Run ANY Linux Program In Memory
Key Takeaways
The video demonstrates how to run any Linux program in memory without executing it from disk, using techniques such as memfd_create, DDexec and EverythingExec, with applications to attacking read-only, noexec and distroless containers where nothing can be downloaded and executed.
Full Transcript
Hey, how's it going everyone, thanks so much for tuning in. I am super excited to be hanging out with Carlos Polop and Yago, forgive me, I don't know your last name, but it's great to see you both again. We got a chance to hang out over at DEF CON, and look, you two are presenting some incredible research, some really cool stuff you were digging into, and I'm flattered. I thought maybe we could just put this out on YouTube for more folks to be able to see the incredible research. Carlos, Yago, I don't know if you need to do any introductions or we should just start the party and dive in.

Well, thank you very much for letting us come here to your channel to show our research. It's great to be able to share these kinds of things with so much public, so thank you for the opportunity. We definitely dedicate a lot of time to this, so I hope that people watching this video are going to really enjoy the technique we are going to be presenting. I don't have anything more to add; I think I'm not really good with words.

Okay, so let me share my screen to get it started. In case you don't know about me, I'm the guy behind HackTricks and PEASS, and in case you don't know about Yago, he's a really great binary exploitation guy who focuses on low-level stuff, so I think we made a really good combination for this research. I suppose you are seeing the index on my screen, right? Cool. So we want to present you, John, this technique, which is actually a combination of several techniques that we have been improving along two years, something like that. First of all we are going to be talking about what this is, then we're going to explain the first thing we developed, DDexec, and then we are going to get started with a lot of different demos. But the basic goal of these techniques is
always going to be to load programs in memory in Linux and execute them from Linux memory. Let me explain this better with the first slide: why this? A few years ago I was working with my boss and he told me, hey, we are moving everything to distroless containers. Later we will talk about what this is, but if you don't know about it, it was called maybe the new unhackable thing, like three or four years ago, and this was because you have so few things in this kind of container that it sounds very complicated to exploit them even if you find a vulnerability. So I started thinking: okay, I don't have many permissions in this kind of very restrictive container, I don't even have write permissions, how can I execute something? Of course the first thing I thought was, well, in Windows it is super simple to just inject something in memory and execute it, even in other processes, so why not do this in Linux? It turns out that in Linux it is much more complicated; you need to have many more permissions, and actually there weren't any state-of-the-art techniques that allowed you to do this in a very simple way. So we started creating our own techniques, the first of which was called DDexec, which Yago is going to explain to you. But before that I want to let you know about the state of the art back then. We had this blog post from Sektor7 where he was explaining that shellcode injected in memory in Linux could call the syscall memfd_create, which is going to give you a file descriptor in memory where you can write; it is going to be written in memory, but you can actually execute it from the file system. So if you have this previous permission problem I told you about, where you are in a system
where you have a read-only file system, you can still create files via this memfd_create syscall, write to them and execute them. So this was a great way to bypass this read-only permission, although it was quite noisy, because this is a pretty weird syscall to call, so an EDR checking for this will probably catch you. But it was a pretty neat technique. Then we also saw this tweet from David Buchanan where you can see that he's actually overwriting /proc/self/mem. Let me check, do we have /proc/self/mem here?

Yeah. The first command cd's into the /proc/self directory of the shell, and there it reads the syscall file, which holds the information of the current syscall the process is doing. That way we can know the instruction pointer of the process and we bypass ASLR completely. Then it creates a file descriptor to the mem file; this mem file is a mapping of the virtual memory of the shell's process. So the shell is creating a file descriptor to this file, and this file descriptor will be inherited by dd, and we are redirecting dd's output to that file descriptor in the last characters of the line. That way dd will be able to write to the memory of the shell, and it will be writing to the instruction pointer; well, not the current instruction pointer, because it may have changed since we last checked it when we read from the syscall file, but we kind of have an idea of where the program will pass again. So we write with dd to that place; since the file descriptor is inherited with write permissions, dd will be able to write there, and we are just modifying the code that the shell will execute and putting there whatever we want. We can run native code, which is the target. A small remark I want
to make is that, although I think the Sektor7 blog post was from 2018, we didn't know about it; these couple of pieces were really niche, these examples were proof of concepts, nothing more, something really experimental, and just a couple of people knew about these methods. We didn't, and that's why Carlos asked me and I developed DDexec. Back then it worked in a way that was really similar to the technique that Sektor7 posted, and then when I learned about that tweet from David that we showed, I changed it.

So the idea back then was that we would make dd overwrite its own memory. That's because we can't write to the mem file of another process, because there is a patch that was added to the kernel not so many years ago called Yama. Yama prevents all kinds of ptrace-related actions, like ptracing a process or reading the proc file system entry of that process, unless you are root or unless you are that process. So we couldn't make dd write to the memory of any other process; dd had to overwrite itself. It was a self-modifying dd, I think we called it, and that's why it was called DDexec.

David had this amazing idea of using a leaked handle, to use Windows jargon, this inherited file descriptor, because the shell can create a file descriptor with write permissions to its own mem file and this file descriptor will be inherited by dd. So now dd has a way to overwrite the shell's memory, and this has the advantage that now we don't need to disable ASLR. We needed to disable ASLR because we need to tell dd the address at which it needs to write, in the arguments, so we need to prepare in the arguments
the address where it needs to write, and if dd doesn't exist yet we can't know this address because of ASLR, so we needed to disable ASLR. This wasn't a huge problem, because there is a syscall called personality which allows you to disable ASLR for a single process, and there is a tool present in many Linux distributions called setarch; in Alpine it was called linux32 or linux64, depending on whether you are on 32 or 64 bits, and that allows you to perform that personality syscall and disable ASLR for a single process, a process of yours of course; you can't disable ASLR for an arbitrary process, that would be ignored. So that was the advantage of the inherited file descriptor: now we are writing to the memory of another process, the shell's process, and the shell already exists, so we can read the maps file in its proc file system entry, or the syscall file, which holds this information (it actually holds more information, in a way), so that's a big improvement.

Now, what I made that is different from these techniques is, in the end, just making a shellcode. The tool is written in shell script because we can't execute any binary we want, so it had to be made in shell scripting, which was really awful. What the tool does is create a shellcode that will load the binary in memory; the shellcode will also load the loader and prepare the stack. How does it do this? Each binary has a series of headers that tell the kernel (or the loader, if it is a library) what pieces of itself need to be at what addresses, with what permissions, and things like that. So the shell script will analyze the headers of the binary we want to run and know which
mappings it needs to create at which addresses, then call mmap with read and write permissions, write a piece of the binary there, prepare the permissions and so on, and then do the same for the loader. Then it prepares the stack, because the kernel is the one who prepares the stack, who maps the stack, and in the stack lie the arguments and the environment and a really important piece of information called the auxiliary vector, which holds information from the kernel for the loader. This vector has information like the base address of the binary, where the headers of the binary are, at which address the loader is loaded, and things like that. And that's it: once this is all set up, just jump to the loader; the loader will parse the binary in memory, see the dependencies it needs, load these dependencies, link them, and then jump to the binary. So that's DDexec.

Okay, so I think this was clear. As a summary again: we are just going to be overwriting /proc/self/mem, preparing the stack and all the parts of the binary, and then calling the loader. That's a very quick summary of an amazing shellcode created dynamically with shell script which, if you try to read that code, you will get crazy, man; it looks obfuscated and it's not. Only a mad guy would have created that, to be honest.

I mean, it is, because the shell scripting looks like it was put together by I don't know what kind of person; it is really ugly. Moreover, you can't use very useful extensions like the ones added by bash or zsh or things like that; these shells don't interpret just POSIX scripting, they have a lot of useful improvements, extensions to it. The problem is that I wanted this to run on Alpine, and Alpine has a really shitty shell, which is ash,
ash from BusyBox, because Alpine only has BusyBox. I kind of get it, because BusyBox is supposed to be really small, which they fail at, but yeah, I mean, BusyBox is like 100 megabytes. It is really close to POSIX; it has a couple of extensions, I'm not really sure which ones, but I had to discard all these extensions, like switch cases or dictionaries, things like that. I couldn't use them. So when I ported the script to arm64 there are pieces of shellcode... yeah, scroll lower, lower, more, more, there, there. That is like a dictionary; I had to improvise a dictionary, so that's a string, the dictionary is just a string where each entry is separated from the others using newlines and the name is separated from the value using a tab. If you can go now all the way to the top: in line 27 that function is used to... it receives as an argument a name from this dictionary and then... If someone finds this on his computer and calls me, "hey, can you reverse this, let me know how this is working, man," I wouldn't like to be that person. Because I need to run this in eval, because the shellcode is created... If you can go down now, no, not all the way down, step it up, more, like there, yeah, in line 182 you have an example of the usage of that function. Because of so many peculiarities of how shells work and how you can return values from a function in shell script and things like that, I needed to use eval. I mean, this description is something we can talk about for a whole day, so I would stop right now, move forward and see now how to use
it. Let's do it. So we are going to be using DDexec, which, as we explained, is useful for executing from memory. We are going to be using it in a minikube inside my computer, which is macOS with M1 arm, and we are going to be applying the read-only and noexec flags to the file system. So this is a very realistic scenario, where you have compromised a pod that just has these securityContext flags set to true, and then you cannot just download stuff and execute it; you need to do it from memory, because this is going to be preventing you from doing any download-and-execute stuff. So we are going to be using DDexec to execute different binaries. Let me change this... Let me check this is working: kubectl get pods, we have the pod, this is the one we are going to be compromising, so we get here, I think we get a shell. Now let me show you that actually this is read-only: if I execute mount and we check this, we can see that the root is mounted read-only, and if I try to do things like writing in /tmp we get some errors. I have already run this, but I can rerun it: we download ddexec.sh, and I have already downloaded kubectl because it takes some seconds, so I already have it here. If I give it execution permissions, this is something fun, let me show you: /dev/shm actually is read-write, but it has the noexec flag, so even if we can write into this directory we cannot execute things. So if I try to execute kubectl we get permission denied, even if we have the execution bit turned on.

Yeah, I think it is worth noting that /dev/shm is just in memory. And also that inside DDexec there is a way you don't need to write the script, so you can actually execute this completely filelessly, without creating a file anywhere: not just not on disk, but not anywhere. Yeah, basically imagine if you
just download it and pipe it here instead of saving DDexec to disk, but I just downloaded it to make it simpler to understand. So what we are going to be doing here is to pass the /bin/ls binary in base64 to ddexec and indicate the argv0 and argv1, so we are just going to be executing ls from memory. We do this and we wait a couple of seconds; it will work. Okay, it takes so long because if you see the script there are lots of, I don't know, thousands of processes being executed to parse these binaries; it really isn't very efficient. Yeah, as Yago said, it's very slow, and actually the next iteration that we are going to show you is much faster. I just wanted to show you that if we try to load kubectl, we have 47 megabytes, it's going to take several minutes. I can tell you that it worked because I executed it before starting this recording, so it definitely works, but it's going to take some minutes. Anyway, this is great because when you compromise some kind of container inside Kubernetes you definitely want to run kubectl in order to enumerate it; if not, you need to use curl, even if you have curl installed, and that's a nightmare. So that was one of the main reasons why I needed this kind of technique back in the day, because man, it was just impossible to enumerate this machine because I couldn't download anything; I could just use what was already installed, which usually is very few things. So this was like a game changer for this kind of attack inside very restricted environments.

Actually, let's explain very briefly, if you want, Yago, the detections that we are also bypassing. Yeah, so this is kind of funny. There was an EDR which started detecting the usage of DDexec, because, well, I get it, they aren't really advanced right now; I hope they will
get better. So they are based on the command line: they are just checking the proc file system and seeing the command line of each process, and if they detect something they don't like, it just shuts it down and files a report. So what it started detecting was dd: if the command line was of a program called dd and somewhere in the arguments there was the argument seek, which I guess doesn't make any sense, because seek is an argument you can legitimately have and it will be very common, I guess. So if you called dd with the seek argument with any value, it would shut it down and file a report.

Okay, I found a way to bypass it, and that way gave way to a modification of the technique. Previously what we were using was dd to seek and write to the mem file, but we can just use dd to seek and then write with any other thing. That's because of a peculiarity that POSIX file descriptors have, which is that an inherited file descriptor will be the same throughout all the processes that have it. So if you have a process and this process has a file descriptor and then forks, you have two processes that have the same file descriptor, and the file descriptor is exactly the same. Even if one of these processes, which are also the same or almost the same because they are a fork, executes, well, makes an execve syscall and starts running any other process, this process will also inherit this file descriptor and it will have the same file descriptor; it is the same structure (I can't remember the name of the structure in the kernel), that same structure is the same place in memory, in the kernel's memory. So if one of these processes seeks through the
file and leaves the file descriptor with the file pointer inside the file at another place, any other process that shares this file descriptor will see the pointer inside the file modified too. We can see it in this example: I write some text to a file called txt, then create a file descriptor, the third, so file descriptor 3 will now be a file descriptor with read permissions to that file, and then dd writes to that file at the third byte, so it will seek to the third, well, to the fourth actually, because this starts at zero, and writes nothing, partly because count is equal to zero and partly because this file descriptor doesn't have permission to write. So dd actually fails, but we can't see it because the standard error is redirected to /dev/null. Then if we try to read from this file descriptor, the third one, we can see that the file pointer of that file descriptor has actually changed, and we haven't modified the file: if we now read the file, the file is complete. So now we can use dd to seek through the file, and we don't need to do this using seek; there is another argument that you can use, which is skip. So that's how I modified DDexec: to use skip instead of seek. Now we tell dd to read from the file, even though it can't, because the file descriptor in DDexec is created using write permissions, not read permissions. So we tell dd to read from the file; skip is the argument you use to tell it to seek to a place inside the source file, and seek is for the destination file. So now I was just using dd to seek, using skip, so the EDR wouldn't detect it, and then just writing using something like printf from the very own shell, so we have the shell overwriting its own memory again.

Then I had this idea... I think we can go to the next slide. There
was... Okay, so here we have that example of how this is done. In this case I'm using base64 to write the shellcode to the mem file, and dd is just being used to seek, but if that "greater than" were to be changed to "less than" and seek to skip, it would work. So then I had the idea that there may be other files or other programs or commands common in many distros that could be used to seek, because now we are not using the seeker as a writer too, we are just using it to seek. The problem that I had in the beginning was that dd was the only command that allowed you to seek and write, but now we only need to seek. So I tried with tail, with cmp, with hexdump and I think xxd also, and we can use all of them. If you are a Harry Potter fan you may get this joke: I made the joke of calling this EverythingExec instead of DDexec. You can choose the seeker that will be the binary used. It's like a couple of seconds there; if you go to the code of DDexec, to the bottom of it, there you have it, in line 528 it starts this if where the seeker which has been chosen is used. What about xxd, man, you didn't add it? Yeah, because xxd is like really old, it is seldom present in distros, so I don't know, in the readme I put it as an example of how you can specify... yeah, but you can also, through environment variables, you can also use xxd. If you go to the readme there is an example there of how you can use xxd. The readme, the readme, yeah, I'm going there, man. Nice, you have the arrow to go back. EverythingExec: so if you find another valid seeker not implemented, in this case you may still use it by setting the SEEKER_ARGS variable, so you tell it to use xxd as a seeker and then you tell it
how to use it: you tell it that it needs to receive the parameter -s and then the offset. So, imagine, you can show that that will work too, I don't know. Any questions?

Oh, that's so cool. I love that you're kind of within the restraints of just a regular vanilla shell, using all those classic living-off-the-land binaries to then do literally anything you want, all in memory; it's incredibly cool.

Oh, it didn't work. I mean, something we haven't tried before, man. Oh yeah, that's code I haven't checked in a while, I may have broken something; it certainly works, but then for this... No, no, as I said it's just an example. Well anyway, the goal of this was that we found out that some EDR was checking that if you execute dd with a very long argument... No, no, it didn't matter. No, it was just dd and seek. Yeah, even if you made a symbolic link and called dd using another name, it wasn't detected. But I remember that they also checked for a large number, because a lot of system administrators and tools are going to use dd. No, no, that was just a guess I made, and I failed, because I couldn't believe it; I couldn't believe that the size of the argument doesn't matter. So I have a friend with access to the EDR and we started doing tests, and that was it: it only checked for dd and seek, nothing more. I find that kind of pathetic, really, man. Cool, yeah, I mean, I get it, they are just starting with Linux, but I don't know.

Okay, so until now we have talked about how to load a binary using the DDexec technique, overwriting /proc/self/mem using different binaries that perform seeks, as John mentioned, just doing some living off the land using some living-off-the-land binaries. But we have only
been facing a very restrictive environment, like a raw Alpine shell with read-only, but there are even more restrictive environments you can face, like distroless ones, which we have spoken about a little bit at the beginning, but I would like to tell you more about what these are in case people watching this don't know what a distroless container is. So I asked GPT-4 and it told me that distroless containers only contain the bare minimum components necessary to run a specific application. So if you have, for example, a Python Flask distroless container, you're going to have Python installed, you're going to have Flask and the other library dependencies, but you might not even have a shell, you might not even have cat, ls or any other binary that you are used to finding inside the container. So basically distroless containers try to increase security by removing everything that is actually not used, and it also makes containers simpler or more lightweight. So it's actually pretty great: even if we are going to be bypassing some of the security measures that distroless has, it's actually pretty good, because the containers are going to be running better since they have less stuff that they don't need anyway. The thing is, imagine that you find yourself with an RCE vulnerability inside a container and you start executing things such as ls, cat /etc/passwd, all this stuff, but you don't have those binaries; you don't have anything. You're going to go crazy because anything you usually do, you're not going to be able to do. So let me show you in a very quick demo what I'm talking about. First of all I'm going to be connecting here to a Kubernetes cluster that is going to be in AWS; we know that all this has already worked in my minikube cluster on macOS arm, now we are going to a Kubernetes cluster in AWS with
amd64, so everything is going to be working in all these environments. Now we are going to be trying to get a shell inside this distroless Flask pod. We can get a shell; we execute ls, but we don't have it; we try to execute cat /etc/passwd, but we don't have it. Anyway, in this case you can still use builtins such as read in order to read, for example, this passwd. There is something you can do, because you still have a shell, and actually there is a nice post here that indicates how you can get arbitrary code execution, like executing a proper binary, using openssl, which usually is going to be present in these distroless containers. But still, you can fix this attack by removing the openssl binary, so I wouldn't say that this technique is going to be super resilient, so we wanted to search for something more resilient with the memory. And also of course you can go to other types of distroless containers that don't even have a shell, so you try to get a shell and you will get "file not found in path". So imagine you have this RCE and you don't even have a shell; I don't know what you are going to do, but it will be very, very annoying in this kind of situation.

So now that we know what a distroless container is, and we have already done this demo, let me tell you how you can still abuse this scenario. Imagine the same case I told you: you have compromised an application that is running in Flask. Usually when any application is executing a command, they are going to have a shell installed, because the way frameworks usually execute something is to call the shell and from the shell call what you want to execute. So if you don't have the shell, even the regular ways to run binaries from frameworks are going to be failing. So if you have a real command
injection, usually you will have some kind of shell. That's interesting, and if you have a shell, of course, I told you that you can now use builtins. But even if you don't have a shell, like man, if the application is running in Python or Node or PHP, Python is going to be installed, so you can get a reverse shell with Python, you can get a Python reverse shell. So hey, you can still move forward with your usual way to compromise environments, even if it's going to be looking a little bit weird because everything you need to do is going to be in Python. But also Python, Perl and Ruby give us something more in order to get execution from memory: Python, Perl and Ruby by default have these awesome libraries that allow you to call direct syscalls. So you actually don't need to do anything weird, you can just call the memfd_create syscall, store in that file in memory the binary you want to execute, like kubectl, and then execute it. That's exactly what we saw when we presented the David Buchanan and the Sektor7 posts; they were doing that, they were calling memfd_create from memory, creating this new file, storing anything there and calling it. So I'm not going to be doing this demo, because this is actually not our technique, but I just wanted to let you know that even if we are going to present another technique, in these specific languages you have an easier way to execute things from memory. Actually, everything is very well written in this GitHub repo called fileless-elf-exec, which basically allows you to give it a binary and it will transform it, for example in Python, into a very short Python code that will have the binary you pass in base64, and the Python code, we will see it, is basically going to be calling memfd_create, loading the base64 decoded and executing it. So let me show you the video for this. Here we are running a Python distroless container which is vulnerable to RCE. In this pod we are going to
be accessing we call LS we can CLS is not there cut it's also not there but we can see that python is present in the system so now we are going to be abusing the the vulnerability to get a reverse self with python basically we are going to get a python Roberson here you can see python import socket blah blah blah so at some point in the video okay import circuits a process uh yeah so we get a python reversal like a bus rehearsal but executing python um and now we are going to get inside an Ubuntu machine which is going to be our attacker machine inside the same network um so we get inside the Ubuntu machine and here is the the place where we are going to be preparing everything we have downloaded file list elf exec now we are downloading Cube CTL because we are going to be preparing this this python stuff actually let me stop this right here can you see yes at the bottom good so here we are calling the file less execute uh python script with Cube CTL so we are creating a cube CTL that is execute through python through memory what sorry about that uh so we everywhere in a python that will execute qctl uh from memory very easily now we executed to check that this is actually working it executes qctl so it looks good we are still in our machine the robot cell is still here and now we are going to be modifying a little bit the code because if we execute these Asis in our reversal we need to finish the execution we are going to be killing our reversal so we want to create a fork and execute it from a fork so here we can see that basically we are we have Cube CTL in base64. 
um we are oh come on man I'm trying to stop the video in base64 and we are actually um to do let me check Cisco um I'm missing something here so this is called to be this is called from mfv create and here will be the file descriptor that we create when we call okay yeah yeah okay so we are calling this it's called members degree right here and then we are writing the base640 code of cube CTL in the in the file exploratory memory that you we just created and then we are just calling accept to execute it this is basically what this python is very very very simple um so we prepare it so we don't kill our rubber cell now we are going to be listening in a in a web server so we can download this python from our reversal this is the victim where we got device on rubber shot so we import your url request now we get we download our python code qctl and now we just need to call exec because python is going to be executing what we just download and we will have execute qctl so basically we we didn't use our technique but this is a pretty neat way to just execute something for a memory but you have the problem that you need python pair or Ruby what happened if we get to node well that's a problem because you know there is no direct way to execute a Cisco of your choice so again we can get a node reversal even if there is no cell you can still get a new reversal you can still use node to enumerate the system but we can also do some kind of the DX style in order to create a new process that is going to be triggering the well the DDX execution writing overwriting plug self mem and calling this is called memfdcreate so this way from the parent process we can now load the stuff inside um inside the new uh file descriptor creating memory in the children process and execute it from there so basically we are just creating a spawning a chilling process in order to load our cell code and just getting to execute arbitrary uh ciscals and let me show you this in um in a in a very fun demo 
so so this is actually the most complex demo I think so I hope this is going to be working let me move this here again so first thing we are going to be doing is getting in the in the machine we are going to be getting a reversal so let me check that I don't have any process listening so we are going to be getting the reversal here um also um there is actually let me show you use it you'll get odds there is a port that is called uh destroys Express Pro type pollution pod actually all these spots all these examples that I'm showing you can be accessed here in this in this GitHub repo digital SRC in my repository and actually this is the explanation of the destroyless containers so here we are we are basically calling uh this one the distro layers prototype pollution pod that if we go to the if we go sorry here to the docker file we can see that at the end we are using the Google image for digitalized containers using node.js so we have our Express web application running our destroys in in a Google image cool so let's get back to the demo um I need to mirror the power 3000 in my current machine from from this vulnerable one and actually this could be a little bit weird this is now a row um RC these are an RC through our prototype pollution vulnerability but I'm not going to be explaining it more information can be found in hat tricks for example um so I'm just going to be I'm listening right yeah cool I'm just going to be executing this and if all went good we have now our uh no DS reverse so let me get back to the demo um now what we could be doing is just enumerating the the machine from from noise so I have just imported the OS Library import OS and we could do things such as OS platform to get information always released or if we want some information about the network interfaces we can just call um OS network interfaces as you can see you can still enumerate from node even if you don't have arbitrary execution um another thing you could do will be to just 
create your own function on uh create your your own list for example so here I have just copy pasted a function you can find in the repo I just showed you and we could just execute LS directory and we could just enumerate this okay we can still build some things to to enumerate the system but let's get to the memory execution now I'm going to be copy pasting some requirements so nothing super relevant um and now I'm going to explain you I'm going to be writing a new file with the code that the children is going to execute as as Diego said before these writings we are doing are not necessary but it's easier to explain it if we are writing everything and I can explain you what is happening so we are going to be writing this file we write in-depth shm because we saw before that this is the only folder where we have a right access now we are going to be um writing in this file the the no DJs code we need so the new node.js process is going to be loaded inside what inside this is called pointing a pointer this circle that is going to be calling this is called mmsd uh MSD create um inside the proc salesman so basically what this code is doing is the basic um tweet that David buhan and Sir at the beginning with our memfd create cell code but doing it from from node so now we have everything created we are going to be writing this over the file we just uh over this file now we have this content in the file we are going to check that this is actually true we got LS we know that this file exists so this looks good now we are going to be executing this new process um and we executed it and if it work this new process will have executed at the end the The Cisco as we have create a memory file in in memory uh memory file descriptor um so now I'm going to be copy pasting a new function in order to list if this is actually true so if we go to the process we can see that it work we have created this memory file descriptor that is actually called there um because when else and now 
um well I guess this address in a new variable and we are reaching the final point where we create the download function which basically is going to be receiving a URL downloading it from the internet writing it over this file descriptor so we can later execute it so I'm going actually to be using the download function to download Cube CTL over the uh MMC over this file descriptor that we just created we are still in the read-only No Exit digitalized container with all these protections so if I use fork with this remember that I told you that usually this kind of platforms usually call a cell before calling the the banner you want to execute if we just call Fork indicating this uh file descriptor is not going to be working because it is trying to execute a cell that doesn't exist so in order to achieve the execution of the exact Cisco directly from node we need to use these special parameters uh we need to indicate nothing here and then in the exact path indicate actually the file we want to execute if not node is going to be using this cell so we need hexagonally to use these these parameters so if we do this we have execute now Cube CTL from memory um just by executing the the previous the previous uh cell code I don't know man what do you think that's freaking crazy that is so cool and and it's about to get even even better with the um so up up until now we have been doing the well the DDX technique but actually Diego created something better or actually he demonized the DDX in C so we can we can use it properly so do you want to explain that why we have this haha loopy that they exact Governor is like right here yeah um I don't know if you know the the this meme which is um yeah now you can't I don't know do something and like haha anything goes bro so this will be like no you can't you can just uh [Music] it takes like uh several seconds or even minutes in some weird cases to run um and that will maybe a problem um so and I have this idea of uh maybe you can 
you can have uh um like DDX sec compiled like a binary of the exec and then you use ddxx to run this binary and this binary is just uh like a server or a demon uh and it stays there waiting for for requests and when it receives a request uh just forks I mean the fork load this process this binary and execute it so now do just need a couple of seconds to run this binary this Daemon uh this loopy did exactly because it is just like did exactly in a loop so they just need a couple of seconds with the with this script with the DDX script uh to load the the Daemon and then use the Daemon to load any anywhere you want um with the argument you want um six stop because they are all sharing uh the terminal so if we want [Music] um uh well this is because now we have we're going to to make I think I think that sixth option will be there so uh in the in the slide I'm saying so we are now going to be doing um another demo aren't we of uh of um yeah yeah yeah and another another uh environment yeah so yeah yeah yeah yeah yeah yeah yeah yeahyeah yeah yeah yeah yeah yeah yeah yeahyeah yeah okay so yeah I was playing basically this DDX we just have it in C in a loop so it's much faster and you can reuse it which is the the goal because we cannot wait 10 minutes every time we want to execute something is not feasible so in this case we are going to be using a different environment just to change a little bit we are going to be getting a PHP reversal we are not going to be using a Google Digital Image but uh if you go back just a second you know yeah thank God so we are okay um initially Google released all these these Solace images and maybe it's like six months ago one year ago these guys like restarted this destroy let's stop with their own images so we wanted to make sure that this trick was also working in this guy's images so that's why we we selected this scenario for this for this demo um well ESP had other limitations which are not that relevant um also to to also in the 
previous node scenario we use a cell code to call mems to create but we told you that hey this is kind of noisy so we are going to be improving instead of calling this circle we are actually going to be loading uh the ddx7 Ruby binary that Java created and finally on for for the greatest last demo in this kind of scenarios we are going to be actually executing Boosie box in additional container you know that well this is kind of uh ironic because one of the goals of this release is just to get rid of all these cells that are needed so we are going to just recreating uh getting a new cell for our digitalized container so let's let's show this demo to do so I'm going to be getting in this case I I was I was kind of uh well you can see that we don't have any cell inside the container so I need to get a cell with PHP um I was feeling lazy that day and I didn't create any PHP web application but we still need to get a reversal to show you how it will feel from our rear rubber so so actually let me check that we don't have anything and we actually have you so imagine that we have compromised these um these PHP application we have some kind of code injection inside PHP and we just get a reversal a PHP reversal like this one and we will get just this so imagine just yeah this was the application we compromised it now we have our PSP reversal and this is what the magic is is going to be happening um yeah well do you want to explain while I copy paste this stuff or do you want me to explain yeah okay so uh now the first part uh well you have passed you have like yeah okay okay so this is we're defining um PHP code for another PHP is instance we are going to be executing because well we are going to make PHP overwrite itself and we don't want to lose this PHP session so we will Fork uh well yeah it would be a fork yeah internally it will be off work so [Music] um the next thing [Music] um okay well here here you can see that we are actually using the same technique as before 
yeah we are reading the Cisco we are writing our process of man so it's actually the same but the cell code is different maybe you want to say a few words about this circle yeah well uh it is just a Stager because the shell we are going to be using is actually much much greater it will be like it will it will fill your screen I think yeah yeah so so they stay here in order to load the the real Circle later so until now is the same we didn't know but with a different Circle on and actually I don't know you copied the shortcut the Stagger yeah uh cool okay so there you have it uh we are preparing the this new PHP session is going to have uh uh the the arguments it will it will be executed with a dash a so it will be an interactive session of PHP and then uh just uh execute it yeah yeah so there we are executing it uh with the PHP uh the how to to execute it here Carlos um made a big effort of finding how to to make PHP execute another process without using a shell again because internally I think it was using the function system system so the system is an xbe to to to sh uh so but if you use procopen with an array if you use procopen I think you you told me if you use proc open with um string with a string it doesn't work it uses system again but if you just broke open with an array it does a new system and just do the the exactly and then well we specify this this descriptors um and well where we want this pipe um foreign yeah so we we passed through this pipe which will be the the standard in for this new session of PHP the the code we we prepared in a string earlier um and then passed the the Shell Code um and the circle will be will be red by the by the Stager um yeah this is the so-called yeah yeah you're true no no but I think I think you just keep something in the the circle now so okay the previous stage was expecting in uh in our file in a in a pipe the new cell code he was waiting for it and now what we have done is send the real circle to the stadium but 
wait wait wait that this uh appending something it is a concatenation is here the second part is here I'm not saying your pointer okay well I I will trust you if it first it is your fault basically basically all of this is the circle so we need to agree that I I stayed there because it was too too long to be stored from the beginning in the point that we had but yeah it's going to work yeah okay so the circle we have just written the Shell Code and uh it has been read um by the by the Stager and now uh we Define a function just for Simplicity uh that will be we will use to communicate with this Shell Code this Shell Code was actually created from a c program which we can show later this C program can also be compiled it is the the day one uh the demon I made the blue PDD exact so right now it only expects requests from the standard input well it can easily be adapted to use uh kind of like a circuit or something like that [Music] um so I think I just stopped seeing your screen moving oh okay yeah okay yeah so there we have the this function uh that we will use to to communicate so this uh this demon uh expects first uh an integer of 32 bytes in Little London uh with the size of the argument then the argument then the size of the binary and then the binary um uh that's it uh the function is is exactly what it does uh so now we can use this function um until PHP to download um some binary in whatever place we want they pass the arguments we want to run um well that falls for True is the stop argument of the function that's because um we are sharing uh or we may be sharing a terminal with with PHP um PHP will be reading at the same time from the terminal as this program we are going to to be running so when when two when two processors are trying to read from the same place there can be a lot of problems so uh if you see the last line of the function name exec will send a stop signal that was the thing that I was trying to explain from that slide the six stop signal 
to just make a PHP sleep so PHP will make itself a sleep um the the demon will will wake it up so now we have it we we got to to download from our server everything filelessly we aren't writing anything anywhere um and just execute it with with the arguments we want so you can figure that this is much much faster than the previous DDX that's because it is C let's see and this is my my favorite part of the demo where we actually get uh a sale and we can do thi
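Defender-side check added by the editor; it is not code from the video, from HackTricks or from the DDexec project. Every variant in the demos that executes a binary through memfd_create leaves a distinctive trace in procfs: the kernel names the anonymous file `/memfd:<name> (deleted)`, so `/proc/<pid>/exe`, the process's open file descriptors and its executable mappings in `/proc/<pid>/maps` all point at a path that starts with `/memfd:`. The script below walks `/proc` and reports processes that show those indicators (plus the older "exe was deleted from disk" case). The `classify` function takes the readlink targets and the maps text as plain values so it can be exercised on constructed input; the sample process data in the test is constructed, not captured from a real host.

```python
"""Flag processes whose executable lives only in memory (memfd_create-backed or deleted).
Added example, not from the video or the DDexec project."""
import os
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The kernel renders a memfd as "/memfd:<name> (deleted)" in exe/fd links and in maps.
MEMFD_RE = re.compile(r"^/memfd:")
DELETED_SUFFIX = " (deleted)"


@dataclass
class ProcFinding:
    pid: int
    exe: str
    reasons: List[str] = field(default_factory=list)


def classify(pid: int, exe_target: str, fd_targets: Dict[int, str],
             maps_text: str) -> Optional[ProcFinding]:
    """Return a ProcFinding when in-memory execution indicators are present, else None.

    exe_target: readlink of /proc/<pid>/exe
    fd_targets: {fd number: readlink target of /proc/<pid>/fd/<fd>}
    maps_text:  contents of /proc/<pid>/maps
    """
    finding = ProcFinding(pid=pid, exe=exe_target)

    # Case 1: the process image itself was exec'd from a memfd (fileless-elf-exec style).
    if MEMFD_RE.match(exe_target):
        finding.reasons.append("exe is a memfd")
    # Case 2: the on-disk binary was unlinked after exec (classic "run then delete").
    elif exe_target.endswith(DELETED_SUFFIX):
        finding.reasons.append("exe backing file was deleted")

    # Case 3: a memfd is held open, e.g. a staged payload waiting to be exec'd via its fd.
    memfds = sorted(fd for fd, target in fd_targets.items() if MEMFD_RE.match(target))
    if memfds:
        finding.reasons.append(f"open memfd fds: {memfds}")

    # Case 4: an executable mapping backed by a memfd (maps columns: addr perms off dev ino path).
    for line in maps_text.splitlines():
        parts = line.split(None, 5)
        if len(parts) == 6 and "x" in parts[1] and MEMFD_RE.match(parts[5]):
            finding.reasons.append(f"executable mapping from {parts[5]}")
            break

    return finding if finding.reasons else None


def scan_proc(proc_root: str = "/proc") -> List[ProcFinding]:
    """Walk every numeric entry under proc_root and classify it; needs root to see all pids."""
    findings: List[ProcFinding] = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        base = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            fds: Dict[int, str] = {}
            for fd in os.listdir(os.path.join(base, "fd")):
                try:
                    fds[int(fd)] = os.readlink(os.path.join(base, "fd", fd))
                except OSError:
                    pass  # fd closed between listdir and readlink
            with open(os.path.join(base, "maps")) as fh:
                maps = fh.read()
        except OSError:
            continue  # kernel thread, exited process, or insufficient permission
        finding = classify(pid, exe, fds, maps)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_proc():
        print(f"pid {f.pid} exe={f.exe}: " + "; ".join(f.reasons))
```

Run it as root inside the container (or on the node against the container's pid namespace) to list offenders. Note the caveat that follows from the transcript itself: DDexec proper rewrites an already-running process through /proc/self/mem, so that process keeps the exe link of the interpreter it started as and is not caught by these indicators; what this check does catch is the memfd_create path used by fileless-elf-exec, by the Node shellcode, and by anything the loopy daemon executes through an in-memory file descriptor.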
Original Description
Check out DDexec: https://github.com/arget13/DDexec
Carlos: https://twitter.com/hacktricks_live
Yago: https://twitter.com/arget1313
🔥YOUTUBE ALGORITHM ➡ Like, Comment, & Subscribe!
🙏SUPPORT THE CHANNEL ➡ https://jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ https://jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ https://jh.live/discord ↔ https://jh.live/twitter ↔ https://jh.live/linkedin ↔ https://jh.live/instagram ↔ https://jh.live/tiktok
💥 SEND ME MALWARE ➡ https://jh.live/malware