
Feature: ssh.checksec() #753

Closed
zachriggle opened this issue Sep 27, 2016 · 1 comment

@zachriggle
Member

zachriggle commented Sep 27, 2016

Given an active SSH connection, Pwntools should be able to tell me about the remote system via e.g. ssh().checksec().

  • Operating System
    • Only Linux is supported, only if Python is installed
    • Detect distribution and version (via /etc/lsb-release or platform.linux_distribution)
      • Notably, linux_distribution gives me Jessie on some Ubuntu systems (??)
  • System-wide NX State
    • From /proc/cpuinfo
  • System-wide ASLR State
    • randomize_va_space
    • mmap_rnd_bits and mmap_rnd_compat_bits
  • Benign emulation checks
    • Running under qemu-system
    • Running under qemu-user
  • Susceptibility to CTF tricks
    • ulimit -s unlimited ASLR bypass goes away with Linux v4.4

The checks should also be usable locally without SSH. We can do this with inspect to marshal entire functions via preexec_fn in the ssh().process(...) arguments. This way we can just execute the functions locally -- but can use them remotely.
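As an added example (not pwntools code and not the implementation this issue ended up with), the following local probe reads the sources listed above: /proc/sys/kernel/randomize_va_space, /proc/sys/vm/mmap_rnd_bits and mmap_rnd_compat_bits, the nx flag in /proc/cpuinfo, and /etc/lsb-release (falling back to /etc/os-release). Each source has its own small parser that takes file contents as a string, so the parsers can be exercised with constructed input; `checksec_local()` and `format_report()` are names chosen here, and the `Kernel >= 4.4` line uses the version named in the post purely as a hint, since the follow-up comment notes the ulimit fix was backported to many distro kernels. Whether the stack limit is unlimited is reported because that is the precondition the trick depends on.

```python
import platform
import re
import resource

# Meaning of /proc/sys/kernel/randomize_va_space values (Linux kernel sysctl docs).
ASLR_LEVELS = {
    "0": "Disabled",
    "1": "Enabled (stack, mmap, vDSO randomised; brk not randomised)",
    "2": "Enabled (stack, mmap, vDSO and brk randomised)",
}


def parse_randomize_va_space(text):
    """Map the raw sysctl value to a human-readable ASLR state."""
    value = text.strip()
    return ASLR_LEVELS.get(value, "Unknown value %r" % value)


def parse_mmap_rnd_bits(text):
    """mmap_rnd_bits / mmap_rnd_compat_bits are plain integers (bits of mmap entropy)."""
    return int(text.strip())


def parse_cpuinfo_nx(text):
    """True if every CPU's 'flags' line in /proc/cpuinfo lists 'nx', False if some
    CPU lacks it, None if there are no flags lines (e.g. non-x86). The hardware bit
    is necessary but not sufficient: the kernel must also use NX-capable page
    tables and must not have been booted with noexec=off."""
    flag_lines = [l for l in text.splitlines() if l.startswith("flags")]
    if not flag_lines:
        return None
    return all("nx" in l.split(":", 1)[1].split() for l in flag_lines)


def parse_lsb_release(text):
    """Parse KEY=VALUE lines from /etc/lsb-release (same shape as /etc/os-release)."""
    info = {}
    for line in text.splitlines():
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            info[key.strip()] = value.strip().strip('"')
    return info


def kernel_version_tuple(release):
    """'3.11.0-26-generic' -> (3, 11, 0); None if the string has no version prefix."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    return tuple(int(x or 0) for x in m.groups()) if m else None


def stack_limit_is_unlimited():
    """The ulimit trick needs an unlimited soft stack limit in the caller."""
    soft, _hard = resource.getrlimit(resource.RLIMIT_STACK)
    return soft == resource.RLIM_INFINITY


def read_text(path):
    """Return file contents, or None when the file is absent or unreadable."""
    try:
        with open(path) as f:
            return f.read()
    except (IOError, OSError):
        return None


def checksec_local():
    """Collect the checks into a dict; sources that are missing are reported as None."""
    report = {"OS": platform.system().lower(), "Arch": platform.machine(),
              "Version": platform.release()}
    distro = read_text("/etc/lsb-release") or read_text("/etc/os-release") or ""
    info = parse_lsb_release(distro)
    report["Distro"] = info.get("DISTRIB_DESCRIPTION") or info.get("PRETTY_NAME")
    aslr = read_text("/proc/sys/kernel/randomize_va_space")
    report["ASLR"] = parse_randomize_va_space(aslr) if aslr else None
    for name in ("mmap_rnd_bits", "mmap_rnd_compat_bits"):
        raw = read_text("/proc/sys/vm/" + name)
        report[name] = parse_mmap_rnd_bits(raw) if raw else None
    cpuinfo = read_text("/proc/cpuinfo")
    report["NX"] = parse_cpuinfo_nx(cpuinfo) if cpuinfo else None
    report["Stack limit unlimited"] = stack_limit_is_unlimited()
    # Version is only a hint: the fix for the ulimit trick was backported to many
    # distro kernels, so a definitive answer needs an actual run of a test binary.
    ver = kernel_version_tuple(platform.release())
    report["Kernel >= 4.4"] = ver is not None and ver >= (4, 4, 0)
    return report


def format_report(report):
    """Render one '    Key: value' line per check, in the style of the commit output."""
    width = max(len(k) for k in report) + 1
    return "\n".join("    %s %s" % ((k + ":").ljust(width), v)
                     for k, v in report.items())


if __name__ == "__main__":
    print(format_report(checksec_local()))
```

Because the parsers are separated from the file reads, the same functions can be fed the output of `cat` run over SSH, which is the remote half of what the issue asks for; `resource` and the /proc paths assume a Linux host, matching the "only Linux is supported" constraint above.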

@zachriggle zachriggle added this to the Someday milestone Sep 27, 2016
@zachriggle
Member Author

Actually, it looks like they backported the ulimit checks to lots of kernels, and each distro did their own thing. We'll have to actually check (which is easy, just upload an ELF).

zachriggle added a commit to zachriggle/pwntools that referenced this issue Jan 9, 2017
Looks like this:

[x] Connecting to example.pwnme on port 22
[+] Connecting to example.pwnme on port 22: Done
[*] user@example.pwnme:
    Distro    Ubuntu 14.04
    OS:       linux
    Arch:     amd64
    Version:  3.11.0
    ASLR:     Enabled
    Note:     Susceptible to ASLR ulimit trick (CVE-2016-3672)

Fixes Gallopsled#753
zachriggle added a commit that referenced this issue Jan 9, 2017
@zachriggle zachriggle modified the milestones: 3.5.0, Someday Mar 4, 2017
Kyle-Kyle pushed a commit to Kyle-Kyle/pwntools that referenced this issue Apr 25, 2021