This exploit leverages a custom file format (.a2w) in Alice 2.2 to execute arbitrary Python code via a bundled script. It bypasses Jython's os.system() restriction by modifying javaos.py to remove a problematic import, enabling command execution (e.g., calc.exe).
Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Alice 2.2 (Windows)
No auth needed
Prerequisites: Victim must open a malicious .a2w file · Jython installation path must be writable