Alice 2.2 - Arbitrary Code Execution Exploit

2010-12-06T00:00:00
ID EDB-ID:15696
Type exploitdb
Reporter Rew
Modified 2010-12-06T00:00:00

Description

Alice 2.2 - Arbitrary Code Execution Exploit. Local exploit for windows platform

                                        
                                            -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Title: Alice 2.2 Arbitrary Code Execution Exploit
Date: Dec 5, 2010
Author: Rew
Email: rew [splat] leethax.info
Link: http://alice.org/index.php
Version: 2.2 (Windows)
Tested on: WinXP
CVE: NA (0day)

This was a fun one to exploit.  Let me explain...

Alice saves programs (worlds) in a custom ".a2w" format.  This is
essentially just a zip file containing some XML and images.  A little
poking around reveals a python script called "script.py" in there too.
I've never seen Alice put code in it, so I'm not sure what it's real
purpose is, but it gets executed every time the program starts.  (Ok
seriously, whose smart idea was that!?)  When I discovered this, I
figured, "Cool, a simple os.system() should do the trick.", but there's
a problem;  Alice relies on Jython (http://jython.org/) to interpret the
Python code, but the Jython Devs seem to have made a mistake in their
code.  In jython-1.2\Lib\javaos.py, line 23 runs...

from __future__ import division

I guess this is supposed to fix some python bug, however in our case it
results in all OS shell commands dying with a syntax error.  :/  Yes,
there are others (popen2, commands, etc), but in Jython they all
ultimately call the os library.  I thought for a while about what could
be done using only built-in python function, but all I could come up
with was arbitrary file reads/writes.  This could still lead to code
execution (easier on linux because you can write to the startup shell
script), but it's not as clean.  Then it hit me.  Why not just use the
file functions to fix the developers mistake, and then call os.system()?
 And what do you know, it worked!!  Here's how

1. Use Python to open up jython-2.1\Lib\javaos.py
2. Comment out line 23 and write it back to the file
3. Call os.system(), thus h4cking th3 pl4n3t
4. Repair our modifications so we remain undetected :)

Quite funny I think.  We have to fix the developers mistake to exploit
the program.  Attached is a PoC that will run calc.exe.  It may be a
little unreliable if there are any file permission issues or the
directory has somehow changed.  If that happens, tweak it and it will work.

Enjoy,
Rew

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkz8WUQACgkQy2WYMxSouUziYQCfcDlB5rWT541euew8pZW2BA03
FhUAn0y6pBrAJXLcLiEfINR5hT4MfL52
=zMAG
-----END PGP SIGNATURE-----

Exploit: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/15696.a2w (Off_with_her_head.a2w)