alema/us
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

reverted to the old exec way

Browse Source 
this branch will contain a version of us which doesn't use a subshell as
a proxy but directly applies the privilege escalation to the command
This commit is contained in:
Alessandro Mauri 2021-04-03 18:03:13 +02:00
parent a666081599
commit 72c217d74a
2 changed files with 38 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
TODO
View File

@ -4,4 +4,13 @@
* SHELL -> to the target user's SHELL * SHELL -> to the target user's SHELL
* HOME -> to the target user's HOME * HOME -> to the target user's HOME
- Reconsider executing programs in a subshell - fork before exec, that is because processes might try to kill us or the
command but since they may run under elevated privileges they will get
permission denied error. If we remain the parent processes, unprivileged
proceses can send signals to us and we will relay them to our children
running at the same privilege as us. This is useful when:
- The child command hangs and we want to cose it, kinda
problematic but we could run kill with us as well
- The parent shell dies and children need to be killed, then
since one of their children (us) has higher privileges
they can't kill us and we would end up as zombies

44
us.c
View File

@ -103,22 +103,35 @@ int main (int argc, char *argv[])
shell = "/bin/sh"; shell = "/bin/sh";
/* Set argc and argv */ /* Set argc and argv */
char *command = NULL; int c_argc = argc - optind;
int size, popind = optind; char **c_argv;
if (argc - optind) { if (c_argc) {
for (size = 0; optind < argc; optind++) c_argv = malloc(sizeof(char *) * (c_argc + 1));
size += strlen(argv[optind]) + 1; if (!c_argv) {
command = malloc(sizeof(char) * size + 1);
if (!command) {
fprintf(stderr, "malloc: %s\n", strerror(errno)); fprintf(stderr, "malloc: %s\n", strerror(errno));
exit(errno); exit(errno);
} }
memset(command, 0, size + 1); for (int i = 0; optind < argc; optind++, i++) {
for (optind = popind; optind < argc; optind++) { c_argv[i] = strdup(argv[optind]);
strcat(command, argv[optind]); if (!c_argv[i]) {
strcat(command, " "); fprintf(stderr, "strdup: %s\n", strerror(errno));
exit(errno);
}
}
} else {
c_argc = 1;
c_argv = malloc(sizeof(char *) * (c_argc + 1));
if (!c_argv) {
fprintf(stderr, "malloc: %s\n", strerror(errno));
exit(errno);
}
c_argv[0] = strdup(shell);
if (!c_argv[0]) {
fprintf(stderr, "strdup: %s\n", strerror(errno));
exit(errno);
} }
} }
c_argv[c_argc] = NULL;
/* Authenticate */ /* Authenticate */
if (authenticate(uname) != PAM_SUCCESS) if (authenticate(uname) != PAM_SUCCESS)
@ -135,17 +148,16 @@ int main (int argc, char *argv[])
/* Execute the command */ /* Execute the command */
int err; int err;
if (command) err = execvp(c_argv[0], c_argv);
err = execl(shell, shell, "-c", command, (char *)NULL);
else
err = execl(shell, shell, (char *)NULL);
if (err == -1) if (err == -1)
fprintf(stderr, "execl: %s\n", strerror(errno)); fprintf(stderr, "execl: %s\n", strerror(errno));
/* Cleanup and return */ /* Cleanup and return */
fail_end: fail_end:
/* Free up the copied argv */ /* Free up the copied argv */
free(command); for (int i=0; c_argv[i]; i++)
free(c_argv[i]);
free(c_argv);
return errno; return errno;
} }