History

Dongge Liu ddf48c9a74 A PoC of `execSan` with `pytorch-lightning-1.5.10` (#7827 ) * A PoC of `execSan` with `pytorch-lightning-1.5.10`		2022-06-09 14:22:41 +10:00
..
PoEs/pytorch-lightning-1.5.10	A PoC of `execSan` with `pytorch-lightning-1.5.10` (#7827 )	2022-06-09 14:22:41 +10:00
Makefile	A PoC of `execSan` with `pytorch-lightning-1.5.10` (#7827 )	2022-06-09 14:22:41 +10:00
README.md	Execsan syntax error (minor fixes) (#7806 )	2022-06-07 11:50:30 +10:00
execSan.cpp	Execsan syntax error (minor fixes) (#7806 )	2022-06-07 11:50:30 +10:00
target.cpp	Execsan syntax error (minor fixes) (#7806 )	2022-06-07 11:50:30 +10:00
vuln.dict	An attempt to detect shell injection with `ptrace` (#7757 )	2022-05-26 15:37:04 +10:00

README.md

Shell Injection Detection with `ptrace`

We use ptrace to instrument system calls made by the target program to detect if our /tmp/tripwire command in vuln.dict was injected into the shell of the testing target program. This works by

Checking if execve is called with /tmp/tripwire.
TODO: Checking if we managed to invoke a shell (e.g. /bin/sh) and cause a syntax error.

Quick test

Cleanup

Note this will delete /tmp/tripwire if it exists.

make clean

Run test

Note this will overwrite /tmp/tripwire if it exists.

make test

Look for one of the following lines:

===BUG DETECTED: Shell injection===

which indicates the detection of executing the planted /tmp/tripwire.

===BUG DETECTED: Shell corruption===

which indicates the detection of executing a syntactic erroneous command.

TODOs

Find real examples of past shell injection vulnerabilities using this.
More specific patterns of error messages (to avoid false postives/negatives)

e.g. cache and concatenate the buffer of consecutive write syscalls
e.g. define the RegEx of patterns and pattern-match with buffers