What is the exploit?
In CPythonLauncher::RunMemoryTextFile a string is used to compile c_pcFileData, so the exploit starts here:
"exec(compile("
Hackers can easily search for the string in memory & compile scripts using the memory adress of c_pcFileData
This looks like an intentional backdoor left by one of the game devs or maybe even the leaker of the files "Rain"
Why?
It's hard to believe anyone would trouble to concatenate so many strings instead of just using Py_CompileString
If you pay attention the rest of the code is fine and uses the python api instead of some weird shells
Seems like there are still many exploits in m2
Hope you learned something new today, now here is the fix you paid for:
//ScriptLib/PythonLauncher.cpp search for:
bool CPythonLauncher::RunMemoryTextFile(const char* c_szFileName, UINT uFileSize, const VOID* c_pvFileData)
//replace with this:
bool CPythonLauncher::RunMemoryTextFile(const char* c_szFileName, UINT uFileSize, const VOID* c_pvFileData)
{
const CHAR* c_pcFileData = (const CHAR*)c_pvFileData;
std::string stConvFileData;
stConvFileData.reserve(uFileSize);
for (UINT i = 0; i < uFileSize; ++i)
{
if (c_pcFileData[i] != 13)
stConvFileData += c_pcFileData[i];
}
const CHAR* c_pcConvFileData = stConvFileData.c_str();
PyObject* pCompiledCode = Py_CompileString(c_pcConvFileData, c_szFileName, Py_file_input);//fix
if (!pCompiledCode)
return false;
PyObject* pResult = PyEval_EvalCode((PyCodeObject*)pCompiledCode, m_poDic, m_poDic);
Py_DECREF(pCompiledCode);//ref c
if (!pResult)
return false;
Py_DECREF(pResult);
if (Py_FlushLine())
PyErr_Clear();
return true;
}