Signing-key abuse and update exploitation framework
GPL-3.0 License
We'd like to thank @SantiagoTorres, @repi and @rgacogne for their support on github sponsors.
Published by kpcyrd 8 months ago
- application/x-bzip2 mime-type
- X509StoreRef::objects is unsound
Published by kpcyrd about 1 year ago
- ed25519) and default key sizes for each key type (rsa => 4096, dsa => 1024, ecdsa => 256, ed25519 => 256)
- sh4d0wup keygen ssh to generate a burner ssh key
- --secret-key-only and --public-key-only flags to sh4d0wup keygen to ease scripting
Published by kpcyrd over 1 year ago
- -n switch to sh4d0wup build to dump the deserialized plot with no processing
- git tag objects as binary artifact
Published by kpcyrd over 1 year ago
Published by kpcyrd almost 2 years ago
Published by kpcyrd almost 2 years ago
- sh4d0wup front command to spawn a zero-config reverse proxy. This is useful for reverse engineering or if you quickly want to test something without starting a plot first.
- sh4d0wup infect elf-fwd-stdin command to generate elf binaries that spawn a subprocess and then forward some data that gets embedded at build time. This can be used to execute shell or python scripts without writing them to disk.
- sh4d0wup infect sh. It allows hooking functions. Shell parsing is provided by yash-syntax, which is experimental. Only shorthand functions like foo() { echo hello world; } are supported, but not function foo() { echo hello world; }. This feature is available over the cli, in plot files for artifacts and to transform http responses.
- vhosts).
- contrib/plot-elf-galore.yaml
Published by kpcyrd almost 2 years ago
- sh4d0wup check inside a rootless podman container
Published by kpcyrd almost 2 years ago
- selectors: feature to only enable routes based on criteria of the request, like ip address or certain headers
- git show. To take a commit from a repository, bruteforce a collision and write the new objects back into the repository, use git cat-file commit HEAD | sh4d0wup tamper git-commit --stdin --collision-prefix dead --strip-header | git hash-object --stdin -t commit -w. The output is a commit hash; to create a new branch named new-main on that commit, use git branch new-main dead... It can also be used in a plot, see contrib/plot-git.yaml.
- sh4d0wup req command to emulate http requests. This allows debugging a plot configuration from the cli without starting the server. -r can be used to show the whole response, -c to show only the content on stdout, and -cC to get the content as a hexdump. When using -r it also shows the http status and the response headers, but often there aren't any explicitly set, so you would only see the http status line.
- -q option to reduce the default log level from INFO to WARN
- path_template: variable still has access to sha256, sha1 and md5, but those are now calculated lazily on first use. This way we avoid calculating unused hashes during startup.
- artifacts: and use the rendered path_template: as the key for a lookup table. Hopefully this performs well and scales to a large number of objects; routing in sh4d0wup works by walking through a list, so it becomes slow if you add too many routes (like thousands or tens of thousands). This feature allows you to use a hashmap in one of the list items.