2024-11-25 Mon 17:08 Wu wei of web binary execution

So, how difficult is it in the year 2024 to execute an arbitrary
binary with some arguments through the web?  This depends a lot on
your resources, but for me it was surprisingly difficult using the
servers I already have.

It all started when I was watching a scene from the Mr Robot TV series
in which the main protagonist decrypts a message using multiple
arguably simple methods [1].  One of them is the ROT13 algorithm [2].
Even though today this encryption method has no practical use, I
decided to write my own program in C, just for fun, that can perform
any Caesar cipher [3] including ROT13.  I called it Brutus [4].

Writing the software was easy.  But because it was written in C and
not JavaScript or PHP it was not trivial to run Brutus from the web.
What I have is access to an ordinary LAMP [5] server and a Tilde Pink
[6] ssh account with Gemini and Gopher servers running on NetBSD.  So
I had 3 different servers with different protocols: HTTP, Gemini and
Gopher.  Out of those three only the Gopher server had support for CGI
[7] scripts, which is the most frictionless way of running a random
binary.  And all I needed was this:

       #!/bin/sh
       # Quote "$1" so the search text is not word-split or glob-expanded.
       printf '%s\n' "$1" | /home/irek/bin/brutus

You might have spotted that there is a new navigation item titled
"Brutus (ROT13)" [8] on my Gopher home page [9].  When it is accessed
with the "7" Gopher menu item type, used for full text search, it gets
text as input.  Then the request is sent and my CGI script runs.  As a
result you will get the encrypted/decrypted ROT13 text.
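
Because the search text comes from whoever sends the request, how the
wrapper expands $1 matters.  The block below is an added example, not
the author's script: it compares an unquoted `echo $1` pipeline with a
quoted `printf` one.  The rot13 function is a stand-in for
/home/irek/bin/brutus, and MAX_LEN is an assumed limit.

```shell
#!/bin/sh
# Added example. rot13 stands in for the brutus binary so this runs anywhere.
rot13() { tr 'A-Za-z' 'N-ZA-Mn-za-m'; }

MAX_LEN=512   # assumed cap on the search string, chosen for illustration

# Unquoted pattern: the shell word-splits $1 and expands globs before
# echo runs, and echo may also treat the text as an option such as -n.
cgi_unquoted() {
    echo $1 | rot13
}

# Hardened pattern: quoted expansion, printf instead of echo, length cap.
cgi_quoted() {
    if [ "${#1}" -gt "$MAX_LEN" ]; then
        printf 'input too long\n'
        return 1
    fi
    printf '%s\n' "$1" | rot13
}

# Constructed demo: a scratch directory holding a single file.
demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        : > secret.txt
        printf 'unquoted *  -> %s\n' "$(cgi_unquoted '*')"
        printf 'quoted   *  -> %s\n' "$(cgi_quoted '*')"
        printf 'quoted   -n -> %s\n' "$(cgi_quoted '-n')"
    )
    rm -rf "$dir"
}
demo
```

In the unquoted case the `*` is replaced by the directory listing
before the cipher ever sees it; the quoted case passes the text through
unchanged.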

To me this is an effortless way of running random binaries through a
web interface.  It is the oldest of web protocols and may neglect
modern security standards, but I found it to be true to Wu wei [10]
because I did mostly nothing to make this work.

       When you arrive at non-action,
       nothing will be left undone.
       - Lao Tzu

Decrypt this message:

       Gb nggnva xabjyrqtr, nqq guvatf rirelqnl.
       Gb nggnva jvfqbz, erzbir guvatf rirelqnl.

to get another great quote by Lao Tzu ;)

[1] https://youtu.be/i9CBKGLVCME
[2] https://en.wikipedia.org/wiki/ROT13
[3] https://en.wikipedia.org/wiki/Caesar_cipher
[4] https://github.com/ir33k/brutus
[5] https://pl.wikipedia.org/wiki/LAMP
[6] https://tilde.pink/
[7] https://wikipedia.org/wiki/Common_Gateway_Interface
[8] gopher://tilde.pink/7/~irek/brutus.cgi
[9] gopher://tilde.pink/0/~irek
[10] https://wikipedia.org/wiki/Wu_wei

EOF