Exploiting Environment Variables...

14 Jun 2018

Just as you type commands such as ls or cd into the terminal, you can also store data in it, through shell variables and environment variables. A program that reads such a variable and trusts its contents is exploitable: the value is entirely under the user's control, so it can be set to malicious shellcode and exported before the program runs.
So what is shellcode?
Shellcode is a short sequence of raw machine-code bytes, written so that it can be dropped into a process's memory and run when the program is tricked into jumping to it. It is not text that a compiler interprets: once execution reaches those bytes, the CPU runs them as instructions. The name comes from the classic payload, which spawns a shell.
Shell-storm.org is a great source of shellcode.
So, an exercise in exploiting environment variables. Narnia Level 1 is all about this. ssh into narnia1 with the password obtained in the previous level.

    
      ssh narnia1@narnia.labs.overthewire.org -p 2226
      Password: efeidiedae
      cd /narnia/
      cat narnia1.c
  
  
  • Snapshot of /narnia/narnia1.c
  • What is the vulnerability?
  • The pointer returned by getenv("EGG") is stored in ret, which is declared as a function pointer, and ret() is then called. Nothing checks what EGG contains, so whatever bytes are in that variable are executed as code with the privileges narnia1's setuid bit grants.

            
            ret=getenv("EGG");   /* pointer into the environment block, fully user-controlled */
            ret();               /* called as a function: the bytes of EGG run as code */
          
          
    So shellcode that spawns /bin/sh with narnia2 privileges would get us the password for narnia2.
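To make the bug concrete, here is an added example (written for this page, not code from narnia1.c or from OverTheWire) that puts the vulnerable pattern beside a hardened form. The function and table names (run_egg_unsafe, run_egg_safe, actions, first_nul) are my own assumptions; the hardened version treats EGG purely as data that selects an entry from a fixed table, so no value can ever become code. first_nul is the check you want before exporting a payload: environment values are C strings, so getenv() ends the value at the first NUL byte and a payload containing 0x00 is silently truncated.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern, as in narnia1.c: the value of EGG is cast to a
 * function pointer and called, so whatever bytes were exported run as
 * code with the program's (setuid) privileges. Never call this with an
 * untrusted environment; it is here only to show the shape of the bug.
 * On a binary built with a non-executable stack the call would simply
 * fault, which is why the Narnia binaries are built to allow it. */
int run_egg_unsafe(void) {
    char *egg = getenv("EGG");
    if (egg == NULL)
        return -1;
    int (*ret)(void) = (int (*)(void))egg;   /* data pointer treated as code */
    return ret();                            /* jumps into the environment block */
}

/* Hardened form (assumed design, not from the page): EGG is data that
 * selects one entry from a fixed table of functions compiled into the
 * program. An unknown value is refused, never executed. */
static int action_hello(void) { return 1; }
static int action_bye(void)   { return 2; }

struct action { const char *name; int (*fn)(void); };
static const struct action actions[] = {
    { "hello", action_hello },
    { "bye",   action_bye   },
};

int run_egg_safe(const char *egg) {
    if (egg == NULL)
        return -1;                           /* unset: same exit path as narnia1's check */
    for (size_t i = 0; i < sizeof actions / sizeof actions[0]; i++)
        if (strcmp(egg, actions[i].name) == 0)
            return actions[i].fn();
    return -2;                               /* unknown value: refuse, do not execute */
}

/* Practical check before exporting shellcode: environment values are C
 * strings, so getenv() (and the envp the kernel builds) stop at the first
 * NUL byte. Returns the index of the first 0x00, or -1 if the payload
 * would survive the trip through the environment intact. */
long first_nul(const unsigned char *code, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0)
            return (long)i;
    return -1;
}

int main(void) {
    /* Constructed sample bytes: xor eax,eax (31 c0) followed by
     * mov eax,0 (b8 00 00 00 00) and ret (c3); the mov encoding embeds
     * NULs, which is exactly what breaks an environment-borne payload. */
    const unsigned char sample[] = { 0x31, 0xc0, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xc3 };
    printf("first NUL at index %ld\n", first_nul(sample, sizeof sample));

    const char *egg = getenv("EGG");
    printf("safe dispatch of EGG=%s -> %d\n", egg ? egg : "(unset)", run_egg_safe(egg));
    return 0;
}
```

Run it with EGG unset, with EGG=hello, and with EGG set to arbitrary bytes: the safe dispatcher returns -1, 1 and -2 respectively and never touches the value as code. The unsafe function is left uncalled on purpose.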

  • Exploitation Steps:
    1. Choose shellcode and copy it to your clipboard. I used this one here
    2. Store the shellcode in the EGG variable as the output of a python print command, and export it. The value must not contain a NUL byte, since the environment string ends there.
    3. Execute ./narnia1
    4. A shell prompt pops up on execution. Check whose privileges you have with the whoami command, then read the password for Narnia Level 2 with "cat /etc/narnia_pass/narnia2"

  • Behind the scenes explanation:
  • The EGG environment variable holds the output of the python print command, i.e. the raw bytes of the shellcode (machine code that does something intentional).
    The shellcode used here does the same thing as the C code of the previous level (narnia0): it sets the real user ID of the process to its effective user ID, which narnia1's setuid bit makes narnia2, and then calls /bin/sh.
    When it is executed, you get a shell with the elevated privileges of narnia2 (see the Narnia0 post for the owning user and group of the narnia files, or run "ls -l" in /narnia).
    With those privileges, a simple cat gives you the password for the next level. Neat hack, as they say :)