Alice 2.2 – Arbitrary Code Execution

  • Author: Rew
    Date: 2010-12-06
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/15696/
  • Title: Alice 2.2 Arbitrary Code Execution Exploit
    Date: Dec 5, 2010
    Author: Rew
    Email: rew [splat] leethax.info
    Link: http://alice.org/index.php
    Version: 2.2 (Windows)
    Tested on: WinXP
    CVE: NA (0day)
    
    This was a fun one to exploit. Let me explain...
    
    Alice saves programs (worlds) in a custom ".a2w" format. This is
    essentially just a zip file containing some XML and images. A little
    poking around reveals a python script called "script.py" in there too.
    I've never seen Alice put code in it, so I'm not sure what its real
    purpose is, but it gets executed every time the program starts. (Ok
    seriously, whose smart idea was that!?) When I discovered this, I
    figured, "Cool, a simple os.system() should do the trick.", but there's
    a problem; Alice relies on Jython (http://jython.org/) to interpret the
    Python code, but the Jython Devs seem to have made a mistake in their
    code. In jython-1.2\Lib\javaos.py, line 23 runs...
    
    from __future__ import division
    
    I guess this is supposed to fix some python bug, however in our case it
    results in all OS shell commands dying with a syntax error. :/ Yes,
    there are others (popen2, commands, etc), but in Jython they all
    ultimately call the os library. I thought for a while about what could
    be done using only built-in python functions, but all I could come up
    with was arbitrary file reads/writes. This could still lead to code
    execution (easier on linux because you can write to the startup shell
    script), but it's not as clean. Then it hit me. Why not just use the
    file functions to fix the developer's mistake, and then call os.system()?
    And what do you know, it worked!! Here's how:
    
    1. Use Python to open up jython-2.1\Lib\javaos.py
    2. Comment out line 23 and write it back to the file
    3. Call os.system(), thus h4cking th3 pl4n3t
    4. Repair our modifications so we remain undetected :)
    
    Quite funny I think. We have to fix the developer's mistake to exploit
    the program. Attached is a PoC that will run calc.exe. It may be a
    little unreliable if there are any file permission issues or the
    directory has somehow changed. If that happens, tweak it and it will work.
    
    Enjoy,
    Rew
    
    
    Exploit: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15696.a2w (Off_with_her_head.a2w)
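The advisory's key point for defenders is that an .a2w world is a zip archive whose embedded script.py is executed by Alice every time the world loads. The scanner below is an added example (not the author's PoC or Alice project code) that opens an .a2w and flags any non-empty script.py, listing the host-affecting tokens it references; the token list and the constructed sample worlds are assumptions for illustration.

```python
"""Triage scanner for Alice .a2w worlds (added example, not from the advisory).

An .a2w file is a zip archive; Alice runs the embedded script.py on load, so a
world whose script.py is not empty deserves a look before it is opened.
"""
import io
import re
import zipfile

# Constructed list of tokens that indicate a script reaching the host
# (shell, file I/O, Java runtime); tune it to your environment.
SUSPICIOUS = re.compile(
    r"\b(import\s+os|from\s+os\b|os\.system|popen|open\s*\(|java\.lang\.Runtime)"
)


def scan_a2w(data: bytes) -> dict:
    """Return findings for one .a2w archive given as raw bytes."""
    findings = {"has_script": False, "script_bytes": 0, "suspicious": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # script.py may sit at the archive root or in a subdirectory
        scripts = [n for n in zf.namelist() if n.rsplit("/", 1)[-1] == "script.py"]
        for name in scripts:
            body = zf.read(name).decode("utf-8", errors="replace")
            findings["has_script"] = True
            findings["script_bytes"] += len(body.strip())
            hits = {m.group(0) for m in SUSPICIOUS.finditer(body)}
            findings["suspicious"] += sorted(hits)
    # Per the advisory, a normal Alice world carries an empty script.py,
    # so any content at all is the signal worth escalating.
    findings["risky"] = findings["script_bytes"] > 0
    return findings


def make_world(script: str) -> bytes:
    """Build a minimal constructed .a2w (zip) with the given script.py."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("elementData.xml", "<element/>")  # constructed placeholder XML
        zf.writestr("script.py", script)
    return buf.getvalue()


if __name__ == "__main__":
    benign = make_world("")  # what an untouched Alice world looks like
    tampered = make_world("import os\nos.system('calc.exe')\n")
    print(scan_a2w(benign))
    print(scan_a2w(tampered))
```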