Description
Environment
- Windows 7 x64
- radare2 version: built with debug su
radare2 3.1.0-git 19775 @ windows-x86-64 git.3.0.1-19-g92982e44f
commit: 92982e44f8cd4a1908829200787d6a6ca50929bb build: 23.10.2018__22:56:48,08
Story
While working on a new sample, I was writing a script for decoding embedded strings. It gets the pointers, reads the encrypted string, deciphers it and adds a comment at the place where the string is. The script looks like the following:
import traceback
import r2pipe

# decrypt_str() is the sample-specific decryption routine and is not shown here
r2 = r2pipe.open(r'path-to-a-binary')
ea = 0x14002a1f0      # start of the table of string pointers
end_ea = 0x14002ae10  # end of the table
while ea < end_ea:
    va = r2.cmdj('pxqj 8 @ 0x%x' % ea)  # read qword of string pointer
    if not va:
        break
    va = va[0]
    s = r2.cmd('px0 @ 0x%x' % va)  # hexpairs up to the NUL; should be optimized, in case there is 2GB string :)
    if not s:
        break
    s = bytes.fromhex(s) + b'==='
    if not s:
        print('- cannot get str at %08x' % ea)
        break
    try:
        print('trying to decrypt: %08x' % va)
        decr = decrypt_str(s)
        print('%08x: "%r"' % (va, decr.decode('utf8')))
        r2.cmd('CCa 0x%x "%s"' % (va, decr.decode('utf8')))  # <<< problem command
    except Exception:
        print('cannot decode string at %08x "%s": %s' % (va, s, traceback.format_exc()))
    ea += 8
While running this script I got an assertion failure:
That was strange, because the stack trace showed that this code is inside reading from the console:
Digging deeper into this, I realized that some of the comments which were passed to the CCa command had \n inside. That means the comment string was split by radare2 at \n and the remainder was interpreted as a separate command. The following code confirmed my thoughts:
the string after \n is lol, and it was interpreted by radare2 as the list files and directories command.
This means that if a user automatically decrypts strings and stores them as comments, they can accidentally run a valid radare2 command and pwn themselves: whatever follows a newline in the decrypted data reaches the command parser unchanged. For example, such text could write some shellcode and execute it, or spawn a shell command.
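As an added example (not part of the original report or of radare2 itself), the following shows the failure mode above and one way a script author can defend against it while the CCa behaviour is what it is. The unsafe builder is the command exactly as the script constructs it; as_seen_by_r2() is a simplified model of the transport, assuming that r2 reads the r2pipe stream line by line, so every newline inside the command text starts a new command; sanitize_comment() turns control characters and double quotes into printable escapes before the text is interpolated. The sample "decrypted" string is constructed for the demonstration.

```python
import re

# Bytes that can change how the line carrying the comment is parsed:
# NUL and other control characters (newline and CR end the command as read
# from the r2pipe stream, which is the bug in this issue) and the double
# quote, which closes the quoted argument. The set is a conservative choice.
_BREAKERS = re.compile(r'[\x00-\x1f\x7f"]')


def unsafe_cca(addr, text):
    """The command built exactly as the script in the issue builds it."""
    return 'CCa 0x%x "%s"' % (addr, text)


def as_seen_by_r2(cmd):
    """Simplified model of the transport (assumption): r2 consumes its
    stdin line by line, so each newline in `cmd` starts a new command."""
    return cmd.split('\n')


def sanitize_comment(text):
    """Replace every character that can break out of the quoted argument
    with a printable escape. The plaintext stays readable in the comment
    but can no longer become a second command."""
    def esc(m):
        c = m.group(0)
        return {'\n': '\\n', '\r': '\\r', '\t': '\\t', '"': "'"}.get(
            c, '\\x%02x' % ord(c))
    return _BREAKERS.sub(esc, text)


def safe_cca(addr, text):
    """Same command as unsafe_cca(), built from the sanitized text."""
    return 'CCa 0x%x "%s"' % (addr, sanitize_comment(text))


def add_comment(r2, addr, text):
    """Add `text` as a comment at `addr` through an open r2pipe handle
    (r2 = r2pipe.open(...)), escaping it first."""
    return r2.cmd(safe_cca(addr, text))


if __name__ == '__main__':
    # Constructed sample: a decrypted string carrying a newline, as some of
    # the strings in the issue did.
    decrypted = 'foo\nlol'
    print(as_seen_by_r2(unsafe_cca(0x14002a1f0, decrypted)))
    print(as_seen_by_r2(safe_cca(0x14002a1f0, decrypted)))
```

With the unsafe builder the model yields two commands, the second being everything after the newline (here starting with lol), which is exactly what the report describes; with the sanitized builder the whole comment stays on one line. Escaping rather than silently dropping the characters keeps the decrypted content auditable in the comment.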