A quick POC for the vulnerability disclosed here https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/
After you run the script it will ask for an arg to be passed to the BAT file.
In the screenshot you can see that by adding " the underlying API that windows uses to call cmd can be escaped allowing for arbitrary command execution, in this case we opened calc.exe
Obviously this code in itself is not malicious this is just to demonstrate that even sanitized input (unless you remove all "s) if it is calling a BAT file could be abused in this way possibly affecting public facing web applications
Video walkthrough https://youtu.be/xjL4pdf7pJ0
WIP There are other languages marked as having the same issues. I have tested Ruby but it seems unaffected I will be testing more to see where any issues lie
Golang code still to be tested. Ruby code seems unaffected by the same exploit path
Credit:
- @Frostb1te for Rust POC https://github.com/frostb1ten/CVE-2024-24576-PoC
- RyotaK Initial Disclosure