pure in memory shell code injection in linux userland
play

Pure In-Memory (Shell)Code Injection In Linux Userland DeepSec18, - PowerPoint PPT Presentation

Dec 04, 2023 •149 likes •510 views

Pure In-Memory (Shell)Code Injection In Linux Userland DeepSec18, Vienna, Austria Disclaimer The views and opinions expressed in this presentation are those of the author and do not necessarily represent offjcial policy or position of my

  1. Pure In-Memory (Shell)Code Injection In Linux Userland DeepSec’18, Vienna, Austria

  2. Disclaimer The views and opinions expressed in this presentation are those of the author and do not necessarily represent offjcial policy or position of my employer or of its clients.

  3. about(me); $ fjnger -l $USER Login name: reenz0h In real life: reenz0h Directory: /home/sweeTHome Shell: /usr/bin/ipython Last login Fri Jun 29 22:21 on rawttyS0 from ::1 Unread mail since T ue Feb 14 23:40:24 2017 Plan: * Senior Security Researcher / Red T eamer @ Big Company * Former (sys|net) engineer * Speaker/Trainer * Organizer of x33fcon security conference, Gdynia, Poland * Founder/CEO of Sektor7 research company

  4. agenda(DeepSec); * Problem Description * Common Code Execution w/ Artifacts * Communication Channels (IB/OOB) w/ compromised system * In-Memory-Only Methods - Live Demos * OPSEC considerations * References

  5. #defjne PROBLEM; * Scenario: - breached into a Linux system; - access to interactive shell w/ or w/o allocated PTY; - post-exploitation activities w/ additional tools; * Objective: - run extra tools w/o touching disk; - use only what is available on compromised system; - optionally bypass noexec fmag set on partitions;

  6. #redefjne PROBLEM; Living ofg the land… MacGyver style

  7. send_payload(victim); Communication channels (methods to deliver payloads): * “Out-Of-Band”: network protocols/sockets (uni|multi|broad|any-cast), internal/extrenal devices * “In-Band”: TTY as a data link

  8. In-Memory-Only Methods

  9. shellcode(DEMO); The following shellcode will be used during DEMO sessions.

  10. mount(tmpfs); NAME tmpfs - a virtual memory fjlesystem DESCRIPTION The tmpfs facility allows the creation of fjlesystems whose contents reside in virtual memory. Since the fjles on such fjlesystems typically reside in RAM, fjle access is extremely fast.

  11. mount(tmpfs);

  12. execve(gdb); DESCRIPTION [...] GDB can do four main kinds of things (plus other things in support of these) to help you catch bugs in the act: · Start your program, specifying anything that might afgect its behavior. · Make your program stop on specifjed conditions. · Examine what has happened, when your program has stopped. · Change things in your program, so you can experiment with correcting the efgects of one bug and go on to learn about another.

  13. execve(gdb); DEMO

  14. gdb(POC);

  15. execve(python); Use CTYPES to run your shellcode in memory: * load libc; * mmap() new W+X memory region for shellcode * copy shellcode into mmap’ed bufger * make the bufger ‘callable’ * make the call * profjt...

  16. execve(python); DEMO

  17. python(POC);

  18. dd(procfs); NAME dd - convert and copy a fjle DESCRIPTION Copy a fjle, converting and formatting according to the operands. ------------------------------------------------------------------------------------------------ NAME proc - process information pseudo-fjlesystem DESCRIPTION The proc fjlesystem is a pseudo-fjlesystem which provides an interface to kernel data structures.

  19. dd(procfs); This translates to: “Make dd modify itself on the fmy” But… 2 problems: stdin and stdout; ASLR

  20. dd(procfs); Problem #1: dd closes stdin and stdout Solution: dup()

  21. dd(procfs); Problem #2: ASLR

  22. dd(procfs); Solution: change execution domain (aka personality ) DESCRIPTION Linux supports difgerent execution domains, or personalities, for each process. Among other things, execution domains tell Linux how to map signal numbers into signal actions. The execution domain system allows Linux to provide limited support for binaries compiled under other UNIX-like operating systems. […] ADDR_NO_RANDOMIZE (since Linux 2.6.12) With this fmag set, disable address-space-layout randomization.

  23. dd(procfs); T urning ASLR ofg at runtime (from userland):

  24. dd(procfs); Write-What(Shellcode)-Where? PLT? Risky ...

  25. dd(procfs); DEMO

  26. dd(POC);

  27. call(MOAR_POWER); Shellcode is kinda cool, but coding complicated stufgs in asm is a PITA. We want to run an executable (ELF object). So…

  28. mkfjfo(); Fails… mmap() cannot fjnd target fjle to load.

  29. memfd_create(); SYNOPSIS #include <sys/memfd.h> int memfd_create(const char *name, unsigned int flags); DESCRIPTION memfd_create() creates an anonymous fjle and returns a fjle descriptor that refers to it. The fjle behaves like a regular fjle, and so can be modifjed, truncated, memory-mapped, and so on. However, unlike a regular fjle, it lives in RAM and has a volatile backing storage. Once all references to the fjle are dropped, it is automatically released. [...] The memfd_create() system call fjrst appeared in Linux 3.17; glibc support was added in version 2.27.

  30. memfd_create(); Shellcode:

  31. memfd_create(); DEMO

  32. memfd_create(POC);

  33. opsec(); * Logs * Process list * Swappiness - mlock(), mlockall(), mmap() - CAP_IPC_LOCK || root + ulimits - sysctl vm.swappiness / /proc/sys/vm/swappiness - root - cgroups (memory .swappiness) - root || priviledge to modify cgroup + does not guarantee that under heavy load memory manager will not swap the process to disk anyway (ie. root cgroup allows swapping and needs memory)

  34. bottom_line(); Be like MacGyver

  35. exit(“Thank you”); Questions? twitter: @x33fcon https://www.x33fcon.com https://www.sektor7.net

  36. call(references); * The Design and Implementation of Userland Exec by the grugq https://grugq.github.io/docs/ul_exec.txt * Advanced Antiforensics : SELF by Pluf & Ripe http://phrack.org/issues/63/11.html * Implementation of SELF in python by mak https://github.com/mak/pyself * Linux based inter-process code injection without ptrace(2) by Rory McNamara https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without- ptrace2.html

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring

5.2) Injections (part 2) Shell Injection, XML Injection, LDAP injection Emmanuel Benoist Spring Term 2016 Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 1 Table of Contents Injection in PHP

995 views • 73 slides
Playing with ptrace() for fun and profit Injection de code sous GNU/Linux Nicolas Bareil

Playing with ptrace() for fun and profit Injection de code sous GNU/Linux Nicolas Bareil

ptrace() Injection de code Applications pratiques Playing with ptrace() for fun and profit Injection de code sous GNU/Linux Nicolas Bareil nicolas.bareil@eads.net EADS Corporate Research Center - DCR/STI/C SSI Lab SSTIC 2006 Nicolas Bareil

1.25k views • 44 slides
A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application into executing commands or code embedded in data Data and code mixing! Often injected into interpreters SQL, PHP, Python, JavaScript, LDAP,

377 views • 14 slides
Linux on Sun Logical Domains David S. Miller Red Hat Inc. linux.conf.au, MEL8OURNE, 2008 David

Linux on Sun Logical Domains David S. Miller Red Hat Inc. linux.conf.au, MEL8OURNE, 2008 David

Background Userland Simulator Implementation Challenges/Futures Summary Linux on Sun Logical Domains David S. Miller Red Hat Inc. linux.conf.au, MEL8OURNE, 2008 David S. Miller Red Hat Inc. Linux on Sun LDOMs Background Userland

515 views • 36 slides
Bourne (Again) Shell CIS 218 Bourne Again Shell Current GNU LINUX BASH Shell documentation:

Bourne (Again) Shell CIS 218 Bourne Again Shell Current GNU LINUX BASH Shell documentation:

Bourne (Again) Shell CIS 218 Bourne Again Shell Current GNU LINUX BASH Shell documentation: http://www.gnu.org/software/bash/manual/bashref.html Bash is an acronym for Bourne - Again SHell. The Bourne shell is the traditional

947 views • 37 slides
More Linux Shell Scripts Fundamentals of Computer Science Outline Shells and Shell

More Linux Shell Scripts Fundamentals of Computer Science Outline Shells and Shell

More Linux Shell Scripts Fundamentals of Computer Science Outline Shells and Shell Scripts Shell Variables and the Environment Simple Shell Scripting More Advanced Shell Scripting Start-up Shell Scripts Shells and Shell

367 views • 17 slides
GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The GNU userland consists of libc, the init system (SystemD) X11 GUI toolkits etc. Ask the audience Who has used

442 views • 22 slides
Introduction of Linux , oslab2020@163.com PART II Shell Script Compile

Introduction of Linux , oslab2020@163.com PART II Shell Script Compile

Introduction of Linux , oslab2020@163.com PART II Shell Script Compile &amp; Debug (for C) Text Editor (Vim, Sublime text, Atom) Shell Script A shell script is a program designed to be run by the shell. The various

375 views • 35 slides
Blackout: What Really Happened Jamie Butler and Kris Kendall Outline Code Injection Basics

Blackout: What Really Happened Jamie Butler and Kris Kendall Outline Code Injection Basics

Blackout: What Really Happened Jamie Butler and Kris Kendall Outline Code Injection Basics User Mode Injection Techniques Example Malware Implementations Kernel Mode Injection Techniques Advanced Code Injection Detection via

901 views • 60 slides
An introduction to Linux and the Unix Shell Rui Meireles Assistant Prof. of Computer Science,

An introduction to Linux and the Unix Shell Rui Meireles Assistant Prof. of Computer Science,

An introduction to Linux and the Unix Shell Rui Meireles Assistant Prof. of Computer Science, Vassar College, USA 1 Introduction 2 What is Linux? (1/2) First of all, Linux is an Operating System (OS) Software that manages the

776 views • 48 slides
A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: &quot;SELECT

445 views • 32 slides
Virtual Memory and Linux Alan Ott Embedded Linux Conference April 4-6, 2016 About the Presenter

Virtual Memory and Linux Alan Ott Embedded Linux Conference April 4-6, 2016 About the Presenter

Virtual Memory and Linux Alan Ott Embedded Linux Conference April 4-6, 2016 About the Presenter Linux Architect at SoftIron 64-bit ARM servers and data center appliences Linux Kernel Firmware Userspace Training USB

1.04k views • 71 slides
Escalating Privileges in Linux using Fault Injection Niek Timmers Cristofaro Mune

Escalating Privileges in Linux using Fault Injection Niek Timmers Cristofaro Mune

Escalating Privileges in Linux using Fault Injection Niek Timmers Cristofaro Mune timmers@riscure.com c.mune@pulse-sec.com ( @ tieknimmers) ( @ pulsoid) September 25, 2017 Fault Injection A definition... Introducing faults in a target

969 views • 47 slides
Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D. Keromytis Columbia University Vassilis Prevelakis Drexel University 1 Overview of Technique Protect from code-injection attacks create

608 views • 19 slides
Dynamic Memory Management The Linux Perspective Allocating memory: The

Dynamic Memory Management The Linux Perspective Allocating memory: The

CPSC 410/611 : Operating Systems Dynamic Memory Management The Linux Perspective Allocating memory: The Interface Buddy System Slab Allocation Reading: Silberschatz (8 th ed.), Chapters 9.8

447 views • 6 slides
From weak to weedy Effective use of memory barriers in the ARM Linux Kernel Will Deacon

From weak to weedy Effective use of memory barriers in the ARM Linux Kernel Will Deacon

Introduction ARMs memory model Linuxs memory model Finer-grained control Questions Future work From weak to weedy Effective use of memory barriers in the ARM Linux Kernel Will Deacon will.deacon@arm.com Embedded Linux Conference

539 views • 52 slides
Injection Attacks on Server (Section 7.3 in book + some extra stuff; Note: we skipped 7.2 for

Injection Attacks on Server (Section 7.3 in book + some extra stuff; Note: we skipped 7.2 for

Software and Web Security 2 Injection Attacks on Server (Section 7.3 in book + some extra stuff; Note: we skipped 7.2 for now) sws2 1 Recall: dynamically created web pages Most web pages you see are dynamically created (except for instance

1k views • 64 slides
NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM

NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM

NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM AppScan Excellence Aviv Ron Emanuel Bronshtein Alexandra Shulman-Peleg IBM Security Systems Cyber Center of Excellence AVIV RON Security

452 views • 27 slides
Morales 1 , 2 Hetor Garia Brue 2 Redaelli 2 tino 2 Ro derik , Sefano , Gianlua V alen

Morales 1 , 2 Hetor Garia Brue 2 Redaelli 2 tino 2 Ro derik , Sefano , Gianlua V alen

MD1388: A tiv e Halo Con trol using narro w band exitation at injetion Morales 1 , 2 Hetor Garia Brue 2 Redaelli 2 tino 2 Ro derik , Sefano , Gianlua V alen , h 2 agner 2 Xu 2 Daniel V alu , Jos hk a W , C.

190 views • 7 slides
Welcome to Fluffs Rescue and Adoption Centre! Teach Today, we are learning to read words

Welcome to Fluffs Rescue and Adoption Centre! Teach Today, we are learning to read words

Welcome to Fluffs Rescue and Adoption Centre! Teach Today, we are learning to read words containing -tion . Teach When we see - tion in a word, it makes the sound /shun/. Look at these words below: attention potion section mention Teach

142 views • 13 slides
RD53A injection capacitor measurement results &amp; RD53A pixel hit delay measurement results

RD53A injection capacitor measurement results &amp; RD53A pixel hit delay measurement results

RD53A injection capacitor measurement results &amp; RD53A pixel hit delay measurement results 2/02/2018 Magne Lauritzen Part 1 Injection capacitor measurement Goal Measure capacitance of the injection capacitors that are present on

423 views • 16 slides
A 107 W MedRadio Injection-Locked Clock Multiplier with a CTAT-biased 126 ppm/ C Ring

A 107 W MedRadio Injection-Locked Clock Multiplier with a CTAT-biased 126 ppm/ C Ring

Session 3 - Oscillators and PLLs A 107 W MedRadio Injection-Locked Clock Multiplier with a CTAT-biased 126 ppm/ C Ring Oscillator Somok Mondal and Drew A. Hall University of California, San Diego La Jolla, CA, (USA) IEEE CICC, Austin, TX,

652 views • 29 slides
kR^X Comprehensive Kernel Protection against Just-In-Time Code Reuse Marios Pomonis 1 Theofilos

kR^X Comprehensive Kernel Protection against Just-In-Time Code Reuse Marios Pomonis 1 Theofilos

Introduction RX Fine-grained KASLR Evaluation kR^X Comprehensive Kernel Protection against Just-In-Time Code Reuse Marios Pomonis 1 Theofilos Petsios 1 Angelos D. Keromytis 1 Michalis Polychronakis 2 Vasileios P. Kemerlis 3 1 Columbia

1.18k views • 66 slides
FAROS: Illuminating In-Memory Injection Attacks via Provenance-based Whole System Dynamic

FAROS: Illuminating In-Memory Injection Attacks via Provenance-based Whole System Dynamic

FAROS: Illuminating In-Memory Injection Attacks via Provenance-based Whole System Dynamic Information Flow Tracking Meisam Navaki Arefi , Geoffrey Alexander, Hooman Rokham, Aokun Chen, Michalis Faloutsos, Xuetao Wei, Daniela Seabra Oliveira and

588 views • 32 slides

More recommend