Inspired by this thread: https://news.ycombinator.com/item?id=17636032
I intended to create an exploit where if you curl an endpoint it provides a bash script, and if you pipe that output it provides a different bash script. One commenter said that you could do this with a curl back to the hosting server.
UPDATE
My initial solution failed to fill the write buffer. From /r/golang, /u/eggsampler pointed out the issues and provided a quick implementation.
Because the write buffer still has to be filled, the original exploit is more nefarious: it has no liveness check. In this version the liveness check makes the implementation more straightforward, but it is also more obvious to the recipient that something strange is happening.
go run main.go
In a new tab:
curl localhost:5050/download
curl localhost:5050/download | bash
If the exploit works, you will get two separate outputs.
$ curl -s localhost:5050/download
# liveness check
curl -s localhost:5050/check?key=oJnNP;
echo "you are looking at safe code. You should just pipe this to bash."
vs
$ curl -s localhost:5050/download | bash
you have been pwnd. Never pipe curl to bash!
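The trick above only works because bash starts executing the script while curl is still receiving it, so the liveness probe reaches the server mid-transfer. Downloading to a file, checking it, and only then executing it removes that window and guarantees the bytes you inspected are the bytes bash runs. The helper below is an added example written for this page, not code from this repository; it assumes curl is installed and that you obtained the expected SHA-256 from the publisher out of band.

```shell
# Fetch a script to a file, verify its digest, then run it.
# Nothing is executed during the download, so a server that
# waits for a liveness probe never sees one and has no way to
# tell "piped to bash" apart from "viewed in a terminal".

fetch_to_file() {
  # $1 = URL, $2 = destination path (assumes curl is available)
  curl -fsSL "$1" -o "$2"
}

sha256_of() {
  # Print the hex SHA-256 of file $1, using whichever tool exists.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

verify_digest() {
  # Return 0 only if file $1 hashes to the expected digest $2.
  [ "$(sha256_of "$1")" = "$2" ]
}

run_verified() {
  # Execute file $1 with bash only after its digest matches $2.
  if verify_digest "$1" "$2"; then
    bash "$1"
  else
    echo "digest mismatch, refusing to run $1" >&2
    return 1
  fi
}

install_from_url() {
  # $1 = URL, $2 = expected SHA-256 published by the script author.
  tmp=$(mktemp) || return 1
  if fetch_to_file "$1" "$tmp"; then
    run_verified "$tmp" "$2"
    rc=$?
  else
    rc=1
  fi
  rm -f "$tmp"
  return $rc
}
```

A script that still contains a liveness probe will fire it only after the download is complete, by which point the server has already committed to the content you verified.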