Browse Source

Merged in Lyrositor/cwe-ou/exploit-fix (pull request #24)

Fix remote code execution through Python.Cheat and Python.RunFile

An exploit fixed by boq. Original pull request: https://github.com/H-uru/Plasma/pull/218
This somewhat modifies the syntax used for running Python.Cheat; it's still easier to use it directly in Python, though.
lostlogins
Christian Walther 12 years ago
parent
commit
499432b4f0
  1. 50
      MOULOpenSourceClientPlugin/Plasma20/Sources/Plasma/FeatureLib/pfConsole/pfConsoleCommands.cpp
  2. 88
      MOULOpenSourceClientPlugin/Plasma20/Sources/Plasma/FeatureLib/pfPython/cyPythonInterface.cpp
  3. 8
      MOULOpenSourceClientPlugin/Plasma20/Sources/Plasma/FeatureLib/pfPython/cyPythonInterface.h

50
MOULOpenSourceClientPlugin/Plasma20/Sources/Plasma/FeatureLib/pfConsole/pfConsoleCommands.cpp

@ -7001,38 +7001,6 @@ PF_CONSOLE_CMD( KI, // Group name
PF_CONSOLE_GROUP( Python ) // Defines a main command group
PF_CONSOLE_CMD( Python, // Group name
RunFile, // Function name
"string filename", // Params
"Run the specified Python file program" ) // Help string
{
// now evaluate this mess they made
PyObject* mymod = PythonInterface::FindModule("__main__");
// make sure the filename doesn't have the .py extension (import doesn't need it)
char importname[200];
int i;
for (i=0; i<199; i++ )
{
char ch = ((const char*)params[0])[i];
// if we are at the end of the string or at a dot, truncate here
if ( ch == '.' || ch == 0 )
break;
else
importname[i] = ((const char*)params[0])[i];
}
importname[i] = 0;
// create the line to execute the file
char runline[256];
sprintf(runline,"import %s", importname);
PythonInterface::RunString(runline,mymod);
std::string output;
// get the messages
PythonInterface::getOutputAndReset(&output);
PrintString(output.c_str());
}
#include "../pfPython/cyMisc.h"
PF_CONSOLE_CMD( Python, // Group name
@ -7074,16 +7042,18 @@ PF_CONSOLE_CMD( Python,
"string functions, ...", // Params
"Run a cheat command" )
{
const char* extraParms = "";
std::string extraParms;
if (numParams > 1)
extraParms = params[1];
// now evaluate this mess they made
PyObject* mymod = PythonInterface::FindModule("__main__");
{
extraParms = "(";
extraParms.append(params[1]);
extraParms.append(",)");
}
else
extraParms = "()";
PythonInterface::RunFunctionSafe("xCheat", params[0], extraParms.c_str());
// create the line to execute the file
char runline[256];
sprintf(runline,"import xCheat;xCheat.%s('%s')", (const char*)params[0],extraParms);
PythonInterface::RunString(runline,mymod);
std::string output;
// get the messages
PythonInterface::getOutputAndReset(&output);

88
MOULOpenSourceClientPlugin/Plasma20/Sources/Plasma/FeatureLib/pfPython/cyPythonInterface.cpp

@ -1718,6 +1718,20 @@ void PythonInterface::WriteToStdErr(const char* text)
}
}
PyObject* PythonInterface::ImportModule(const char* module)
{
PyObject* result = nil;
PyObject* name = PyString_FromString(module);
if (name != nil)
{
result = PyImport_Import(name);
Py_DECREF(name);
}
return result;
}
/////////////////////////////////////////////////////////////////////////////
//
// Function : FindModule
@ -2061,6 +2075,78 @@ hsBool PythonInterface::RunPYC(PyObject* code, PyObject* module)
return true;
}
/////////////////////////////////////////////////////////////////////////////
//
// Function : RunFunction
// PARAMETERS : module - module name to run 'name' in
// : name - name of function
// : args - tuple with arguments
//
//
PyObject* PythonInterface::RunFunction(PyObject* module, const char* name, PyObject* args)
{
if (module == NULL)
return NULL;
PyObject* function = PyObject_GetAttrString(module, const_cast<char*>(name));
PyObject* result = NULL;
if (function != nil)
{
result = PyObject_Call(function, args, NULL);
Py_DECREF(function);
}
return result;
}
PyObject* PythonInterface::ParseArgs(const char* args)
{
PyObject* result = NULL;
PyObject* scope = PyDict_New();
if (scope)
{
//- Py_eval_input makes this function accept only single expresion (not statement)
//- When using empty scope, functions and classes like 'file' or '__import__' are not visible
result = PyRun_String(args, Py_eval_input, scope, NULL);
Py_DECREF(scope);
}
return result;
}
bool PythonInterface::RunFunctionSafe(const char* module, const char* function, const char* args)
{
PyObject* moduleObj = ImportModule(module);
bool result = false;
if (moduleObj)
{
PyObject* argsObj = ParseArgs(args);
if (argsObj)
{
PyObject* callResult = RunFunction(moduleObj, function, argsObj);
if (callResult)
{
result = true;
Py_DECREF(callResult);
}
Py_DECREF(argsObj);
}
Py_DECREF(moduleObj);
}
if (!result)
{
PyErr_Print();
if (Py_FlushLine())
PyErr_Clear();
}
return result;
}
/////////////////////////////////////////////////////////////////////////////
//
// Function : GetpyKeyFromPython
@ -2073,4 +2159,4 @@ pyKey* PythonInterface::GetpyKeyFromPython(PyObject* pkey)
if (!pyKey::Check(pkey))
return nil;
return pyKey::ConvertFrom(pkey);
}
}

8
MOULOpenSourceClientPlugin/Plasma20/Sources/Plasma/FeatureLib/pfPython/cyPythonInterface.h

@ -138,6 +138,8 @@ public:
// Writes 'text' to stderr specified in the python interface
static void WriteToStdErr(const char* text);
static PyObject* ImportModule(const char* module);
// Find module. If it doesn't exist then don't create, return nil.
static PyObject* FindModule(char* module);
@ -219,6 +221,12 @@ public:
//
static hsBool RunPYC(PyObject* code, PyObject* module);
static PyObject* RunFunction(PyObject* module, const char* name, PyObject* args);
static PyObject* ParseArgs(const char* args);
static bool RunFunctionSafe(const char* module, const char* function, const char* args);
/////////////////////////////////////////////////////////////////////////////
//
// Function : GetpyKeyFromPython

Loading…
Cancel
Save