Analysis of the POC concurs with my tests that confirm that the portion of `su` that gets overwritten does not survive a reboot.
It's living in your page cache, not on your disk. Flush the caches and it'll disappear.
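One way to check the claim above from a defender's side, as an added example that is not code from the thread or from the PoC: hash the file through the normal (page-cache) read path, ask the kernel to evict that file's cached pages with `posix_fadvise(DONTNEED)`, then hash the forced re-read from disk. The temp file, its contents and the function names are constructed for the example; it assumes Linux.

```python
"""Evict-and-compare check for page-cache-only tampering of a file (added example)."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read in 1 MiB chunks

# Constructed stand-in for a binary; not a real su.
SAMPLE = b"#!/bin/sh\necho constructed sample, not a real su binary\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE).hexdigest()


def _sha256(fd: int) -> str:
    """Hash the whole file through the ordinary read path (served from page cache)."""
    h = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    while True:
        data = os.read(fd, CHUNK)
        if not data:
            return h.hexdigest()
        h.update(data)


def cached_vs_disk(path: str) -> dict:
    """Compare the cached view of a file with a re-read forced from disk."""
    fd = os.open(path, os.O_RDONLY)
    try:
        cached = _sha256(fd)
        # Ask the kernel to drop this file's clean cached pages (offset 0,
        # length 0 = to end of file). Pages mapped by a running process, such
        # as an executing binary, may survive eviction, so a match is not
        # proof of a clean file; a mismatch, however, is conclusive.
        os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)
        disk = _sha256(fd)
    finally:
        os.close(fd)
    return {"cached": cached, "disk": disk, "match": cached == disk}


def demo() -> dict:
    """Run the check on a constructed temp file; untouched, so both hashes agree."""
    with tempfile.NamedTemporaryFile("wb", delete=False) as f:
        f.write(SAMPLE)
        name = f.name
    try:
        return cached_vs_disk(name)
    finally:
        os.unlink(name)


if __name__ == "__main__":
    print(demo())
```

Against a real system binary, run it as a user that can read the file; a `match` of `False` is the page-cache-versus-disk divergence the comment describes.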
Indeed. But it's easier to just kill a container or a k8s node and reprovision than to flush the caches.
The page explicitly describes that it is stealthy as it does not make permanent changes, only corrupting the binary in memory.
Unfortunately the page can also lie to you haha. It seems people have reviewed the code by now, but running suspicious shellcode you don't fully understand is never a great idea.
I personally had AI review the code, add comments, disassemble the shell code, etc.
That's quite smart. I was almost stupid enough to paste it into a terminal to check if it worked before deciding to wait and let others analyze it first haha.