ELFPack: ELF Binary Section Docking in Stageless Payload Delivery

Dimitry Snezhkov -  CyberFinance     

Abstract :

When it comes to generating and delivering offensive implants to Linux systems Red teams have choices. These choices revolve around both static stageless (e.g. embedded payload) and dynamic payload bootstrap where a minimal stage implant is deployed with a promise to retrieve a more feature rich payload from the network at a later step.

Lately, the stageless payload method has been somewhat less favored by offensive teams due to its lower success of evasion and increased detection by EDRs. However, we feel there are still opportunities that exist in successfully utilizing embedded payloads. Moreover, we feel static embedding can solve some of the payload bundling cases better than mechanisms involving stagers. This talk is to address developments in the static payload embedding and loading type of delivery.

In this talk we will attempt to shed light on how ELF binaries are constructed and specifically, how ELF sections can be used to facilitate a successful payload hosting, retrieval and loading. We will introduce the concept of ELF section docking whereby a section containing payload can be independently attached to the payload-agnostic loader by an ELF injector. We will further expand the concept to address in-the-field re-attachment of sections to loaders without the use of compilers which may be very useful for long-haul offensive operations. Furthermore, we will show how ELF docking can be successfully used as an alternative to packing when addressing complex payloads and providing teams with options and flexibility in multiple payload delivery scenarios. Moreover, we will touch on detection evasion features implemented in a proof-of-concept loader and injector tooling which is released open source for the audienc

Speaker: Dimitry Snezhkov  

Red team operator in the past, now focused on security research, code hacking, and tool building.