DanaEpp / pwncat_pwnkit

pwncat module that automatically exploits CVE-2021-4034 (pwnkit)
MIT License

getting an error #1

Open wangdangel opened 2 years ago

wangdangel commented 2 years ago

(local) pwncat$ run pwnkit ╭──────────────────────────────────────────────── Traceback (most recent call last) ─────────────────────────────────────────────────╮ │ │ │ /opt/pwncat/lib/python3.9/site-packages/pwncat/platform/linux.py:1065 in compile │ │ │ │ 1062 │ │ command = [gcc, "-o", output, cflags, real_sources, ldflags] │ │ 1063 │ │ │ │ 1064 │ │ try: │ │ ❱ 1065 │ │ │ self.run(command, check=True) │ │ 1066 │ │ except pwncat.subprocess.CalledProcessError: │ │ 1067 │ │ │ self.run(["rm", "-f", output]) │ │ 1068 │ │ │ raise PlatformError("compilation failed") │ │ /opt/pwncat/lib/python3.9/site-packages/pwncat/platform/init.py:786 in run │ │ │ │ 783 │ │ if popen_class is None: │ │ 784 │ │ │ popen_class = self.Popen │ │ 785 │ │ │ │ ❱ 786 │ │ p = popen_class( │ │ 787 │ │ │ args, │ │ 788 │ │ │ stdin=stdin, │ │ 789 │ │ │ stdout=stdout, │ │ │ │ /opt/pwncat/lib/python3.9/site-packages/pwncat/platform/linux.py:1114 in Popen │ │ │ │ 1111 │ │ │ ) │ │ 1112 │ │ │ │ 1113 │ │ if isinstance(args, list): │ │ ❱ 1114 │ │ │ command = shlex.join(args) │ │ 1115 │ │ elif isinstance(args, str): │ │ 1116 │ │ │ command = args │ │ 1117 │ │ else: │ │ │ │ /usr/lib/python3.9/shlex.py:320 in join │ │ │ │ 317 │ │ 318 def join(split_command): │ │ 319 │ """Return a shell-escaped string from split_command.""" │ │ ❱ 320 │ return ' '.join(quote(arg) for arg in split_command) │ │ 321 │ │ 322 │ │ 323 _find_unsafe = re.compile(r'[^\w@%+=:,./-]', re.ASCII).search │ │ │ │ /usr/lib/python3.9/shlex.py:320 in │ │ │ │ 317 │ │ 318 def join(split_command): │ │ 319 │ """Return a shell-escaped string from split_command.""" │ │ ❱ 320 │ return ' '.join(quote(arg) for arg in split_command) │ │ 321 │ │ 322 │ │ 323 _find_unsafe = re.compile(r'[^\w@%+=:,./-]', re.ASCII).search │ │ │ │ /usr/lib/python3.9/shlex.py:329 in quote │ │ │ │ 326 │ """Return a shell-escaped version of the string s*.""" │ │ 327 │ if not s: │ │ 328 │ │ return "''" │ │ ❱ 329 │ if _find_unsafe(s) is None: │ │ 330 │ │ return s │ │ 331 │ │ │ 332 │ # 
use single quotes, and put single quotes into double quotes │ ╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯ TypeError: expected string or bytes-like object

During handling of the above exception, another exception occurred:

╭──────────────────────────────────────────────── Traceback (most recent call last) ─────────────────────────────────────────────────╮ │ │ │ /opt/pwncat/lib/python3.9/site-packages/pwncat/commands/init.py:591 in run │ │ │ │ 588 │ │ │ │ if line == "": │ │ 589 │ │ │ │ │ continue │ │ 590 │ │ │ │ │ │ ❱ 591 │ │ │ │ self.dispatch_line(line) │ │ 592 │ │ │ # We used to catch only KeyboardException, but this prevents a │ │ 593 │ │ │ # badly written command from completely killing our remote │ │ 594 │ │ │ # connection. │ │ /opt/pwncat/lib/python3.9/site-packages/pwncat/commands/init.py:672 in dispatch_line │ │ │ │ 669 │ │ │ │ args = line │ │ 670 │ │ │ │ │ 671 │ │ │ # Run the command │ │ ❱ 672 │ │ │ command.run(self.manager, args) │ │ 673 │ │ │ │ │ 674 │ │ │ if prog_name: │ │ 675 │ │ │ │ command.parser.prog = prog_name │ │ │ │ /opt/pwncat/lib/python3.9/site-packages/pwncat/commands/run.py:67 in run │ │ │ │ 64 │ │ config_values.update(values) │ │ 65 │ │ │ │ 66 │ │ try: │ │ ❱ 67 │ │ │ result = manager.target.run(module_name, config_values) │ │ 68 │ │ │ │ │ 69 │ │ │ if args.module is not None: │ │ 70 │ │ │ │ manager.config.back() │ │ │ │ /opt/pwncat/lib/python3.9/site-packages/pwncat/manager.py:652 in run │ │ │ │ 649 │ │ if module.PLATFORM is not None and type(self.platform) not in module.PLATFORM: │ │ 650 │ │ │ raise pwncat.modules.IncorrectPlatformError(module_name) │ │ 651 │ │ │ │ ❱ 652 │ │ return module.run(self, kwargs) │ │ 653 │ │ │ 654 │ def find_module(self, pattern: str, base=None, exact: bool = False): │ │ 655 │ │ """Locate a module by a glob pattern. 
This is an generator │ │ │ │ /opt/pwncat/lib/python3.9/site-packages/pwncat/modules/init.py:239 in decorator │ │ │ │ 236 │ │ │ │ │ with session.task(description=self.name, status="...") as task: │ │ 237 │ │ │ │ │ │ # Collect results │ │ 238 │ │ │ │ │ │ results = [] │ │ ❱ 239 │ │ │ │ │ │ for item in result_object: │ │ 240 │ │ │ │ │ │ │ session.update_task(task, status=item.title(session)) │ │ 241 │ │ │ │ │ │ │ if not isinstance(item, Status): │ │ 242 │ │ │ │ │ │ │ │ results.append(item) │ │ │ │ /opt/pwncat/lib/python3.9/site-packages/pwncat/modules/pwnkit.py:94 in run │ │ │ │ 91 │ │ │ │ 92 │ │ # Compile pwnkit binary │ │ 93 │ │ try: │ │ ❱ 94 │ │ │ pwnkit = session.platform.compile( │ │ 95 │ │ │ │ [StringIO(pwnkit_source)], │ │ 96 │ │ │ │ cflags=["-shared", "-fPIC"], │ │ 97 │ │ │ │ output=str((scratch_path / "pwnkit" / "pwnkit.so")) │ │ │ │ /opt/pwncat/lib/python3.9/site-packages/pwncat/platform/linux.py:1071 in compile │ │ │ │ 1068 │ │ │ raise PlatformError("compilation failed") │ │ 1069 │ │ finally: │ │ 1070 │ │ │ try: │ │ ❱ 1071 │ │ │ │ self.run(["rm", "-f", real_sources], check=True) │ │ 1072 │ │ │ except pwncat.subprocess.CalledProcessError: │ │ 1073 │ │ │ │ # Removing sources failed. 
Add them as tampers │ │ 1074 │ │ │ │ for source in real_sources: │ │ │ │ /opt/pwncat/lib/python3.9/site-packages/pwncat/platform/init.py:786 in run │ │ │ │ 783 │ │ if popen_class is None: │ │ 784 │ │ │ popen_class = self.Popen │ │ 785 │ │ │ │ ❱ 786 │ │ p = popen_class( │ │ 787 │ │ │ args, │ │ 788 │ │ │ stdin=stdin, │ │ 789 │ │ │ stdout=stdout, │ │ │ │ /opt/pwncat/lib/python3.9/site-packages/pwncat/platform/linux.py:1114 in Popen │ │ │ │ 1111 │ │ │ ) │ │ 1112 │ │ │ │ 1113 │ │ if isinstance(args, list): │ │ ❱ 1114 │ │ │ command = shlex.join(args) │ │ 1115 │ │ elif isinstance(args, str): │ │ 1116 │ │ │ command = args │ │ 1117 │ │ else: │ │ │ │ /usr/lib/python3.9/shlex.py:320 in join │ │ │ │ 317 │ │ 318 def join(split_command): │ │ 319 │ """Return a shell-escaped string from split_command.""" │ │ ❱ 320 │ return ' '.join(quote(arg) for arg in split_command) │ │ 321 │ │ 322 │ │ 323 _find_unsafe = re.compile(r'[^\w@%+=:,./-]', re.ASCII).search │ │ │ │ /usr/lib/python3.9/shlex.py:320 in │ │ │ │ 317 │ │ 318 def join(split_command): │ │ 319 │ """Return a shell-escaped string from split_command.""" │ │ ❱ 320 │ return ' '.join(quote(arg) for arg in split_command) │ │ 321 │ │ 322 │ │ 323 _find_unsafe = re.compile(r'[^\w@%+=:,./-]', re.ASCII).search │ │ │ │ /usr/lib/python3.9/shlex.py:329 in quote │ │ │ │ 326 │ """Return a shell-escaped version of the string s*.""" │ │ 327 │ if not s: │ │ 328 │ │ return "''" │ │ ❱ 329 │ if _find_unsafe(s) is None: │ │ 330 │ │ return s │ │ 331 │ │ │ 332 │ # use single quotes, and put single quotes into double quotes │ ╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯ TypeError: expected string or bytes-like object (local) pwncat$

DanaEpp commented 2 years ago

Thanks for the report, @wangdangel. To help chase this down, can you please provide the following:

  1. The value of the crash settings in your pwncatrc
  2. The distribution and kernel version of your host
  3. The distribution and kernel version of the target
  4. If the target is something I can access (i.e. HTB/THM etc.), a link to the target

Thanks in advance!