Token-gated payload delivery for
authorized red team engagements
A single static binary manages payload staging over TLS with token-gated access, auto-expiry, and 12 modular delivery methods. Socat is the primary method with fallbacks for when it isn't available.
Every payload requires a valid token with configurable TTL, max uses, and source IP/CIDR lock. Invalid tokens return an identical decoy page — no information leak.
Socat (TLS, TCP, memfd, PTY), curl, wget, python, netcat, perl, bash /dev/tcp, memfd_create, and /dev/shm staging. Generate all compatible one-liners with a single command.
All payloads stored with AES-256-GCM encryption in memory. Decrypted only at delivery time, then immediately zeroed. Encryption key zeroed on shutdown.
Plaintext zeroed after every delivery with runtime.KeepAlive to prevent compiler elision. Token values zeroed in-place via unsafe.StringData.
HTTPS listener serves HTTP-based loaders at GET /p/<token>. Raw TLS listener serves socat OPENSSL connections. Both TLS 1.3 minimum.
All loader inputs validated against a per-field character whitelist before interpolation into shell commands. No semicolons, backticks, pipes, or dollar signs pass through.
Interactive CLI for loading payloads, generating stagers, managing tokens, and viewing delivery logs. Load a binary and get all 12 one-liners instantly.
Full Catppuccin Mocha palette throughout — console prompts, status indicators, delivery logs, and this page. Your terminal never looked better during an engagement.
Every loader generates a copy-paste one-liner with a unique token. Socat is primary — the rest are fallbacks for when socat isn't on target.
Payloads live encrypted in memory. Two TLS listeners serve HTTP and raw clients. Tokens gate every access. Background enforcer purges expired tokens automatically.
Primary listener on :443. Serves payloads at GET /p/<token> for curl, wget, python, and perl loaders. All other paths return an nginx 404 decoy.
Secondary listener on :4443. After TLS handshake, reads token from first line, streams raw payload bytes. For socat OPENSSL: and netcat connections.
HMAC-SHA256 keyed hashing prevents timing attacks on map lookup. Tokens support TTL, max-uses, and source IP/CIDR lock. Background goroutine purges expired tokens.
Each delivery method is a separate file with init() self-registration. Adding a new loader = adding one file. generate <id> all produces every compatible stager.
Load a payload binary, generate stagers with token-gated access, paste the one-liner via RCE. The payload streams over TLS and executes in memory.
Every design decision optimizes for operational security. Payloads never touch disk. Secrets are zeroed on every code path. The server looks like nginx to scanners.
No downgrade to TLS 1.2. Session tickets disabled. ECDSA P-256 certificates.
HMAC-SHA256 keyed hashing on token store. Constant-time map lookup prevents side-channel attacks.
All responses use Server: nginx/1.24.0. Invalid tokens get identical 404 decoy page. No behavioral difference.
SIGINT/SIGTERM trigger immediate zeroing of all payloads, tokens, HMAC keys, and encryption keys.
Read/write/idle timeouts prevent slowloris. 64KB max header. 128 concurrent raw TLS connection cap.
100MB maximum enforced on load. Only regular files accepted. Cert/key files written with 0600 permissions.
Build, generate a cert, load a payload, paste a one-liner. Four commands from zero to payload delivery.
make build produces a statically-linked binary with zero CGO dependencies. Under 5MB. Drop it on your attack infrastructure and run.
The -gencert flag generates an ECDSA P-256 self-signed certificate with configurable SNI/CN. Use -sni to match the domain you're impersonating.
The interactive console opens automatically. Load any ELF or PE binary — OS and architecture are auto-detected from headers. generate p1 all produces all 12 compatible one-liners with unique tokens.
Paste any one-liner via your RCE. The payload streams over TLS directly into memory. The delivery log shows real-time callbacks with source IP, method, and status.