Python Backdoors - Memory-Resident Payloads

I have been playing with different ways for my Python backdoors to run additional scripts and payloads, specifically techniques for running these payloads in memory without dropping anything to disk. The most reliable approach I have found is passing the payload to 'python - << EOF' (the '-' tells Python to read the script from stdin) and terminating the script with 'EOF'. The syntax is as follows:
-------------------------------
python - << EOF
print('Hello, World!')
EOF
-------------------------------
I wrote a small PoC backdoor, as well as a handler to demo (see bottom).  Here is how it works:

To run it, the command is 'run <pathtoyourscript.py>'.
The server sends the 'run' command to the client, along with the size of the payload.
The client accepts this command, stores the payload size in a variable, and responds with the 'ready' message.

The server reads the ready message, loads the payload into a variable, and then transmits it to the client.
The client stores this payload in a variable, then passes it to the 'runproc()' function wrapped in the '<< EOF' / 'EOF' tags.
The 'runproc()' function simply uses 'subprocess.Popen()' to invoke python on the payload.
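As an added defender's example (not from this post or the linked PoC), here is the process-creation signature the technique above leaves behind: a python interpreter launched with a lone '-' as its script argument, optionally through a shell heredoc, and often from a parent that is itself python. The event records are constructed to mirror the 'python - << EOF' launch next to some benign look-alikes; the field names are assumed, not those of any particular product.

```python
import re

# Constructed process-creation records for the demo (not real telemetry).
# The fields mimic what an EDR or auditd execve log exposes for each child.
SAMPLE_EVENTS = [
    {"pid": 4102, "parent_image": "/usr/bin/python3",
     "cmdline": "/bin/sh -c python - << EOF\nprint('Hello, World!')\nEOF"},
    {"pid": 4103, "parent_image": "/usr/bin/python3",
     "cmdline": "/usr/bin/python3 -"},  # payload arrives over a stdin pipe
    {"pid": 4104, "parent_image": "/bin/bash",
     "cmdline": "python3 /home/dev/tools/report.py --verbose"},
    {"pid": 4105, "parent_image": "/bin/bash",
     "cmdline": "python3 -c \"print('x')\""},
    {"pid": 4106, "parent_image": "/usr/bin/python3",
     "cmdline": "python3 -m pip --version"},
]

# A python interpreter whose script argument is a lone '-' (read from stdin).
STDIN_SCRIPT = re.compile(r"(?:^|[\s/])python[0-9.]*\s+-(?:\s|$)")
# A shell heredoc redirection such as '<< EOF' or '<<-EOF'.
HEREDOC = re.compile(r"<<-?\s*['\"]?\w+")


def classify(event):
    """Return a list of match reasons for one event ([] means no match)."""
    cmd = event["cmdline"]
    if not STDIN_SCRIPT.search(cmd):
        return []
    reasons = ["python script supplied on stdin"]
    if HEREDOC.search(cmd):
        reasons.append("heredoc payload in command line")
    if event["parent_image"].rsplit("/", 1)[-1].startswith("python"):
        reasons.append("parent is another python process")
    return reasons


def scan(events):
    """Return {pid: reasons} for every event that matched."""
    hits = {}
    for event in events:
        reasons = classify(event)
        if reasons:
            hits[event["pid"]] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {'; '.join(reasons)}")
```

The heredoc body is only visible in the command line when the payload is launched through a POSIX shell; a script written to the child's stdin pipe shows nothing but 'python -', which the first rule still catches. 'python -' also has legitimate uses (for example piping a downloaded installer into the interpreter), so the parent-process reason is what separates this pattern from routine administration.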
Let's go ahead and run it.  Here is our test payload:
And here it is in action (server on the left, client on the right).
The payload executed successfully without dropping anything to disk. Below are the links to the PoC. Happy hacking!

Backdoor/client-side code: https://raw.githubusercontent.com/rnranalysis/payloads/master/demo_fileless_client.py
Handler/server-side code: https://raw.githubusercontent.com/rnranalysis/payloads/master/demo_fileless_server.py

Comments

  1. Hi Mate!

    This is not working in Windows. I get this error when I try to run another payload:
    << was unexpected at this time

    And how to know if the backdoor is working in memory?
