Shells, terminals, and sudo mitm

In many situations, you can find yourself with a simple shell, able to read and write stdin/stdout, but some command that you are using requires a full terminal. Example: you got a netcat shell on a server or you're writing a web application with popen() calls, etc. If you need to execute a command through sudo, it will read and write directly from the associated terminal, and your shell will freeze. Highly annoying. Or maybe another command will hang. With a simple netcat shell, you probably just lost it; hitting Ctrl+C won't send a terminate signal to the process, it will kill your shell. On windows, well you should never use netcat, get yourself a meterpreter session, but on *nix, the meterpreter just isn't there yet. So it's very useful to have a way of obtaining a real terminal from a simple shell, that is, a terminal that just uses stdio. Here is one way to do that, in C using the forkpty() function:
And why not turn that into a super bindshell? This modified version will function as a kind of self-contained telnet server that doesn't require a login; you can use telnet to connect to it and use it like a normal terminal:
And now that we have a way of intercepting reads and writes to the terminal, we can extend this as a sort of super-script command, that will log both output and input.
One use for that would be as a man-in-the-middle to intercept passwords sent to sudo. But it would be easier to create an alias for the sudo command rather than try to completely man-in-the-middle every terminal. And this modification is one way to do that:

, , , ,

Comments are closed.