fix(enumerate): fix CVE-2019-14287 detection and restore pickle compatibility

Fixed CVE-2019-14287 detection logic.

Also reverted a previous accidental change that broke pickle serialization, preventing persistent storage from working properly.

Author: Chocapikk

pwncat/manager.py

@@ -923,34 +923,37 @@ def create_db_session(self):
         return self.db.open()
 
     def load_modules(self, *paths):
-        """Dynamically load modules from the specified paths
+        """
+        Dynamically load modules from the specified paths.
 
         If a module has the same name as an already loaded module, it will
-        take it's place in the module list. This includes built-in modules.
+        take its place in the module list. This includes built-in modules.
         """
 
-        for loader, module_name, _ in pkgutil.walk_packages(
-            paths, prefix="pwncat.modules."
-        ):
+        for loader, module_name, is_pkg in pkgutil.walk_packages(paths, prefix="pwncat.modules."):
+            # Locate the module spec
+            spec = importlib.util.find_spec(module_name)
+            if spec is None:
+                continue
 
-            if module_name not in sys.modules:
-                spec = importlib.util.find_spec(module_name)
-                if spec is None:
-                    continue
+            # Always check `sys.modules` under `spec.name`.
+            # If it's already loaded, reuse that module; if not, load anew.
+            if spec.name in sys.modules:
+                module = sys.modules[spec.name]
+            else:
                 module = importlib.util.module_from_spec(spec)
+                sys.modules[spec.name] = module
                 spec.loader.exec_module(module)
-            else:
-                module = sys.modules[module_name]
 
-            if getattr(module, "Module", None) is None:
+            # We only care about modules that actually define `Module`
+            if not hasattr(module, "Module"):
                 continue
 
             # Create an instance of this module
-            module_name = module_name.split("pwncat.modules.")[1]
-            self.modules[module_name] = module.Module()
+            short_name = module_name.split("pwncat.modules.", 1)[1]
+            self.modules[short_name] = module.Module()
+            self.modules[short_name].name = short_name
 
-            # Store it's name so we know it later
-            setattr(self.modules[module_name], "name", module_name)
 
     def log(self, *args, **kwargs):
         """Output a log entry"""

pwncat/modules/linux/enumerate/file/suid.py

@@ -76,4 +76,4 @@ def enumerate(self, session: "pwncat.manager.Session"):
                         )
                     )
         finally:
-            proc.wait()
+            proc.wait()

pwncat/modules/linux/enumerate/software/sudo/cve_2019_14287.py

@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-from packaging import version
+from packaging.version import parse, InvalidVersion
 
 import pwncat
 from pwncat.facts import build_gtfo_ability
@@ -26,7 +26,11 @@ def enumerate(self, session: "pwncat.manager.Session"):
             return
 
         # This vulnerability was patched in 1.8.28
-        if version.parse(sudo_info.version) >= version.parse("1.8.28"):
+        try:
+            parsed_version = parse(sudo_info.version)
+            if parsed_version >= parse("1.8.28"):
+                return
+        except InvalidVersion:
             return
 
         # Grab the current user/group
@@ -74,4 +78,4 @@ def enumerate(self, session: "pwncat.manager.Session"):
                             source_uid=current_user.id,
                             user="\\#-1",
                             spec=command,
-                        )
+                        )

pwncat/platform/__init__.py

@@ -515,12 +515,11 @@ def __init__(
         target = self
 
         class RemotePath(base_path, Path):
-
-            _target = target
-            _stat = None
-
-            def __init__(self, *args):
-                base_path.__init__(*args)
+            def __new__(cls, *args, **kwargs):
+                obj = super().__new__(cls, *args, **kwargs)
+                obj._target = target
+                obj._stat = None
+                return obj
 
         self.Path = RemotePath
         """ A concrete Path object for this platform conforming to pathlib.Path """

pwncat/platform/linux.py

@@ -1635,14 +1635,12 @@ def context_changed(self):
 
         # Update self.shell just in case the user changed shells
         try:
-            # Get the PID of the running shell
-            pid = self.getenv("$")
-            # Grab the path to the executable representing the shell
-            self.shell = self.Path("/proc", pid, "exe").readlink()
-        except (FileNotFoundError, PermissionError, OSError):
-            # Fall back to SHELL even though it's not really trustworthy
+            pid = self.getenv("$").strip()
+            proc_exe_path = f"/proc/{pid}/exe"
+            self.shell = self.readlink(proc_exe_path)
+        except (FileNotFoundError, PermissionError, OSError, AttributeError):
             self.shell = self.getenv("SHELL")
-            if self.shell is None or self.shell == "":
+            if not self.shell:
                 self.shell = "/bin/sh"
 
         # Refresh the currently tracked user and group IDs