It describes what an attacker can make a binary vulnerable to the WorstFit attack do, which can include one or more of the following:
The WorstFit attack is capable of executing code.
The WorstFit attack is capable of sending NTLM authentication requests to a malicious actor.
This WorstFit attack can be used to exploit path confusion (path traversal / directory traversal / filename spoofing etc.) vulnerabilities.
This WorstFit attack can be used to read and/or write files.
It refers to the specific attack tricks or scenarios required to achieve the primitives listed above.
With the argument splitting technique, the attacker can split one argument into multiple arguments. This can be used to bypass command line argument escaping and achieve arbitrary argument injection.
For codepages 125x and 874, we can usually use U+FF02 (FULLWIDTH QUOTATION MARK) to split arguments, since Best-Fit maps it to an ASCII double quote after the argument has already been escaped:
subprocess.run(['program.exe', 'foo＂ inject ＂bar'])
--> arg[1]=foo arg[2]=inject arg[3]=bar
For codepages 932 (Japanese) and 949 (Korean), we can use the Yen Sign (¥, U+00A5) and the Won Sign (₩, U+20A9) respectively to split arguments, since both are Best-Fit mapped to a backslash, which then cancels the escaping of the following quote:
subprocess.run(['program.exe', 'foo¥" bar'])
--> arg[1]=foo\ arg[2]=bar
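As an added example (not code from the WorstFit research or its tooling), the Python model below replays the round trip behind both splitting cases above: subprocess's list2cmdline escaping, a Best-Fit conversion built only from the three characters named on this page (an assumption; real codepage tables are much larger), and the C runtime's command-line splitting. survives_best_fit() is the defensive check a caller can apply before spawning a process: it reports whether the argument list would reach the child unchanged.

```python
import subprocess
# Constructed Best-Fit table with only the mappings this page names (assumptions);
# real tables are per-codepage and far larger.
BEST_FIT = {
    "\uff02": '"',   # FULLWIDTH QUOTATION MARK -> "  (codepages 125x, 874)
    "\u00a5": "\\",  # YEN SIGN -> \                (codepage 932)
    "\u20a9": "\\",  # WON SIGN -> \                (codepage 949)
}
def best_fit(cmdline: str) -> str:
    """Model the lossy UTF-16 -> ANSI conversion a narrow (A) entry point sees."""
    return "".join(BEST_FIT.get(ch, ch) for ch in cmdline)

def win_argv(cmdline: str) -> list:
    """MSVC CRT splitting: whitespace separates args, '"' toggles quoted mode,
    2n backslashes + '"' -> n backslashes, 2n+1 + '"' -> n backslashes + '"'."""
    args, cur, have_arg, in_quotes, i, n = [], [], False, False, 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            nbs = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (nbs // 2))
                if nbs % 2:              # odd count: the quote is literal
                    cur.append('"')
                    j += 1
            else:
                cur.append("\\" * nbs)   # backslashes not before a quote are literal
            i, have_arg = j, True
        elif ch == '"':
            in_quotes, have_arg, i = not in_quotes, True, i + 1
        elif ch in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
            cur, have_arg, i = [], False, i + 1
        else:
            cur.append(ch)
            have_arg, i = True, i + 1
    if have_arg:
        args.append("".join(cur))
    return args
def received_argv(argv: list) -> list:
    """argv as the child sees it: list2cmdline escaping, Best-Fit, CRT splitting."""
    return win_argv(best_fit(subprocess.list2cmdline(argv)))

def survives_best_fit(argv: list) -> bool:
    """Defensive check: True only when every argument reaches the child unchanged."""
    return received_argv(argv) == argv
```

An ASCII double quote in an argument is escaped correctly and survives; only the characters that Best-Fit rewrites after escaping cause the split.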
When a file is opened with the vulnerable application, the attacker can inject arbitrary arguments into its command line. This is similar to the argument splitting technique, but specific to the open-with context, and usually cannot be used under codepages 932 and 949.