{"id":13508308,"url":"https://github.com/XiphosResearch/netelf","last_synced_at":"2025-03-30T11:31:41.987Z","repository":{"id":57919647,"uuid":"66460237","full_name":"XiphosResearch/netelf","owner":"XiphosResearch","description":"Run executables from memory, over the network, on Windows, Linux, OpenVMS... routers... spaceships... toasters etc.","archived":false,"fork":false,"pushed_at":"2017-09-28T17:42:53.000Z","size":492,"stargazers_count":282,"open_issues_count":6,"forks_count":33,"subscribers_count":13,"default_branch":"master","last_synced_at":"2024-11-01T08:32:58.591Z","etag":null,"topics":["dll","hacking","in-memory","linux","memfd","openvms","rce","remote-shell","win32"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/XiphosResearch.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-08-24T11:58:44.000Z","updated_at":"2024-08-12T19:24:32.000Z","dependencies_parsed_at":"2022-09-01T09:11:02.283Z","dependency_job_id":null,"html_url":"https://github.com/XiphosResearch/netelf","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XiphosResearch%2Fnetelf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XiphosResearch%2Fnetelf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XiphosResearch%2Fnetelf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/XiphosResearch%2Fnetelf/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/XiphosResearch","do
wnload_url":"https://codeload.github.com/XiphosResearch/netelf/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246314011,"owners_count":20757450,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dll","hacking","in-memory","linux","memfd","openvms","rce","remote-shell","win32"],"created_at":"2024-08-01T02:00:51.200Z","updated_at":"2025-03-30T11:31:41.374Z","avatar_url":"https://github.com/XiphosResearch.png","language":"C","readme":"# NetELF\n\nRun the client side of NetELF to download and execute a program over the network from a server. The server sends an arbitrary binary and command-line arguments.\n\nWhere possible it will execute the program in-memory and will not leave files on the filesystem. 
This makes it ideal for pentests, emergencies and general systems automation.\n\nOriginally inspired by [this post on comp.unix.programmer](https://groups.google.com/forum/message/raw?msg=comp.unix.programmer/V1M97GBxIXo/6JQtqmpHSsQJ).\n\n## Supported Platforms\n\nFully supported \u0026 tested:\n\n * Linux \n * Windows 7\n\nRegularly tested \u0026 partially supported:\n\n * Solaris x86, Sparc\n * OpenVMS VAX, Alpha\n * Ultrix VAX, RISC\n * Windows 95+, NT 3.51+\n\nOthers that it should work on:\n\n * FreeBSD\n * OSX\n * OSF/1\n * HP-UX\n * QNX\n * z/OS\n\n## Example\n\n```\nmake\n./server.py /bin/ls -la \u0026\u003e /dev/null \u0026\n./netelf 127.0.0.1 1337\n./netelf 127.0.0.1 1337 \n```\n\n## In-memory Execution\n\nI looked into the source code for glibc and musl to see what goes on behind the scenes; interestingly, it executes the file from `/proc/self/fd/%d`.\n\nSee the following: \n* [Glibc implementation of fexecve](https://github.com/jeremie-koenig/glibc/blob/master-beware-rebase/sysdeps/unix/sysv/linux/fexecve.c)\n* [musl implementation of procfdname](https://github.com/esmil/musl/blob/master/src/internal/procfdname.c) \n* [musl implementation of fexecve](https://github.com/esmil/musl/blob/master/src/process/fexecve.c) \n\nMount options on tmpfs permeate through to `/proc/self/fd/`, so to disable it you need to add `noexec` to `/dev/shm` and other tmpfs mounts:\n\n```\nsudo mount /dev/shm/ -o remount,rw,nosuid,nodev,noexec -t tmpfs\n```\n\nThis causes `fexecve: Permission denied` because the `shm_open` succeeded, but silently the file descriptor didn't get `+x` permission; doing `fchmod` on the handle won't work either. The file permissions can be checked with `fstat`.\n\nRegarding which executables will work with this technique, the most reliable have been self-contained, statically linked executables. 
In some cases (where the same libc was used on the host used to compile the executable and on the host it is being executed on, and where both have the same libraries/dependencies), dynamically linked executables have worked. Executables which rely on specific environments or external files generally tend to fail.\n\nFurthermore, it is possible to pass arguments to the executable you are running in-memory! The name of the process is derived from `argv[0]`; this can be customised using `--argv0 [kthreadd]`. By default it will use the `basename` of the executable file.\n","funding_links":[],"categories":["C","C (286)","linux"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FXiphosResearch%2Fnetelf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FXiphosResearch%2Fnetelf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FXiphosResearch%2Fnetelf/lists"}