Add cmd vuln video

mCodingLLC · Apr 19, 2024 · e611b65 · e611b65
1 parent b6fe3c8
commit e611b65
Show file tree

Hide file tree

Showing 3 changed files with 67 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -12,7 +12,8 @@ James and his team are available for consulting, contracting, code reviews, and
 
 | N   | Code | Video | 
 |-----| --- |--- |
-| 137 | [src](videos/138_async_for_starlette) | [Async for loops in Python](https://youtu.be/dEZKySL3M9c) |
+| 139 | [src](videos/139_windows_cmd_vuln) | [New Windows Command Escape Vulnerability - Critical CVE ... or is it?](https://youtu.be/WNmNXc_EZdM) |
+| 138 | [src](videos/138_async_for_starlette) | [Async for loops in Python](https://youtu.be/dEZKySL3M9c) |
 | 137 | [src](videos/137_context_managers) | [The ins and outs of context managers and try-finally in Python](https://youtu.be/LBJlGwJ899Y) |
 | 136 | [src](videos/136_python_debugging) | [Python Debugging (PyCharm + VS Code)](https://youtu.be/COa-JHYuW3M) |
 | 135 | [src](videos/135_modern_logging) | [Modern Python logging](https://youtu.be/9L77QExPmI0) |

diff --git a/videos/139_windows_cmd_vuln/echo_args.bat b/videos/139_windows_cmd_vuln/echo_args.bat
@@ -0,0 +1,11 @@
+@echo off
+set index=1
+
+:loop
+if "%~1"=="" goto :end
+echo arg%index%: %1
+set /a index+=1
+shift
+goto :loop
+
+:end
diff --git a/videos/139_windows_cmd_vuln/main.py b/videos/139_windows_cmd_vuln/main.py
@@ -0,0 +1,54 @@
+import subprocess
+
+
+def teaser():
+    untrusted_input = "&calc.exe"
+    subprocess.run(["echo_args.bat", untrusted_input])
+
+
+def shell_ex():
+    subprocess.run(
+        ["python.exe", "-c", "import sys; print(sys.argv)", "&", "echo", "LOL"],
+        shell=False,
+    )
+    subprocess.run(
+        ["python.exe", "-c", "import sys; print(sys.argv)", "&", "echo", "LOL"],
+        shell=True,
+    )
+    subprocess.run(
+        ["cmd.exe", "/c", "python.exe", "-c", "import sys; print(sys.argv)", "&", "echo", "LOL"],
+        shell=False,
+    )
+
+
+def obviously_bad():
+    untrusted_input = "&calc.exe"
+    subprocess.run(["python.exe", "-m", "timeit", untrusted_input], shell=True)
+
+
+def maybe_ok():
+    untrusted_input = "&calc.exe"
+    subprocess.run(["python.exe", "-m", "timeit", untrusted_input], shell=False)
+
+
+def the_cve():
+    untrusted_input = "&calc.exe"
+    subprocess.run(["echo_args.bat", untrusted_input], shell=False)
+
+
+def literally_noone():
+    untrusted_input = "calc.exe"
+    subprocess.run(["cmd.exe", "/c",  untrusted_input], shell=False)
+
+
+def main():
+    teaser()
+    # shell_ex()
+    # obviously_bad()
+    # maybe_ok()
+    # the_cve()
+    # literally_noone()
+
+
+if __name__ == "__main__":
+    main()