jm33-m0 / emp3r0r

Linux/Windows post-exploitation framework made by linux user
https://infosec.exchange/@jm33
MIT License

[Request] Drop More to Memory #14

Closed zero77 closed 2 years ago

zero77 commented 3 years ago

Apologies if this is already the case, but can you please drop more files to memory instead of disk, and perhaps give the option to run commands directly in memory?

As an example, could the custom binaries used by the reverse shell and the output from the LPE suggest be stored in memory?

jm33-m0 commented 3 years ago

For now most files live in a random path under /dev/shm, which normally does not have noexec set and is mounted as a memory filesystem. Custom binaries are already in /dev/shm; I currently don't have a better solution, as they have to stay in a named path, otherwise you can't execute them in a bash shell. LPE scripts don't need to touch the disk at all; I will make them completely memory based soon.

Thanks for the advice

zero77 commented 3 years ago

I guess dropping files that have to be on disk to /dev/shm is probably the best option.

zero77 commented 3 years ago

Unless you created your own custom ramdisk and used /dev/shm as a fallback.

jm33-m0 commented 3 years ago

Check https://github.com/jm33-m0/emp3r0r/commit/cce6e444619a85358b29af9cfc078972bc877618. The LPE suggester should now work in memory. BTW, I am going to modify the upc script a bit as it's pretty old.

zero77 commented 3 years ago

> Check cce6e44. The LPE suggester should now work in memory. BTW, I am going to modify the upc script a bit as it's pretty old.

Thanks

If you are interested, here are a number of Linux LPE scripts that check for different vulnerabilities and misconfigurations:

https://github.com/WazeHell/PE-Linux
https://github.com/bcoles/so-check
https://github.com/CISOfy/lynis
https://github.com/rebootuser/LinEnum
https://github.com/diego-treitos/linux-smart-enumeration
https://github.com/TH3xACE/SUDO_KILLER
https://github.com/nilotpalbiswas/Auto-Root-Exploit

jm33-m0 commented 3 years ago

> Unless you created your own custom ramdisk and used /dev/shm as a fallback.

Then we still need to mount it, no big difference from /dev/shm.

I have an idea though: we can write bash to a memfd if the kernel supports it; as a memfd, it can be executed like a normal executable.

jm33-m0 commented 3 years ago

https://github.com/diego-treitos/linux-smart-enumeration

I think this can replace upc

zero77 commented 3 years ago

> Unless you created your own custom ramdisk and used /dev/shm as a fallback.

> Then we still need to mount it, no big difference from /dev/shm.

> I have an idea though: we can write bash to a memfd if the kernel supports it; as a memfd, it can be executed like a normal executable.

Yes, that would be even better, though I stumbled across this: sandflysecurity[.]com/blog/detecting-linux-memfd_create-fileless-malware-with-command-line-forensics

jm33-m0 commented 3 years ago

Everything is detectable

Also, to hide the files better, we can hook some libc functions, or even syscalls. I have written the demo code; you can improve it if interested.

jm33-m0 commented 2 years ago

Now emp3r0r runs via the memfd method by default, which makes it literally memory based, even hidden from the filesystem.

Plus, the process name is randomized like [kworker:1xxx], making it harder to detect.

jm33-m0 commented 2 years ago

But also note, the packer cannot guarantee the safety of your agent binary; to retrieve the binary from memfd, use cat /proc/pid/exe > agent
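The detection side of this thread, as an added example that is not part of the issue or of emp3r0r: the Sandfly write-up linked above, the [kworker:1xxx] naming and the /proc/pid/exe retrieval all rest on the same fact, that a memfd-backed process exposes itself through its exe link. The walk of /proc is real (run as root to read every exe link); the process table in SAMPLE is constructed, and the kernel-thread name prefixes are my own list.

```python
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class ProcInfo:
    pid: int
    exe_target: Optional[str]  # readlink(/proc/<pid>/exe); None when unreadable
    comm: str                  # /proc/<pid>/comm, the name ps displays

# Real kernel threads ("kworker/1:2") have no exe link; a userspace process wearing such a name does.
KTHREAD_PREFIXES = ("kworker", "ksoftirqd", "kthreadd", "migration", "rcu_")  # assumed list

def classify(p: ProcInfo) -> List[str]:
    findings: List[str] = []
    if p.exe_target is None:
        return findings  # kernel thread, exited, or unreadable: nothing to judge
    if p.exe_target.startswith("/memfd:"):
        findings.append("executable is an anonymous memfd (fileless)")
    elif p.exe_target.endswith(" (deleted)"):
        findings.append("executable was unlinked after start")
    if p.exe_target.startswith("/dev/shm/"):
        findings.append("executable runs from tmpfs /dev/shm")
    if p.comm.lstrip("[").startswith(KTHREAD_PREFIXES):
        findings.append("kernel-thread-style name on a userspace process")
    return findings

def read_proc(proc_root: str = "/proc") -> List[ProcInfo]:
    procs = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        comm, exe = "", None
        try:
            with open(os.path.join(proc_root, pid, "comm")) as fh:
                comm = fh.read().strip()
            exe = os.readlink(os.path.join(proc_root, pid, "exe"))
        except OSError:
            pass  # kernel thread (no exe link), process gone, or readlink denied
        procs.append(ProcInfo(int(pid), exe, comm))
    return procs

def suspicious(procs: List[ProcInfo]) -> Dict[int, List[str]]:
    return {p.pid: f for p in procs if (f := classify(p))}

SAMPLE = [  # constructed process table standing in for a real /proc walk
    ProcInfo(1, "/usr/lib/systemd/systemd", "systemd"),
    ProcInfo(17, None, "kworker/1:2"),                       # genuine kernel thread
    ProcInfo(4242, "/memfd:x (deleted)", "[kworker:1337]"),  # memfd-backed, fake name
    ProcInfo(4300, "/dev/shm/.a/helper", "helper"),          # tmpfs drop, as in this thread
    ProcInfo(5000, "/usr/bin/python3 (deleted)", "python3"), # benign: binary upgraded on disk
]
```

`suspicious(read_proc())` gives the live picture; the last SAMPLE entry shows why "(deleted)" alone is only a hint, since a package upgrade leaves long-running processes in the same state.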