Adventures in systemd injection

Presented at DerbyCon 9.0 Finish Line (2019), Sept. 8, 2019, 10 a.m. (30 minutes)

Injecting into Linux processes is nothing new, but it's a great way to get malicious code running without an additional process.Libpcap is also nothing new, but it's a great way to have malware wait for something interesting.Systemd is somewhat new, but it's a great place to inject malware using libpcap.Or so I thought.This talk follows the speaker's journey trying to inject a libpcap-based tool into systemd.Along the way we'll see how to get a running process to load a library, hook functions the easy way, and dodge selinux.

Presenters:

• Stuart McMurray
  Stuart is a Red Teamer at IronNet, where he focuses on tool development, Unix, and general Swiss Army knifery.He's been on the offensive side of public and private sector security for six years, during which time he's been an operator and trainer and developed a small arsenal of public and private offensive tools. Stuart's been a speaker at BSides and CarolinaCon and has red teamed for Quantum Dawn and the Collegiate Cyber Defense Competition.

Links:

• https://infocon.org/cons/DerbyCon/DerbyCon 9 2019/Adventures in systemd injection Stuart McMurray.mp4
• https://infocon.org/cons/DerbyCon/DerbyCon 9 2019/Adventures in systemd injection Stuart McMurray.eng.srt (subtitles)
• https://www.youtube.com/watch?v=PaBLBVb4eMY

Similar Presentations:

• May Contain Hackers (MCH2022) / Surviving systemd
• BSidesLV 2019 / Please inject me, a x64 code injection
• DEF CON 27 (2019) / Please Inject Me, a x64 Code Injection