Description
Entry Info
- Date: 2026-01-15
- BGGP Challenge: 6, recycle
- Name: Charlotte Woodrow
- Contact Info: charlotte.woodrow@q3w3e3.dev
- Online Presence: q3w3e3 many places, puponsecurity on twitter
- Writeup Link: https://www.gaiaonline.com/journal/?mode=view&post_id=48177153&u=44309835 (backed up here: https://gist.github.com/q3w3e3/2c7809fa92c75c9cac9ca37ef5696ad7)
File Info
- Target File Type: Shell Script
- Target File Size: 26
- SHA256 Hash: ef549a7ccfe5af10910a6cafae7ad32b1e5e14f2bc40a4604d1ec86d1ba53a5e
File Contents
Please encode the file as Base64
YCQwO2NwICIkMCIgNjtraWxsIC0xMSAkJGA=
Environment Info
Tested on macOS 14.6.1 (23G93), GNU bash, version 3.2.57(1)-release (arm64-apple-darwin23), curl 8.13.0 (aarch64-apple-darwin23.6.0) libcurl/8.13.0 OpenSSL/3.5.4 zlib/1.3.1 brotli/1.2.0 zstd/1.5.7 libidn2/2.3.8 libpsl/0.21.5 nghttp2/1.68.0
Target Software and Version
bash, 3.2 but should work with any bash.
Environment Setup
Requires: a POSIX shell (tested in bash, should work in any POSIX shell) and curl (tested with 8.13; should work with relatively old versions, not sure how old).
This file must be named "curl -L binary.golf --request-target 5%2f5 -O"; this can be done with: touch "curl -L binary.golf --request-target 5%2f5 -O"
Additional Info
Download, Replicate, Crash, Polyglot (perl, sh)
Example env/execution/verification of replication:
bggp6_2 %xxd curl\ -L\ binary.golf\ --request-target\ 5%2f5\ -O
00000000: 6024 303b 6370 2022 2430 2220 363b 6b69 `$0;cp "$0" 6;ki
00000010: 6c6c 202d 3131 2024 2460 ll -11 $$`
bggp6_2 %ls
curl -L binary.golf --request-target 5%2f5 -O
bggp6_2 %sh curl\ -L\ binary.golf\ --request-target\ 5%2f5\ -O
Warning: No remote file name, uses "curl_response"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 162 100 162 0 0 4024 0 --:--:-- --:--:-- --:--:-- 4050
100 58 100 58 0 0 554 0 --:--:-- --:--:-- --:--:-- 554
zsh: segmentation fault sh curl\ -L\ binary.golf\ --request-target\ 5%2f5\ -O
bggp6_2 %cat curl_response
Another #BGGP5 download!! @binarygolf https://binary.golf
bggp6_2 %sha256sum 6 curl\ -L\ binary.golf\ --request-target\ 5%2f5\ -O
ef549a7ccfe5af10910a6cafae7ad32b1e5e14f2bc40a4604d1ec86d1ba53a5e 6
ef549a7ccfe5af10910a6cafae7ad32b1e5e14f2bc40a4604d1ec86d1ba53a5e curl -L binary.golf --request-target 5%2f5 -O
bggp6_2 %rm curl_response 6
bggp6_2 %perl curl\ -L\ binary.golf\ --request-target\ 5%2f5\ -O
Warning: No remote file name, uses "curl_response"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 162 100 162 0 0 3227 0 --:--:-- --:--:-- --:--:-- 3240
100 58 100 58 0 0 456 0 --:--:-- --:--:-- --:--:-- 2416
zsh: segmentation fault perl curl\ -L\ binary.golf\ --request-target\ 5%2f5\ -O
bggp6_2 %cat curl_response
Another #BGGP5 download!! @binarygolf https://binary.golf
bggp6_2 %sha256sum 6 curl\ -L\ binary.golf\ --request-target\ 5%2f5\ -O
ef549a7ccfe5af10910a6cafae7ad32b1e5e14f2bc40a4604d1ec86d1ba53a5e 6
ef549a7ccfe5af10910a6cafae7ad32b1e5e14f2bc40a4604d1ec86d1ba53a5e curl -L binary.golf --request-target 5%2f5 -O
bggp6_2 %
NOTE: If this is an update to an existing entry, please include a link to your entry below this text. Reminder that authors can only update an entry once during BGGP.
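
A static check of the entry's declared metadata, added here as an example (not part of the original submission): it decodes the Base64 from File Contents and compares the size, hex dump and SHA-256 against the values stated in the entry, without ever executing the decoded bytes. The function names are this example's own, and `base64`, `od` and `sha256sum` (or `shasum`) are assumed to be installed.

```shell
#!/bin/sh
# Added example: verify the entry's declared fields against its Base64 payload.
# The payload is only piped through decoders and hashers, never executed.

# Values copied from the entry above.
B64='YCQwO2NwICIkMCIgNjtraWxsIC0xMSAkJGA='
CLAIMED_SIZE=26
CLAIMED_SHA256='ef549a7ccfe5af10910a6cafae7ad32b1e5e14f2bc40a4604d1ec86d1ba53a5e'
# Hex bytes transcribed from the xxd dump in the entry, spaces removed.
CLAIMED_HEX='6024303b6370202224302220363b6b696c6c202d313120242460'

# GNU and recent macOS base64 accept -d; older macOS builds need -D.
decode() {
  printf '%s' "$B64" | base64 -d 2>/dev/null || printf '%s' "$B64" | base64 -D
}

decoded_size() { decode | wc -c | tr -d ' '; }

decoded_hex() { decode | od -An -v -tx1 | tr -d ' \n'; }

decoded_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    decode | sha256sum
  else
    decode | shasum -a 256
  fi | cut -d' ' -f1
}

# check LABEL CLAIMED ACTUAL: print a verdict, return non-zero on mismatch.
check() {
  if [ "$2" = "$3" ]; then
    echo "ok        $1"
  else
    echo "MISMATCH  $1: claimed $2, got $3"
    return 1
  fi
}

verify_entry() {
  rc=0
  check size    "$CLAIMED_SIZE"   "$(decoded_size)"   || rc=1
  check hexdump "$CLAIMED_HEX"    "$(decoded_hex)"    || rc=1
  check sha256  "$CLAIMED_SHA256" "$(decoded_sha256)" || rc=1
  return "$rc"
}

verify_entry || echo "entry metadata does not match the Base64 payload"
```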