
EPERM when deleting the stage2 file when launched with sudo

Open vfsfitvnm opened this issue 4 years ago • 2 comments

For obvious reasons, the stage2*.bin file will be created as root when launching the script with sudo. In this case, the shellcode (that will run as non privileged user) won't be able to delete the stage2*.bin file (EPERM).

I guess that the file should be chowned so the owner becomes the non-root user.

A quick fix is adding this snippet as soon as the file is created.

import os

# If the script was launched via sudo, hand the stage2 file to the invoking
# user so the shellcode (which runs unprivileged) can unlink it. The guard on
# SUDO_UID avoids int(None) when running as a real root shell without sudo.
if os.getuid() == 0 and "SUDO_UID" in os.environ:
    uid = int(os.environ["SUDO_UID"])
    gid = int(os.environ.get("SUDO_GID", -1))  # -1 leaves the group unchanged
    os.chown(stage2_path, uid, gid)

vfsfitvnm avatar Jan 21 '21 17:01 vfsfitvnm

The target process may be owned by a different user altogether, so your proposed fix would not work in that case. I think we should read the uid of the target process via /proc/<PID>/loginuid, and leave the gid unchanged. I'll implement this at some point soon™

DavidBuchanan314 avatar Jan 23 '21 18:01 DavidBuchanan314

> The target process may be owned by a different user altogether, so your proposed fix would not work in that case. I think we should read the uid of the target process via /proc/<PID>/loginuid, and leave the gid unchanged. I'll implement this at some point soon™

You are correct, I didn't realize that. However, would you consider parsing /proc/<PID>/status instead of loginuid? It seems to be a more portable solution (loginuid does not work for daemons and it's not present on Android - not very relevant, I guess).

vfsfitvnm avatar Jan 24 '21 10:01 vfsfitvnm
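The approach discussed in the last two comments, written out as an added example (this is not dlinject's code and nothing from this thread was merged here): read the `Uid:` line of /proc/<PID>/status and chown the stage2 file to that uid, leaving the gid alone as suggested above. The `Uid:` line carries four columns (real, effective, saved, filesystem); unlink() in a sticky directory such as /tmp is checked against the filesystem uid, so that is the column to use. `/proc/<PID>/loginuid` is skipped for the reason given above (it reads as 4294967295, i.e. (uid_t)-1, for daemons that never went through a login session). The function names, the `stage2_path` and `pid` parameters, and the two status samples are constructed for this example.

```python
import os
import re
from pathlib import Path

# Matches the "Uid:" and "Gid:" lines of /proc/<pid>/status, which carry
# four tab-separated values: real, effective, saved, filesystem.
_ID_LINE = re.compile(r"^(Uid|Gid):\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$", re.M)


def parse_status_ids(status_text):
    """Return {"Uid": (real, eff, saved, fs), "Gid": (...)} from the text
    of /proc/<pid>/status. Raises ValueError if either line is missing."""
    ids = {}
    for m in _ID_LINE.finditer(status_text):
        ids[m.group(1)] = tuple(int(m.group(i)) for i in range(2, 6))
    for key in ("Uid", "Gid"):
        if key not in ids:
            raise ValueError(f"{key} line missing from status text")
    return ids


def fs_uid_from_status(status_text):
    """The uid the kernel checks unlink() against: the 4th (fs) column.
    For a setuid binary this differs from the real uid in column 1."""
    return parse_status_ids(status_text)["Uid"][3]


def target_fs_uid(pid):
    """Read the filesystem uid of a live process (Linux only)."""
    return fs_uid_from_status(Path(f"/proc/{pid}/status").read_text())


def chown_stage2_for_target(stage2_path, pid):
    """Make stage2_path deletable by the injected process.

    Returns the uid the file was given, or None when no chown was needed:
    without root we could only have attached to a process of our own uid
    (absent CAP_SYS_PTRACE), so the file we created already has that owner.
    """
    if os.geteuid() != 0:
        return None
    uid = target_fs_uid(pid)
    # gid -1 leaves the group unchanged, as proposed in the thread.
    os.chown(stage2_path, uid, -1)
    return uid


# Constructed status excerpts (not captured from a real system), used to
# exercise the parser without touching /proc.
SAMPLE_STATUS = (
    "Name:\tsleep\nUmask:\t0022\nState:\tS (sleeping)\nPid:\t4242\n"
    "Uid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\n"
)
SETUID_STATUS = (
    "Name:\tpasswd\nPid:\t4343\n"
    "Uid:\t1000\t0\t0\t0\nGid:\t1000\t1000\t1000\t1000\n"
)

if __name__ == "__main__":
    print(parse_status_ids(SAMPLE_STATUS))
    print("fs uid of setuid sample:", fs_uid_from_status(SETUID_STATUS))
```

The parser is kept separate from the /proc read so it can be checked against the two embedded samples; on a real target you would call `chown_stage2_for_target(stage2_path, pid)` right after the stage2 file is written and before the shellcode runs.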