One Article Review

Source: SkullSecurity
Identifier: 8494287
Publication date: 2024-05-05 00:00:00 (seen: 2024-05-06 00:05:44)
Title: BSidesSF 2024 Writeups: Can't Give In (CGI exploitation)
Text: The premise of the three challenges cant-give-in, cant-give-in-secure, and cant-give-in-securer is to learn how to exploit and debug compiled code that's loaded as a CGI module. You might think that's unlikely, but a surprising number of enterprise applications (usually hardware stuff: firewalls, network "security" appliances, and the like) are powered by CGI scripts. You never know! This challenge was inspired by one of my co-workers at GreyNoise asking how to debug a CGI script. I thought it'd be cool to make a multi-challenge series in case others didn't know! This write-up is intended to be fairly detailed, to help new players understand their first stack overflow!

Part 1: cant-give-in

The vulnerability

First, let's look at the vuln! All three challenges have pretty similar vulnerabilities, but here's what the first looks like:

    /* Content-Length arrives in the environment, the POST body on stdin.
       The declaration of the static buffer `data` is not part of this excerpt. */
    char *strlength = getenv("CONTENT_LENGTH");
    if(!strlength) {
      printf("ERROR: Please send data!");
      exit(0);
    }
    int length = atoi(strlength);          /* attacker-controlled, never bounded */
    read(fileno(stdin), data, length);     /* overflows `data` when length > sizeof(data) */
    if(!strcmp(data, "password=MyCoolPassword")) {
      printf("SUCCESS: authenticated successfully!");
    } else {
      printf("ERROR: Login failed!");
    }

The way CGI works (a fact that I'd forgotten since learning Perl some 20 years ago) is that the request headers are processed by Apache and passed to the script as environment variables, while the body (i.e., the POST data) is delivered on stdin. In that script, we read the Content-Length from the CONTENT_LENGTH variable, then read that many bytes of the POST body into a static buffer. Nothing compares that length against the size of the buffer, so it's a fairly standard buffer overflow, with the twist that it's in a CGI application! We can demonstrate the issue pretty easily by running the CGI directly (I'm using dd to produce 200 characters without cluttering up the screen):
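As an added example (not the challenge's own code, and not the author's), here is the same auth check with the missing bound put in: CONTENT_LENGTH is parsed strictly instead of with atoi(), capped at the buffer size, the body is read in a loop because stdin may deliver it in pieces, and the buffer is null-terminated before strcmp(). The buffer size BODY_MAX, the result enum, and the function names are assumptions; the password string and the messages are the ones in the page's snippet. The main() is the real CGI entry point, so the file can be driven by hand exactly as the article describes, header in the environment and body on stdin, while cgi_auth() works on an in-memory body so it can be exercised without Apache.

```c
/* Hardened version of the cant-give-in auth check (added example, not the
 * challenge's code).  BODY_MAX, the enum and the function names are assumed. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define BODY_MAX 128            /* assumed; the page does not give the real size */

enum auth_result { AUTH_OK = 0, AUTH_BAD_LENGTH = 1, AUTH_SHORT_BODY = 2, AUTH_FAILED = 3 };

/* Parse CONTENT_LENGTH strictly: decimal digits only, no sign, no trailing junk,
 * and never larger than `max`.  Returns -1 on anything else.  atoi() accepts
 * "-1" or "200abc" without complaint, which is how the original loses control
 * of the read() size. */
static long parse_content_length(const char *s, long max)
{
    char *end;
    long v;
    if (s == NULL || *s == '\0' || *s == '-' || *s == '+')
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < 0 || v > max)
        return -1;
    return v;
}

/* Read exactly n bytes from fd; the web server may hand the body over in chunks. */
static int read_fully(int fd, char *buf, size_t n)
{
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0 && errno == EINTR)
            continue;
        if (r <= 0)
            return -1;
        got += (size_t)r;
    }
    return 0;
}

/* The check itself, over an in-memory body so it can be tested without CGI.
 * `strlength` is the CONTENT_LENGTH string, `body` the POST data of body_len bytes. */
enum auth_result cgi_auth(const char *strlength, const char *body, size_t body_len)
{
    char data[BODY_MAX + 1];    /* +1 keeps room for the terminator */
    long length = parse_content_length(strlength, BODY_MAX);
    if (length < 0)
        return AUTH_BAD_LENGTH;
    if ((size_t)length > body_len)
        return AUTH_SHORT_BODY;
    memcpy(data, body, (size_t)length);
    data[length] = '\0';        /* strcmp() needs a terminator the original never wrote */
    return strcmp(data, "password=MyCoolPassword") == 0 ? AUTH_OK : AUTH_FAILED;
}

/* CGI entry point: header in the environment, body on stdin.  Drive it by hand with
 *   printf 'password=MyCoolPassword' | CONTENT_LENGTH=23 ./auth   */
int main(void)
{
    char body[BODY_MAX];
    const char *strlength = getenv("CONTENT_LENGTH");
    long length = parse_content_length(strlength, BODY_MAX);

    printf("Content-Type: text/plain\r\n\r\n");
    if (length < 0) {
        printf("ERROR: Please send data!\n");
        return 0;
    }
    if (read_fully(STDIN_FILENO, body, (size_t)length) != 0) {
        printf("ERROR: short body\n");
        return 0;
    }
    if (cgi_auth(strlength, body, (size_t)length) == AUTH_OK)
        printf("SUCCESS: authenticated successfully!\n");
    else
        printf("ERROR: Login failed!\n");
    return 0;
}
```

The important line is the `v > max` comparison in parse_content_length(): the original's read() trusts whatever atoi() returns, so a Content-Length of 200 against a smaller static buffer is enough to walk off the end of it, which is exactly what the dd-generated 200-byte body in the article triggers.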
Tags: Tool, Vulnerability, Threat


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.