Saturday, July 2, 2022

Inject A Shared Library (I.E. Arbitrary Code) Into A Live Linux Process, Without Ptrace




Inject a shared library (i.e. arbitrary code) into a live Linux process, without ptrace. Inspired by Cexigua and linux-inject, among other things.


[ASCII-art banner: dlinject.py]

source: https://github.com/DavidBuchanan314/dlinject

usage: dlinject.py [-h] [--stopmethod {sigstop,cgroup_freeze,none}]
                   pid /path/to/lib.so

Inject a shared library into a live process.

positional arguments:
  pid                   The pid of the target process
  /path/to/lib.so       Path of the shared library to load (note: must be
                        relative to the target process's cwd, or absolute)

optional arguments:
  -h, --help            show this help message and exit
  --stopmethod {sigstop,cgroup_freeze,none}
                        How to stop the target process prior to shellcode
                        injection. SIGSTOP (default) can have side-effects.
                        cgroup freeze requires root. 'none' is likely to cause
                        race conditions.

Why?

  • Because I can.

  • There are many anti-ptrace techniques, which this evades by simply not using ptrace.

  • I don't like ptrace.

  • Using LD_PRELOAD can sometimes be fiddly or impossible, if the process you want to inject into is spawned by another process with a clean environment.

How?

  • Send the stop signal to the target process. (optional)

  • Locate the _dl_open() symbol.

  • Retrieve RIP and RSP via /proc/[pid]/syscall.

  • Make a backup of part of the stack, and of the code we're about to overwrite with our shellcode, by reading from /proc/[pid]/mem.

  • Generate primary and secondary shellcode buffers.

  • Insert the primary shellcode at RIP, by writing to /proc/[pid]/mem.

  • The primary shellcode:

    • Pushes common registers to the stack.
    • Loads the secondary shellcode via mmap().
    • Jumps to the secondary shellcode.
  • The secondary shellcode:

    • Restores the stack and program code to their original states.
    • Pivots the stack (so we don't touch the original one at all).
    • Calls _dl_open() to load the user-specified library. Any constructors will be executed on load, as usual.
    • Restores register state, un-pivots the stack, and jumps back to where it was at the time of the original SIGSTOP.
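The bookkeeping half of the recipe above (reading RIP/RSP from /proc/[pid]/syscall, finding a library base in /proc/[pid]/maps, backing up the code and stack through /proc/[pid]/mem, patching, and the restore that stage 2 performs first) is shown below as an added example. It is not dlinject's own code. It runs against constructed stand-ins for the /proc files so it works offline and without root; the ProcMem class shows the real os.pread/os.pwrite backend. The /proc line formats in the samples, the _dl_open offset (DL_OPEN_OFFSET), the placeholder STAGE1 bytes and the stack backup size are all assumptions of this example, not values from the project:

```python
# Added example, not dlinject's own code: the bookkeeping half of the recipe
# (steps 2-4 and 6, plus the restore stage 2 does first), written against
# constructed stand-ins for the /proc files so it runs offline and unprivileged.
import os
from typing import Optional, Tuple

# Constructed sample of /proc/[pid]/syscall for a task parked inside
# clock_nanosleep (nr 230 on x86-64). The last two fields are always SP and PC;
# "-1 sp pc" is the not-in-a-syscall form and "running" means not stopped yet.
SYSCALL_LINE = "230 0x1 0x1 0x7ffd1b3de760 0x0 0x0 0x0 0x7ffd1b3de740 0x7f0c4b2f7a5a"

# Constructed sample of /proc/[pid]/maps (addresses are made up).
MAPS = """\
55e3d2a00000-55e3d2a01000 r--p 00000000 fd:01 1234 /usr/bin/sleep
7f0c4b200000-7f0c4b222000 r--p 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f0c4b222000-7f0c4b39a000 r-xp 00022000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7f0c4b4c0000-7f0c4b4c2000 r--p 00000000 fd:01 9012 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7f0c4b4c2000-7f0c4b4ec000 r-xp 00002000 fd:01 9012 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffd1b3de000-7ffd1b3ff000 rw-p 00000000 00:00 0                          [stack]
"""
DL_OPEN_OFFSET = 0x10e20           # hypothetical; take it from ld.so's symbol table
STAGE1 = b"\x90" * 15 + b"\xcc"    # placeholder bytes, NOT real stage-1 shellcode
STACK_BACKUP = 8 * 16              # this example's size: room for stage 1's pushes


def parse_syscall(line: str) -> Optional[Tuple[int, int]]:
    """Return (rsp, rip) from a /proc/[pid]/syscall line, or None if still running."""
    fields = line.split()
    if not fields or fields[0] == "running":
        return None
    return int(fields[-2], 16), int(fields[-1], 16)


def find_library_base(maps_text: str, name: str) -> Optional[int]:
    """Base of the mapping with file offset 0 whose path contains `name`
    (libc and ld.so are mapped in several pieces; the offset-0 one is the base)."""
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no path
        addrs, _perms, offset, _dev, _inode, path = fields
        if int(offset, 16) == 0 and name in path:
            return int(addrs.split("-")[0], 16)
    return None


class ProcMem:
    """Real backend: /proc/[pid]/mem is addressed by virtual address. Opening it
    needs ptrace-equivalent access (root, or YAMA ptrace_scope=0, see Caveats)."""
    def __init__(self, pid: int):
        self.fd = os.open(f"/proc/{pid}/mem", os.O_RDWR)

    def pread(self, n: int, addr: int) -> bytes:
        return os.pread(self.fd, n, addr)

    def pwrite(self, data: bytes, addr: int) -> int:
        return os.pwrite(self.fd, data, addr)


class FakeMem:
    """Constructed stand-in for ProcMem: a few flat regions keyed by base address."""
    def __init__(self, regions: dict):
        self.regions = {base: bytearray(size) for base, size in regions.items()}

    def _locate(self, addr: int, n: int):
        for base, buf in self.regions.items():
            if base <= addr and addr + n <= base + len(buf):
                return buf, addr - base
        raise OSError(f"unmapped address {addr:#x}")  # the real file fails with EIO

    def pread(self, n: int, addr: int) -> bytes:
        buf, off = self._locate(addr, n)
        return bytes(buf[off:off + n])

    def pwrite(self, data: bytes, addr: int) -> int:
        buf, off = self._locate(addr, len(data))
        buf[off:off + len(data)] = data
        return len(data)


def backup_and_patch(mem, rip: int, rsp: int, shellcode: bytes):
    """Steps 4 and 6: save what will be clobbered, then place stage 1 at RIP.
    The region just below RSP is saved too, because stage 1 pushes registers there."""
    code_backup = mem.pread(len(shellcode), rip)
    stack_backup = mem.pread(STACK_BACKUP, rsp - STACK_BACKUP)
    mem.pwrite(shellcode, rip)
    return code_backup, stack_backup


def restore(mem, rip: int, rsp: int, code_backup: bytes, stack_backup: bytes) -> None:
    """What stage 2 does first: put the original code and stack bytes back."""
    mem.pwrite(code_backup, rip)
    mem.pwrite(stack_backup, rsp - len(stack_backup))


def demo() -> dict:
    """Run the bookkeeping end to end on the constructed samples."""
    rsp, rip = parse_syscall(SYSCALL_LINE)
    dl_open = find_library_base(MAPS, "ld-linux") + DL_OPEN_OFFSET
    mem = FakeMem({0x7f0c4b2f7000: 0x1000, 0x7ffd1b3de000: 0x1000})
    original_code, original_stack = bytes(range(len(STAGE1))), b"S" * STACK_BACKUP
    mem.pwrite(original_code, rip)                 # pretend code lives at RIP
    mem.pwrite(original_stack, rsp - STACK_BACKUP)  # and live data below RSP
    code_bak, stack_bak = backup_and_patch(mem, rip, rsp, STAGE1)
    patched = mem.pread(len(STAGE1), rip)
    restore(mem, rip, rsp, code_bak, stack_bak)
    return {"rip": rip, "rsp": rsp, "dl_open": dl_open, "patched": patched,
            "code_after": mem.pread(len(STAGE1), rip),
            "stack_after": mem.pread(STACK_BACKUP, rsp - STACK_BACKUP),
            "original_code": original_code, "original_stack": original_stack}


if __name__ == "__main__":
    r = demo()
    print(f"rip={r['rip']:#x} rsp={r['rsp']:#x} _dl_open={r['dl_open']:#x}")
```

Against a real target you would swap FakeMem for ProcMem(pid), read the two /proc files after the stop signal has taken effect (the "running" case is exactly why the tool stops the process first), and resolve DL_OPEN_OFFSET from the ELF symbol table of the ld.so mapping found by find_library_base.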
Caveats

  • Sending SIGSTOP may cause unwanted side-effects, for example if another thread is waiting on waitpid(). The --stopmethod=cgroup_freeze option avoids this, but requires root (on most distros, at least).

  • I'm not entirely sure how this will interact with complex multi-threaded applications. There is certainly potential for breakage.

  • x86-64 Linux only (for now; 32-bit support could potentially be added).

  • Requires root, or a relaxed YAMA configuration (echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope is recommended when testing).

  • If the target process is sandboxed (e.g. seccomp filters), it might not have permission to mmap() the second stage shellcode, or to dlopen() the library.


