Orc
Shellcode Execution
We can probably implement this trickery so we can execute arbitrary shellcode. Maybe as a helper function?
https://twitter.com/David3141593/status/1386663070991360001
The example pops /bin/sh
cd /proc/$$;read a<syscall;exec 3>mem;base64 -d<<<McBIu9GdlpHQjJf/SPfbU1RfmVJXVF6wOw8F|dd bs=1 seek=$[`echo $a|cut -d" " -f9`]>&3
We could use this as another way to do the memexec using memfds by implementing the memfd loader as shellcode (something I actually did before; I'll just have to find the code).
Currently a Python 2 and Python 3 script memexec.py and a Perl script memexec.pl are included in o.rc. In o.rc the interpreter is searched for and the gzip|base64-encoded script is executed in the memexec function.
As far as I understand the trick: it stores the shellcode in the bash process memory /proc/$$/mem ($$ = pid of the bash). The address inside the process memory is taken from a /proc/$$/syscall argument. But I have not figured out how the trick controls which syscall is the current syscall of the process. I have to dig deeper. An interesting trick.
Logic must be implemented to decide when to use the scripts and when to use the trick.
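Added example (not code from the Orc project or from anyone in this thread), written from the detection side: the one-liner above leaves a shell holding /proc/$$/mem open for writing (exec 3>mem), which is rare in normal operation. This Python checker enumerates /proc/*/fd and /proc/*/fdinfo for that pattern; the fd table and pid 4242 in SAMPLE_FDS are constructed.

```python
import os
import re

MEM_RE = re.compile(r"^/proc/(\d+|self)/mem$")

def is_writable(flags_octal):
    # fdinfo reports the open(2) flags in octal; the low two bits are the access mode
    return (int(flags_octal, 8) & 0o3) in (os.O_WRONLY, os.O_RDWR)

def suspicious_fds(fds):
    """fds: iterable of (fd, link target, fdinfo flags) triples.
    Returns the (fd, target) pairs that are writable opens of /proc/<pid>/mem."""
    return [(fd, target) for fd, target, flags in fds
            if MEM_RE.match(target) and is_writable(flags)]

def read_fdinfo_flags(pid, fd):
    # /proc/<pid>/fdinfo/<fd> carries a "flags:" line with the open flags in octal
    with open("/proc/%s/fdinfo/%s" % (pid, fd)) as fh:
        for line in fh:
            if line.startswith("flags:"):
                return line.split()[1]
    return "0"

def scan_proc():
    """Walk the live /proc; map pid -> writable mem fds (only processes we may inspect)."""
    findings = {}
    try:
        pids = [p for p in os.listdir("/proc") if p.isdigit()]
    except OSError:
        return findings  # no procfs here
    for pid in pids:
        fds = []
        try:
            for fd in os.listdir("/proc/%s/fd" % pid):
                target = os.readlink("/proc/%s/fd/%s" % (pid, fd))
                fds.append((fd, target, read_fdinfo_flags(pid, fd)))
        except OSError:
            continue  # process exited, or not ours to inspect
        hits = suspicious_fds(fds)
        if hits:
            findings[pid] = hits
    return findings

# Constructed sample: fd table of a shell (made-up pid 4242) after `cd /proc/$$;
# exec 3>mem`. The kernel keeps only O_WRONLY|O_LARGEFILE in f_flags, so fdinfo
# shows 0100001; O_CREAT/O_TRUNC from the redirection are not retained.
SAMPLE_FDS = [("0", "/dev/pts/0", "02"), ("1", "/dev/pts/0", "02"),
              ("2", "/dev/pts/0", "02"), ("3", "/proc/4242/mem", "0100001")]
```

Run scan_proc() as root to cover every process; unprivileged it only sees the caller's own processes, which is still enough to catch a shell like the one in the one-liner.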