Alice 2.2 Arbitrary Code Execution PoC


Rew
12-05-2010, 09:54 PM
This is going to be a hard one to fix because it's more of a feature than a bug. I think it still deserves some serious thought, though, because it allows arbitrary code to run when the user presses "Play".

Inside all .a2w files there is a file called "script.py". It gets executed every time the world starts. (Whose brilliant idea was that?!) Interestingly enough, exploiting this is not as easy as just throwing in an os.system() call, because the Jython library that handles shell functions throws a syntax error and dies before our code runs. I puzzled on this for a while and finally the answer dawned on me. You can use built-in Python functions to edit the bad file (commenting out the bad line), and then safely call os.system() to jump outside of Alice. I'm attaching a ready-to-go .a2w PoC. (Tested on Alice 2.2, WinXP) You might have to tweak it slightly for your environment.



- Rew

arty-fishL
12-06-2010, 11:41 AM
This is Alice Jython scripting; it's an unfinished feature that the Alice developers were going to add. You can enable it properly in the Alice config file; there are some threads in this forum about that. I also made a Scripter which has many more features. The OS module is broken, but yes, it can be fixed by just editing it with Jython.

arty-fishL
12-06-2010, 11:50 AM
Also, you don't need this:
#!/usr/bin/python
Alice doesn't care.
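
A defender-side check for the behaviour described in the first post, added here as an example that is not part of the thread or of Alice itself: it lists every `script.py` inside a world file and reports identifiers that reach the operating system or file system, so a downloaded world can be reviewed before anyone presses "Play". It assumes a .a2w file is a ZIP container; the `RISKY_NAMES` list, the function names and the sample archives are constructed for illustration.

```python
import ast
import io
import re
import zipfile

# Identifiers that warrant manual review in an embedded world script (constructed list).
RISKY_NAMES = {"os", "sys", "subprocess", "java", "open", "file",
               "eval", "exec", "execfile", "compile", "__import__"}

def embedded_scripts(a2w_bytes):
    """Yield (member_name, source) for each script.py in the archive (assumed ZIP)."""
    with zipfile.ZipFile(io.BytesIO(a2w_bytes)) as zf:
        for name in zf.namelist():
            if name.rsplit("/", 1)[-1].lower() == "script.py":
                yield name, zf.read(name).decode("utf-8", "replace")

def risky_identifiers(source):
    """Return the sorted RISKY_NAMES that the script imports or references."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        # Jython 2.x syntax (e.g. print statements) does not parse under
        # Python 3, so fall back to a plain identifier scan.
        return sorted(set(re.findall(r"[A-Za-z_]\w*", source)) & RISKY_NAMES)
    found = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            found.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom):
            found.add((node.module or "").split(".")[0])
        elif isinstance(node, ast.Name):
            found.add(node.id)
    return sorted(found & RISKY_NAMES)

def scan_world(a2w_bytes):
    """Map each embedded script to the risky identifiers it uses; {} means none."""
    hits = ((name, risky_identifiers(src)) for name, src in embedded_scripts(a2w_bytes))
    return {name: names for name, names in hits if names}

def make_sample_world(script_source):
    """Build a constructed in-memory archive standing in for a .a2w file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("world.xml", "<world/>")  # placeholder member, constructed
        zf.writestr("script.py", script_source)
    return buf.getvalue()

if __name__ == "__main__":
    for src in ("# no code\n", "import os\nprint os.getcwd()\n"):
        print(scan_world(make_sample_world(src)))
```

A non-empty result means the world carries script code that touches more than Alice's own objects and should be read by hand before the world is opened.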