
Initial linting of ddexec.sh #14

Open: tinmarino wants to merge 6 commits into base: main

Conversation

@tinmarino tinmarino commented Apr 16, 2023

Hi @arget13,

It works super fine, nice script.
I refactored a little, with the function declarations and docstrings in my style so that I can have nice folding; I hope this is OK with you.

Otherwise, there are 2 minor improvements:

  1. if [ -n "interp_off" ] (forgot the dollar)
  2. the bin variable is exported in my environment, so I get an "argument list too long" because this variable becomes very big and is passed (in my case as exported)

But most of all these are the changes:

  • Quote expansions
  • Use the default assignment idioms :=
  • Nest all in functions from top to bottom, create a main

Folding

The folding I get with docstrings inside functions, for reference:

    1 #!/bin/sh
    2
    3 init_global(){                                                  : 'Init global variables                                                         > 64
   67 endian(){                                                       : 'Helper: Endian conversion'                                                     > 6
   73 sc_chunk(){                                                     : 'Exctract a chunk from the global SC_ARRAY'                                     > 6
   79 search_section(){                                               : 'Search for a section segment in file                                          > 87
  166 shellcode_loader(){                                             : '### TODO: SHF_COMPRESSED sections ###                                        > 158
  324 craft_stack(){                                                  : 'Craft initial stack                                                           > 75
  399 craft_shellcode(){                                              : 'Craft the shellcode to bootload user binary'                                  > 56
  455 ddexec(){                                                       : 'Main function'                                                               > 133
  588 ddexec "$@"
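An added example, not code from the ddexec repository or from this PR, written in POSIX sh so it also runs under busybox ash: it puts the two points above side by side, the always-true `[ -n "interp_off" ]` guard next to its fixed form, the `:=` default-assignment idiom, why an unquoted expansion changes the argument count, and why an exported variable (named `big` here, an assumed stand-in for `bin`) is copied into every child process's environment, which is what makes an exported copy of the binary run into the argument/environment size limit. Every name other than `interp_off` is an assumption for the example.

```shell
#!/bin/sh
# Added example, not part of ddexec: POSIX sh, runs under dash and busybox ash.

# Buggy guard from the PR: "interp_off" is a non-empty literal, so this test
# is always true and the guarded branch runs even when the variable is empty.
check_interp_buggy() {
    interp_off=$1
    if [ -n "interp_off" ]; then echo has-interp; else echo no-interp; fi
}

# Fixed guard: test the expansion, quoted so an empty value is still one word.
check_interp_fixed() {
    interp_off=$1
    if [ -n "$interp_off" ]; then echo has-interp; else echo no-interp; fi
}

# Default-assignment idiom: ${var:=default} assigns only when var is unset or
# empty; ':' is the no-op builtin, used purely for the expansion's side effect.
with_default() {
    : "${chunk_size:=512}"      # chunk_size is an assumed variable name
    echo "$chunk_size"
}

# Quoting expansions: an unquoted $p is field-split on IFS (and globbed),
# so a value containing spaces turns into several arguments.
count_args() { echo "$#"; }
unquoted_words() { p='a b c'; count_args $p; }
quoted_words()   { p='a b c'; count_args "$p"; }

# Exported variables are copied into the environment of every child process,
# so a huge exported value counts against every exec's argv+envp budget and
# can trigger "Argument list too long" (E2BIG). The subshell keeps the export
# from leaking into the caller; unset first drops any inherited export flag.
exported_reaches_child() { ( unset big; big=payload; export big; sh -c 'printf %s "${big:-unset}"' ); }
unexported_stays_local() { ( unset big; big=payload;             sh -c 'printf %s "${big:-unset}"' ); }
```

Run each function under `dash` or `busybox sh` to see the difference: the buggy guard reports `has-interp` even for an empty value, while only the exported variable reaches the child shell.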

@tinmarino (Author) commented Apr 16, 2023

This would be all for this PR; just to note that I may create another one with these changes. What do you think of them?

  • Use array for command and not echo eval
  • Comment
  • Assign a type to declaration, as there is much arithmetic
  • Add automatic tests
  • Reorganize and reorder functions: from top to bottom, hopefully a small main

@arget13 (Owner) commented Apr 16, 2023

Hello! I'm really glad that someone actually took the time to read and understand such difficult-to-read code.
Later I'll see in detail the PR. Regarding the next changes:

  • I would have used an array (it is the obvious answer!) but they aren't supported by ash (busybox).
  • About comments... I don't know, the script is pretty big already and this is supposed to be as small as possible in case you need to copy & paste through an unstable connection to a computer with restricted access to Internet.
  • Types? I don't think ash or any POSIX shell supports them.
  • Automatic tests... yeah, I tried that but I'm really bad with github actions. You can see the configuration files for github actions in .github and you'll see that they don't work particularly well; if you want to fix that, that'd be great.
  • If you find a better way to organize the code, well, we can use it, of course.

@arget13 arget13 added the enhancement New feature or request label Apr 16, 2023
@arget13 (Owner) commented Apr 16, 2023

On the other hand please consider that I expect to change the technique to memdlopen. Whenever I have the time, hehe.

@tinmarino (Author) commented

Hi @arget13,

Thank you for the fast response. I agree with your comments, and think the compatibility with all possible shells should not be broken (I guess it was hard to get, congratulations); let me show refs.

  1. Array: no array allowed <= in effect, ash does not support them: Syntax error: "(" unexpected
  2. Comment: no abusive comments, it is OK to add comments in some external .md files as you did (I love the README.md)
  3. Types: not supported <= local: -i: bad variable name
  4. Test: we all agree, I'll see that
  5. Refactor: I do not think I'll improve: dividing into more functions may create subshells or global variables.

So I'll just consider tests before you accept this small refactoring (all in functions) to avoid conflicts. Anyway, it is the best next step, and I'm educatively playing with GitHub Actions.
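An added example, not code from ddexec or from this PR: since arrays are out (ash rejects the `(` syntax, as the error above shows), this shows the one array-like structure POSIX sh does provide, the positional parameters rebuilt with `set --`, next to the string-plus-`eval` approach the PR wants to move away from. The function names and the sample elements are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of ddexec: POSIX sh / busybox ash have no arrays,
# but the positional parameters behave like one. "set --" rebuilds them and
# "$@" expands each element as exactly one word.

# String-building approach: arguments live in one string and are re-split on
# whitespace when evaluated, so an element containing a space breaks apart.
string_and_eval() {
    args="printf '[%s]' two words x"
    eval "$args"                 # runs: printf '[%s]' two words x
}

# Positional-parameter approach: each  set -- "$@" elem  appends one element,
# and "$@" hands every element to the command intact, spaces included.
positional_argv() {
    set --                       # start with an empty list
    set -- "$@" printf '[%s]'
    set -- "$@" 'two words'      # stays a single element
    set -- "$@" x
    "$@"                         # runs: printf '[%s]' 'two words' x
}

# The list can be inspected as well: $# is its length and a for loop walks it
# without eval or word splitting.
positional_len() {
    set -- alpha 'beta gamma' delta
    n=$#
    for elem in "$@"; do :; done # each iteration sees one whole element
    printf '%s' "$n"
}
```

The limitation is that each function has its own positional parameters, so the list has to be built and consumed in the same scope; that is the trade-off for staying portable to ash.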

@tinmarino (Author) commented

I'd like to collaborate more on this ddexec project, and I understand it is OK. Thank you for pointing me to memdlopen, I'll have a look at the paper (curiosity, I will not use it).

My interests

This leads me to introduce my interests. I am not in cybersecurity (any more), but rather in a user-friendly TUI (git-like) for remote execution on machines where I am invited. Usually for testing, with code in Bash on my machine piping to an ssh tunnel (this you are familiar with, lol).

Existing alternatives or friends

I created the lib_dispatch bash code to call any Bash function anywhere (with introspection), but it cannot call native binary encoded strings, and calling some native code like mprocs would be a nice feature (my chiefs would appreciate it :-)).

I do not like to touch the filesystem either, not for furtiveness as a pentester but more because it may not exist, be read-only, not mounted, slow, etc., and this leads to adding some magic (paths) in code, may create some race conditions, etc. => this is dirty even for legitimate code!

The only solution for in-memory execution from the shell I found before yours is using the memfd_create syscall. See a recent response and also a blog. This requires Perl!

Brief

All that to say that the memory parsing you are doing in pure shell is really innovative, I was waiting for that! The features this unveils extend far beyond education and security. It empowers shell scripting, and this is where my interest lies.
I hope I can bring a little of my added value (as a shell expert).

Saludos desde Chile.
See you at next (test) PR!
