@pe3zx
Created April 20, 2019 09:42
Unpacking sudoers_timestamp struct
import sys
import binascii
import struct
from ctypes import Union, Structure, c_int, c_long, c_ushort, c_uint, c_short
from collections import namedtuple
from pprint import pprint
# struct timestamp_entry {
# unsigned short version; /* version number */
# unsigned short size; /* entry size */
# unsigned short type; /* TS_GLOBAL, TS_TTY, TS_PPID */
# unsigned short flags; /* TS_DISABLED, TS_ANYUID */
# uid_t auth_uid; /* uid to authenticate as */
# pid_t sid; /* session ID associated with tty/ppid */
# struct timespec start_time; /* session/ppid start time */
# struct timespec ts; /* time stamp (CLOCK_MONOTONIC) */
# union {
# dev_t ttydev; /* tty device number */
# pid_t ppid; /* parent pid */
# } u;
# };
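# Fixed C layout this script decodes.  "=" selects standard sizes and no
# padding, so H is 2 bytes and I/i/l are 4 bytes each: 4*2 + 8*4 = 40 bytes,
# i.e. a layout with a 4-byte time_t in both timespec members.  A file written
# on an ABI with 8-byte time_t/dev_t carries a different `size` in every record
# header; the reader below refuses such records instead of decoding them out
# of alignment (the original always read 40 bytes and ignored `size`).
ENTRY_FORMAT = "=HHHHIiililii"
HEADER_FORMAT = "=HHHH"  # version, size, type, flags
ENTRY_SIZE = struct.calcsize(ENTRY_FORMAT)
HEADER_SIZE = struct.calcsize(HEADER_FORMAT)

# Field names follow struct timestamp_entry above.  Note that `ttydev` and
# `ppid` are a union in C (one storage slot, selected by `type`: TS_TTY vs
# TS_PPID); this format reads that slot as two 4-byte values, so only the
# member matching `type` is meaningful, and if dev_t is 8 bytes on the
# producing host `ppid` is really the upper half of `ttydev`.  `ts` is taken
# from CLOCK_MONOTONIC per the struct comment, so ts_sec is not an epoch time.
sudoers_timestamp = namedtuple(
    "sudoers_timestamp",
    "version size type flags auth_uid sid start_time_sec start_time_nsec ts_sec ts_nsec ttydev ppid",
)


def unpack_entry(data):
    """Decode one raw timestamp_entry record into a sudoers_timestamp.

    Args:
        data: exactly ENTRY_SIZE bytes holding one record.

    Returns:
        A sudoers_timestamp namedtuple with the fields of ENTRY_FORMAT.

    Raises:
        ValueError: if `data` is not ENTRY_SIZE bytes long, or the record's
            own `size` field disagrees with what ENTRY_FORMAT decodes (a
            different ABI layout, or not a sudo timestamp record at all).
    """
    if len(data) != ENTRY_SIZE:
        raise ValueError(
            f"expected {ENTRY_SIZE} bytes for a timestamp_entry, got {len(data)}"
        )
    entry = sudoers_timestamp._make(struct.unpack(ENTRY_FORMAT, data))
    if entry.size != ENTRY_SIZE:
        raise ValueError(
            f"record declares size {entry.size}, but ENTRY_FORMAT decodes "
            f"{ENTRY_SIZE} bytes; adjust the format for the producing host's ABI"
        )
    return entry


def iter_entries(stream):
    """Yield every record in an open binary timestamp file.

    Each record is delimited by the `size` field of its own 8-byte header,
    so a file whose records do not match ENTRY_FORMAT fails loudly on the
    first record rather than being read out of alignment, and a truncated
    trailing record is reported instead of surfacing as a bare struct.error.

    Args:
        stream: a binary file object opened for reading.

    Raises:
        ValueError: on a truncated header or body, a header whose size is
            smaller than the header itself, or a record size that does not
            match ENTRY_FORMAT.
    """
    while True:
        header = stream.read(HEADER_SIZE)
        if not header:
            return
        if len(header) < HEADER_SIZE:
            raise ValueError(f"truncated record header ({len(header)} bytes)")
        _version, size, _type, _flags = struct.unpack(HEADER_FORMAT, header)
        if size < HEADER_SIZE:
            raise ValueError(f"record size {size} is smaller than its header")
        if size != ENTRY_SIZE:
            raise ValueError(
                f"record declares size {size}, but ENTRY_FORMAT decodes "
                f"{ENTRY_SIZE} bytes; the file was likely written on an ABI "
                "with a different time_t/dev_t width"
            )
        body = stream.read(size - HEADER_SIZE)
        if len(body) != size - HEADER_SIZE:
            raise ValueError(
                f"truncated record: header declares {size} bytes, "
                f"got {HEADER_SIZE + len(body)}"
            )
        yield unpack_entry(header + body)


def main(argv):
    """Pretty-print every entry of the timestamp file named by argv[1].

    Returns:
        0 on success, 2 when no file argument was given (usage is printed
        to stderr instead of raising IndexError on argv[1]).
    """
    if len(argv) < 2:
        print(f"usage: {argv[0]} <sudo-timestamp-file>", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as f:
        for entry in iter_entries(f):
            pprint(entry._asdict())
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))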