From eb24e1b852fad14b886e7cec6bc8b04ba06da8c7 Mon Sep 17 00:00:00 2001
From: Yeol <136407746+13m0n4de@users.noreply.github.com>
Date: Sat, 19 Oct 2024 01:58:24 +0800
Subject: [PATCH] =?UTF-8?q?feat(pwn/rop):=20=E6=B7=BB=E5=8A=A0=E6=BA=90?= =?UTF-8?q?=E7=A0=81=E5=92=8C=E9=95=9C=E5=83=8F=E6=9E=84=E5=BB=BA=E6=96=87?= =?UTF-8?q?=E4=BB=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
challenges/pwn/rop/build/Dockerfile | 48 +++++++++++++++++++++++++++
challenges/pwn/rop/build/init.sh | 7 ++++
challenges/pwn/rop/build/src/Makefile | 12 +++++++
challenges/pwn/rop/build/src/rop.c | 34 +++++++++++++++++++
challenges/pwn/rop/build/xinetd.conf | 17 ++++++++++
5 files changed, 118 insertions(+)
create mode 100644 challenges/pwn/rop/build/Dockerfile
create mode 100644 challenges/pwn/rop/build/init.sh
create mode 100644 challenges/pwn/rop/build/src/Makefile
create mode 100644 challenges/pwn/rop/build/src/rop.c
create mode 100644 challenges/pwn/rop/build/xinetd.conf
diff --git a/challenges/pwn/rop/build/Dockerfile b/challenges/pwn/rop/build/Dockerfile
new file mode 100644
index 0000000..4e36483
--- /dev/null
+++ b/challenges/pwn/rop/build/Dockerfile
@@ -0,0 +1,48 @@
+FROM ubuntu:20.04 AS builder
+
+RUN apt-get update && apt-get install -y gcc make
+
+WORKDIR /build
+
+COPY src/* ./
+
+RUN make
+
+FROM ghcr.io/svuctf/base-v2/xinetd:latest
+
+# Copy initialization script and xinetd configuration
+COPY --chmod=500 init.sh /init.sh
+COPY xinetd.conf /etc/xinetd.conf
+
+# Set up the CTF environment
+RUN chmod -R 750 /home/ctf && \
+ mkdir -p /home/ctf/lib64 && \
+ mkdir -p /home/ctf/dev && \
+ mkdir -p /home/ctf/bin && \
+ mkdir -p /home/ctf/lib/x86_64-linux-gnu && \
+ mkdir -p /home/ctf/lib32
+
+# Copy necessary libraries from builder stage
+COPY --from=builder /lib/x86_64-linux-gnu/libc.so.6 /home/ctf/lib/x86_64-linux-gnu/
+COPY --from=builder /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /home/ctf/lib64/
+
+# Copy the challenge binary
+COPY --from=builder --chmod=500 /build/rop /home/ctf/rop
+
+# Set up device nodes
+RUN mknod /home/ctf/dev/null c 1 3 && \
+ mknod /home/ctf/dev/zero c 1 5 && \
+ mknod /home/ctf/dev/random c 1 8 && \
+ mknod /home/ctf/dev/urandom c 1 9 && \
+ chmod 666 /home/ctf/dev/*
+
+# Copy necessary binaries abd binaries
+RUN cp /lib/ld-musl-x86_64.so.1 /home/ctf/lib/ && \
+ cp /bin/sh /home/ctf/bin && \
+ cp /bin/ls /home/ctf/bin && \
+ cp /bin/cat /home/ctf/bin && \
+ cp /bin/base64 /home/ctf/bin
+
+RUN chown -R ctf:ctf /home/ctf
+
+CMD ["xinetd", "-dontfork"]
diff --git a/challenges/pwn/rop/build/init.sh b/challenges/pwn/rop/build/init.sh
new file mode 100644
index 0000000..9aa1def
--- /dev/null
+++ b/challenges/pwn/rop/build/init.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+echo $GZCTF_FLAG > /home/ctf/flag
+chown -R ctf:ctf /home/ctf/flag
+unset GZCTF_FLAG
+
+/usr/sbin/chroot /home/ctf/ /rop
diff --git a/challenges/pwn/rop/build/src/Makefile b/challenges/pwn/rop/build/src/Makefile
new file mode 100644
index 0000000..7089287
--- /dev/null
+++ b/challenges/pwn/rop/build/src/Makefile
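Review bot: Both `FROM` lines use mutable tags, and the runtime stage uses `:latest`, so a rebuild can silently pull a different base image and copy a different `libc.so.6` / `ld-linux-x86-64.so.2` into /home/ctf than the ones the challenge was tested with. Pinning each stage by digest, e.g. `FROM ghcr.io/svuctf/base-v2/xinetd@sha256:<digest of the reviewed image>` (placeholder), keeps the image reproducible and auditable. Separately, `RUN chown -R ctf:ctf /home/ctf` makes the service account the owner of every binary and library in the chroot; root ownership with group read/execute for ctf would keep them unmodifiable by that account, with the `--chmod=500` on /home/ctf/rop adjusted to match. The comment `# Copy necessary binaries abd binaries` presumably means "libraries and binaries".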
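Review bot: The last line of init.sh, `/usr/sbin/chroot /home/ctf/ /rop`, starts the deliberately vulnerable binary without dropping privileges, and the xinetd.conf hunk in this patch sets `user = root`, so the challenge process runs as root and the chroot is not a containment boundary for it. Switch to the ctf account at exec time, e.g. `/usr/sbin/chroot --userspec=ctf:ctf /home/ctf/ /rop`; that option belongs to GNU coreutils, and the `ld-musl` copy in the Dockerfile suggests a BusyBox-style base where it may be missing, so confirm what the image ships. Also quote the flag so it is not word-split or glob-expanded: `printf '%s\n' "$GZCTF_FLAG" > /home/ctf/flag`.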
@@ -0,0 +1,12 @@
+CC = gcc
+CFLAGS = -Wall -Wextra -Wpedantic -no-pie -m64
+
+TARGET = rop
+
+all: $(TARGET)
+
+$(TARGET): $(TARGET).c
+ $(CC) $(CFLAGS) -o $@ $<
+
+clean:
+ rm -f $(TARGET)
diff --git a/challenges/pwn/rop/build/src/rop.c b/challenges/pwn/rop/build/src/rop.c
new file mode 100644
index 0000000..a342b57
--- /dev/null
+++ b/challenges/pwn/rop/build/src/rop.c
@@ -0,0 +1,34 @@
+#include
+#include
+#include
+
+char secret[] = "/bin/sh";
+
+void init() {
+ setvbuf(stdin, NULL, _IONBF, 0);
+ setvbuf(stdout, NULL, _IONBF, 0);
+ setvbuf(stderr, NULL, _IONBF, 0);
+}
+
+void banner() {
+ printf(" ___ _ _ __ __ ___ ____ ____ \n");
+ printf("/ __)( \\/ )( )( )/ __)(_ _)( ___)\n");
+ printf("\\__ \\ \\ / )(__)(( (__ )( )__) \n");
+ printf("(___/ \\/ (______)\\___) (__) (__) \n");
+ printf("\n");
+ printf("Welcome to the SVUCTF HELLOWORLD 2024!\n");
+ printf("\n");
+}
+
+void vuln() {
+ char buf[64];
+ system("echo \"Hello CTFer, what's your name?\"");
+ read(0, &buf, 256);
+}
+
+int main() {
+ init();
+ banner();
+ vuln();
+ return 0;
+}
diff --git a/challenges/pwn/rop/build/xinetd.conf b/challenges/pwn/rop/build/xinetd.conf
new file mode 100644
index 0000000..d54df8f
--- /dev/null
+++ b/challenges/pwn/rop/build/xinetd.conf
@@ -0,0 +1,17 @@
+service ctf
+{
+ disable = no
+ id = xinetd
+ socket_type = stream
+ protocol = tcp
+ wait = no
+ user = root
+ type = UNLISTED
+ port = 70
+ bind = 0.0.0.0
+ server = /init.sh
+ # safety options
+ per_source = 10 # the maximum instances of this service per source IP address
+ rlimit_cpu = 20 # the maximum number of CPU seconds that the service may use
+ rlimit_as = 100M # the Address Space resource limit for the service
+}
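Review bot: `CFLAGS` fixes only `-no-pie`; stack protector, `_FORTIFY_SOURCE` and RELRO are left to whatever the builder image's gcc enables by default, so the mitigation profile of the shipped binary is implicit and can change with the `ubuntu:20.04` tag. State the intended choice explicitly on the `CFLAGS` line (for the stack protector, either `-fno-stack-protector` or `-fstack-protector-strong`, whichever the challenge design calls for). A comment such as `# Hardening is reduced on purpose for this exercise; do not reuse these flags` would also keep the flags from being copied into other builds.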
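Review bot: `read(0, &buf, 256)` in `vuln()` writes up to 256 bytes into `char buf[64]`, a stack buffer overflow (CWE-121) that is evidently the exercise's planted bug but is not marked as such anywhere in the file. Add a comment above it, e.g. `/* Intentional: the read length exceeds buf; this is the challenge. */`, so the file is not mistaken for reusable code or silently "fixed" by a later cleanup. For reference, the bounded form is `read(0, buf, sizeof buf)` with the return value checked. The three `#include` lines show no header names on this page, which looks like an extraction artifact rather than part of the commit.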
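Review bot: The limits under `# safety options` cap connections per source address and CPU seconds, but nothing bounds the total number of concurrent instances or the wall-clock lifetime of a connection. A client that connects and leaves the process blocked in `read()` uses no CPU time, so `rlimit_cpu = 20` never fires for idle sessions. Add a service-wide cap such as `instances = <N>` (placeholder, to be sized for the host) and a wall-clock limit, for example an `alarm()` call in rop.c's `init()`.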