Closed zero77 closed 2 years ago
For now most files live in a random path under /dev/shm, which normally has no noexec set, and is mounted as a memory filesystem.
Custom binaries are already in /dev/shm; I currently don't have a better solution, as they have to stay in a named path, otherwise you can't execute them in a bash shell.
LPE scripts don't need to touch the disk at all, I will make them completely memory based soon.
Thanks for the advice
I guess dropping files that have to be on disk to /dev/shm is probably the best option.
Unless you created your own custom ramdisk and used /dev/shm as a fallback
Check https://github.com/jm33-m0/emp3r0r/commit/cce6e444619a85358b29af9cfc078972bc877618. The LPE suggester should now work in memory. BTW, I am going to modify the upc script a bit as it's pretty old
Thanks
If you are interested, here are a number of Linux LPE scripts that check for different vulnerabilities and misconfigurations:
https://github.com/WazeHell/PE-Linux
https://github.com/bcoles/so-check
https://github.com/CISOfy/lynis
https://github.com/rebootuser/LinEnum
https://github.com/diego-treitos/linux-smart-enumeration
https://github.com/TH3xACE/SUDO_KILLER
https://github.com/nilotpalbiswas/Auto-Root-Exploit
> Unless you created your own custom ramdisk and used /dev/shm as a fallback

Then we still need to mount it, no big difference from /dev/shm.
I have an idea though: we can write bash to a memfd if the kernel supports it; as a memfd it can be executed like a normal executable.
I think this can replace upc
Yes, that would be even better, though I stumbled across this: sandflysecurity[.]com/blog/detecting-linux-memfd_create-fileless-malware-with-command-line-forensics
Everything is detectable
Also, to hide the files better, we can hook some libc functions, or even syscalls. I have written the demo code; you can improve it if interested
Now emp3r0r runs via the memfd method by default, which makes it literally memory based, even hidden from the filesystem.
Plus, the process name is randomized like [kworker:1xxx], making it harder to detect.
But also note, the packer cannot guarantee the safety of your agent binary; to retrieve the binary from memfd, use cat /proc/pid/exe > agent
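As an added defender-side example (not emp3r0r's code, and not from either commenter), here is a small Python scanner for the two traits the comment above describes: an exe link under /proc that resolves to a deleted memfd, and a kernel-thread-style name on a process that nonetheless has a userland exe. It runs over a constructed /proc tree so it works offline; the pids, names and targets in it are made up.

```python
import os
import re
import tempfile
from pathlib import Path
# readlink(/proc/<pid>/exe) of a memfd-backed process reads "/memfd:<name> (deleted)";
# a genuine kernel thread has no exe link at all, and its comm never carries brackets.
MEMFD_RE = re.compile(r"^/memfd:.*\(deleted\)$")
KTHREAD_NAME_RE = re.compile(r"^\[.*\]$")

def inspect_pid(proc_root, pid):
    """Return findings for one pid, or None when nothing looks off."""
    base = Path(proc_root) / str(pid)
    try:
        comm = (base / "comm").read_text().strip()
    except OSError:
        return None                      # process vanished mid-scan
    try:
        exe = os.readlink(base / "exe")
    except OSError:
        exe = None                       # kernel threads, zombies, no permission
    findings = []
    if exe and MEMFD_RE.match(exe):
        findings.append("exe is a deleted memfd")
    if exe and KTHREAD_NAME_RE.match(comm):
        findings.append("kernel-thread-style name on a process with a userland exe")
    return {"pid": int(pid), "comm": comm, "exe": exe, "findings": findings} if findings else None

def scan(proc_root="/proc"):
    """Inspect every numeric entry under proc_root; hits sorted by pid."""
    hits = (inspect_pid(proc_root, e) for e in os.listdir(proc_root) if e.isdigit())
    return sorted((h for h in hits if h), key=lambda h: h["pid"])

def build_constructed_proc(root):
    """Constructed sample tree (not a capture from a real host) for an offline run."""
    samples = {                          # pid: (comm, exe symlink target or None)
        1: ("systemd", "/usr/lib/systemd/systemd"),
        2: ("kthreadd", None),           # real kernel thread: no exe link
        4242: ("[kworker:1abc]", "/memfd:agent (deleted)"),  # the traits this thread describes
    }
    for pid, (comm, exe) in samples.items():
        d = Path(root) / str(pid)
        d.mkdir(parents=True)
        (d / "comm").write_text(comm + "\n")
        if exe is not None:
            os.symlink(exe, d / "exe")   # dangling target is fine: readlink never follows it
    return root

def demo():
    # Scan a constructed tree; on a live host call scan("/proc") instead.
    return scan(build_constructed_proc(tempfile.mkdtemp(prefix="fakeproc-")))
```

On a live host, run scan("/proc") as root so every exe link is readable; a hit with both findings is worth pulling with the cat /proc/pid/exe trick above for analysis.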
Apologies if this is already the case, but can you please drop more files to memory instead of disk, and perhaps give the option to run commands directly in memory.
As an example, could the custom binaries used by the reverse shell and the output from the LPE suggester be stored in memory?