by stackghost 56 days ago
These come up in CTFs all the time. One trick I don't see here is you can use `dd` to write into the `/proc` hierarchy to achieve all sorts of fuckery including patching shellcode into a running process.
3 comments

You learn the most random ways to abuse program features. One I still remember, because of how long it took to figure out, was an HTB box that (after a long exploitation path) used NTFS ADS to hide the flag within the alternate stream in a decoy file; and of course the normal way to extract the stream was disabled, so I had to do some black magic with other binaries to get it.
I don't think I've used any of these in a CTF tbh
I've definitely used one or two in the last 6 months
For what kind of challenge? Most of these are not even available in CTF environments
I've used them for pwncollege CTFs but pwncollege is way below your level (I've seen some of your write ups before).
I don't think I could solve most of the challenges there
If memory serves, I got creds for a machine where the git user was able to run `git diff` with setuid, so you could abuse the pager to escape into an elevated shell.
Huh? How does that work exactly? I've heard of /proc fuckery before but didn't know you could disable ASLR with it.
If you have /proc available, you don't even need to disable ASLR (all mappings are available to you)
Hey you know what, I've used dd to write into process memory but haven't actually used it to disable KASLR, so it's possible I am misremembering. My bad.
:(

Sounds super 1337 and I hope it's actually possible somehow.

Parse /proc/<pid>/maps to find the relevant target_addr in your process-under-attack. And then it's a matter of:

    $ dd if=shellcode.bin of=/proc/<pid>/mem bs=1 seek=$((target_addr)) ...
See also: DDExec

https://github.com/arget13/DDexec
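The two kernel facts behind this thread, shown from the defender's side as an added example (not code from the thread or from the DDexec project): the `/proc/<pid>/maps` text format that a debugger, or the trick above, has to parse, and the Yama `kernel.yama.ptrace_scope` knob, since opening `/proc/<pid>/mem` for writing passes the same ptrace access check as attaching a debugger. The script parses constructed `maps` lines, flags mappings that are writable and executable at the same time (the usual W^X audit), and explains what each `ptrace_scope` level permits. The sample mapping lines and the `/usr/bin/example` path are constructed for the demo.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# One /proc/<pid>/maps line, as documented in proc(5):
#   start-end perms offset dev inode [pathname]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwx-]{3}[sp])\s+"
    r"(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+"
    r"(?P<inode>\d+)"
    r"(?:\s+(?P<path>.*))?$"
)

# Constructed sample: a typical binary with separate r--/r-x/rw- segments,
# one anonymous rwx region (the thing an auditor wants to see), and the stack.
SAMPLE_MAPS = """\
55d6c3a00000-55d6c3a01000 r--p 00000000 08:01 1234 /usr/bin/example
55d6c3a01000-55d6c3a02000 r-xp 00001000 08:01 1234 /usr/bin/example
55d6c3a02000-55d6c3a03000 rw-p 00002000 08:01 1234 /usr/bin/example
7f1a2c000000-7f1a2c021000 rwxp 00000000 00:00 0
7ffd3e2c0000-7ffd3e2e1000 rw-p 00000000 00:00 0 [stack]
"""


@dataclass
class Mapping:
    start: int
    end: int
    perms: str   # e.g. "r-xp": read/write/exec flags plus shared/private
    path: str    # empty for anonymous memory

    @property
    def writable_and_executable(self) -> bool:
        return self.perms[1] == "w" and self.perms[2] == "x"


def parse_maps(text: str) -> List[Mapping]:
    """Parse the contents of a /proc/<pid>/maps file into Mapping records."""
    mappings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _MAPS_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised maps line: {line!r}")
        mappings.append(Mapping(
            start=int(m.group("start"), 16),
            end=int(m.group("end"), 16),
            perms=m.group("perms"),
            path=(m.group("path") or "").strip(),
        ))
    return mappings


def find_rwx(mappings: List[Mapping]) -> List[Mapping]:
    """W^X audit: regions that are both writable and executable."""
    return [m for m in mappings if m.writable_and_executable]


# Meaning of each Yama ptrace_scope level (Documentation/admin-guide/LSM/Yama.rst).
# The same check gates open("/proc/<pid>/mem") for another process.
_PTRACE_SCOPE = {
    0: "classic: any process may attach to any other process of the same uid",
    1: "restricted: only a parent (or a PR_SET_PTRACER-declared tracer) may attach",
    2: "admin-only: attaching requires CAP_SYS_PTRACE",
    3: "no attach: ptrace attach is disabled entirely; needs a reboot to change",
}


def ptrace_scope_meaning(level: int) -> str:
    if level not in _PTRACE_SCOPE:
        raise ValueError(f"unknown ptrace_scope level {level}")
    return _PTRACE_SCOPE[level]


def read_ptrace_scope(path: str = "/proc/sys/kernel/yama/ptrace_scope") -> Optional[int]:
    """Current level, or None when Yama is not built into this kernel."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return int(fh.read().strip())


if __name__ == "__main__":
    for m in find_rwx(parse_maps(SAMPLE_MAPS)):
        print(f"RWX mapping {m.start:#x}-{m.end:#x} {m.path or '[anon]'}")
    scope = read_ptrace_scope()
    print("ptrace_scope:", "not available" if scope is None else f"{scope} ({ptrace_scope_meaning(scope)})")
```

On a live Linux host, swap `SAMPLE_MAPS` for the contents of `/proc/self/maps` (or another pid you are allowed to inspect); an anonymous `rwxp` region in a process that is not a JIT is worth a second look, and a `ptrace_scope` of 0 means any same-uid process can open another's `mem` file, which is the precondition the thread's `dd` trick relies on.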

What legitimate purpose does this feature serve? Why should a process be able to write into the virtual memory of another process?
Testing and instrumentation.

This feature is used extensively in safety-critical testing procedures, for example. It is also used as a side channel for instrumenting long-running processes.

See also: debuggers and profilers, which simply wouldn't work without this capability.

I've also since learned that this feature is used in applications (e.g. Firefox) which sandbox their processes, as a means of crash-reporting when some process pisses in their sandbox, crashing ...

Sure, it 'seems' dangerous to have this capability - until you need to debug, profile, or instrument something ..