You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
---BEGIN BGGPx---
Submit Date: 2024-07-08
BGGP Challenge Number: 5
Author: bah
Contact Info (Optional): bahorn in the BGGP discord
Online Presence (Website/Social Media): b.horn.uk
Target File Type: ELF, for amd64 Linux
File Size: 620 bytes
SHA256 Hash: c7888d2f0346d460c875f7a70a4b0ff4ba6060187a7b1e7cd5000d8b4563e562
Target Environment (How do we run the file?):
Just chmod +x the file, and it should work if you are on a supported distro, like the ones I tested on:
* Ubuntu Linux 22.04, on the host and in docker containers for Ubuntu 24.04 and fedora:latest.
* Fedora Workstation 40, kernel version `6.8.5-301.fc4.x86_64`, the latest livecd you can download.
Requires adjusting an offset to work on debian:latest, as it doesn't included endbr4 instructions, not included but noted in the source/writeup. Arch Linux will NOT work, as the relocation type I wrote this against is not used on arch.
Doesn't use curl so should work in minimal containers, just libssl.so.3 (should be on most modern distros by default), older distros need some minor changes to work.
Any additional info?:
Patches a copy of bash in memory and does the memfd fexecve trick to run it, replacing `main()` with code that will `dlopen()` libssl and use it to download the BGGP5 file.
It shouldn't ever crash on the supported distros, but I did some horrific hacks that may have edge cases I'm not aware of.
Link to PoC video, screenshot, or console output, if any: https://github.com/binarygolf/BGGP/assets/22912854/f48b4e21-b7ac-4560-97c9-88068475b3c1
Link to writeup, if any: https://raw.githubusercontent.com/bahorn/bphage/master/src/bphage.asm Did my writeup as part of the source code, and the repo https://github.com/bahorn/bphage has history and the experiments to make it work.
File contents (base64 encoded please): f0VMRutCL2Jpbi9iYXNoAAIAPgABAAAAAQAAAAUAAAAYAAAAAAAAABgAAAAFAAAABAIPBesiOAABAEAAAAAAAAEAQAAAAAAASIHsAABQAEiNPbD////r2LoAAFAAVF6Xkw8Fi0QkKIPAQIN8BAQGdfaLXAQYizQci3wcCIP+BQ9E74P+Bg9Ex4P+Fw9Ez4PDEIX2deCLfAwMa/8YAceLHDwB64E8HGRsb3BED0Q0DIE8HGRsc3lED0Q8DIPBGE2F/3TSTYX2dM2LRCQYUFuDwBtIYwQEBB8Bw1NaSAHiuUMBAABIjTU/AAAAUl/zpIPDCEkp3oPDBkkp30SJcgREiXoKMfZIjT0E////uD8BAAAPBVdb99pUXpewAQ8FZkG4ABC4QgEAAOsE6wz/JVNe6wL/JTHSDwUx9v/GSI09nQAAAFfo4////1BbXlZTX0iDxgzo2v/////QUF1eVlNfSIPGHujJ////VV//0FBdXlZTX0iDxirotv///1Vf/9BQXV5WU19Ig8Y+6KP///9VX0iNDcUAAAAx0kC2ZP/QXlZTX0iDxkfohv///0iNNYYAAABVX//QXlZTX0iDxlDobv///1VfUF1UXldWZpL/1V5fkv/VklResAGJxw8F6/5saWJzc2wuc28uMwBUTFNfY2xpZW50X21ldGhvZABTU0xfQ1RYX25ldwBCSU9fbmV3X3NzbF9jb25uZWN0AEJJT19jdHJsAEJJT19wdXRzAEJJT19yZWFkAEdFVCAvNS81IEhUVFAvMS4xCkhvc3Q6YmluYXJ5LmdvbGYKCmJpbmFyeS5nb2xmOjQ0MwA=
---END BGGPx---
If this is an update to an existing entry, please include a link to your entry below this text. Reminder that authors can only update an entry once during BGGP.
The text was updated successfully, but these errors were encountered:
Please fill out the following:
If this is an update to an existing entry, please include a link to your entry below this text. Reminder that authors can only update an entry once during BGGP.
The text was updated successfully, but these errors were encountered: