Dynamic (#77)
This commit is contained in:
parent
55247b7fcd
commit
991c84a1eb
1464 changed files with 225448 additions and 1985 deletions
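--- /dev/null
+++ b/tests/dynamic_fixtures/escape/raw_socket_bind/benign/main.c
@@ -0,0 +1,12 @@
+/*
+ * Phase 20 (Track E.5) — benign counterpart for raw_socket_bind.
+ */
+
+#include <stdio.h>
+
+int main(void) {
+    printf("__NYX_SINK_HIT__\n");
+    printf("benign:raw_socket_bind\n");
+    printf("__NYX_PROBE_DONE__\n");
+    return 0;
+}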
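Review bot: Unlike its vuln counterpart, this fixture never calls `fflush(stdout)` after the `__NYX_SINK_HIT__` marker, so when stdout is a pipe all three lines are emitted together at process exit; if the harness watches for the sink marker before the probe finishes (which the explicit flush in vuln/main.c suggests it may), it will not see it until then. Adding `fflush(stdout);` after the first printf keeps the output timing of the benign and vuln fixtures consistent.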
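--- /dev/null
+++ b/tests/dynamic_fixtures/escape/raw_socket_bind/vuln/main.c
@@ -0,0 +1,48 @@
+/*
+ * Phase 20 (Track E.5) — escape fixture: bind a raw socket.
+ *
+ * Creating an `AF_INET` `SOCK_RAW` socket requires `CAP_NET_RAW`. Under
+ * Phase 17 hardening, `--cap-drop=ALL` / the unprivileged user namespace
+ * means the calling process lacks the capability; the seccomp filter also
+ * denies `socket(AF_INET, SOCK_RAW, ...)` because raw sockets are not in
+ * the default-deny allowlist.
+ *
+ * Sentinel: when the raw socket is created the harness drops a flag file
+ * at `/tmp/nyx_escape_raw_socket_sentinel`. When chroot redirects the
+ * write into the workdir, the host path stays absent.
+ */
+
+#include <fcntl.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <unistd.h>
+
+#define SENTINEL_PATH "/tmp/nyx_escape_raw_socket_sentinel"
+
+int main(void) {
+    printf("__NYX_SINK_HIT__\n");
+    fflush(stdout);
+
+    int s = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
+    if (s >= 0) {
+        printf("escape:raw_socket:created\n");
+        close(s);
+
+        int fd = open(SENTINEL_PATH, O_WRONLY | O_CREAT | O_TRUNC, 0644);
+        if (fd >= 0) {
+            ssize_t _ignored = write(fd, "NYX_ESCAPE_SUCCESS\n", 19);
+            (void)_ignored;
+            close(fd);
+            printf("escape:raw_socket:sentinel_written\n");
+        } else {
+            printf("escape:raw_socket:sentinel_failed\n");
+        }
+    } else {
+        printf("escape:raw_socket:socket_failed\n");
+    }
+
+    printf("__NYX_PROBE_DONE__\n");
+    return 0;
+}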
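Review bot: The deny path `printf("escape:raw_socket:socket_failed\n");` discards errno, so the harness cannot tell which hardening layer blocked the call (a capability check and a seccomp errno-return both typically yield EPERM, but ENOSYS or EACCES would point elsewhere); `<string.h>` is already included, so `printf("escape:raw_socket:socket_failed:%s\n", strerror(errno));` plus `#include <errno.h>` costs two lines. If the seccomp action is kill rather than errno, the process dies with SIGSYS before `__NYX_PROBE_DONE__` is printed, so the harness should presumably treat a missing done-marker as the blocked outcome — the header does not say which action is configured. Note also that the sentinel write runs only after `socket()` succeeds, so a harness keying solely on the host path would miss a raw-socket escape while chroot still redirects `/tmp`; the `escape:raw_socket:created` stdout line is the signal for that case, and the header's "the harness drops a flag file" should read "the fixture drops a flag file". Finally, `O_CREAT | O_TRUNC` on a fixed path in shared `/tmp` follows a pre-existing file or symlink, so a stale sentinel from an earlier run would produce a false positive unless the harness unlinks it first; `O_EXCL | O_NOFOLLOW` makes that failure explicit.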