release v2

giantbranch · giantbranch · commit 5c958fc85751 · 2018-09-23T23:10:41.000+08:00
diff --git a/README.md b/README.md
@@ -35,6 +35,11 @@ The flag will be generated by the initialize.py and it store in flags.txt
 
 The port information corresponding to the pwn program is also inside  flags.txt.
 
+## Update
+
+2018.09.17 version v1
+2018.09.23 version v2：Use the catflag program instead of /bin/sh, which is more secure
+
 ## Reference
 
 https://github.com/Eadom/ctf_xinetd
diff --git a/README_CN.md b/README_CN.md
@@ -29,6 +29,11 @@ docker-compose up --build -d
 
 flag会由`initialize.py`生成，并写入flags.txt中，并且pwn程序对应的端口信息也在里面
 
+## 更新
+
+2018.09.17 version v1
+2018.09.23 version v2：使用catflag程序代替/bin/sh，这会更加安全
+
 ## 参考
 
 https://github.com/Eadom/ctf_xinetd
diff --git a/catflag b/catflag
diff --git a/catflag.c b/catflag.c
@@ -0,0 +1,11 @@
+#include <stdio.h>
+ 
+int main()
+{
+    FILE *fp = NULL;
+    char buff[255];
+    fp = fopen("/flag.txt", "r");
+    fgets(buff, 255, (FILE*)fp);
+    printf("%s\n", buff);
+    fclose(fp);
+}
diff --git a/initialize.py b/initialize.py
@@ -57,7 +57,8 @@ def generateDockerfile(filelist, flags):
     # copy bin
     copybin = ""
     for filename in filelist:
-        copybin += "COPY " + PWN_BIN_PATH + "/" + filename  + " /home/" + filename + "/" + filename + "\n"    
+        copybin += "COPY " + PWN_BIN_PATH + "/" + filename  + " /home/" + filename + "/" + filename + "\n"
+        copybin += "COPY ./catflag" + " /home/" + filename + "/bin/sh\n"    
     # print copybin
 
     # chown & chmod
@@ -72,16 +73,20 @@ def generateDockerfile(filelist, flags):
     # print chown_chmod
 
     # copy lib,/bin 
-    dev = '''mkdir /home/%s/dev && mknod /home/%s/dev/null c 1 3 && mknod /home/%s/dev/zero c 1 5 && mknod /home/%s/dev/random c 1 8 && mknod /home/%s/dev/urandom c 1 9 && chmod 666 /home/%s/dev/* && '''
-    ness_bin = '''mkdir /home/%s/bin && cp /bin/sh /home/%s/bin && cp /bin/ls /home/%s/bin && cp /bin/cat /home/%s/bin'''
+    # dev = '''mkdir /home/%s/dev && mknod /home/%s/dev/null c 1 3 && mknod /home/%s/dev/zero c 1 5 && mknod /home/%s/dev/random c 1 8 && mknod /home/%s/dev/urandom c 1 9 && chmod 666 /home/%s/dev/* && '''
+    dev = '''mkdir /home/%s/dev && mknod /home/%s/dev/null c 1 3 && mknod /home/%s/dev/zero c 1 5 && mknod /home/%s/dev/random c 1 8 && mknod /home/%s/dev/urandom c 1 9 && chmod 666 /home/%s/dev/* '''
+    # ness_bin = '''mkdir /home/%s/bin && cp /bin/sh /home/%s/bin && cp /bin/ls /home/%s/bin && cp /bin/cat /home/%s/bin'''
+    # ness_bin = '''cp /bin/sh /home/%s/bin && cp /bin/ls /home/%s/bin && cp /bin/cat /home/%s/bin'''
     copy_lib_bin_dev = "RUN "
     for x in xrange(0, len(filelist)):
         copy_lib_bin_dev += "cp -R /lib* /home/" + filelist[x]  + " && "        
         copy_lib_bin_dev += dev % (filelist[x], filelist[x], filelist[x], filelist[x], filelist[x], filelist[x])
         if x == len(filelist) - 1:
-            copy_lib_bin_dev += ness_bin % (filelist[x], filelist[x], filelist[x], filelist[x])                
+            # copy_lib_bin_dev += ness_bin % (filelist[x], filelist[x], filelist[x])
+            pass                
         else:    
-            copy_lib_bin_dev += ness_bin % (filelist[x], filelist[x], filelist[x], filelist[x]) + " && "
+            # copy_lib_bin_dev += ness_bin % (filelist[x], filelist[x], filelist[x]) + " && "
+            copy_lib_bin_dev += " && "
 
     # print copy_lib_bin_dev
 
