Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Arbitrary Command Execution in Windows and Unix Shells.

From: Bob Beck <beck () ualberta ca>
Date: Fri, 22 Aug 2008 10:43:01 -0600
Stupidity + Copy and Paste Considered Harmful



4. EXPLOIT

Copy-and-paste these examples into separate files:

    ;xclock
    vim: set iskeyword=;,@

Place your cursor on ``xclock'', and press K.  xclock appears.

    ;date>>pwned
    vim: set iskeyword=1-255

Place your cursor on ``date'' and press K.  File ``pwned'' is created in
the current working directory.

Please note: If modeline processing is disabled, set the 'iskeyword'
option manually.

See the thread on the Vim Developers' mailing list for some other
examples[2].


(yes indeed, vim doesn't completely sanitize it's input)

EXPLOIT:

echo '1 b3 1ee7' >> pwned

Copy and paste the above line into a unix shell or windows cmd window. File pwned is
created. Note, if the windowing system is not started, type the above command in
manually.

IMPACT:

 I can create this file and mail it to ANYONE! ZOMG!  Someone get me
Kaminsky's slide templates so I can get the PR machine going for this
discovery. 

And I thought XSS stuff was lame. Sheesh.

--
#!/usr/bin/perl
if ((not 0 && not 1) !=  (! 0 && ! 1)) {
   print "Larry and Tom must smoke some really primo stuff...\n"; 
}



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: