File Write Exploit Simulator
Simulates an arbitrary file write exploit. Written to demonstrate how being
able to stick arbitrary data in arbitrary files is one step away from code
execution.
Very much not production-quality code. Don't run this unless you know exactly
what you're doing. Put it nowhere near the internet.
For legal use only.
Features
- Arbitrary file write
- Arbitrary file read
- JSON logging
- Optional required HTTP basic auth
- Logged creds
- Questionable code quality
- TLS with a self-signed certificate
Quickstart
Make sure to have the Go compiler installed.
- Download and build
go install github.com/magisterquis/filewriteexploitsimulator@latest
- Start serving
filewriteexploitsimulator -write-root / -basic-auth kittens:zoomies
There'll be a log line with the TLS fingerprint, something like
{"time":"2024-04-18T00:46:17.41510871+02:00","level":"INFO","msg":"Starting HTTPS server","address":"0.0.0.0:4433","tls_fingerprint":"9nkpEPFYzXMxoVTGImPROp+qkk+B1QQIut2jX4qohgY="}
- Send someone a cURL command
curl -u kittens:zoomies -svk --pinnedpubkey sha256//9nkpEPFYzXMxoVTGImPROp+qkk+B1QQIut2jX4qohgY= https://10.2.0.2:4433
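The tls_fingerprint in that log line and the sha256// value in the curl command are the same quantity: curl's --pinnedpubkey compares the base64 SHA-256 of the server certificate's SubjectPublicKeyInfo, so a self-signed certificate is usable as long as the recipient checks that pin. The Go program below is an added example, not part of the simulator, showing how that value is derived from a certificate and the check a pinning client performs; the self-signed certificate it builds is a constructed stand-in for the one the simulator generates.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// SPKIFingerprint: base64 SHA-256 of the DER SubjectPublicKeyInfo, the value
// curl takes after "sha256//" in --pinnedpubkey and the log line reports.
func SPKIFingerprint(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// CheckPin is the client side: with a self-signed server certificate this
// comparison, not a CA chain, is the whole trust decision. Bind pinned and it
// has the shape of tls.Config.VerifyPeerCertificate.
func CheckPin(pinned string, rawCerts [][]byte, _ [][]*x509.Certificate) error {
	if len(rawCerts) == 0 {
		return fmt.Errorf("no peer certificate presented")
	}
	got, err := SPKIFingerprint(rawCerts[0])
	if err == nil && got != pinned {
		err = fmt.Errorf("pin mismatch: got %s, want %s", got, pinned)
	}
	return err
}

// SelfSignedCert stands in for the simulator's own certificate. Constructed:
// a fixed all-zero seed keeps the demo deterministic; a real server must not.
func SelfSignedCert() ([]byte, error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
}
func main() {
	der, err := SelfSignedCert()
	if err != nil {
		panic(err)
	}
	fmt.Println(SPKIFingerprint(der))
}
```

Because the fingerprint covers only the public key, it stays stable across re-issued certificates for the same key, which is why a pin survives a certificate renewal but not a key rotation.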
Usage
Usage: filewriteexploitsimulator [options]
Simulates an arbitrary file write exploit. Not safe.
Options:
-basic-auth username:password
If set, required basic auth username:password
-debug
Enable debug logging
-listen address
Listen address (default "0.0.0.0:4433")
-log logfile
Optional logfile
-perms mode
Octal file mode, for file creation (default "0644")
-read-root directory
Root directory for file reads (default "/")
-request-timeout duration
Maximum HTTP request duration (default 10m0s)
-server-header header
HTTP Server header (default "filewriteexploitsimulator v0.0.0")
-write-root directory
Root directory for file writes
Arbitrary Read
Anything under the directory specified with -read-root (by default /) may be read by passing the path to a file or directory as the path of a GET request.
Arbitrary Write
If -write-root is set to a directory, files under that directory may be written with a POST request. Missing directories won't be created.
For a true exploit simulation, run as root with -write-root /.
Security
In practical terms, none.
A username and password can be set with -basic-auth, but this should in no way be trusted. On the other hand, it'd probably make a pretty neat demo for a timing attack or stealing creds from logs or something.