Linux code injection paint-by-numbers.
Can we launch a process that looks one way to (superficial) auditors but is, in fact, entirely different? (Think process hollowing and the like on Windows).
Firstly, how are processes created and what does related auditing look like?
Control will return from fork() to both process instances. In the child process, the return value will simply by 0, in the parent it will hold the pid of the child.
By default, this will happen on exit of the execve() syscall.
The options here are numerous. In this example, we want to chose a strategy that doesn’t require us doing any image/reloc fix-up foo.
We can use dlopen() to do all the heavy lifting.
We’ve created a child process and halted execution prior to anything too process-specific having been run but after basic setup has taken place.
But how to locate dlopen()?
A cursory glance shows that dlopen() is exported by libdl. But alas this library is not loaded in our process address space.
dlopen(libc) → dlsym(__libc_dlopen_mode)
We will account for this offset skew shortly.
x86_64 calling convention dictates that we’ll be using registers rdi (library path), rsi (mode), rdx (dl caller).
The easy choice here is just to dump it somewhere on the stack (we’re not interested in a sane return from __libc_dlopen_mode() after all).
This is a great outcome as it’ll trap back into the parent process and allow us to redirect control to our injected code.
More from Internet
Or, you could let us know when you figure out why it was trending yesterday and the users are complaining which is why Vice wrote about it. Why I'm saying what I am.
There's an assumption here that this problem is fixed bc it was already hacked.
It's not.
We have ppl freezing and dying in TX right now because some ppl who thought they were really smart never spoke to anyone with actual experience with energy systems in extreme cold climates.
Texans are waiting for a solution to a preventable problem.
Farmers are saying that now, not during a crisis, they have to wait for a JD tech to arrive to help them.
The assumption that bc SOME farmers said screw this and used hacked firmware to get around that obstacle doesn't mean that all farmers are doing that.
If all farmers were using hacked firmware we wouldn't be discussing this right now would we?
Of course no one has pointed out that another issue here is that no one at John Deere has figured out they don't have enough staff to quickly and reliably SOLVE problems.
The locked firmware is just one of many issues here.
By not giving people a fast solution they're causing this and other issues.
So what I'm saying is somebody at John Deere needs to examine all of this.
There's an assumption here that this problem is fixed bc it was already hacked.
It's not.
Let us know when you've found the supply chain hack that's already there
— SleeplessOrphan (@sleeplessorphan) February 20, 2021
We have ppl freezing and dying in TX right now because some ppl who thought they were really smart never spoke to anyone with actual experience with energy systems in extreme cold climates.
Texans are waiting for a solution to a preventable problem.
Farmers are saying that now, not during a crisis, they have to wait for a JD tech to arrive to help them.
The assumption that bc SOME farmers said screw this and used hacked firmware to get around that obstacle doesn't mean that all farmers are doing that.
If all farmers were using hacked firmware we wouldn't be discussing this right now would we?
Of course no one has pointed out that another issue here is that no one at John Deere has figured out they don't have enough staff to quickly and reliably SOLVE problems.
The locked firmware is just one of many issues here.
By not giving people a fast solution they're causing this and other issues.
So what I'm saying is somebody at John Deere needs to examine all of this.
