Allow empty argv in ssh.process() (Gallopsled#2217) (Gallopsled#2234)

* Fix bug at ssh.py:process() - empty argv[0] Error

Before this, process.py relied on `os.execve` which disallows an empty
argv or argv[0] == "".
This commit replaces `os.execve` with  `ctypes.CDLL(None).execve` to
call the C-Library function directly which allows an empty argv.

* Add Gallopsled#2225 to stable changelog

* Better ctypes syntax

* Add error message if cytpes.execve fails.

* Updata CHANGELOG.md

* ssh.py: python2 compatibility for os.environb

* Add check that "=" not in misc.normalize_argv_env

This check checks prevents the use of "=" in the
key of an environment variable, which is generally
impossible.

* ssh.process: Seperate cases for empty argv[0]

This commit seperates the cases for an empty argv[0]
from normal cases.

* ssh.py delete leftover comment

---------

Co-authored-by: Youheng Lü <[email protected]>
Co-authored-by: Arusekk <[email protected]>
Co-authored-by: peace-maker <[email protected]>

Author: 3 people

CHANGELOG.md

@@ -73,13 +73,15 @@ The table below shows which release corresponds to each branch, and what date th
 - [#2219][2219] Fix passing arguments on the stack in shellcraft syscall template
 - [#2212][2212] Add `--libc libc.so` argument to `pwn template` command
 - [#2257][2257] Allow creation of custom templates for `pwn template` command
+- [#2225][2225] Allow empty argv in ssh.process()
 
 [2202]: https://github.com/Gallopsled/pwntools/pull/2202
 [2117]: https://github.com/Gallopsled/pwntools/pull/2117
 [2221]: https://github.com/Gallopsled/pwntools/pull/2221
 [2219]: https://github.com/Gallopsled/pwntools/pull/2219
 [2212]: https://github.com/Gallopsled/pwntools/pull/2212
 [2257]: https://github.com/Gallopsled/pwntools/pull/2257
+[2225]: https://github.com/Gallopsled/pwntools/pull/2225
 
 ## 4.11.0 (`beta`)
 
@@ -95,7 +97,7 @@ The table below shows which release corresponds to each branch, and what date th
 [2186]: https://github.com/Gallopsled/pwntools/pull/2186
 [2129]: https://github.com/Gallopsled/pwntools/pull/2129
 
-## 4.10.1 (`stable`)
+## 4.10.1 (`stable`) 
 
 - [#2214][2214] Fix bug at ssh.py:`download` and `download_file` with relative paths
 - [#2241][2241] Fix ssh.process not setting ssh_process.cwd attribute

pwnlib/tubes/ssh.py

@@ -882,6 +882,23 @@ def process(self, argv=None, executable=None, tty=True, cwd=None, env=None, time
             >>> io = s.process(['cat'], timeout=5)
             >>> io.recvline()
             b''
+
+            >>> # Testing that empty argv works
+            >>> io = s.process([], executable='sh')
+            >>> io.sendline(b'echo $0')
+            >>> io.recvline()
+            b'$ \n'
+            >>> # Make sure that we have a shell
+            >>> io.sendline(b'echo hello')
+            >>> io.recvline()
+            b'$ hello\n'
+
+            >>> # Testing that empty argv[0] works
+            >>> io = s.process([''], executable='sh')
+            >>> io.sendline(b'echo $0')
+            >>> io.recvline()
+            b'$ \n'
+
         """
         if not argv and not executable:
             self.error("Must specify argv or executable")
@@ -945,7 +962,7 @@ def func(): pass
     os.environ.clear()
     environ.update(env)
 else:
-    env = os.environ
+    env = environ
 
 def is_exe(path):
     return os.path.isfile(path) and os.access(path, os.X_OK)
@@ -1034,8 +1051,35 @@ def is_exe(path):
 %(func_src)s
 %(func_name)s(*%(func_args)r)
 
-os.execve(exe, argv, env)
-""" % locals()  # """
+""" % locals()  
+
+        if len(argv) > 0 and len(argv[0]) > 0:
+            script += r"os.execve(exe, argv, env) " 
+
+        # os.execve does not allow us to pass empty argv[0]
+        # Therefore we use ctypes to call execve directly
+        else:
+            script += r"""
+# Transform envp from dict to list
+env_list = [key + b"=" + value for key, value in env.items()]
+
+# ctypes helper to convert a python list to a NULL-terminated C array
+def to_carray(py_list):
+    py_list += [None] # NULL-terminated
+    return (ctypes.c_char_p * len(py_list))(*py_list)
+
+c_argv = to_carray(argv)
+c_env = to_carray(env_list)
+
+# Call execve
+libc = ctypes.CDLL('libc.so.6')
+libc.execve(exe, c_argv, c_env)
+
+# We should never get here, since we sanitized argv and env,
+# but just in case, indicate that something went wrong.
+libc.perror(b"execve")
+raise OSError("execve failed")
+""" % locals()
 
         script = script.strip()
 
@@ -1054,7 +1098,7 @@ def is_exe(path):
             execve_repr = "execve(%r, %s, %s)" % (executable,
                                                   argv,
                                                   'os.environ'
-                                                  if (env in (None, os.environ))
+                                                  if (env in (None, getattr(os, "environb", os.environ))) 
                                                   else env)
             # Avoid spamming the screen
             if self.isEnabledFor(logging.DEBUG) and len(execve_repr) > 512:

pwnlib/util/misc.py

@@ -229,6 +229,10 @@ def normalize_argv_env(argv, env, log, level=2):
         for k,v in env_items:
             if not isinstance(k, (bytes, six.text_type)):
                 log.error('Environment keys must be strings: %r' % k)
+            # Check if = is in the key, Required check since we sometimes call ctypes.execve directly
+            # https://github.com/python/cpython/blob/025995feadaeebeef5d808f2564f0fd65b704ea5/Modules/posixmodule.c#L6476
+            if b'=' in packing._encode(k):
+                log.error('Environment keys may not contain "=": %r' % (k))
             if not isinstance(v, (bytes, six.text_type)):
                 log.error('Environment values must be strings: %r=%r' % (k,v))
             k = packing._need_bytes(k, level, 0x80)  # ASCII text is okay