Cycu

1 Follower

About Cycu

Information

  • Gender
    Male
  • Country
    Poland
  • Nationality
    Polish

Recent Profile Visitors

3519 profile views

Hi!

TL;DR: Rodnia has an RCE (Remote Code Execution) that allows the attacker to run malicious code on the target's PC simply by clicking an item in chat/private message.

Part 1

I wanted to check how the link system works on this server, so I ended up intercepting a random chat message containing a link from YouTube.

    |Lro|l |empire|c| |Hmsg:redacted|hredacted|h : Live |cFF00C0FC|h|Hweb:httpsXxXwww.youtube.com/watch?v=redacted|hhttps://www.youtube.com/watch?v=redacted|h|r

It can be concluded that there is a new hyperlink with the code "web", that also contains a link with "://" changed to "XxX". So it's time to replace the link from YouTube with our own link.

How To Part Removed by ASIKOO

Surprisingly there is no link whitelist, so it works without any issues. Time to look at their code.

Part 2

This code appeared and I thought "tragedy". No regex checking links and other stuff. Immediately a light bulb turned on inside my head. I've also noticed that there is a "sysweb" type and decided to check it first, as it didn't require link entry confirmation.

How To Part Removed by ASIKOO

What do you think? Did it work? Did the server check if the client can send hyperlinks with the "sysweb" type meant for server messages? Well... no.

Part 3

It's time to play with the os.system function. According to the documentation, this function allows you to invoke a command in a shell directly from Python. So let's try to run a calculator.

How To Part Removed by ASIKOO

No surprise, but what else can we do then? Well, my dear... everything. We can literally run any command with administrator privileges.

https://medium.com/@Proclus/reverse-bind-shells-for-everyoned-e7507853bf4e

Part 4

I decided to check if I can chat with a hyperlink resembling an item that would be performed by RCE by clicking on it. So I sent the following message to chat, being sure that it would work.

How To Part Removed by ASIKOO

I was not wrong. It was only at this point that I realized that it was a lethal weapon that could do a lot of harm.

[Video]

Conclusion

This "small" error could lead to a mass takeover of PCs, as surely many people would click on "Sell [Sword+9] 999% average damage from GM". I hope that servers with similar systems will carefully check their code and will remember about such threats in the future. (Rodnia administration was informed about this in advance and they fixed this bug.)
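The post names three missing server-side checks: no whitelist for link targets, no regex validation of the link payload, and no check that a client is allowed to use the "sysweb" type reserved for server messages. The validator below is an added example, written by the editor and not code from the post or from the Rodnia server; it assumes the token layout `|H<type>:<payload>|h<label>|h` with "://" encoded as "XxX", as seen in the intercepted chat line, and the allowed types, schemes and hosts are constructed policy values for illustration. It also requires the visible label to equal the decoded target, which is what stops a link from being dressed up as an item name or GM announcement.

```python
import re
from urllib.parse import urlsplit

# Hyperlink token layout assumed from the captured chat line in the post:
#   |H<type>:<payload>|h<label>|h     with "://" in the payload encoded as "XxX"
HYPERLINK_RE = re.compile(
    r"\|H(?P<type>[A-Za-z_]+):(?P<payload>[^|]*)\|h(?P<label>[^|]*)\|h"
)

# Constructed policy for this example: clients may only send the plain "web"
# type ("sysweb" stays reserved for server messages), only https, only these hosts.
CLIENT_ALLOWED_TYPES = {"web"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"www.youtube.com", "youtube.com", "youtu.be"}


def decode_link(payload: str) -> str:
    """Undo the chat encoding: the first 'XxX' stands for '://'."""
    return payload.replace("XxX", "://", 1)


def url_is_allowed(url: str) -> bool:
    """Accept only a whitelisted scheme and host; malformed URLs are rejected."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    return parts.scheme in ALLOWED_SCHEMES and parts.hostname in ALLOWED_HOSTS


def validate_chat_message(message: str) -> tuple[bool, str]:
    """Server-side check for a client-submitted chat message.

    Returns (True, "") when every hyperlink in the message passes policy,
    otherwise (False, reason). One failing link rejects the whole message.
    """
    for match in HYPERLINK_RE.finditer(message):
        link_type = match.group("type")
        if link_type not in CLIENT_ALLOWED_TYPES:
            return False, f"client may not send hyperlink type {link_type!r}"
        url = decode_link(match.group("payload"))
        if not url_is_allowed(url):
            return False, f"link target not whitelisted: {url}"
        # The visible label must be the real target, so a link cannot be
        # disguised as an item name or a GM announcement.
        if match.group("label") != url:
            return False, "hyperlink label does not match its target"
    # Any "|H" left over after removing well-formed tokens is forged markup.
    if "|H" in HYPERLINK_RE.sub("", message):
        return False, "malformed hyperlink markup"
    return True, ""


if __name__ == "__main__":
    # Constructed sample: a whitelisted YouTube link passes, a "sysweb" token
    # from a client is refused, and an item-looking label is refused.
    samples = [
        "|Hweb:httpsXxXwww.youtube.com/watch?v=abc|hhttps://www.youtube.com/watch?v=abc|h",
        "|Hsysweb:httpsXxXwww.youtube.com/|hhttps://www.youtube.com/|h",
        "|Hweb:httpsXxXwww.youtube.com/|h[Sword+9]|h",
    ]
    for sample in samples:
        print(validate_chat_message(sample))
```

The check runs on the server before the message is broadcast; rejecting the whole message rather than stripping the bad token keeps the log entry intact for detection, and the leftover-"|H" test catches payloads that try to smuggle markup past the regex.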