{"id":20648563,"url":"https://github.com/linuxthor/emptythreat","last_synced_at":"2026-05-18T11:03:28.142Z","repository":{"id":150324115,"uuid":"267094582","full_name":"linuxthor/emptythreat","owner":"linuxthor","description":"Linux proof of concept that loads and executes encrypted shellcode from extended file attributes ","archived":false,"fork":false,"pushed_at":"2020-05-26T16:59:34.000Z","size":10,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-07-10T15:20:02.345Z","etag":null,"topics":["linux","meatypuppets","poc","xattr"],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/linuxthor.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-05-26T16:27:21.000Z","updated_at":"2020-05-27T00:00:57.000Z","dependencies_parsed_at":"2023-04-25T00:46:59.222Z","dependency_job_id":null,"html_url":"https://github.com/linuxthor/emptythreat","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/linuxthor/emptythreat","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/linuxthor%2Femptythreat","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/linuxthor%2Femptythreat/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/linuxthor%2Femptythreat/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/linuxthor%2Femptythreat/manifests","owner_url"
:"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/linuxthor","download_url":"https://codeload.github.com/linuxthor/emptythreat/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/linuxthor%2Femptythreat/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33175835,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-18T09:27:30.708Z","status":"ssl_error","status_checked_at":"2026-05-18T09:27:28.300Z","response_time":71,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["linux","meatypuppets","poc","xattr"],"created_at":"2024-11-16T17:09:20.974Z","updated_at":"2026-05-18T11:03:28.136Z","avatar_url":"https://github.com/linuxthor.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# emptythreat\n\nLinux proof of concept that loads and executes AES encrypted shellcode from extended file attributes(1)  \n\nUses the excellent tiny-AES-C https://github.com/kokke/tiny-AES-c  \n   \nload.c - This file will fetch key, iv and encrypted data from extended attributes. Data is decrypted and executed in memory   \nput.c  - This file will configure the extended attributes on a 'load' binary such that shellcode executes   \n\nThis PoC explores an unusual method and location to store code. 
Copies of the file will not run the same as the original unless they have also been 'blessed' with the extended attributes. \n\nThe code can be neutralised by removing any of those extended attributes. \n\nBuild as:\n\n```\ngcc -Wall -o load load.c aes.c\ngcc -Wall -o put put.c aes.c\n```\nThen run:\n```\n./load\n```\nIt will exit, as no key or IV can be loaded. \n\nNext, the file can be 'blessed' with ./put:\n```\n./put ./shellcode silkyundulates11 meatypuppets0000 ./load\n```\nThe next time ./load is run, the shellcode will be executed:\n```\n./load\nYello World \n```\nHowever, copies of the file that are made for backups etc. don't work the same way(2).   \ne.g.\n\n```\ncp ./load ./load.bak\n./load.bak\necho $?\n1\n```\n\n\nNOTES:    \n(1) Assuming those are supported, which is a _reasonably_ safe assumption    \n(2) Depending on how diligently the copy was made etc.    \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flinuxthor%2Femptythreat","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flinuxthor%2Femptythreat","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flinuxthor%2Femptythreat/lists"}