As is well known, to run a program on Linux the program must exist as a file that is reachable somewhere in the file system hierarchy; this is how execve() works. The file may live on disk or in RAM (tmpfs, memfd), but a file path is always required. This mechanism not only lets us control what runs on a Linux system, it also makes it easier to detect security threats or malicious programs planted by attackers, and even to stop attackers from executing their tools at all, for example by not allowing unauthorized users to place executable files anywhere.
However, the emergence of DDexec changes this picture.
Technical Mechanism
1. Most shell interpreters allow the creation of file descriptors, which child processes then inherit. We can open a descriptor to the shell's own mem file under /proc (with write permission), and a child process can then use that descriptor to modify the shell's memory;
2. ASLR is not a "roadblock", because we can read the shell's maps file under /proc (or other sources) to learn the layout of the process address space;
3. Seeking to an offset within the file requires lseek(); from the shell this is easily done with the dd tool;
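The three points above also describe what a defender can look for: a descriptor opened on a process's mem file, held either by the process itself or by a child that inherited it. The following Python script is an added example and is not part of the DDexec project; it walks /proc (or a constructed list of descriptor entries), reports descriptors whose link target is a /proc/<pid>/mem file, and notes whether the descriptor is writable and whether it points at another process's memory. The fdinfo "flags:" field is parsed as the octal open flags that the kernel reports there; the sample entries at the bottom are constructed, not captured from a real host.

```python
"""Heuristic detector for open descriptors on /proc/<pid>/mem (added example).

A shell that hands a child a writable descriptor to its own mem file leaves a
visible trace in /proc: the child's fd symlink resolves to /proc/<parent>/mem.
"""
import os
import re
from typing import Iterable, List, NamedTuple, Tuple

# Link target of a process memory file, e.g. /proc/4242/mem
MEM_TARGET = re.compile(r"^/proc/(\d+)/mem$")

# (pid holding the fd, fd number, readlink target, fdinfo flags in octal)
FdEntry = Tuple[int, int, str, str]


class MemFdHit(NamedTuple):
    pid: int          # process holding the descriptor
    fd: int           # descriptor number
    target_pid: int   # process whose memory file it points at
    writable: bool    # opened O_WRONLY or O_RDWR
    inherited: bool   # points at another process's memory (e.g. the parent shell)


def flags_are_writable(flags_octal: str) -> bool:
    """fdinfo reports the open flags in octal; the low two bits are the access
    mode (O_RDONLY=0, O_WRONLY=1, O_RDWR=2)."""
    return (int(flags_octal, 8) & 0o3) != 0


def classify_fds(entries: Iterable[FdEntry]) -> List[MemFdHit]:
    """Keep only descriptors that resolve to a /proc/<pid>/mem file."""
    hits: List[MemFdHit] = []
    for pid, fd, target, flags in entries:
        match = MEM_TARGET.match(target)
        if match is None:
            continue
        target_pid = int(match.group(1))
        hits.append(MemFdHit(pid, fd, target_pid,
                             flags_are_writable(flags),
                             target_pid != pid))
    return hits


def read_fdinfo_flags(proc_root: str, pid: int, fd: int) -> str:
    """Return the 'flags:' value from /proc/<pid>/fdinfo/<fd> (octal string)."""
    with open(f"{proc_root}/{pid}/fdinfo/{fd}") as fh:
        for line in fh:
            if line.startswith("flags:"):
                return line.split()[1]
    return "0"


def collect_fd_entries(proc_root: str = "/proc") -> List[FdEntry]:
    """Enumerate every readable descriptor of every process under proc_root."""
    entries: List[FdEntry] = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid = int(name)
        fd_dir = f"{proc_root}/{pid}/fd"
        try:
            fd_names = os.listdir(fd_dir)
        except OSError:          # process exited, or not ours to inspect
            continue
        for fd_name in fd_names:
            try:
                target = os.readlink(f"{fd_dir}/{fd_name}")
                flags = read_fdinfo_flags(proc_root, pid, int(fd_name))
            except OSError:      # descriptor closed between listing and read
                continue
            entries.append((pid, int(fd_name), target, flags))
    return entries


# Constructed sample data for offline use (pids and flags are made up)
SAMPLE_ENTRIES: List[FdEntry] = [
    (4242, 0, "/dev/pts/0", "02"),            # ordinary terminal descriptor
    (4242, 3, "/proc/4242/maps", "0100000"),  # shell reading its own maps: not a mem fd
    (4243, 3, "/proc/4242/mem", "02"),        # child holding the parent shell's mem, O_RDWR
    (5100, 7, "/proc/5100/mem", "0"),         # a process reading its own memory, read-only
]


def main() -> None:
    for hit in classify_fds(collect_fd_entries()):
        mode = "writable" if hit.writable else "read-only"
        origin = "another process's" if hit.inherited else "its own"
        print(f"pid {hit.pid} fd {hit.fd}: {mode} descriptor on {origin} "
              f"memory file (/proc/{hit.target_pid}/mem)")


if __name__ == "__main__":
    main()
```

Run it as root (or under a capability that lets you read other users' /proc entries) to cover all processes; on the constructed sample, only the two mem-file descriptors are reported, and the writable one that points at a different pid is the pattern matching the mechanism above.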
Tool Download
Researchers can use the following command to clone the source code of this project locally:
git clone https://github.com/arget13/DDexec.git
Dependency Components
This script depends on the following components to implement its functionality:
dd
bash | zsh | ash (busybox)
head
tail
cut
grep
od
readlink
wc
tr
base64
Tool usage
Pipe the base64 encoding of the binary to be run into ddexec.sh; the encoded input must contain no newline characters. The script's arguments are the program's runtime arguments, starting with argv[0].
Below is an example of use:
base64 -w0 /bin/ls | bash ddexec.sh /bin/ls -lA
The project also provides a ddsc.sh script that allows us to directly run binary code. Below is a "Hello world" Shellcode example:
bash ddsc.sh -x <<< "4831c0fec089c7488d3510000000ba0c0000000f054831c089c7b03c0f0548656c6c6f20776f726c640a00"
Or:
bash ddsc.sh < <(xxd -ps -r <<< "4831c0fec089c7488d3510000000ba0c0000000f054831c089c7b03c0f0548656c6c6f20776f726c640a00")
This method also works with Meterpreter.
This tool has been tested on Debian, Alpine, and Arch platforms, supports the following shells: Bash, zsh, and ash, and supports x86_64 and aarch64 (arm64) architectures.
License Agreement
This project is developed and released under the GPL-3.0 open source license.
Project address
DDexec: https://github.com/arget13/DDexec