Merged in Lyrositor/cwe-ou/exploit-fix (pull request #24)

Fix remote code execution through Python.Cheat and Python.RunFile

An exploit fixed by boq. Original pull request: https://github.com/H-uru/Plasma/pull/218
This somewhat modifies the syntax used for running Python.Cheat; it's still easier to use it directly in Python, though.

MOULOpenSourceClientPlugin/Plasma20/Sources/Plasma/FeatureLib/pfConsole/pfConsoleCommands.cpp

@@ -7001,38 +7001,6 @@ PF_CONSOLE_CMD( KI,								// Group name
 
 PF_CONSOLE_GROUP( Python ) // Defines a main command group
 
-PF_CONSOLE_CMD( Python,							// Group name
-				RunFile,							// Function name
-				"string filename",					// Params
-				"Run the specified Python file program" )		// Help string
-{
-	// now evaluate this mess they made
-	PyObject* mymod = PythonInterface::FindModule("__main__");
-	// make sure the filename doesn't have the .py extension (import doesn't need it)
-	char importname[200];
-	int i;
-	for (i=0; i<199; i++ )
-	{
-		char ch = ((const char*)params[0])[i];
-		// if we are at the end of the string or at a dot, truncate here
-		if ( ch == '.' || ch == 0 )
-			break;
-		else
-			importname[i] = ((const char*)params[0])[i];
-	}
-	importname[i] = 0;
-
-	// create the line to execute the file
-	char runline[256];
-	sprintf(runline,"import %s", importname);
-	PythonInterface::RunString(runline,mymod);
-	std::string output;
-	// get the messages
-	PythonInterface::getOutputAndReset(&output);
-	PrintString(output.c_str());
-}
-
-
 #include "../pfPython/cyMisc.h"
 
 PF_CONSOLE_CMD( Python,							// Group name
@@ -7074,16 +7042,18 @@ PF_CONSOLE_CMD( Python,
 				"string functions, ...",	// Params
 				"Run a cheat command" )
 {
-	const char* extraParms = "";
+	std::string extraParms;
 	if (numParams > 1)
-		extraParms = params[1];
+	{
-	// now evaluate this mess they made
+		extraParms = "(";
-	PyObject* mymod = PythonInterface::FindModule("__main__");
+		extraParms.append(params[1]);
+		extraParms.append(",)");
+	}
+	else
+		extraParms = "()";
+
+	PythonInterface::RunFunctionSafe("xCheat", params[0], extraParms.c_str());
 
-	// create the line to execute the file
-	char runline[256];
-	sprintf(runline,"import xCheat;xCheat.%s('%s')", (const char*)params[0],extraParms);
-	PythonInterface::RunString(runline,mymod);
 	std::string output;
 	// get the messages
 	PythonInterface::getOutputAndReset(&output);

MOULOpenSourceClientPlugin/Plasma20/Sources/Plasma/FeatureLib/pfPython/cyPythonInterface.cpp

@@ -1718,6 +1718,20 @@ void PythonInterface::WriteToStdErr(const char* text)
 	}
 }
 
+PyObject* PythonInterface::ImportModule(const char* module) 
+{
+	PyObject* result = nil;
+	PyObject* name = PyString_FromString(module);
+
+	if (name != nil) 
+	{
+		result = PyImport_Import(name);
+		Py_DECREF(name);
+	}
+
+	return result;
+}
+
 /////////////////////////////////////////////////////////////////////////////
 //
 //  Function   : FindModule
@@ -2061,6 +2075,78 @@ hsBool PythonInterface::RunPYC(PyObject* code, PyObject* module)
 	return true;
 }
 
+/////////////////////////////////////////////////////////////////////////////
+//
+//  Function   : RunFunction
+//  PARAMETERS : module - module name to run 'name' in
+//             : name - name of function
+//             : args - tuple with arguments
+//
+//
+PyObject* PythonInterface::RunFunction(PyObject* module, const char* name, PyObject* args)
+{
+	if (module == NULL)
+		return NULL;
+
+	PyObject* function = PyObject_GetAttrString(module, const_cast<char*>(name));
+
+	PyObject* result = NULL;
+	if (function != nil) 
+	{
+		result = PyObject_Call(function, args, NULL);
+		Py_DECREF(function);
+	}
+
+	return result;
+}
+
+PyObject* PythonInterface::ParseArgs(const char* args)
+{
+	PyObject* result = NULL;
+	PyObject* scope = PyDict_New();
+	if (scope) 
+	{
+		//- Py_eval_input makes this function accept only single expresion (not statement)
+		//- When using empty scope, functions and classes like 'file' or '__import__' are not visible
+		result = PyRun_String(args, Py_eval_input, scope, NULL);
+		Py_DECREF(scope);
+	}
+   
+	return result;
+}
+
+bool PythonInterface::RunFunctionSafe(const char* module, const char* function, const char* args) 
+{
+	PyObject* moduleObj = ImportModule(module);
+	bool result = false;
+	if (moduleObj) 
+	{
+		PyObject* argsObj = ParseArgs(args);
+		if (argsObj) 
+		{
+			PyObject* callResult = RunFunction(moduleObj, function, argsObj);
+			if (callResult) 
+			{
+				result = true;
+				Py_DECREF(callResult);
+			}
+
+			Py_DECREF(argsObj);
+		}
+		Py_DECREF(moduleObj);
+	}
+
+	if (!result)
+	{
+		PyErr_Print();
+
+		if (Py_FlushLine())
+			PyErr_Clear();
+	}
+
+	return result;
+}
+
 /////////////////////////////////////////////////////////////////////////////
 //
 //  Function   : GetpyKeyFromPython
@@ -2073,4 +2159,4 @@ pyKey* PythonInterface::GetpyKeyFromPython(PyObject* pkey)
 	if (!pyKey::Check(pkey))
 		return nil;
 	return pyKey::ConvertFrom(pkey);
-}
+}

MOULOpenSourceClientPlugin/Plasma20/Sources/Plasma/FeatureLib/pfPython/cyPythonInterface.h

@@ -138,6 +138,8 @@ public:
 	// Writes 'text' to stderr specified in the python interface
 	static void WriteToStdErr(const char* text);
 
+	static PyObject* ImportModule(const char* module);
+
 	// Find module. If it doesn't exist then don't create, return nil.
 	static PyObject* FindModule(char* module);
 
@@ -219,6 +221,12 @@ public:
 	//
 	static hsBool RunPYC(PyObject* code, PyObject* module);
 
+	static PyObject* RunFunction(PyObject* module, const char* name, PyObject* args);
+
+	static PyObject* ParseArgs(const char* args);
+
+	static bool RunFunctionSafe(const char* module, const char* function, const char* args);
+
 	/////////////////////////////////////////////////////////////////////////////
 	//
 	//  Function   : GetpyKeyFromPython