[local exploits] - Alice 2.2 Arbitrary Code Execution Exploit
Posted on 06 December 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Alice 2.2 Arbitrary Code Execution Exploit | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Alice 2.2 Arbitrary Code Execution Exploit by Rew in local exploits | Inj3ct0r 1337 - exploit database : vulnerability : 0day : shellcode' /></head><body><pre>
==========================================
Alice 2.2 Arbitrary Code Execution Exploit
==========================================

Title:     Alice 2.2 Arbitrary Code Execution Exploit
Date:      Dec 5, 2010
Author:    Rew
Email:     rew [splat] leethax.info
Link:      http://alice.org/index.php
Version:   2.2 (Windows)
Tested on: WinXP
CVE:       NA (0day)

This was a fun one to exploit. Let me explain...

Alice saves programs ("worlds") in a custom ".a2w" format. This is essentially just a zip file containing some XML and images. A little poking around reveals a Python script called "script.py" in there too. I have never seen Alice put code in it, so I am not sure what its real purpose is, but whatever it contains gets executed every time the world is opened.
(Ok seriously, whose smart idea was that!?)

When I discovered this, I figured "Cool, a simple os.system() should do the trick", but there is a problem. Alice relies on Jython (http://jython.org/) to interpret the Python code, and the Jython developers seem to have made a mistake in their code. In jython-2.1\Lib\javaos.py, line 23 runs

    from __future__ import division

I guess this is supposed to fix some Python bug, but under Alice's Jython it results in every OS shell command dying with a syntax error. :/ Yes, there are other ways to spawn a shell (popen2, commands, etc.), but in Jython they all ultimately go through the os module, so they fail the same way.

I thought for a while about what could be done using only built-in Python functions, but all I could come up with was arbitrary file reads/writes. That could still lead to code execution (easier on Linux, where you can write to a shell startup script), but it is not as clean.

Then it hit me. Why not use the file functions to fix the developers' mistake, and then call os.system()? And what do you know, it worked!

Here's how:

1. Use Python to open up jython-2.1\Lib\javaos.py
2. Comment out line 23 and write the file back
3. Call os.system(), thus h4cking th3 pl4n3t
4. Repair our modifications so we remain undetected :)

Quite funny, I think: we have to fix the developers' mistake to exploit the program.

Attached is a PoC that will run calc.exe. It may be a little unreliable if there are file permission issues (the user opening the world needs write access to javaos.py) or if the Jython directory has somehow moved. If that happens, tweak the paths and it will work.

Enjoy,
Rew

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkz8WUQACgkQy2WYMxSouUziYQCfcDlB5rWT541euew8pZW2BA03
FhUAn0y6pBrAJXLcLiEfINR5hT4MfL52
=zMAG
-----END PGP SIGNATURE-----

Exploit: 1337db.com/sploits/15068.a2w

# <a href='http://1337db.com/'>1337db.com</a> [2010-12-06]</pre></body></html>
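Added example, not part of the advisory above and not code from the Alice project: a small Python 3 triage script for checking an .a2w world before it is opened. It relies only on what the advisory states about the format (the world is a zip archive, and Alice runs the archive's script.py every time the world is loaded). It rejects files that are not zip archives, member paths that would escape the extraction directory, and any script.py that contains real code, and it labels the building blocks the advisory's technique needs: an os/shell import, a file opened for writing, a reference to Jython's javaos.py, a shell call. The in-memory sample worlds, their member names (elementData.xml, textures/sky.png), the path inside the constructed malicious script and the detection patterns themselves are assumptions made here for the demonstration, not anything Alice or the advisory provides.

```python
"""Triage an Alice .a2w world before opening it (added example, not Alice's own code).

The advisory states only that an .a2w is a zip archive and that Alice executes
its script.py at load time; member names, samples and patterns here are assumptions.
"""
import io
import re
import zipfile

# Building blocks of the advisory's technique.  A world saved by Alice is
# reported to carry no code in script.py, so any hit deserves a look.
SUSPICIOUS = {
    "imports an OS/shell module": re.compile(
        r"^\s*(?:import|from)\s+(?:os|subprocess|popen2|commands)\b", re.M),
    "calls a shell": re.compile(
        r"\b(?:os\.system|os\.popen|popen2\.popen[234]?|commands\.getoutput)\s*\("),
    "opens a file for writing": re.compile(
        r"\bopen\s*\([^)]*,\s*['\"](?:w|a|r\+)[a-z+]*['\"]"),
    "references Jython's javaos.py": re.compile(r"javaos\.py"),
    "uses the Java runtime": re.compile(
        r"\bjava\.lang\.Runtime\b|^\s*(?:import|from)\s+java\b", re.M),
    "dynamic code execution": re.compile(r"\b(?:exec|eval|execfile)\s*\("),
}

# Constructed sample mirroring the shape of the advisory's steps; the path is a placeholder.
MALICIOUS_SCRIPT = """import os
p = 'jython-2.1/Lib/javaos.py'
src = open(p).readlines()
open(p, 'w').writelines(src)
os.system('calc.exe')
"""


def is_code(line):
    """True for a line that is neither blank nor a comment."""
    s = line.strip()
    return bool(s) and not s.startswith("#")


def unsafe_member(name):
    """Member names that would escape the extraction directory (zip-slip)."""
    parts = name.replace("\\", "/").split("/")
    return name.startswith("/") or ".." in parts or re.match(r"[A-Za-z]:", name) is not None


def scan_a2w(data):
    """Inspect an .a2w given as bytes and return a report dict; never raises on bad input."""
    report = {"is_zip": False, "members": [], "unsafe_paths": [],
              "script_present": False, "script_has_code": False, "findings": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report
    report["is_zip"] = True
    with zf:
        report["members"] = zf.namelist()
        report["unsafe_paths"] = [n for n in report["members"] if unsafe_member(n)]
        # Alice runs script.py at load time; look for it anywhere in the archive.
        scripts = [n for n in report["members"]
                   if n.replace("\\", "/").split("/")[-1] == "script.py"]
        if not scripts:
            return report
        report["script_present"] = True
        source = zf.read(scripts[0]).decode("utf-8", "replace")
    report["script_has_code"] = any(is_code(l) for l in source.splitlines())
    report["findings"] = [label for label, rx in SUSPICIOUS.items() if rx.search(source)]
    return report


def verdict(report):
    """One-line decision for a report produced by scan_a2w."""
    if not report["is_zip"]:
        return "REJECT: not a zip archive"
    if report["unsafe_paths"]:
        return "REJECT: member paths escape the extraction directory"
    if report["script_has_code"]:
        return "REJECT: script.py contains code (%s)" % (", ".join(report["findings"]) or "unclassified")
    return "OK: no startup code"


def build_sample_world(script_source):
    """Construct an in-memory .a2w for the demo; member names are assumptions."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("elementData.xml", "<element/>")
        zf.writestr("textures/sky.png", b"\x89PNG\r\n\x1a\n")
        zf.writestr("script.py", script_source)
    return buf.getvalue()


if __name__ == "__main__":
    for name, world in [("benign world", build_sample_world("# nothing here\n")),
                        ("malicious world", build_sample_world(MALICIOUS_SCRIPT)),
                        ("not a world", b"just some bytes")]:
        print("%-16s %s" % (name, verdict(scan_a2w(world))))
```

Run it as a script to see the three verdicts; in practice, feed scan_a2w the bytes of a downloaded world before double-clicking it. Going by the advisory's observation that Alice never writes code into script.py, a world Alice itself produced should come back "OK: no startup code"; anything else is worth unzipping and reading by hand, since the pattern list is a heuristic and a payload can be obfuscated past it.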