Hacker News new | ask | show | jobs
by aa-jv 44 days ago
Parse /proc/<pid>/maps to find the relevant target_addr in your process-under-attack. And then its a matter of:

    $ dd if=shellcode.bin of=/proc/<pid>/mem bs=1 seek=$((target_addr)) ...
See also: DDExec

https://github.com/arget13/DDexec
1 comments
jeffbee 44 days ago
What legitimate purpose does this feature serve? Why should a process be able to write into the virtual memory of another process?
link
aa-jv 43 days ago
Testing and instrumentation.

This feature is used extensively in safety-critical testing procedures, for example. It is also used as a side channel for instrumenting long-running processes.

See also: debuggers and profilers, which simply wouldn't work without this capability.

I've also since learned that this feature is used in applications (e.g. Firefox) which sandbox their processes, as a means of crash-reporting when some process pisses in their sandbox, crashing ...

Sure, it 'seems' dangerous to have this capability - until you need to debug, profile, or instrument something ..

link