The SSH tube now keeps the environment variable's order. (#1464)

* The SSH tube now keeps the environment variables of processes it creates in order. The way of achieving that is through passing the env to the script as a list of tuples, since Python3's dictionaries are ordered by default, or you can use `OrderedDict`, the result would be that the spawned process on the remote machine will keep the environment variables in order. This is very important to exploits that are based on the stack's order and especially the environment variables. For instance, a common challenge is comparing argc == 0, and afterwards accessing the argv array, as an out-of-bounds array. The shellcode needs to be at a certain index consistently and cannot rely on the stack moving around. * Relocated the code.
Gallopsled · Mar 25, 2020 · 415f11b · 415f11b
1 parent 9cefacc
commit 415f11b
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/pwnlib/tubes/ssh.py b/pwnlib/tubes/ssh.py
@@ -910,14 +910,17 @@ def func(): pass
 
         func_src  = inspect.getsource(func).strip()
         setuid = True if setuid is None else bool(setuid)
+
+        # Converts the environment variables to a list of tuples to remain order.
+        env = list(env.items())
 
         script = r"""
 #!/usr/bin/env python2
 import os, sys, ctypes, resource, platform, stat
 from collections import OrderedDict
 exe   = %(executable)r
 argv  = %(argv)r
-env   = %(env)r
+env   = OrderedDict(%(env)r)
 
 os.chdir(%(cwd)r)