incentive/psopeeps-newserv
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
00bbd6a0a3ff2503d3fa8f06a898b8cea0ae564f
psopeeps-newserv/PSODolphinConfig.py
T
Martin Michelsen 00bbd6a0a3 add script to make it easy to run psogc against newserv
2018-11-11 10:59:39 -08:00

100 lines
3.5 KiB
Python
Raw Blame History

#!/bin/env python3
import os
import sys
import time
import stat
import pwd
import subprocess
def change_user(username):
try:
user_info = pwd.getpwnam(username)
except KeyError:
print("user %s does not exist" % (username,))
raise
os.setregid(user_info.pw_gid, user_info.pw_gid)
os.setreuid(user_info.pw_uid, user_info.pw_uid)
def main(argv):
dolphin_path = './Dolphin.app/Contents/MacOS/Dolphin'
try:
username = os.environ['SUDO_USER']
print(username)
except KeyError:
print('$SUDO_USER not set; use sudo -E')
# 1. open tap0 and configure it
print("starting and configuring tap0")
tap0_fd = os.open('/dev/tap0', os.O_RDWR)
os.set_inheritable(tap0_fd, True)
subprocess.check_call(['ifconfig', 'tap0', argv[1]], stderr=subprocess.DEVNULL)
subprocess.check_call(['ifconfig', 'tap0', 'up'], stderr=subprocess.DEVNULL)
# 2. fork a Dolphin process, dropping privileges first
print("starting dolphin")
dolphin_proc = subprocess.Popen([dolphin_path],
preexec_fn=lambda: change_user(username), pass_fds=(tap0_fd,))
time.sleep(1)
# 3. create a temp file for dolphin to open instead of /dev/tap0
print("creating temp file")
tmpfile_fd = os.open("/tmp/dnet", os.O_CREAT | os.O_RDWR, stat.S_IRWXU | stat.S_IRWXG | stat.S_IRWXO)
os.close(tmpfile_fd)
os.chmod("/tmp/dnet", stat.S_IRWXU | stat.S_IRWXG | stat.S_IRWXO)
# 4. modify dolphin's memory to make it upen the temp file
print("redirecting /dev/tap0 for dolphin")
addresses_str = subprocess.check_output(['memwatch', str(dolphin_proc.pid), 'find', '\"/dev/tap0\"'], stderr=subprocess.DEVNULL)
for line in addresses_str.splitlines():
tokens = line.split()
if len(tokens) != 3:
continue
print("redirecting /dev/tap0 to /tmp/dnet at %s in dolphin" % (tokens[1],))
subprocess.check_call(["memwatch", str(dolphin_proc.pid), "access", tokens[1], "rwx"], stderr=subprocess.DEVNULL)
subprocess.check_call(["memwatch", str(dolphin_proc.pid), "write", tokens[1], "\"/tmp/dnet\""], stderr=subprocess.DEVNULL)
subprocess.check_call(["memwatch", str(dolphin_proc.pid), "access", tokens[1], "r-x"], stderr=subprocess.DEVNULL)
# step 5: use lsof to find out when dolphin opens /tmp/dnet
print("waiting for temp file to open")
dolphin_tap0_fd = -1
while dolphin_tap0_fd < 0:
time.sleep(1)
result = subprocess.check_output(["lsof", "-p", str(dolphin_proc.pid)], stderr=subprocess.DEVNULL)
for line in result.splitlines():
if b'/tmp/dnet' not in line:
continue
fd_str = line.split()[3]
dolphin_tap0_fd = int(fd_str[0:-len(fd_str.lstrip(b'0123456789'))])
print("found open tap fd %d in dolphin" % (dolphin_tap0_fd,))
# step 6: use memwatch to move the tap0 fd into place
print("replacing temp fd %d with tap fd %d in dolphin" % (dolphin_tap0_fd,
tap0_fd))
assembly_contents = b"""start:
mov rax, 0x000000000200005A # dup2(from_fd, to_fd)
mov rdi, %d
mov rsi, %d
syscall
# close the original fd. if dup2 failed, this will break the connection and
# dolnet will notice. note that rdi is preserved during the syscall so we
# don't need to reload it
mov rax, 0x0000000002000006 # close(fd)
syscall
ret
""" % (tap0_fd, dolphin_tap0_fd)
subprocess.run(["memwatch", str(dolphin_proc.pid), "--", "run", "-"], input=assembly_contents, stderr=subprocess.DEVNULL)
# ok we're done - dolphin is running as a non-privileged user with tap0 open
return 0
if __name__ == '__main__':
sys.exit(main(sys.argv))
Reference in New Issue View Git Blame Copy Permalink