
Interesting sandbox hypothetical

Started by deadly7, February 24, 2011, 07:21:23 PM


deadly7

Let's say you have a binary that "phones home". You have SSH access to the machine on which it resides, but cannot log in as root [or sudo]. How would you sandbox it so that all outgoing network traffic from the executable gets blocked?
[17:42:21.609] <Ergot> Kutsuju you're girlfrieds pussy must be a 403 error for you
[17:42:25.585] <Ergot> FORBIDDEN

on IRC playing T&T++
<iago> He is unarmed
<Hitmen> he has no arms?!

on AIM with a drunk mythix:
(00:50:05) Mythix: Deadly
(00:50:11) Mythix: I'm going to fuck that red dot out of your head.
(00:50:15) Mythix: with my nine

iago

On Windows, I wrote a loader that would start a process suspended and modify some of the calls (send/recv/etc.) to go through my code before going out. It would probably work without admin access, and the same type of thing should be possible on Linux. It's function hooking or writing a loader.

I've never done it on Linux, sadly. I mostly do this type of thing from Windows.
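Added example, not code from the thread or any poster: the Linux counterpart of the loader described above is an LD_PRELOAD shim. The dynamic loader reads LD_PRELOAD from the unprivileged user's environment, so no root is needed; the shim defines its own connect() and sendto(), which the loader resolves ahead of libc's, and refuses anything that is not loopback or a Unix socket. The policy function nonet_allowed() and the filename nonet.so are this example's own names. Assumes glibc or musl (RTLD_NEXT, IN6_IS_ADDR_LOOPBACK) and a dynamically linked target.

```c
/* nonet.c: LD_PRELOAD shim that refuses outbound connections from the
 * process it is loaded into. No root required.
 *
 * Build:  gcc -shared -fPIC -o nonet.so nonet.c
 * Run:    LD_PRELOAD=$PWD/nonet.so ./phone-home-binary
 */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Policy (this example's own rule): allow AF_UNIX and loopback only.
 * Returns 1 if the destination may be contacted, 0 otherwise.
 * A short or NULL address is treated as denied rather than guessed at. */
int nonet_allowed(const struct sockaddr *sa, socklen_t len)
{
    if (sa == NULL || len < sizeof(sa_family_t))
        return 0;
    switch (sa->sa_family) {
    case AF_UNIX:
        return 1;
    case AF_INET: {
        struct sockaddr_in in4;
        if (len < sizeof in4)
            return 0;
        memcpy(&in4, sa, sizeof in4);          /* avoid unaligned access */
        return (ntohl(in4.sin_addr.s_addr) >> 24) == 127;   /* 127.0.0.0/8 */
    }
    case AF_INET6: {
        struct sockaddr_in6 in6;
        if (len < sizeof in6)
            return 0;
        memcpy(&in6, sa, sizeof in6);
        return IN6_IS_ADDR_LOOPBACK(&in6.sin6_addr);        /* ::1 */
    }
    default:
        return 0;
    }
}

typedef int (*connect_fn)(int, const struct sockaddr *, socklen_t);
typedef ssize_t (*sendto_fn)(int, const void *, size_t, int,
                             const struct sockaddr *, socklen_t);

/* Interposed connect(): TCP and connected-UDP paths go through here.
 * Denied destinations fail with EPERM before the real libc call is made. */
int connect(int fd, const struct sockaddr *addr, socklen_t len)
{
    static connect_fn real_connect;
    if (!nonet_allowed(addr, len)) {
        errno = EPERM;
        return -1;
    }
    if (!real_connect)
        real_connect = (connect_fn)dlsym(RTLD_NEXT, "connect");
    return real_connect(fd, addr, len);
}

/* Interposed sendto(): unconnected UDP never calls connect(), so the
 * destination has to be checked here too. addr == NULL means "send to
 * the connected peer", which connect() above has already vetted. */
ssize_t sendto(int fd, const void *buf, size_t n, int flags,
               const struct sockaddr *addr, socklen_t len)
{
    static sendto_fn real_sendto;
    if (addr != NULL && !nonet_allowed(addr, len)) {
        errno = EPERM;
        return -1;
    }
    if (!real_sendto)
        real_sendto = (sendto_fn)dlsym(RTLD_NEXT, "sendto");
    return real_sendto(fd, buf, n, flags, addr, len);
}
```

Caveats a practitioner should check before trusting this: the shim only sees calls that go through libc, so a statically linked binary, one that issues the socket syscalls directly, or one that execs a child after scrubbing its environment bypasses it; the dynamic loader also ignores LD_PRELOAD for setuid programs. Verify with strace that connect()/sendto() really return EPERM for the target. Where the kernel allows unprivileged user namespaces, `unshare -rn ./binary` (util-linux) gives the process an empty network namespace instead, which does not depend on how the binary was linked.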

nslay

I've never seen a Unix firewall that can block based on process. Although, I'm mostly a pf user myself.
An adorable giant isopod!

Joe

I can't say without more details, but is unplugging the Ethernet a possible fix? It'll stop the program from phoning home, at least.
Quote from: Camel on June 09, 2009, 04:12:23 PM
I'd personally do as Joe suggests

Quote from: AntiVirus on October 19, 2010, 02:36:52 PM
You might be right about that, Joe.


Blaze

If he has to ssh in, and he doesn't have root, it's likely that he does not have physical access to the box.
And like a fool I believed myself, and thought I was somebody else...

Joe

Can you write a plugin that gives me an "I just woke up button" that doesn't allow me to post within 30 minutes of clicking it?


iago

Quote from: Joe on February 26, 2011, 12:53:14 PM
Can you write a plugin that gives me an "I just woke up button" that doesn't allow me to post within 30 minutes of clicking it?
Sure, but it might have a large false positive rate.

Blaze

Quote from: iago on February 27, 2011, 10:37:42 AM
Quote from: Joe on February 26, 2011, 12:53:14 PM
Can you write a plugin that gives me an "I just woke up button" that doesn't allow me to post within 30 minutes of clicking it?
Sure, but it might have a large false positive rate.


Hahaha.

Sidoh

HOLD ON, HOLD ON. WAIT A MINUTE

did someone just get told?