-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Title: Alice 2.2 Arbitrary Code Execution Exploit Date: Dec 5, 2010 Author: Rew Email: rew [splat] leethax.info Link: http://alice.org/index.php Version: 2.2 (Windows) Tested on: WinXP CVE: NA (0day) This was a fun one to exploit. Let me explain... Alice saves programs (worlds) in a custom ".a2w" format. This is essentially just a zip file containing some XML and images. A little poking around reveals a python script called "script.py" in there too. I've never seen Alice put code in it, so I'm not sure what it's real purpose is, but it gets executed every time the program starts. (Ok seriously, whose smart idea was that!?) When I discovered this, I figured, "Cool, a simple os.system() should do the trick.", but there's a problem; Alice relies on Jython (http://jython.org/) to interpret the Python code, but the Jython Devs seem to have made a mistake in their code. In jython-1.2\Lib\javaos.py, line 23 runs... from __future__ import division I guess this is supposed to fix some python bug, however in our case it results in all OS shell commands dying with a syntax error. :/ Yes, there are others (popen2, commands, etc), but in Jython they all ultimately call the os library. I thought for a while about what could be done using only built-in python function, but all I could come up with was arbitrary file reads/writes. This could still lead to code execution (easier on linux because you can write to the startup shell script), but it's not as clean. Then it hit me. Why not just use the file functions to fix the developers mistake, and then call os.system()? And what do you know, it worked!! Here's how 1. Use Python to open up jython-2.1\Lib\javaos.py 2. Comment out line 23 and write it back to the file 3. Call os.system(), thus h4cking th3 pl4n3t 4. Repair our modifications so we remain undetected :) Quite funny I think. We have to fix the developers mistake to exploit the program. Attached is a PoC that will run calc.exe. It may be a little unreliable if there are any file permission issues or the directory has somehow changed. If that happens, tweak it and it will work. Enjoy, Rew -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkz8WUQACgkQy2WYMxSouUziYQCfcDlB5rWT541euew8pZW2BA03 FhUAn0y6pBrAJXLcLiEfINR5hT4MfL52 =zMAG -----END PGP SIGNATURE----- Exploit: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15696.a2w (Off_with_her_head.a2w)