docs/metasploit-framework.wiki/How-to-use-fetch-payloads.md
11 additions & 1 deletion
@@ -81,7 +81,7 @@ served payload is the same.
81
81
### Dependent Options
82
82
`FETCH_FILELESS` is an option that specifies a method to modify the fetch command to download the binary payload to
83
83
memory rather than disk before execution, thus avoiding some HIDS and making forensics harder. Currently, there are
84
-
two options: `bash`and `python3.8+`. Both of these require the target to be running Linux Kernel 3.17 or above.
84
+
two options: `shell`, `shell-search`and `python3.8+`. All of these require the target to be running Linux Kernel 3.17 or above.
85
85
This option is only available when the platform is Linux.
86
86
87
87
`FETCH_FILENAME` is the name you'd like the executable payload saved as on the remote host. This option is not
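Review bot: the replaced line still says "two options" while the list on that same line now names three (`shell`, `shell-search` and `python3.8+`), and the missing space before "and" from the original "`bash`and" is carried over; suggest "three options: `shell`, `shell-search`, and `python3.8+`." The paragraph also never says what `FETCH_FILELESS` does when it is left unset; one sentence pointing to the `FETCH_FILENAME` on-disk behaviour described just below would close that gap for readers who only look at the Dependent Options list.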
@@ -104,6 +104,16 @@ The remaining options will be the options available to you in the served payload
104
104
`linux/x64/meterpreter/reverse_tcp` so our only added options are `LHOST` and `LPORT`. If we had selected a different
105
105
payload, we would see different options.
106
106
107
+
### Fileless Execution
108
+
109
+
For Linux payloads, we support **fileless ELF execution** - this option is enabled with `FETCH_FILELESS`. Currently, this option can be the following values: `python3.8+`, `shell-search`, and `shell`. The basic idea behind all of them is the same: execute the payload from an anonymous file handle, which should never touch a disk, thereby adding a layer of stealth.
110
+
111
+
The `shell-search` option searches for available anonymous file handles available on the system, copies the payload into the one it finds, and executes the payload from that handle. This method uses `POSIX` commands only so that it can be run in any shell.
112
+
113
+
The `shell` option uses a slightly different approach: it runs the assembly stub from a shell, creates an anonymous file handle inside of the shell process, copies the payload into a new handle, and then runs it. Finally, it will kill the original shell process, leaving the payload running as *orphan* process. This method uses a syscall `memfd_create` to create an anonymous file handle.
114
+
This option can be used in any Linux shell.
115
+
116
+
The `python3.8+` option uses the same technique as the `shell` option. However, it all happens in Python code. It will call the `os.memfd_create` function, which will create an anonymous file handle from the Python process. Then, it uses `os.system` to copy the payload into a new file handle and execute it. This option requires Python version 3.8 or higher on the target machine.
107
117
### Generating the Fetch Payload
108
118
```msf
109
119
msf payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > set FETCH_COMMAND WGET
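Review bot: the `shell` paragraph creates one anonymous file handle and then says it "copies the payload into a new handle", and the `python3.8+` paragraph repeats "copy the payload into a new file handle" right after `os.memfd_create`; with a single handle created, "new" reads as a second descriptor, so "into that handle" would be clearer in both places. The `python3.8+` paragraph also claims "the same technique as the `shell` option" but then describes `os.system` doing the copy and the execution, without saying whether the Python process is terminated the way the `shell` variant kills its originating shell, so readers cannot tell whether the payload ends up orphaned or stays a child of the python process; please state which. Smaller wording points in the same hunk: "available anonymous file handles available" repeats "available", "as *orphan* process" should be "as an *orphan* process", and "a syscall `memfd_create`" reads better as "the `memfd_create` syscall".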