DeepSec 2018 Talk: Pure In-Memory (Shell)Code Injection in Linux Userland – reenz0h

A lot of research has been conducted in recent years on performing code injection in the Windows operating system without touching the disk. The same cannot be said about *NIX (and Linux specifically).

Imagine yourself sitting in front of a blinking cursor, using a shell on a freshly compromised Linux server, and you want to move forward without leaving any trace behind. You need to run additional tools, but you don’t want to upload anything to the machine. Or, you simply cannot run anything because the noexec option is set on mounted partitions. What options remain?

This talk will show how to bypass execution restrictions and run code on the machine, using only tools available on the system. It’s a bit challenging in an everything-is-a-file OS, but doable if you think outside the box and use the power this system provides.

Anyone interested in offensive security should find the talk sexy, says reenz0h, especially since it’s not theoretical mumbling but a demo-rich journey through the inner workings of Linux and some old-school hacks.

We asked reenz0h a few more questions about his topic of expertise.

Please tell us the top 5 facts about your talk.

My talk is about injecting code, either in a form of a shellcode or an entire ELF object, into a process memory running under Linux. There are some known ways to do it and various methods were developed throughout the years. LD_PRELOAD is a trick known for decades. Memory-only remote execution was described in Z0MBiE’s “In-Memory PE EXE Execution” in 29A zine back in 2002. Also we had the famous “Remote LibraryInjection” by skape & jt, “Userland Exec” by the grugq or “Advanced Antiforensics” by Pluf & Ripe, posted in Phrack 63 in 2005. So, my research takes the next step on this journey, or, as Isaac Newton would say: “We stand on the shoulders of Giants”.

In my talk I’m focusing on injection done locally or remotely without any high level privileges and, most importantly, without storing a payload on a disk. To achieve that I utilize any tools available on the system. Also, these techniques can be used to bypass ‘noexec’ flags set on partitions.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

Actually I don’t remember what started it. I have a very long list of things I want to research and it keeps growing and growing. I always add something to it when I see or hear something interesting and my brain just makes the right”connection” inside my head .

And stimulus doesn’t has to come from or has to be related to the field of information security. It can come from anything like biology, physics, history, or sci-fi books, or movies. I read a lot and am interested in many areas so these things happen spontaneously. Recently, for example, I’ve been refreshing my understanding of microbiology and genetics, and studying how DNA is replicated initiated interesting connotations with regard to how similar mechanisms could be used in malware. Actually, this is my current field of research.

So if you’re looking for an inspiration, go out and meet and talk to smart people. It helps tremendously. Events like DeepSec, hacker spaces, collaborative communities, hackathons, and sharing and discussing is what makes the world move forward. I guess it’s called progress 🙂

Why do you think yours is an important topic?

It’s not distinctive per se, rather part of the never ending battle between offense and defense. Someone creates better shields so the other can start crafting new swords. And this cycle is endless.

I wanted to show that there are some areas in *NIX land where anyone can find something interesting and sexy. *NIX is a huge universe with many faces and flavors, ready to be explored and conquered.

With regards to code injection it’s not particularly a novel technique. We had great research on this topic in the past but *NIX is a living thing and new opportunities pop up. I just took the effort to look at where we are, reshape it and move forward. As (allegedly) Mark Twain used to say:”History does not repeat itself, but it rhymes”, I made another round in this cycle.

Is there something you want everybody to know – some good advice for our readers maybe?

I’m a huge proponent of a sort of MacGyver-style approach to anything, especially in information security. When I was a kid I used to watch this TV-series with Richard Dean Anderson a lot in the 1990s. This guy was THE GUY, my hero of the day , even if I knew most of what he did was BS.

But if you think more broadly you come to the conclusion that this approach makes sense. We constantly reinvent the wheel while available tools are not utilized 100%. Let’s take penetration testing as an example. We have great attack frameworks out there allowing you to do magic with just a few keystrokes, especially with post-exploitation activities. But once you’re on the box, you can do most of them with tools which are already on the system, often native ones. Persistence, lateral movement, screenshots, process dumping or exfil to name a few.

So my advice to all would be to know the system as much as possible to make it serve you, not constrain you. This was the true hacking spirit back in 1980s and 1990s.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

I’d say it’s the “same old, same old story” all the time. The race between attackers and defenders and new “next gen solutions” awaiting to “solve” the problems of the past and bring new ones for the future. Halvar Flake is right preaching all over the globe that introducing more code (that is: more attack surface) takes us nowhere. The complexity of our systems is constantly growing and I don’t see anything on the horizon that would change that.

Additionally we live in a more dangerous world. It’s not that keeping our data in a cloud or the “everything connected” attitude is a bad thing. These are just technologies agnostic to our decisions. The intention standing behind is what might turn them against us. Like any other tool. A knife can be used for chopping a carrot or stabbing someone.

And if you look into recent attacks on ICS, Triton/Trisis specifically, you might start wondering where’s the line it’d stop. Triton was designed to disable Safety Instrumented System which protects human life from disasters happening in critical infrastructure (I guess Joe Slowik will cover this malware in detail during his talk). If someone releases such a tool, it means they target human life. And that really sucks. Nationstate adversaries push the line further and further until something really bad happens.

Of course Triton is not an apocalyptic malware which will send us all to hell. It’s tailored to a very specific SIS, configuration and setup, so it won’t spread everywhere like Conficker. But I hope you get my point.

Interestingly, international community and policy makers are silent on this topic. The critical infrastructure in the Ukraine is being attacked for the last few years and we still don’t see any reaction from either NATO, UN, EU or US. This means something.

But to wrap up on a positive note: Don’t be afraid of the surrounding world but realize what’s going on and act accordingly. Learn and share, keep hacking and grow, be good, not an a**hole. As a Mandarin curse says: “May you live in interesting times”. You bet we are… 😉


Geek by passion, engineer by profession since the last millennium. For many years he’s been working in global red teams, simulating threat actors targeting IT infrastructure across various industries (financial, technology, industrial, energy, aviation) across the globe. Speaker at HackCon, NoVA Hackers, Geek Girls Carrots, Tech3.Camp, PWNing Con. Organizer of x33fcon – IT security conference for red and blue teams, held in Gdynia, Poland. Founder of Sektor7 research company.

Tags: , , , , , ,

Leave a Comment