Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-24567 PoC — raw_call `value=` kwargs not disabled for static and delegate calls

Source
https://github.com/brains93/CVE-2024-24567-PoC-Python
Associated Vulnerability
Title:raw_call `value=` kwargs not disabled for static and delegate calls (CVE-2024-24567)
Description:Vyper is a pythonic Smart Contract Language for the ethereum virtual machine. Vyper compiler allows passing a value in builtin raw_call even if the call is a delegatecall or a staticcall. But in the context of delegatecall and staticcall the handling of value is not possible due to the semantics of the respective opcodes, and vyper will silently ignore the value= argument. If the semantics of the EVM are unknown to the developer, he could suspect that by specifying the `value` kwarg, exactly the given amount will be sent along to the target. This vulnerability affects 0.3.10 and earlier versions.
Readme
# CVE-2024-24576-Poc-Python
A quick POC for the vulnerability disclosed here https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/

After you run the script it will ask for an arg to be passed to the BAT file. 
In the screenshot you can see that by adding " the underlying API that windows uses to call cmd can be escaped allowing for arbitrary command execution, in this case we opened calc.exe
![image](https://github.com/brains93/CVE-2024-24567-PoC-Python/assets/60553334/9401ec38-5f9a-4032-a588-4fb11d6e84b2)


Obviously this code in itself is not malicious this is just to demonstrate that even sanitized input (unless you remove all "s) if it is calling a BAT file could be abused in this way possibly affecting public facing web applications 

Video walkthrough https://youtu.be/xjL4pdf7pJ0

WIP
There are other languages marked as having the same issues. I have tested Ruby but it seems unaffected I will be testing more to see where any issues lie

Golang code still to be tested. 
Ruby code seems unaffected by the same exploit path

Credit: 
* @Frostb1te for Rust POC https://github.com/frostb1ten/CVE-2024-24576-PoC
* RyotaK Initial Disclosure
File Snapshot

 [4.0K]  /data/pocs/2afdeda8ce877812438a0f5d19652faa6328c688
├── [ 513]  24576.go
├── [ 478]  24576.py
├── [ 416]  24576.rb
├── [1.2K]  README.md
└── [  37]  test.bat

0 directories, 5 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →