v0.10.0

What's Changed

• Add options to configure x509 keypair signature algorithm
• Add support for generating RSA x509 keys
• Update Dockerfile base image to Alpine 3.20
• Drop nettle dependency
• Add vendored cargo feature for static sh4d0wup binaries
• Add windows support
• Update dependencies
  • Fix RUSTSEC-2024-0344
  • Fix RUSTSEC-2024-0332
  • Fix RUSTSEC-2024-0357
  • Fix RUSTSEC-2024-0336
  • Fix RUSTSEC-2024-0345

Release binary SHA256

4863ad04d042216a09d021b4d391824e5deb2d21538de203f5445bac187be3de

Reproduce release binary from source

git clone https://github.com/kpcyrd/sh4d0wup
cd sh4d0wup
git checkout v0.10.0
make build
sha256sum target/x86_64-unknown-linux-musl/release/sh4d0wup

Thanks

We'd like to thank @SantiagoTorres and @repi for their support on github sponsors.

v0.9.3

• Bump mio from 0.8.10 to 0.8.11 by @dependabot in #22
• Update dependencies by @kpcyrd in #23
• Update dependencies by @kpcyrd in #24

Thanks

We'd like to thank @SantiagoTorres, @repi and @rgacogne for their support on github sponsors.

v0.9.2

• Support new application/x-bzip2 mime-type
• Update dependencies
  • RUSTSEC-2024-0003 - Resource exhaustion vulnerability in h2 may lead to Denial of Service (DoS)
  • RUSTSEC-2024-0006 - shlex: Multiple issues involving quote API
  • RUSTSEC-2023-0065 - Tungstenite allows remote attackers to cause a denial of service
  • RUSTSEC-2023-0052 - webpki: CPU denial of service in certificate path building
  • RUSTSEC-2023-0072 - openssl: X509StoreRef::objects is unsound
  • RUSTSEC-2023-0075 - unsafe-libyaml: Unaligned write of u64 on 32-bit and 16-bit platforms

Thanks

We'd like to thank @SantiagoTorres, @repi and @rgacogne for their support on github sponsors.

v0.9.1

• Fix build issues with Rust 1.72.0
• Add a default key type for ssh keys (ed25519) and default key sizes for each key type (rsa => 4096, dsa => 1024, ecdsa => 256, ed25519 => 256)
  • It's now sufficient to run sh4d0wup keygen ssh to generate a burner ssh key
• Add --secret-key-only and --public-key-only flags to sh4d0wup keygen to ease scripting
• Updated dependencies

Thanks

We'd like to thank @SantiagoTorres, @repi and @rgacogne for their support on github sponsors.

v0.9.0

• Add -n switch to sh4d0wup build to dump deserialized plot with no processing
• Support generating git tag objects as binary artifact
• Support auto-detecting package urls for apt, pacman and apk by parsing the database object of the respective package repository
• Detect SHA512 fields in apt files and update them accordingly during tampering
• Improved Rust payload generation (including libc-free binaries)
• Fix -Wunused-result warning in generated C code
• Do not leave empty files on failed builds

Thanks

We'd like to thank @SantiagoTorres, @repi and @rgacogne for their support on github sponsors.

v0.8.0

• Add a --keep option for the check subcommand
• Improve apt compatibility
• Fix a bug with the pre-built items not being used, add better tests
• Refactor codegen to target more compilers to generate backdoors with

Thanks

We'd like to thank @SantiagoTorres, @repi and @rgacogne for their support on github sponsors.

v0.7.1

• Fix build for MacOS

Thanks

We'd like to thank @SantiagoTorres, @repi and @rgacogne for their support on github sponsors.

v0.7.0

• Add sh4d0wup front command to spawn a zero-config reverse proxy. This is useful for reverse engineering or if you quickly want to test something without starting a plot first.
• Add sh4d0wup infect elf-fwd-stdin command to generate elf binaries that spawn a subprocess and then forward some data that gets embedded at a build time. This can be used to execute shell or python scripts without writing them to disk.
• Re-introduce the shell script patching code as sh4d0wup infect sh. It allows to hook functions. Shell parsing is provided by yash-syntax which is experimental. Only shorthand functions like foo() { echo hello world; } are supported but not function foo() { echo hello world; }. This feature is available over the cli, in plot files for artifacts and to transform http responses.
• Git commit bruteforce was refactored from normal threads to tokio.
• Improve compatibility with http2 and non-root container images. It's now possible to easily match the host/authority of a request (this feature is sometimes refered to as vhosts).
• Allow more complex elf payload configurations, see contrib/plot-elf-galore.yaml

Thanks

We'd like to thank @SantiagoTorres, @repi and @rgacogne for their support on github sponsors.

v0.6.0

• It's now possible to strip the parent(s) from commits to trim the history and make it look like everything was added in one commit
• Support pre-generating pacman pkg databases
• Improve .deb infection compatibility and make artifact downloads follow redirects
• Some changes towards running sh4d0wup check inside a rootless podman container
• Change how artifact reuse with --cache-from works to kill a bug
• Improve the Arch Linux plot files

Thanks

We'd like to thank @SantiagoTorres, @repi and @rgacogne for their support on github sponsors.

v0.5.0

• Add a selectors: feature to only enable routes based on criterias of the request, like ip address or certain headers
• Add features to do partial collisions of git hashes. It uses a multi-threaded bruteforce on a commit header that isn't visibile when using git show. To take a commit from a repository, bruteforce a collision and write the new objects back into the repository use git cat-file commit HEAD | sh4d0wup tamper git-commit --stdin --collision-prefix dead --strip-header | git hash-object --stdin -t commit -w. The output is a commit hash, to create a new branch named new-main on that commit use git branch new-main dead.... It can also be used in a plot, see contrib/plot-git.yaml.
• Add sh4d0wup req command to emulate http requests, this allows debugging a plot configuration from the cli without starting the server. -r can be used to show the whole response, -c can be used to show only the content to stdout, -cC to get the content as hexdump. When using -r it also shows the http status and the response headers, but often there aren't any explicitly set so you would only see the http status line.
• Add -q option to reduce the default log level from INFO to WARN
• The path_template: variable still has access to sha256, sha1 and md5, but those are now calculated lazily on first use. This way we avoid calculating unused hashes during startup.
• Allow static routes to reference multiple artifacts: and use the rendered path_template: as the key for a lookup table. Hopefully this performs well and scales to large number of objects, routing in sh4d0wup works by walking through a list, so it becomes slow if you add to many routes (like thousands or tens of thousands). This feature allows you to use a hashmap in one of the list items.

Thanks

We'd like to thank @SantiagoTorres, @repi and @rgacogne for their support on github sponsors.