Module: github.com/magisterquis/filewriteexploitsimulator
Version: 0.0.0-20240603193011-bc89e634fa32
Repository: https://github.com/magisterquis/filewriteexploitsimulator.git
Documentation: pkg.go.dev

# README

File Write Exploit Simulator

Simulates an arbitrary file write exploit. Written to demonstrate how being able to stick arbitrary data in arbitrary files is one step away from code execution.

Very much not production-quality code. Don't run this unless you know exactly what you're doing. Put it nowhere near the internet.

For legal use only.

Features

  • Arbitrary file write
  • Arbitrary file read
  • JSON logging
  • Optional required HTTP basic auth
  • Logged creds
  • Questionable code quality
  • TLS with a self-signed certificate
  • Optional not-TLS

Quickstart

Make sure to have the Go compiler installed.

  1. Download and build
    go install github.com/magisterquis/filewriteexploitsimulator@latest
    
  2. Start serving
    filewriteexploitsimulator -write-root / -basic-auth kittens:zoomies
    
    There'll be a log line with the TLS fingerprint, something like
    {"time":"2024-04-18T00:46:17.41510871+02:00","level":"INFO","msg":"Starting HTTPS server","address":"0.0.0.0:4433","tls_fingerprint":"9nkpEPFYzXMxoVTGImPROp+qkk+B1QQIut2jX4qohgY="}
    
  3. Send someone a cURL command
    curl -u kittens:zoomies -svk --pinnedpubkey sha256//9nkpEPFYzXMxoVTGImPROp+qkk+B1QQIut2jX4qohgY= https://10.2.0.2:4433
    

Usage

Usage: filewriteexploitsimulator [options]

Simulates an arbitrary file write exploit.  Not safe.

Options:
  -basic-auth username:password
    	If set, required basic auth username:password
  -debug
    	Enable debug logging
  -listen address
    	Listen address (default "0.0.0.0:4433")
  -log logfile
    	Optional logfile
  -no-tls
    	Serve HTTP, not HTTPS
  -perms mode
    	Octal file mode, for file creation (default "0644")
  -read-root directory
    	Root directory for file reads (default "/")
  -request-timeout duration
    	Maximum HTTP request duration (default 10m0s)
  -server-header header
    	HTTP Server header (default "filewriteexploitsimulator v0.0.0")
  -write-root directory
    	Root directory for file writes

Arbitrary Read

Anything under the directory specified with -read-root (by default /) may be read by passing the path to a file or directory as the path of a GET request.

Arbitrary Write

If -write-root is set to a directory, files under that directory may be written with a POST request. Missing directories won't be created.

For a true exploit simulation, run as root with -write-root /.
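The read and write roots above are the whole access-control story for this tool, so the natural thing to look at is how a server confines a request path to a root at all. The following is an added example written for this page, not the project's own code: `ResolveUnderRoot`, `ParsePerms`, `ReadUnderRoot` and `WriteUnderRoot` are hypothetical helper names, and the scratch directory in `main` is constructed for the demo. It mirrors the page's behaviour (reads and writes below a root, missing directories are not created, `-perms` is an octal string) and adds the `filepath.Rel` check that rejects `..` escapes.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// ErrOutsideRoot is returned when a request path would resolve outside the root.
var ErrOutsideRoot = errors.New("path escapes root directory")

// ResolveUnderRoot maps the path component of a request (already URL-decoded,
// as net/http leaves it in r.URL.Path) onto a filesystem path below root.
// ".." segments are collapsed by filepath.Join; the filepath.Rel check then
// rejects anything that still lies outside root. Hypothetical helper name.
func ResolveUnderRoot(root, reqPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	target := filepath.Join(absRoot, filepath.FromSlash(reqPath))
	rel, err := filepath.Rel(absRoot, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	// Symlinks inside root can still point outside it; a server that cares
	// should also pass target through filepath.EvalSymlinks and re-check.
	return target, nil
}

// ParsePerms converts a -perms style octal string such as "0644" to an os.FileMode.
func ParsePerms(mode string) (os.FileMode, error) {
	n, err := strconv.ParseUint(mode, 8, 32)
	if err != nil {
		return 0, fmt.Errorf("bad octal mode %q: %w", mode, err)
	}
	return os.FileMode(n), nil
}

// ReadUnderRoot is the "arbitrary read" half: any file below root.
func ReadUnderRoot(root, reqPath string) ([]byte, error) {
	target, err := ResolveUnderRoot(root, reqPath)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(target)
}

// WriteUnderRoot is the "arbitrary write" half. As with the tool on this
// page, missing directories are not created: os.WriteFile fails instead.
func WriteUnderRoot(root, reqPath string, data []byte, perms os.FileMode) error {
	target, err := ResolveUnderRoot(root, reqPath)
	if err != nil {
		return err
	}
	return os.WriteFile(target, data, perms)
}

func main() {
	root, err := os.MkdirTemp("", "fwes-demo") // constructed scratch root for the demo
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	perms, _ := ParsePerms("0644")
	fmt.Println(WriteUnderRoot(root, "/hello.txt", []byte("hi\n"), perms))             // <nil>
	fmt.Println(WriteUnderRoot(root, "/no/such/dir/x", []byte("hi\n"), perms) != nil) // true
	_, err = ResolveUnderRoot(root, "/../../etc/passwd")
	fmt.Println(errors.Is(err, ErrOutsideRoot)) // true
}
```

With `-write-root /` the check is vacuous, since nothing can escape `/`; that is exactly why the page calls running as root with that setting a true exploit simulation.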

Security

In practical terms, none.

A username and password can be set with -basic-auth, but this should in no way be trusted. On the other hand, it'd probably make a pretty neat demo for a timing attack or stealing creds from logs or something.
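The timing-attack remark above comes from the way a quick demo server usually compares credentials. The following added example, written for this page and not taken from the project, puts the naive comparison (`NaiveCheck`, hypothetical name) next to a constant-time one (`Credentials.Check`), and wraps a handler the way a required `-basic-auth` would, returning 401 with a challenge and logging failures without the password. The `kittens:zoomies` pair is the one from the Quickstart; `RequireBasicAuth` and `StatusFor` are helper names assumed here.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// Credentials holds the configured -basic-auth pair as SHA-256 digests so
// that every comparison runs over fixed-length inputs.
type Credentials struct {
	user [32]byte
	pass [32]byte
}

// NewCredentials digests a username:password pair for later checks.
func NewCredentials(username, password string) Credentials {
	return Credentials{
		user: sha256.Sum256([]byte(username)),
		pass: sha256.Sum256([]byte(password)),
	}
}

// NaiveCheck is the quick-demo version: Go's string comparison stops at the
// first differing byte and && short-circuits, so response time leaks how
// much of the secret matched and which field failed. Kept only for contrast.
func NaiveCheck(cfgUser, cfgPass, user, pass string) bool {
	return user == cfgUser && pass == cfgPass
}

// Check compares both digests in constant time and always evaluates both,
// so neither the matching prefix nor the failing field shows up in timing.
func (c Credentials) Check(username, password string) bool {
	u := sha256.Sum256([]byte(username))
	p := sha256.Sum256([]byte(password))
	uOK := subtle.ConstantTimeCompare(u[:], c.user[:])
	pOK := subtle.ConstantTimeCompare(p[:], c.pass[:])
	return uOK&pOK == 1
}

// RequireBasicAuth wraps next so that requests without valid credentials get
// a 401 with a challenge. Failed attempts are logged without the password.
func RequireBasicAuth(creds Credentials, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		if !ok || !creds.Check(user, pass) {
			log.Printf("basic auth failed remote=%s username=%q", r.RemoteAddr, user)
			w.Header().Set("WWW-Authenticate", `Basic realm="filewriteexploitsimulator"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// StatusFor sends one in-memory request through h, optionally with an
// Authorization header, and returns the resulting status code.
func StatusFor(h http.Handler, user, pass string, withAuth bool) int {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	if withAuth {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	creds := NewCredentials("kittens", "zoomies") // pair from the Quickstart
	h := RequireBasicAuth(creds, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	}))
	fmt.Println(StatusFor(h, "kittens", "zoomies", true)) // 200
	fmt.Println(StatusFor(h, "kittens", "zoomie", true))  // 401
	fmt.Println(StatusFor(h, "", "", false))              // 401
}
```

Hashing before comparing is what makes the constant-time compare meaningful: `subtle.ConstantTimeCompare` returns 0 immediately when lengths differ, so comparing raw strings would still leak the secret's length.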

Network Listener

By default, TLS with a self-signed certificate is used. The certificate's fingerprint is logged with a message similar to

{
        "time":"2024-06-03T21:03:50.28970879+02:00",
        "level":"INFO",
        "msg":"Starting Server",
        "protocol":"HTTPS",
        "tls_fingerprint":"pSUroiq0g92Z3m08n7g/zPQyspRyjm2x/enFRndcdL0=",
        "address":"127.0.0.1:4433"
}

and may be used to pin the server's public key in curl with something like

curl -sk --pinnedpubkey sha256//pSUroiq0g92Z3m08n7g/zPQyspRyjm2x/enFRndcdL0= https://127.0.0.1:4433
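For curl's `--pinnedpubkey sha256//…` to accept the logged value, that value has to be the base64 SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo. The following added example, written for this page rather than taken from the project, computes that pin from a certificate, renders the curl argument, and builds a Go client `tls.Config` that does what `curl -k --pinnedpubkey` does: skip chain validation and insist on the pin. `SPKIPin`, `CurlPinArg`, `PinMatches`, `PinningClientConfig` and `NewSelfSigned` are helper names assumed here, and the self-signed P-256 certificate is generated on the spot for the demo, not by the tool's own code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SPKIPin returns base64(SHA-256(DER SubjectPublicKeyInfo)) of cert, the
// value curl expects after "sha256//".
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// CurlPinArg renders a pin as the value for curl's --pinnedpubkey option.
func CurlPinArg(pin string) string {
	return "sha256//" + pin
}

// PinMatches checks a presented leaf certificate against an expected pin.
func PinMatches(expected string, cert *x509.Certificate) bool {
	return subtle.ConstantTimeCompare([]byte(expected), []byte(SPKIPin(cert))) == 1
}

// PinningClientConfig builds a client tls.Config that, like curl -k with
// --pinnedpubkey, replaces chain and hostname validation with a check of
// the leaf certificate's SPKI hash.
func PinningClientConfig(pin string) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true, // chain/hostname checks replaced by the pin below
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			if len(rawCerts) == 0 {
				return errors.New("no peer certificate")
			}
			leaf, err := x509.ParseCertificate(rawCerts[0])
			if err != nil {
				return err
			}
			if !PinMatches(pin, leaf) {
				return fmt.Errorf("public key pin mismatch: got %s", CurlPinArg(SPKIPin(leaf)))
			}
			return nil
		},
	}
}

// NewSelfSigned generates a throwaway P-256 self-signed certificate
// (constructed for this demo, not the tool's own certificate code) and
// returns the parsed certificate together with its DER bytes.
func NewSelfSigned() (*x509.Certificate, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "filewriteexploitsimulator"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, der, nil
}

func main() {
	cert, _, err := NewSelfSigned()
	if err != nil {
		panic(err)
	}
	pin := SPKIPin(cert)
	fmt.Println("tls_fingerprint:", pin)
	fmt.Println("curl -sk --pinnedpubkey", CurlPinArg(pin), "https://127.0.0.1:4433")
}
```

Pinning the SPKI rather than the whole certificate means the pin survives re-issuing the certificate with the same key, and a client that pins this way is only as safe as the channel over which it first learned the fingerprint.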

Also by default, an IPv4 or IPv6 socket will be chosen based on the address. On Linux, even an IPv4 address may result in an IPv6 socket. To explicitly force IPv4 at compile-time, pass -ldflags '-X main.ListenNetwork=tcp4' to go build or go install.

It's also possible to listen on a Unix socket with -ldflags '-X main.ListenNetwork=unix'. Start the server with a socket path, such as -listen ./s, and connect with a curl command like curl --unix-socket ./s http://dummy/.