From fcda518504a4bbfebe9af99377e991a38985afc2 Mon Sep 17 00:00:00 2001 From: thomashaw Date: Tue, 6 Jun 2017 14:59:51 +0100 Subject: [PATCH] setuid root binary fixes --- .../manifests/install_setuid_root_binary.pp | 48 +++++++++++++++++-- 1 file changed, 43 insertions(+), 5 deletions(-) diff --git a/modules/build/puppet/secgen_functions/manifests/install_setuid_root_binary.pp b/modules/build/puppet/secgen_functions/manifests/install_setuid_root_binary.pp index a32573001..08581999e 100644 --- a/modules/build/puppet/secgen_functions/manifests/install_setuid_root_binary.pp +++ b/modules/build/puppet/secgen_functions/manifests/install_setuid_root_binary.pp @@ -2,16 +2,45 @@ # -- Modules calling this function must provide a Makefile and any .c files within it's /files directory define secgen_functions::install_setuid_root_binary ( + $challenge_name, # Challenge name, used for the wrapper-directory $source_module_name, # Name of the module that calls this function $gcc_output_binary_name, # Temporary name of the binary output by gcc when when /bin/make runs the Makefile $challenge_binary_name, # Renamed binary on copy to challenge directory, could differ from above - $storage_directory, # Storage directory + $account, # User account (leak here if $storage_directory is not supplied) $flag, # ctf flag string + $storage_dir = [''], # Optional: Storage directory (takes precedent if supplied, e.g. nfs / smb share dir) + $strings_to_leak = [''], # Optional: strings to leak (could contain instructions or a message) ) { + # Use either storage directory or account's home directory. storage_directory takes precedent + if $storage_dir[0] != '' { + $storage_directory = $storage_dir[0] + $leaked_filenames = ["$challenge_name-instructions"] + } elsif $account { + $username = $account['username'] + $storage_directory = "/home/$username" + $leaked_filenames = $account['leaked_filenames'] + + ::accounts::user { $username: + shell => '/bin/bash', + password => pw_hash($account['password'], 'SHA-512', 'mysalt'), + managehome => true, + home_mode => '0755', + } + } else { + err('dc16_amadhj::install: Either storage_directory or account is required') + fail + } + $compile_directory = "$storage_directory/tmp" + $challenge_directory = "$storage_directory/$challenge_name" $modules_source = "puppet:///modules/$source_module_name" + # Create challenge directory + file { $challenge_directory: + ensure => directory, + } + # Move contents of the module's files directory into compile directory file { $compile_directory: ensure => directory, @@ -24,10 +53,11 @@ define secgen_functions::install_setuid_root_binary ( exec { "gcc_$gcc_output_binary_name-$compile_directory": cwd => $compile_directory, command => "/usr/bin/make", + require => File[$challenge_directory, $compile_directory] } - # Move the compiled binary into the storage directory - file { "$storage_directory/$challenge_binary_name": + # Move the compiled binary into the challenge directory + file { "$challenge_directory/$challenge_binary_name": ensure => present, owner => 'root', group => 'root', @@ -37,7 +67,7 @@ define secgen_functions::install_setuid_root_binary ( } # Drop the flag file on the box and set permissions - file { "$storage_directory/flag": + file { "$challenge_directory/flag": ensure => present, content => $flag, mode => '0600', @@ -47,6 +77,14 @@ define secgen_functions::install_setuid_root_binary ( # Remove compile directory exec { "remove_$compile_directory": command => "/bin/rm -rf $compile_directory", - require => File["$storage_directory/$challenge_binary_name", "$storage_directory/flag"] + require => File["$challenge_directory/$challenge_binary_name", "$challenge_directory/flag"] + } + + # Leak messages / instructions in a text file in the storage directory / home directory + ::secgen_functions::leak_files { "$challenge_directory-strings_to_leak": + storage_directory => $challenge_directory, + leaked_filenames => $leaked_filenames, + strings_to_leak => $strings_to_leak, + leaked_from => $source_module_name, } }