buildat/extensions/sandbox_test/try_exploit.lua
2014-10-02 13:42:04 +03:00

405 lines
11 KiB
Lua

-- Buildat: extension/sandbox_test/try_exploit.lua
-- http://www.apache.org/licenses/LICENSE-2.0
-- Copyright 2014 Perttu Ahola <celeron55@gmail.com>
local log = buildat.Logger("try_exploit.lua")
local magic = require("buildat/extension/urho3d").safe
local uistack = require("buildat/extension/uistack")
local dump = buildat.dump
local M = {}
-- Have a list of things to search for
local bad_names = {
-- Maybe someone is dumb enough to put these with their real names in a table?
"getmetatable",
"setmetatable",
"getfenv",
"setfenv",
-- Used in metatables
"__index",
"__newindex",
"__eq",
"__lt",
"__add",
"__sub",
"__mul",
"__div",
"__gc",
"__call",
-- Tolua++ or something metatable content
".get",
".call",
".set",
"tolua_ubox",
"userdata",
-- Used by buildat itself in metatables
"unsafe",
-- Dunno, but sounds unsafe
"internal",
}
local bad_values_set = {
-- NOTE: Make sure you use [] for the keys
-- Sandbox shouldn't be able to iterate through this
[__buildat_sandbox_environment] = "__buildat_sandbox_environment",
-- If these are leaked, sandbox is doomed
[getmetatable] = "getmetatable",
[setmetatable] = "setmetatable",
[getfenv] = "getfenv",
[setfenv] = "setfenv",
[io] = "io",
[io.open] = "io.open",
[io.popen] = "io.popen",
}
-- Have a list of field names to check in case of disabled iteration
local interesting_field_names = {
"meta",
"class_meta",
"CreateChild",
"root",
"text",
"x",
}
for _, v in ipairs(bad_names) do -- All bad names are interesting
table.insert(interesting_field_names, v)
end
-- Functions that are known to shutdown the whole application if called without
-- parameters
local function_blacklist = {
"run_script_file",
"send_packet",
"disconnect",
"sub_tick",
"__gc",
}
local bad_names_set = {}
for _, v in ipairs(bad_names) do bad_names_set[v] = true end
local interesting_field_names_set = {}
for _, v in ipairs(interesting_field_names) do interesting_field_names_set[v] = true end
local function_blacklist_set = {}
for _, v in ipairs(function_blacklist) do function_blacklist_set[v] = true end
local function path_str(path)
local result = ""
for _, v in ipairs(path) do
if result ~= "" then result = result.."." end
if type(v) == 'string' then
result = result..v
else
result = result..dump(v)
end
end
return result
end
function M.search(value, checked_values_set, result_list, current_path, opts)
opts = opts or {}
if value == nil then
return
end
if checked_values_set[value] then
return
end
log:verbose("search: "..path_str(current_path))
checked_values_set[value] = true
if #current_path >= 20 then
table.insert(result_list, "Path too long: "..
path_str(current_path))
return
end
-- The root is never bad (it is the environment itself, which would be bad
-- as a value in any other position)
if not opts.root_always_good or #current_path ~= 1 then
-- Check if this value is bad
if bad_values_set[value] then
table.insert(result_list, "Bad value found: "..
path_str(current_path).." = "..bad_values_set[value])
end
end
-- Try static list of field names first
for _, field_name in ipairs(interesting_field_names) do
-- Try getting value with disabled error handling
local v = nil
function f()
v = value[field_name]
end
pcall(f) -- Ignore errors
-- Handle value without disabled error handling
if v ~= nil then
table.insert(current_path, field_name)
if bad_names_set[field_name] then
table.insert(result_list, "Bad name found: "..
path_str(current_path))
end
M.search(v, checked_values_set, result_list, current_path)
table.remove(current_path)
end
end
-- Iterate using __next
if getmetatable(value) and getmetatable(value).__next then
-- Use meta.__next
local metapairs = function(t)
return getmetatable(value).__next, t, nil
end
for field_name, v in metapairs(value) do
if v ~= nil then
table.insert(current_path, field_name)
if bad_names_set[field_name] then
table.insert(result_list, "Bad name found: "..
path_str(current_path))
end
M.search(v, checked_values_set, result_list, current_path)
table.remove(current_path)
end
end
end
-- Iterate through raw table value
if type(value) == 'table' then
-- Don't use meta.__next
local rawpairs = function(t)
return next, t, nil
end
for field_name, v in rawpairs(value) do
if v ~= nil then
table.insert(current_path, field_name)
if bad_names_set[field_name] then
table.insert(result_list, "Bad name found: "..
path_str(current_path))
end
M.search(v, checked_values_set, result_list, current_path)
table.remove(current_path)
end
end
end
-- If it's a function or callable, call it and check the results
if type(value) == 'function' or
(getmetatable(value) and getmetatable(value).__call) then
-- Don't call if blacklisted
if not function_blacklist_set[current_path[#current_path]] then
log:verbose("search: "..path_str(current_path).."(self)")
local ret = nil
function f()
-- Call with itself as parameter; that should give the most bang
-- for the buck
ret = {value(value)}
end
pcall(f) -- Ignore errors
if ret ~= nil then
for i = 1, table.getn(ret) do
local ret_v = ret[i]
table.insert(current_path, "()["..i.."]")
M.search(ret_v, checked_values_set, result_list, current_path)
table.remove(current_path)
end
end
end
end
end
function M.run()
-- Prepare result tables
local checked_values_set = {}
local result_list = {}
--
-- Search recursively through the base sandbox environment
-- Note that the sandbox actually can't even index its own environment
--
local start_path = {"__buildat_sandbox_environment"}
M.search(__buildat_sandbox_environment, checked_values_set,
result_list, start_path, {root_always_good=true})
--
-- Search past global sandbox wrapper environments so we can see what kind
-- of stuff the server environment has pulled in
--
local start_path = {"__buildat_old_sandbox_global_wrappers"}
M.search(__buildat_old_sandbox_global_wrappers,
checked_values_set, result_list, start_path)
--
-- Create a sandbox, run a function in it which grabs its environment, and
-- run a search through it
--
local wrapper_number_was = __buildat_latest_sandbox_global_wrapper_number
local local_getfenv = getfenv
local local_pcall = pcall
local new_sandbox = {}
function f()
-- Require all the things
-- TODO: Get this list automatically from the filesystem
local extnames = {
"cereal",
"experimental",
"magic_sandbox",
"__menu",
"sandbox_test",
"test",
"uistack",
"urho3d"
}
local loaded_extensions = {}
local function try_require_extension(n)
local function g()
loaded_extensions[n] = require("buildat/extension/"..n)
end
-- There can be errors for example when the extension doesn't return
-- a safe interface
pcall(g)
end
for _, extname in ipairs(extnames) do
try_require_extension(extname)
end
-- Make results global so they stay in the environment for checking
sandbox.make_global({
loaded_extensions = loaded_extensions,
})
-- Get the environment (which isn't available for iteration normally)
new_sandbox.env = local_getfenv(1)
end
__buildat_run_function_in_sandbox(f)
-- Check that one wrapper was made, and include it in the search
local wrapper_number_is = __buildat_latest_sandbox_global_wrapper_number
assert(wrapper_number_is == wrapper_number_was + 1)
assert(__buildat_latest_sandbox_global_wrapper)
new_sandbox.wrapper = __buildat_latest_sandbox_global_wrapper
-- Search
local start_path = {"new_sandbox"}
M.search(new_sandbox, checked_values_set, result_list, start_path)
--
-- Handle results
--
local num_checked_values = 0
for k, v in pairs(checked_values_set) do
num_checked_values = num_checked_values + 1
end
for _, result in ipairs(result_list) do
log:error("Result: "..result)
end
local message = ""
if #result_list == 0 then
message = message.."No exploit found."
else
message = message..#result_list.." exploits found."
end
message = message.." Checked "..num_checked_values.." values."
log:info("Result: "..message)
M.show_result_dialog(message)
end
function M.search_single_value(value)
-- Prepare result tables
local checked_values_set = {}
local result_list = {}
--
-- Search value
--
local start_path = {"value"}
M.search(value, checked_values_set, result_list, start_path)
--
-- Handle results
--
-- Don't show anything if nothing is bad
if #result_list == 0 then
return
end
local num_checked_values = 0
for k, v in pairs(checked_values_set) do
num_checked_values = num_checked_values + 1
end
for _, result in ipairs(result_list) do
log:error("Result: "..result)
end
local message = #result_list.." exploits found."..
" Checked "..num_checked_values.." values."
log:warning("Result: "..message)
M.show_result_dialog(message)
error("Value is exploitable")
end
local result_dialog_handle = nil
function M.show_result_dialog(message)
-- Don't stack multiple dialogs
if result_dialog_handle then
result_dialog_handle.append(message)
return
end
local root = uistack.main:push({desc="show_result_dialog"})
local style = magic.cache:GetResource("XMLFile", "__menu/res/main_style.xml")
root.defaultStyle = style
local window = root:CreateChild("Window")
window:SetStyleAuto()
window:SetName("show_result_dialog window")
window:SetLayout(LM_VERTICAL, 10, magic.IntRect(10, 10, 10, 10))
window:SetAlignment(HA_LEFT, VA_CENTER)
local message_text = window:CreateChild("Text")
message_text:SetName("message_text")
message_text:SetStyleAuto()
message_text.text = message
message_text:SetTextAlignment(HA_LEFT)
local ok_button = window:CreateChild("Button")
ok_button:SetStyleAuto()
ok_button:SetName("Button")
ok_button:SetLayout(LM_VERTICAL, 10, magic.IntRect(0, 0, 0, 0))
ok_button.minHeight = 20
local ok_button_text = ok_button:CreateChild("Text")
ok_button_text:SetName("ButtonText")
ok_button_text:SetStyleAuto()
ok_button_text.text = "Ok"
ok_button_text:SetTextAlignment(HA_CENTER)
ok_button:SetFocus(true)
result_dialog_handle = {
append = function(text)
if #message_text.text < 1000 then
message_text.text = message_text.text.."\n"..text
end
end,
}
magic.SubscribeToEvent(ok_button, "Released",
function(self, event_type, event_data)
log:info("ok_button: Released")
uistack.main:pop(root)
result_dialog_handle = nil
end)
root:SubscribeToStackEvent("KeyDown", function(event_type, event_data)
local key = event_data:GetInt("Key")
if key == KEY_ESC then
log:info("KEY_ESC pressed at show_result_dialog level")
uistack.main:pop(root)
result_dialog_handle = nil
end
end)
end
return M
-- vim: set noet ts=4 sw=4: