Share
## https://sploitus.com/exploit?id=35BA945A-6823-5B28-BB36-9BD7EA5ADB59
# terminal-poc-corpus

A **defensive, machine-readable corpus** of publicly-disclosed terminal-emulator
attack payloads: escape-sequence injection / reflection (answerback, title-report,
DECRQSS, DSR, font-query echoback), clipboard read/write (OSC 52), hyperlink and
URL-scheme abuse (OSC 8), window operations, screen-dump-to-file, decoder bugs
(Sixel, ReGIS), and display-deception classes (Trojan-Source bidi, homoglyphs,
bracketed-paste bypass).

It exists because the conformance suites (esctest, vttest, terminalguide) carry no
security or attribution metadata, and the security PoCs themselves are scattered
across CVEs, blog posts, and mailing-list archives. This collects them in one
CVE-tagged, attributed, machine-readable, **safe** format.

> **Read [SAFETY.md](SAFETY.md) first.** Payloads are stored hex-encoded (reading
> the repo is safe), canary-forked (a fired payload only writes a harmless marker),
> and meant to run in a **sandbox VM only** via the harness. This is a test suite,
> not a weapon.

## Layout

```
SAFETY.md                     the safety model (read this first)
schema/poc.schema.json        JSON Schema every meta.yaml is validated against
index.json                    generated flat manifest of all PoCs (Exploit-DB style)
poc//
    meta.yaml                 attribution + classification (validated by the schema)
    payload.hex               hex-encoded, canary-forked payload (never raw bytes)
    expected.md               safe behaviour + the canary to check
harness/run.py                sandbox-only runner: decode -> feed -> check canary
tools/validate.py             validate every meta.yaml against the schema
tools/build_index.py          regenerate index.json from poc/*/meta.yaml
```

## A PoC record (`meta.yaml`)

Fields: `id, title, class, cve[], affected[], author, source_url, archive_url,
date, severity, mechanism, references[], payload_encoding, expected_effect,
canary, modified, original_ref, notes`. See `schema/poc.schema.json` and the
worked example in `poc/title-report-echoback-2003/`.

## Using it

Regenerate/validate locally (these only read text, no payloads are decoded):

```
python3 tools/validate.py
python3 tools/build_index.py > index.json
```

Run the corpus against a terminal **inside the sandbox VM only**:

```
POC_CANARY_DIR=... harness/run.py --terminal  [poc/ ...]
```

The harness runs an always-firing positive control first and fails loud if the
canary machinery is not working, so a green "not vulnerable" result is trustworthy.

## Contributing

Public disclosures only. Every entry needs a source, a web-archive link, and an
author. A payload that would do anything harmful must be canary-forked
(`modified: true`) and pass the sanitization review before it is added.

## License

AGPL-3.0-or-later. See [LICENSE](LICENSE).