Skip to content

scumjr/idontgiveashell

Repository files navigation

idontgiveashell

Description

A colleague of mine wanted to enjoy the powerful features of my CPU but I don't trust him enough to give a shell on my computer. This program expects to receive a raw shellcode or a shared library, and executes it inside a seccomp-bpf sandbox.

Technical details

The following syscalls are allowed by seccomp-bpf:

  • rt_sigreturn,
  • exit,
  • exit_group,
  • read,
  • write,
  • mmap,
  • mprotect,
  • getcwd.

memdlopen (https://github.com/m1m1x/memdlopen) is used to load a dynamic library from memory. Despite being a proof of concept, the idea is awesome and it works great. (The code has been heavily rewritten to be a little bit more readable).

CPU time and memory are limited thanks to alarm and rlimits.

Tests

Tested on Ubuntu 14.04.2 LTS (ld-2.19.so).

About

Load a .so from network and execute it inside a seccomp sandbox

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published