Another %cmdcmdline% bug...

Discussion forum for all Windows batch related topics.

Moderator: DosItHelp

OperatorGK
Posts: 66
Joined: 13 Jan 2015 06:55

Another %cmdcmdline% bug...

#1 Post by OperatorGK » 30 Apr 2015 14:51

Hi!
I know you discovered a bug with %cmdcmdline% 2 years ago in this topic: viewtopic.php?f=3&t=4312&start=15, but I found a new one.
TL;DR: A long enough %cmdcmdline% behaves oddly with substrings.
We all know that the %cmdcmdline% size is limited, so let's prepare a space for it:

Code:

@echo off
rem #Create string long enough
set /a size=1
set s=0
:loop
rem Double both the counter and the string until the string is 2048 chars long
set /a size=size*2
set s=%s%%s%
if %size% LSS 2048 goto :loop
rem Start a new cmd.exe whose command line carries the long string
cmd /K rem %s%

This code creates a variable with a length of 2048 and starts cmd.exe with a long enough %cmdcmdline%. Long enough to double it, so enter this in the cmd window:

Code:

echo %cmdcmdline:0=11%

Now the length of %cmdcmdline% is greater than 4096. Normal variables just refuse to replace or substring them over the 8192 limit, but try entering this in the command line:

Code:

echo %cmdcmdline:1=22%

CMD.EXE freezes.

EDITED: Changed some incorrect statements.
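The following is an added example and not code from the thread. It shows the guard a script author would want before applying a replace expansion to %cmdcmdline%: measure the string first (using the well-known binary-search length routine for batch), and only perform the substitution, via delayed expansion, when the result can still fit in a normal variable (8191 characters, which the post above rounds to 8192). The doubling replace `0=00` is assumed as a stand-in for any substitution that can grow the string; the label names, `:strlen` and the variable names are this example's own.

```batch
@echo off
setlocal EnableDelayedExpansion
rem Added example, not from the thread: measure the length of %cmdcmdline%
rem before applying a replace expansion to it, and skip the expansion when
rem the result could not fit in a normal variable (8191 characters).
rem Assumption: the doubling replace "0=00" stands in for any substitution
rem that can grow the string.

call :strlen cmdcmdline len
echo Current %%cmdcmdline%% length: !len!

rem Replacing every "0" by "00" can at most double the length, so only
rem expand if twice the current length still fits in a variable.
set /a "limit=8191/2"
if !len! GTR !limit! (
    echo Length !len! exceeds !limit!; not expanding the string.
    goto :eof
)
rem Delayed expansion is essential here: a %cmdcmdline:0=00% would be
rem expanded while the line is parsed, before the IF above is evaluated.
set "doubled=!cmdcmdline:0=00!"
call :strlen doubled len2
echo Doubled length: !len2!
goto :eof

:strlen  varName  resultVar
rem Binary-search length of the string held in the variable named by %1;
rem the result is stored in the variable named by %2.
rem Quotes are replaced by a plain character first so that the substring
rem comparisons below never see an unbalanced quote.
setlocal EnableDelayedExpansion
set "s=!%~1!#"
set "s=!s:"=x!"
set "len=0"
for %%P in (4096 2048 1024 512 256 128 64 32 16 8 4 2 1) do (
    if "!s:~%%P,1!" NEQ "" (
        set /a "len+=%%P"
        set "s=!s:~%%P!"
    )
)
endlocal & set "%~2=%len%"
exit /b
```

Run it inside the cmd.exe started by the first script above and it reports the command line's length, then the length after doubling. The point of the design is the delayed-expansion form `!cmdcmdline:0=00!`: a `%cmdcmdline:0=00%` anywhere on the same line, even inside the skipped branch of the IF, would already be expanded during parsing, so a percent-style guard cannot prevent the substitution from running.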

dbenham
Expert
Posts: 2461
Joined: 12 Feb 2011 21:02
Location: United States (east coast)

Re: Another %cmdcmdline% bug...

#2 Post by dbenham » 30 Apr 2015 16:07

I'm pretty sure this is not a new bug - it is just another possible effect of buffer overrun. Once you start clobbering sensitive memory, there is no telling what might happen.


Dave Benham

OperatorGK
Posts: 66
Joined: 13 Jan 2015 06:55

Re: Another %cmdcmdline% bug...

#3 Post by OperatorGK » 01 May 2015 02:00

Does %cmdcmdline% have a pre-defined position in cmd.exe memory? If so, it is a buffer overflow vulnerability and we can change some internal cmd.exe variables with that!
