kpcyrd/boxxy-rs

Have you ever wondered what your sandbox looks like from the inside?

boxxy-rs

"If you implement boundaries and nobody is around to push them, do they even exist?". Tempted to test if you can escape it, if only you had a shell to give it a try? boxxy is a library that can be linked into a debug build of an existing program and drop you into an interactive shell. From there you can step through various stages of your sandbox and verify it actually contains™.

Development

cargo run --example boxxy

Linking with rust

Just add a dev-dependencies entry to your Cargo.toml and copy examples/boxxy.rs to your examples/ folder. Modify it to include your sandbox.

[dev-dependencies]
boxxy = "0.*"

Linking with C

There is an example program; check the Makefile to see how it's built.

make cboxxy

Calling into machinecode

 [%]> # just RET to prompt
 [%]> jit ww==
 [%]> # print ohai and exit
 [%]> jit 6xpeuAEAAABIice6BQAAAA8FuDwAAABIMf8PBejh////b2hhaQo=

You can use the objdump utility to generate shellcode from assembly:

make sc/ohai && cargo run --example objdump sc/ohai

Invoking from php

See autoboxxy for tooling to load boxxy from php, even if shell_exec and friends are disabled by php.ini.

Static binary

You may need to build a fully static binary. This is possible using the x86_64-unknown-linux-musl target.

cargo build --release --example boxxy --target x86_64-unknown-linux-musl
strip target/x86_64-unknown-linux-musl/release/examples/boxxy

Debugging systemd security

There is a special ipc binary that automatically swaps its stdio interface with a Unix domain socket so it can be used to debug the security settings of a systemd unit.

Prepare ipc-boxxy:

cargo build --release --example ipc-boxxy
install -Dm755 target/release/examples/ipc-boxxy /usr/local/bin/ipc-boxxy

Prepare systemd unit:

sudo tee /etc/systemd/system/[email protected] <<EOF
[Unit]
Description=ipc boxxy debugger

[Service]
User=root
ExecStart=/usr/local/bin/ipc-boxxy /run/boxxy-%i.sock

NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX
MemoryDenyWriteExecute=true
CapabilityBoundingSet=
InaccessiblePaths=-/etc/ssh

EOF

Attach to shell:

sudo target/debug/ipc-listener /run/boxxy-foo.sock 'systemctl start [email protected]'

You can run arbitrary commands with exec:

exec bash -i
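
Added example (not part of the boxxy project): a small sh check that maps three directives from the unit above to the kernel-visible fields in /proc/<pid>/status, so you can confirm from inside the unit that they took effect. The function names and both sample inputs are constructed for illustration; inside the sandbox, point check_status at /proc/self/status.

```sh
#!/bin/sh
# Added example: verify unit hardening via /proc/<pid>/status fields.

# field FILE NAME -> print the value of the "NAME:" line of a status file
field() {
    awk -v k="$2:" '$1 == k { print $2; exit }' "$1"
}

# check_status FILE -> one PASS/FAIL line per directive;
# exit status is the number of failed checks (0 = all contained)
check_status() {
    fails=0
    while read -r name want directive; do
        got=$(field "$1" "$name")
        if [ "$got" = "$want" ]; then
            echo "PASS $directive ($name=$got)"
        else
            echo "FAIL $directive ($name=${got:-missing}, want $want)"
            fails=$((fails + 1))
        fi
    done <<EOF
NoNewPrivs 1 NoNewPrivileges=yes
CapBnd 0000000000000000 CapabilityBoundingSet=
Seccomp 2 MemoryDenyWriteExecute=/RestrictAddressFamilies=
EOF
    return "$fails"
}

# Constructed sample inputs (not captured from a real system).
sample_hardened() {
    printf 'Name:\tipc-boxxy\nCapBnd:\t0000000000000000\nNoNewPrivs:\t1\nSeccomp:\t2\n'
}
sample_default() {
    printf 'Name:\tbash\nCapBnd:\t000001ffffffffff\nNoNewPrivs:\t0\nSeccomp:\t0\n'
}

# Demo on the constructed unhardened sample: every check should fail.
tmp=$(mktemp)
sample_default > "$tmp"
check_status "$tmp" || echo "$? check(s) failed on the unhardened sample"
rm -f "$tmp"
```

Seccomp=2 only shows that some seccomp filter is installed, which is how systemd enforces MemoryDenyWriteExecute= and RestrictAddressFamilies=; it does not prove which syscalls are blocked.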

AWS lambda

The example folder contains a reimplementation of lambdash. It automatically deploys boxxy as an AWS Lambda function and allows you to execute commands on it. The client supports cross-account access, but needs a preconfigured role that the lambda should use. You need to build a static binary first.

cargo run --features=aws --example lambdash -- \
    --assume-role arn:aws:iam::133713371337:role/AdminRole \
    --role arn:aws:iam::133337133337:role/lambda-test-role \
    eu-west-1 boxxy

Examples

There are vulnerable sandboxes (examples/vuln-*) as a challenge that can be exploited using the boxxy shell (no need to compile any exploits).

DO NOT POST SPOILERS

Start a challenge using e.g. cargo run --example vuln-chroot

Warning

The shell is a basic interface for human input, do not write actual scripts, there be dragons.

Do not include boxxy in production builds.

License

This project is free software released under the LGPL3+ license.

Issues


kpcyrd


The argument handling for more complex commands like caps is quite messy, this should be refactored to structopt.

kpcyrd


We do not show . and .. in the ls -la output. This means it's not possible to get the permissions of the current directory and we would have to run ls -la ... This isn't possible for / though.

kpcyrd


There's already a way to execute shellcode, but an interface to run individual syscalls might be a good idea regardless, especially in LD_PRELOAD scenarios.

kpcyrd


There is currently no way to access file descriptors. It might be useful to have the common f* functions available (fchdir, fdopen, fexecve, etc).

We currently don't support any variables, to keep it as simple as possible every command that returns a file descriptor would just print a number and every command that expects a file descriptor would accept a number as the first argument.

We might have to leak the file descriptor to prevent a close when dropping the handle, in that case one would need to run close 123 explicitly.

Blocks #24

kpcyrd

enhancement

If you have replaced the regular interface ({rev,ipc}shell), the stdio of processes started with exec is still attached to the original process, so you can't get the output when starting processes.

You can work around this with ncat:

This shouldn't be needed though.

kpcyrd

enhancement

It might be useful to have a minimal ssh client to escalate into a different process tree if needed.

Information - Updated Sep 21, 2022

Stars: 66
Forks: 7
Issues: 10
