This raises the question: can we find a config entry to execute that is also exploitable? To qualify, a config entry needs to satisfy all of the following:
- The config is Text or an Array of Text
- The text is compilable SQF
- The SQF code executed contains some method of arbitrary execution
I quickly created a script to scan the config for entries that could satisfy these items. Sadly, I lost the code, but I saved the data I dumped. Here is the raw dump from the config of possibly exploitable config entries: http://haste.lystic.net/tasilatiku.pl.
All of these options execute some function or variable. Now, I need to see if any of these functions have exploits, or if any of these variables are undefined. Luckily, there is one that stands out due to the large number of config entries it was contained in.
configFile >> "RscHCWPSpeedMode" >> "items" >> "Full" >> "Params" >> "expression"
This config entry contains an arbitrary execution: BIS_HC_path_menu is not defined.
This worked! Our code is executed! Sweet. Now we need to find a way to use this vulnerability to execute SQF code.