1931:22: error: ‘struct user_regs_struct’ has no member named ‘esi’
2011-11-03.txt:20:28:56: <elliott> weboflies.c:1932:44: error: ‘struct user_regs_struct’ has no member named ‘esi’
2011-11-03.txt:20:28:56: <elliott> weboflies.c:1934:22: error: ‘struct user_regs_struct’ has no member named ‘orig_eax’
2011-11-03.txt:20:28:58: <elliott> weboflies.c:1940:22: error: ‘struct user_regs_struct’ has no member named ‘esi’
2011-11-03.txt:20:29:00: <elliott> weboflies.c:1944:70: error: ‘struct user_regs_struct’ has no member named ‘esi’
2011-11-03.txt:20:29:02: <elliott> weboflies.c:1950:20: error: ‘struct user_regs_struct’ has no member named ‘esi’
2011-11-03.txt:20:29:04: <elliott> weboflies.c:1978:16: error: ‘struct user_regs_struct’ has no member named ‘orig_eax’
2011-11-03.txt:20:29:06: <elliott> weboflies.c:2002:20: error: ‘struct user_regs_struct’ has no member named ‘orig_eax’
2011-11-03.txt:20:32:40: <ais523\unfoog> this is how weboflies has genuinely caused filesystem leaks in the past
2011-11-03.txt:20:33:48: <ais523\unfoog> but weboflies' processes are often quite hard to get rid of
2011-11-03.txt:20:56:55: <ais523\unfoog> the weboflies core, which I'm writing at the moment, would need to be connected to some sort of interface to actually read it
2011-11-03.txt:22:03:49: <elliott> [elliott@dinky weboflies]$ find .
2011-11-03.txt:22:03:49: <elliott> ./weboflies.c
2011-11-03.txt:22:04:09: <Vorpal> ./weboflies.c
2011-11-03.txt:22:04:10: <Vorpal> ./weboflies
2011-11-03.txt:22:30:15: <elliott> [elliott@dinky ~]$ ldd ~/Code/weboflies/build.sh
2011-11-03.txt:22:30:39: <elliott> [elliott@dinky ~]$ ldd ~/Code/weboflies/build.sh
2011-11-03.txt:22:30:39: <elliott> ldd: warning: you do not have execution permission for `/home/elliott/Code/weboflies/build.sh'
2011-11-04.txt:03:55:25: <elliott> [elliott@dinky weboflies]$ sudo ./weboflies ls
2011-11-04.txt:03:55:25: <elliott> = WARNING: mount("/home/ais523/weboflies/nethack/nethack", "/tmp/var/games/nethack", 0, MS_BIND, 0): No such file or directory
2011-11-04.txt:03:57:54: <elliott> ewarn(mount("/home/ais523/weboflies/nethack/nethack", "/tmp/var/games/nethack", 0, MS_BIND, 0));
2011-11-04.txt:03:59:10: <elliott> [elliott@dinky weboflies]$ sudo ./weboflies ls
2011-11-04.txt:09:48:01: <elliott> note: it was "sudo ./weboflies true"; true is 64-bit, but I tried it on Web of Lies itself and it still failed, so I suspect it's a generic problem
2011-11-04.txt:09:48:13: <elliott> weboflies isn't suid :)
2011-11-04.txt:09:57:39: <elliott> ais523: I could run weboflies under gd... what am I saying, of course I can't
2011-11-04.txt:09:58:18: <elliott> [elliott@dinky weboflies]$ sudo gdb ./weboflies
2011-11-04.txt:10:02:29: <elliott_> i killed the gdb'd weboflies
2011-11-04.txt:10:03:25: <ais523> this is weboflies!
2011-11-04.txt:10:03:51: <ais523> (note that a kill -9 on weboflies itself is nearly always a bad idea)
2011-11-04.txt:10:05:30: <elliott_> [elliott@dinky weboflies]$ sudo ./weboflies true
2011-11-04.txt:10:05:34: <elliott_> 781 pts/0 00:00:00 weboflies
2011-11-04.txt:10:05:34: <elliott_> 782 pts/1 00:00:00 weboflies
2011-11-04.txt:10:05:35: <elliott_> 783 pts/1 00:00:00 weboflies
2011-11-04.txt:10:05:46: <elliott_> [elliott@dinky weboflies]$ ls -l /proc | grep 783
2011-11-04.txt:10:06:04: <elliott_> [elliott@dinky weboflies]$ ls -l /proc/783/fd
2011-11-04.txt:10:06:09: <elliott_> [elliott@dinky weboflies]$ ls -ld /proc/783/fd
2011-11-04.txt:10:07:35: <elliott_> [elliott@dinky weboflies]$ ls -ld /proc/781{,/fd}
2011-11-04.txt:10:07:35: <elliott_> [elliott@dinky weboflies]$ ls -ld /proc/782{,/fd}
2011-11-04.txt:10:08:19: <elliott_> [elliott@dinky weboflies]$ ls /proc/self/fd
2011-11-04.txt:10:08:27: <elliott_> [elliott@dinky weboflies]$ ls -ld /proc/self{,/fd}
2011-11-04.txt:10:08:50: <elliott_> [elliott@dinky weboflies]$ ls -ldH /proc/self{,/fd}
2011-11-04.txt:10:12:55: <elliott_> I was thinking weboflies could chown its /proc/blah/fd before dropping perms :)
2011-11-04.txt:10:17:06: <elliott_> [elliott@dinky weboflies]$ /bin/true --help
2011-11-04.txt:10:18:58: <elliott_> ais523: any ideas wrt weboflies?
2011-11-04.txt:19:34:17: <ais523> (that's for the syscall getdents; you're not supposed to use it directly, rather using a wrapper, but you can do a few things with it that you can't via the wrapper, such as listing amazingly large directories, and ofc weboflies is at the receiving end of syscalls so it has to understand getdents, not the libc equivalents)
2011-11-04.txt:19:38:11: <elliott_> gcc -o weboflies -m32 -O2 -g --std=gnu99 -Wall -Wextra -Wno-missing-field-initializers -Wno-missing-braces weboflies.c ktt.c -lrt -lpng
2011-11-04.txt:19:48:37: <ais523> I think it's only just new enough to run weboflies, which requires something along the lines of 2.6.30
2011-11-04.txt:19:54:41: <ais523> actually, I think weboflies does connect to a pty
2011-11-05.txt:18:18:37: <ais523> basically, there are three processes: weboflies, fakeinit, process under test
2011-11-05.txt:18:18:50: <ais523> weboflies forks fakeinit as root; fakeinit forks the process after dropping perms, so as nonroot
2011-11-05.txt:18:19:36: <ais523> and weboflies then can't read the process under test's perms on any computers but mine
2011-11-05.txt:18:48:32: <elliott> [elliott@dinky weboflies]$ ls -lhd /proc/7583{,/fd}
2011-11-05.txt:18:48:32: <elliott> [elliott@dinky weboflies]$ ls -lhd /proc/7584{,/fd}
2011-11-05.txt:18:50:35: <ais523> CLONE_PTRACE basically means "debugged-ness propagates over the clone"; weboflies injects it into other process's clone calls
2011-11-05.txt:18:54:29: <elliott> [elliott@dinky weboflies]$ ls -lhd /proc/7739{,/fd}
2011-11-05.txt:18:54:29: <elliott> [elliott@dinky weboflies]$ ls -lhd /proc/7740{,/fd}
2011-11-05.txt:18:54:54: <ais523> elliott: OK, so now we have to figure out what weboflies is doing differently
2011-11-05.txt:18:57:00: <elliott> ais523: am i meant to be reading weboflies.c here, or are you? :-)
2011-11-05.txt:18:58:37: <Phantom_Hoover> What does weboflies do?
2011-11-05.txt:19:40:44: <elliott> ais523: any ideas about weboflies?
2011-11-05.txt:19:46:35: <ais523> such a pity that weboflies repels debuggers
2011-11-05.txt:20:00:17: <elliott> [elliott@dinky Temp]$ qemu-img create weboflies.qemu2 4G
2011-11-05.txt:20:00:17: <elliott> Formatting 'weboflies.qemu2', fmt=raw size=4294967296
2011-11-05.txt:20:00:17: <elliott> -rw-r--r-- 1 elliott users 4.0G Nov 5 19:59 weboflies.qemu2
2011-11-05.txt:20:00:36: <elliott> [elliott@dinky Temp]$ qemu-img create -f qcow2 weboflies.qcow2 4G
2011-11-05.txt:20:00:36: <elliott> Formatting 'weboflies.qcow2', fmt=qcow2 size=4294967296 encryption=off cluster_size=65536
2011-11-05.txt:20:00:36: <elliott> [elliott@dinky Temp]$ ls -lh weboflies.qcow2
2011-11-05.txt:20:00:36: <elliott> -rw-r--r-- 1 elliott users 193K Nov 5 19:59 weboflies.qcow2
2011-11-05.txt:20:00:54: <ais523> for some weboflies test, I was using a sparse ext4
2011-11-05.txt:21:42:05: <elliott> [elliott@dinky Temp]$ qemu -m 1024 -hda weboflies.qcow2 -cdrom ~/Downloads/archlinux-2011.08.19-netinstall-i686.iso -boot c
2011-11-05.txt:22:59:04: <elliott> ais523: weboflies would work in Xen, right?
2011-11-05.txt:23:02:20: <elliott> ais523: [elliott@dinky Temp]$ qemu -m 1024 -hda weboflies.qcow2man -net nic -net user,hostfwd=tcp::2222:22
2011-11-05.txt:23:46:03: <ais523> elliott: well, weboflies works just /fine/ inside the VM
2011-11-05.txt:23:49:02: <ais523> hmm, I just tried running weboflies on su, to see what would happen
2011-11-05.txt:23:53:33: <ais523> and this is running 32-bit su, as weboflies only runs 32-bit programs
2011-11-05.txt:23:54:21: <ais523> elliott: anyway, if you want to run weboflies, now you have a VM it works in ;)
2011-11-05.txt:23:58:10: <elliott> ais523: I did (weboflies)
2011-11-14.txt:22:29:52: <elliott> ais523: hmm, weboflies-related question: can you use a new filesystem namespace as a chroot?
2011-11-14.txt:22:30:52: <ais523> but I've never dared call it from inside weboflies, because I'm not quite that crazy
2011-12-15.txt:19:45:13: <elliott> ais523: but how will you calculate weboflies' eigenratio?
2011-12-15.txt:19:49:47: <ais523> elliott: heh, I have to keep remembering to check EFAULT in weboflies
2011-12-15.txt:19:55:04: <elliott> Vorpal: /proc/<pid>/fd failed to stop being owned by root on weboflies' complicated permissions drop
2012-01-08.txt:14:52:28: <elliott> Yes, so does weboflies.
2012-03-04.txt:19:22:45: <ais523> should be secure against non-malicious accidents; it just increases the attack surface somewhat for people trying to exploit suid weboflies, or whatever, and who'd be mad enough to suid it?
2012-03-04.txt:19:26:42: <ais523> suiding weboflies?
2012-03-04.txt:19:41:04: <ais523> that's exactly what I was doing with the fake framebuffer in weboflies anyway
2012-03-04.txt:19:47:47: <elliott> anyway, I don't see why weboflies couldn't just pretend to the running program that it's root
2012-03-04.txt:19:49:55: <ais523> $ sudo ./weboflies ls /dev/input
2012-03-04.txt:19:51:02: <ais523> $ sudo ./weboflies Xvfb :1
2012-03-04.txt:19:55:32: <ais523> elliott: that's what weboflies does do on unknown syscalls
2012-03-04.txt:19:56:26: <elliott> <ais523> elliott: that's what weboflies does do on unknown syscalls
2012-03-04.txt:20:06:44: <ais523> ais523@desert:~/weboflies$ ln -s Xvfb_screen0 /tmp/Xvfb_screen0.xwd
2012-03-04.txt:20:06:45: <ais523> ais523@desert:~/weboflies$ convert /tmp/Xvfb_screen0.xwd /tmp/t.png
2012-03-04.txt:20:06:47: <ais523> ais523@desert:~/weboflies$ eog /tmp/t.png
2012-03-04.txt:20:06:57: <ais523> so Xvfb is definitely working outside weboflies
2012-03-05.txt:15:05:03: <ais523> I was trying to figure out htf a process inside weboflies could detect X outside it, apparently that was how
2012-03-05.txt:15:06:39: <ais523> do weboflies nc localhost 9999, and you get an error message back that it couldn't determine the IP address that localhost referred to
2012-03-05.txt:15:06:50: <ais523> because there isn't an /etc/hosts inside weboflies, and it has no other sort of DNS
2012-03-05.txt:15:34:51: <ais523> other anyway: I'm annoyed that X seems to segfault inside weboflies but not outside (both Xorg and Xvfb, which appear to be doing the same thing when they segfault)
2012-03-05.txt:15:35:13: <ais523> then all I'll have to do is get core dumps working inside weboflies…
2012-03-05.txt:16:22:25: <ais523> I can't even figure out why weboflies would make a program segfault
2012-03-05.txt:16:25:21: <Phantom_Hoover> weboflies?
2012-03-05.txt:16:26:18: <ais523> yes, weboflies
2012-03-05.txt:16:26:54: <elliott> Phantom_Hoover: you know weboflies
2012-03-05.txt:16:27:01: <elliott> <ais523> I can't even figure out why weboflies would make a program segfault
2012-03-05.txt:16:27:16: <elliott> ais523: ooh, you should post your weboflies problems on SO, the reactions would be priceless
2012-03-05.txt:16:27:20: <ais523> elliott: you /do/ know what happens if you put gdb and weboflies together, right?
2012-03-05.txt:16:31:19: <ais523> and if weboflies doesn't have a syscall implemented, it forwards it to the actual kernel
2012-03-05.txt:16:37:22: <fizzie> ais523: Anyway, can you get core dumps out of weboflies'd processes? It sounds not impossible for those to be gdb'able, depending on how things go.
2012-03-05.txt:16:43:54: <fizzie> ais523: What was the basic weboflies mechanism, anyway? ptrace with PTRACE_SYSCALL?
2012-03-05.txt:16:44:39: <ais523> btw, weboflies works inside strace (but not strace -f, nor does strace work inside weboflies)
2012-03-05.txt:16:44:46: <ais523> I wonder if /ltrace/ works inside weboflies?
2012-04-04.txt:02:50:00: <elliott> shachaf: That's what weboflies does.
2012-04-04.txt:03:24:39: <elliott> OK, lemme figure out where weboflies.c is.