FireELF - Fileless Linux Malware Framework
fireELF is an open-source, cross-platform fileless Linux malware framework that allows users to easily create and manage payloads.
By default it comes with 'memfd_create', a new way to run Linux ELF executables completely from memory, without the binary ever touching the hard drive.
Features
- Choose and build payloads
- Ability to minify payloads
- Ability to shorten payloads by uploading the payload source to a pastebin; it then creates a very small Python-compatible stager
- Output the created payload to a file
- Ability to create a payload from either a URL or a local binary
Included payload: memfd_create
The only included payload, 'memfd_create', is based on the research of Stuart. This payload creates an anonymous file descriptor in memory and then uses fexecve to execute the binary directly from that file descriptor.
This allows execution to happen completely in memory, which means that if the Linux system is restarted, the payload will be nowhere to be found.
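From a defender's side, the technique just described leaves a recognisable trace while the process is alive: on Linux, a process executed from an anonymous memfd has a /proc/<pid>/exe link pointing at a pseudo-path such as "/memfd:<name> (deleted)" rather than at a file on disk. The following scanner is an added example written for this page (it is not part of fireELF or of Stuart's research); it walks /proc, flags memfd-backed processes, and is exercised against a constructed sample table so it can be tested offline. The memfd names and PIDs in the sample are made up.

```python
"""Detect memfd-backed processes (added example, not fireELF code)."""
import os
import re
from typing import Dict, List, Optional, Tuple

# A memfd-backed executable appears in /proc/<pid>/exe as "/memfd:<name>",
# normally followed by the " (deleted)" suffix the kernel adds for unlinked
# files. A file-backed binary that was deleted after exec (e.g. a package
# upgrade) also carries " (deleted)" but does not start with "/memfd:", so it
# must not be flagged.
MEMFD_EXE_RE = re.compile(r"^/memfd:(?P<name>.*?)(?: \(deleted\))?$")


def memfd_name(exe_target: str) -> Optional[str]:
    """Return the memfd name when the exe link target is memfd-backed, else None."""
    m = MEMFD_EXE_RE.match(exe_target)
    return m.group("name") if m else None


def classify_process(pid: int, exe_target: str, cmdline: str) -> Optional[Dict[str, str]]:
    """Build a finding for one process, or None when its executable lives on disk."""
    name = memfd_name(exe_target)
    if name is None:
        return None
    return {"pid": str(pid), "memfd_name": name, "cmdline": cmdline}


def scan_proc(proc_root: str = "/proc") -> List[Dict[str, str]]:
    """Walk proc_root and return a finding for every process whose exe is a memfd.

    Reading another user's /proc/<pid>/exe requires root; unreadable or
    already-exited processes are skipped rather than treated as findings.
    """
    findings: List[Dict[str, str]] = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(pid_dir, "exe"))
            with open(os.path.join(pid_dir, "cmdline"), "rb") as f:
                raw = f.read()
        except OSError:
            continue
        cmdline = raw.replace(b"\0", b" ").decode(errors="replace").strip()
        finding = classify_process(int(entry), target, cmdline)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample (not captured from a real host): (pid, exe target, cmdline).
# Only the second entry is memfd-backed; the third is a deleted on-disk binary.
SAMPLE_PROCESSES: List[Tuple[int, str, str]] = [
    (1, "/usr/lib/systemd/systemd", "/sbin/init"),
    (4242, "/memfd:payload (deleted)", "./payload --quiet"),
    (4300, "/usr/bin/old-daemon (deleted)", "/usr/bin/old-daemon"),
]


def scan_samples() -> List[Dict[str, str]]:
    """Run the classifier over the constructed sample instead of the live /proc."""
    return [
        f for f in (classify_process(*row) for row in SAMPLE_PROCESSES) if f is not None
    ]


if __name__ == "__main__":
    for finding in scan_proc():
        print(f"pid {finding['pid']}: memfd '{finding['memfd_name']}' cmdline={finding['cmdline']!r}")
```

Treat a hit as a lead rather than a verdict: some legitimate software also executes from a memfd (runc, for example, re-executes a memfd copy of itself as a hardening measure), so a finding should be correlated with the parent process, the cmdline and where the bytes came from. Because the pseudo-path exists only while the process runs, the check belongs in a periodic or event-driven collector rather than a post-reboot forensic pass, which is exactly the gap the page's "nowhere to be found" sentence describes.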
Creating a Payload
By default fireELF comes with 'memfd_create', but users can develop their own payloads. By default the payloads are stored in payloads/, and in order to create a valid payload you simply need to include a dictionary named 'desc' with the parameters 'name', 'description', 'archs', and 'python_vers'. An example desc dictionary is below:
desc = {"name" : "test payload", "description" : "new memory injection or fileless elf payload", "archs" : "all", "python_vers" : ">2.5"}
In addition to the 'desc' dictionary, the entry point that the plugin engine I built uses requires a main function, which automatically gets passed two parameters: the first is a boolean that, if true, means it is being passed a URL; the second parameter it gets passed is the data.
An example of a simple entry point is below:
def main(is_url, url_or_payload):
    # is_url: True when url_or_payload is a URL, False when it is the local binary data
    return
If you have a technique, feel free to commit a payload!
Installation
Install the dependencies by running:
pip3 install -U -r dep.txt
fireELF is developed in Python 3.x.x
Usage
usage: main.py [-h] [-s] [-p PAYLOAD_NAME] [-w PAYLOAD_FILENAME]
               (-u PAYLOAD_URL | -e EXECUTABLE_PATH)
fireELF, Linux Fileless Malware Generator
optional arguments:
  -h, --help           show this help message and exit
  -s                   Suppress Banner
  -p PAYLOAD_NAME      Name of Payload to Use
  -w PAYLOAD_FILENAME  Name of File to Write Payload to (Highly Recommended if
                       You're not Using the Paste Site Option)
  -u PAYLOAD_URL       Url of Payload to be Executed
  -e EXECUTABLE_PATH   Location of Executable