From 62d274918b86372acc96b3176fad3631c2227954 Mon Sep 17 00:00:00 2001
From: Caleb Stewart
Date: Tue, 21 Sep 2021 02:33:33 -0400
Subject: [PATCH] Removed Popen shell handling and catch OSError

---
 CHANGELOG.md | 2 ++
 pwncat/platform/linux.py | 13 +++++++++----
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 82be32b..3f5220d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,12 +21,14 @@ and simply didn't have the time to go back and retroactively create one.
 - Forced `Stream.RAW` for all GTFOBins interaction ([#195](https://github.com/calebstewart/pwncat/issues/195)).
 - Added custom `which` implementation for linux when `which` is not available ([#193](https://github.com/calebstewart/pwncat/issues/193)).
 - Correctly handle `--listen` argument ([#201](https://github.com/calebstewart/pwncat/issues/201))
+- Added handler for `OSError` when attempting to detect the running shell ([#179](https://github.com/calebstewart/pwncat/issues/179))
 ### Added
 - Added alternatives to `bash` to be used during _shell upgrade_ for a _better shell_
 - Added a warning message when a `KeyboardInterrupt` is caught
 - Added `--verbose/-V` for argument parser
 - Added `OSError` for `bind` protocol to show appropriate error messages
 ### Changed
+- Removed handling of `shell` argument to `Popen` to prevent `euid` problems ([#179](https://github.com/calebstewart/pwncat/issues/179))
 - Changed some 'red' warning message color to 'yellow'
 - Leak private keys for all users w/ file-read ability as UID=0 ([#181](https://github.com/calebstewart/pwncat/issues/181))
 - Raise `PermissionError` when underlying processes terminate unsuccessfully for `LinuxReader` and `LinuxWriter`
diff --git a/pwncat/platform/linux.py b/pwncat/platform/linux.py
index 17a6b77..417054b 100644
--- a/pwncat/platform/linux.py
+++ b/pwncat/platform/linux.py
@@ -1127,9 +1127,12 @@ class Linux(Platform):
 f"attempting to run {repr(command)} during execution of {self.command_running.args}!"
 )
- if shell:
- # Ensure this works normally
- command = shlex.join(["/bin/sh", "-c", command])
+ # This breaks `euid` situations. Not all shells support -p, so I think just not
+ # using this is a better option. I'm leaving it here just in case removing it
+ # causes problems in the future. Tests seem positive so far.
+ # if shell:
+ # # Ensure this works normally
+ # command = shlex.join(["/bin/sh", "-c", command])
 if cwd is not None:
 command = f"(cd {cwd} && {command})"
@@ -1664,9 +1667,11 @@ class Linux(Platform):
 pid = self.getenv("$")
 # Grab the path to the executable representing the shell
 self.shell = self.Path("/proc", pid, "exe").readlink()
- except (FileNotFoundError, PermissionError):
+ except (FileNotFoundError, PermissionError, OSError):
 # Fall back to SHELL even though it's not really trustworthy
 self.shell = self.getenv("SHELL")
+ if self.shell is None or self.shell == "":
+ self.shell = "/bin/sh"
 else:
 # Going interactive requires a pty
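Review bot: With the `/bin/sh -c` wrapping gone, the `shell` parameter of this method is still accepted but now silently ignored, and nothing in the hunk tells callers that; the method's signature and docstring lie before the hunk, so the parameter itself is not visible here. I would add a line where the parameter is documented, e.g. `shell: accepted for API compatibility but ignored; the command always runs in the current session shell (see #179)`. Because the command is no longer forced through `/bin/sh`, any caller that relied on POSIX sh syntax now gets whatever the remote session shell happens to be — presumably fine if the shell-upgrade logic already normalizes to bash or sh, but worth confirming with a test on a non-POSIX login shell. The six commented-out lines could be reduced to the explanatory comment alone, since git history keeps the removed code.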
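Review bot: `FileNotFoundError` and `PermissionError` are both subclasses of `OSError`, so the new tuple in `except (FileNotFoundError, PermissionError, OSError):` is equivalent to the shorter `except OSError:`, which also states the intent (any OS-level failure reading `/proc/<pid>/exe`) more plainly. The added empty-check can likewise be written `if not self.shell:`, which covers both `None` and `""`. On this fallback path `self.shell` comes from the remote `SHELL` variable, which the target environment controls, so anything downstream that builds commands from `self.shell` should keep treating it as untrusted input — the existing comment already says it is not trustworthy, and the `/bin/sh` default when it is empty is a reasonable last resort. The enclosing try/except begins before the hunk.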