About Cycu

Posts: 1
Feedback: 0%
Gender: Male
Country: Poland
Nationality: Polish
Discord: kacperhl
Cycu started following Rodnia - Remote Code Execution
Hi!

TL;DR: Rodnia has an RCE (Remote Code Execution) that allows an attacker to run malicious code on the target's PC simply by clicking an item in chat/private message.

Part 1

I wanted to check how the link system works on this server, so I ended up intercepting a random chat message containing a link from YouTube:

|Lro|l |empire|c| |Hmsg:redacted|hredacted|h : Live |cFF00C0FC|h|Hweb:httpsXxXwww.youtube.com/watch?v=redacted|hhttps://www.youtube.com/watch?v=redacted|h|r

It can be concluded that there is a new hyperlink with the code "web", which also contains a link with "://" changed to "XxX". So it's time to replace the link from YouTube with our own link.

How To Part Removed by ASIKOO

Surprisingly, there is no link whitelist, so it works without any issues. Time to look at their code.

Part 2

When this code appeared, I thought "tragedy". No regex checking links or other stuff. Immediately a light bulb turned on inside my head. I also noticed that there is a "sysweb" type and decided to check it first, as it didn't require link entry confirmation.

How To Part Removed by ASIKOO

What do you think? Did it work? Did the server check if the client can send hyperlinks with the "sysweb" type meant for server messages? Well... no.

Part 3

It's time to play with the os.system function. According to the documentation, this function allows you to invoke a command in a shell directly from Python. So let's try to run a calculator.

How To Part Removed by ASIKOO

No surprise, but what else can we do then? Well, my dear... everything. We can literally run any command with administrator privileges.

https://medium.com/@Proclus/reverse-bind-shells-for-everyoned-e7507853bf4e

Part 4

I decided to check if I can chat with a hyperlink resembling an item that would trigger the RCE by clicking on it. So I sent the following message to chat, being sure that it would work.

How To Part Removed by ASIKOO

I was not wrong. It was only at this point that I realized that it was a lethal weapon that could do a lot of harm.

[Video]

Conclusion

This "small" error could lead to a mass takeover of PCs, as surely many people would click on "Sell [Sword+9] 999% average damage from GM". I hope that servers with similar systems will carefully check their code and will remember such threats in the future. (The Rodnia administration was informed about this in advance and they fixed this bug.)
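The post above shows the chat hyperlink layout (|H<type>:<payload>|h<label>|h|r, with "://" carried as "XxX"), a "sysweb" type the server did not reserve for itself, and a client that handed the decoded link to os.system. The following is an added example, not Rodnia's code and not the author's: it parses that layout, shows the shell command the unsafe pattern would build, and puts a hardened validator beside it. The host allowlist, the regexes, the function names, the "xdg-open" opener and the treatment of "sysweb" as server-only are all assumptions made for the example; only the message layout and the XxX encoding come from the intercepted line in the post.

```python
"""Chat hyperlink handling: the unsafe pattern described in the post next to a
hardened parser/validator. Names, regexes, allowlist and opener are assumptions;
only the |H<type>:<payload>|h<label>|h|r layout and the XxX encoding of "://"
come from the intercepted message quoted on the page."""
import re
from urllib.parse import urlparse

# Constructed sample: the intercepted line from the post, with the redactions kept.
INTERCEPTED = (
    "|Lro|l |empire|c| |Hmsg:redacted|hredacted|h : Live |cFF00C0FC|h"
    "|Hweb:httpsXxXwww.youtube.com/watch?v=redacted"
    "|hhttps://www.youtube.com/watch?v=redacted|h|r"
)

# |H<type>:<payload>|h<label>|h  followed by an optional |r reset code.
HYPERLINK_RE = re.compile(
    r"\|H(?P<type>[A-Za-z]+):(?P<payload>[^|]*)\|h(?P<label>[^|]*)\|h(?:\|r)?"
)

# Assumed allowlist: the only hosts a chat link may open.
ALLOWED_HOSTS = {"www.youtube.com", "youtube.com", "youtu.be"}
# Assumed policy: "sysweb" is reserved for server-generated messages.
SERVER_ONLY_TYPES = {"sysweb"}
# Tight URL shape: http(s), hostname, optional port, path without whitespace,
# quotes, pipes, '@' or shell metacharacters such as ; ` $ ( ).
URL_RE = re.compile(
    r"^https?://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~%/?=&#+-]*)?$"
)


def parse_hyperlinks(text):
    """Extract (type, payload, label) triples from one chat line."""
    return [(m["type"], m["payload"], m["label"]) for m in HYPERLINK_RE.finditer(text)]


def decode_url(payload):
    """Undo the transport encoding: the first 'XxX' stands for '://'."""
    return payload.replace("XxX", "://", 1)


def unsafe_shell_command(payload):
    """The pattern the post describes: the decoded link is concatenated into a
    shell command (os.system on the client). Returned rather than executed so the
    injection is visible: anything after '&' or ';' runs as a second command."""
    return "start " + decode_url(payload)


def validated_url(payload):
    """Return the decoded URL if it is a plain http(s) URL to an allowed host,
    otherwise None. This runs before the link is rendered or opened."""
    url = decode_url(payload)
    if not URL_RE.match(url):
        return None
    if urlparse(url).hostname not in ALLOWED_HOSTS:
        return None
    return url


def safe_open_argv(payload):
    """argv for subprocess.run(argv, shell=False): the URL is one argument and is
    never parsed by a shell. Returns None if the URL was rejected."""
    url = validated_url(payload)
    if url is None:
        return None
    return ["xdg-open", url]  # assumed opener; os.startfile(url) on Windows


def server_accepts(text, origin="client"):
    """Server-side gate for a chat line. Client-originated lines may not carry
    server-only link types, and every web-style link must pass validated_url,
    so a bad link never reaches other players' clients."""
    for ltype, payload, _label in parse_hyperlinks(text):
        if origin == "client" and ltype in SERVER_ONLY_TYPES:
            return False
        if ltype in ("web", "sysweb") and validated_url(payload) is None:
            return False
    return True
```

Two checks do the real work: the allowlist plus strict URL regex reject both the "& calc" style payload and look-alike hosts (userinfo "@" tricks never match), and building an argv list with shell=False means even an accepted URL is never interpreted by a shell. The server-side gate is the check the post says was missing: a client message that carries a "sysweb" link, or any web link that fails validation, is dropped before it is broadcast.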