Exploit for OS Command Injection in Cacti CVE-2022-46169

## https://sploitus.com/exploit?id=826AFADF-3EC2-57A3-BEF5-BEDE65478290
# CVE-2022-46169 Reproduction Template

## Project Structure
- `cve-repro/`: Rust PoC code (Cargo project).
- `docs/`: Reports, notes.
- `isos/`: ISOs, assets.

## Overview

This is a minimal Rust project to reproduce CVE-2022-46169, a use-after-free in `std::path::Path::strip_prefix()` on 32-bit platforms.

## Reproduction Steps

### 1. Install Rust Nightly (vulnerable version)
```
rustup install nightly-2022-11-15  # or earlier pre-1.66.0
rustup default nightly-2022-11-15
rustup target add i686-pc-windows-msvc  # or i686-unknown-linux-gnu for Linux
```

### 2. Build PoC for vulnerable target
```
cargo +nightly build --target i686-pc-windows-msvc --bin poc
```

### 3. Run
```
cargo +nightly run --target i686-pc-windows-msvc --bin poc
```
Expected: Crash/UB (double-free panic or segfault) due to UAF in strip_prefix iteration.

## Vulnerable Conditions
- Rust nightly before patch (1.66.0 fixes it).
- 32-bit target (pointer size dependent).
- Specific Path with multiple `..` components.

## Fixed Version Test
Switch to stable:
```
rustup default stable
cargo run
```
No crash.

See [Rust Advisory RSA-2022-0041](https://rust-lang.github.io/security-advisory/RSA-2022-0041.html) for details.