Comment by maxtaco
19 hours ago
Use extreme caution running arbitrary code on your machines, especially obfuscated code that tickles kernel bugs! (edited)
Analysis of the POC concurs with my tests that confirm that the portion of `su` that gets overwritten does not survive a reboot.
It's living in your page cache, not on your disk. Flush the caches and it'll disappear.
Indeed. But it's easier to just kill a container or a k8s node and reprovision than to flush the caches
The page explicitly describes that it is stealthy as it does not make permanent changes, only corrupting the binary in memory.
Unfortunately the page can also lie to you haha. It seems people have reviewed the code by now, but running suspicious shellcode you don't fully understand is never a great idea.
I personally had AI review the code, add comments, disassemble the shell code, etc.
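The thread's point is that the overwritten bytes live only in the page cache while the on-disk file is untouched, so a cached read and a disk read disagree. Below is an added example (my own, not code from the thread or from the POC it discusses) of the check a defender would run to tell those two views apart: hash the file through the page cache, ask the kernel to drop the file's clean cached pages with `POSIX_FADV_DONTNEED`, then hash it again so the second read has to come from disk. It assumes Linux and CPython with `os.posix_fadvise` available; the sample file it creates is a constructed stand-in for `/usr/bin/su`.

```python
import hashlib
import os
import tempfile


def sha256_of_fd(fd: int, chunk: int = 1 << 20) -> str:
    """Hash the whole file behind an open descriptor, starting from offset 0."""
    os.lseek(fd, 0, os.SEEK_SET)
    h = hashlib.sha256()
    while True:
        buf = os.read(fd, chunk)
        if not buf:
            break
        h.update(buf)
    return h.hexdigest()


def compare_cached_vs_disk(path: str) -> dict:
    """Hash `path` twice: once through whatever the page cache currently
    holds, then again after asking the kernel to evict the file's clean
    cached pages, which forces the second read to come from disk.

    A mismatch means the in-memory copy differs from the on-disk copy,
    which is exactly the footprint of an overwrite that only patches the
    page cache and never reaches the block device. Only *clean* pages are
    dropped by POSIX_FADV_DONTNEED; a page-cache-only overwrite leaves the
    page clean (nothing is scheduled for writeback), so it is evicted and
    the re-read reflects the real file. A legitimately edited file whose
    dirty pages have not been flushed yet would still hash the same both
    times, so this check is specific to the 'memory only' case.
    """
    fd = os.open(path, os.O_RDONLY)
    try:
        cached = sha256_of_fd(fd)
        # Deliberately no fsync here: the goal is to observe the disk
        # contents as they are, not to push anything out to disk.
        os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)
        on_disk = sha256_of_fd(fd)
    finally:
        os.close(fd)
    return {
        "path": path,
        "cached_sha256": cached,
        "disk_sha256": on_disk,
        "tampered": cached != on_disk,
    }


def demo() -> dict:
    """Run the check on a constructed throwaway file (a stand-in for su).

    On a clean file both hashes agree and 'tampered' is False; on a host
    where only the cached copy of a binary has been patched the two hashes
    differ, which is the signal to rebuild the node rather than trust it.
    """
    # Constructed sample contents; not a real ELF binary.
    sample = b"\x7fELF constructed sample binary contents\n" * 1000
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(sample)
        path = f.name
    try:
        return compare_cached_vs_disk(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

To check a real setuid binary, call `compare_cached_vs_disk("/usr/bin/su")` as a user that can read it; evicting the pages needs no special privilege. The on-disk hash is only as trustworthy as the disk, so pair it with your package manager's recorded checksum for the file when you want to rule out an on-disk change as well.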