wsMemShell by veo

Description: WebSocket memory shell/webshell, a new type of memory shell/webshell technique

Summary Information

Updated 28 minutes ago
Added to GitGenius on June 15th, 2026
Created on June 30th, 2022
Open Issues & Pull Requests: 0 (+0)
Number of forks: 228
Total Stargazers: 1,493 (+0)
Total Subscribers: 20 (+0)

Detailed Description

The veo/wsMemShell repository presents a novel approach to memory-based web shells (memshells) built on WebSocket. Traditionally, web shells are malicious scripts injected into web servers to allow remote control and unauthorized access. This project instead uses WebSocket, a protocol for full-duplex communication between client and server, to create a stealthy, flexible memory shell that operates in memory, reducing detection risk and increasing operational capabilities for attackers.

The primary language of the repository is Java, and it is designed to be compatible with a wide range of Java-based web application servers, including Tomcat, Spring, Jetty, WebSphere, WebLogic, and Resin. The repository also notes partial compatibility with Node.js, although dynamic injection is not possible in Node.js without modifying code and restarting the service. The project aims to provide a universal solution that can be easily integrated into various environments, with ongoing compatibility testing for platforms like JBoss (WildFly).

One of the standout features of this WebSocket memshell is its ability to bypass traditional network security measures such as Nginx and CDN proxies. These proxies often block or filter suspicious traffic, but the memshell's use of WebSocket allows it to circumvent these restrictions, provided proper header forwarding is configured. The repository highlights that it now supports scenarios where Nginx or CDN proxies are present, making it more versatile and harder to detect or block. Additionally, the project offers a JSP-based WebSocket shell that can connect directly to WebSocket proxies, further simplifying deployment and usage for attackers.

The repository is structured to provide detailed documentation and guides, including introductions to WebSocket memory shells, proxy implementations, multifunctional shell features, and methods for deploying shells without endpoint injection. These resources are intended to help users understand the technical underpinnings of the project and how to deploy it effectively in real-world scenarios. The project is maintained by 安恒-星火实验室 (Starfire Laboratory), a team specializing in offensive and defensive cybersecurity research, threat intelligence, attack simulation, and threat analysis. The team emphasizes practical, real-world security operations and contributes to the broader security community by sharing advanced attack and defense techniques.

In summary, veo/wsMemShell is a cutting-edge tool for creating in-memory web shells using WebSocket technology. Its main features include broad compatibility with popular web servers, the ability to bypass network proxies and CDNs, and support for JSP-based deployment. The project is well documented and maintained by experienced security professionals, making it a valuable resource for both offensive security practitioners and researchers studying advanced attack techniques. The repository demonstrates how modern communication protocols like WebSocket can be exploited to enhance the stealth and effectiveness of memory-based web shells, highlighting the ongoing evolution of attack methods in the cybersecurity landscape.
