backdoorfactory: MitM tool for inserting shellcode into all types of binaries on the wire
backdoorfactory is a from-scratch rewrite of The Backdoor Factory – a MitM tool for inserting shellcode into all types of binaries on the wire.
backdoorfactory is an extension to bettercap that allows the insertion of shellcode into intercepted file downloads.
It lets you man-in-the-middle web file downloads and inject them with platform-appropriate shellcode. It works on downloaded archives as well.
This is a complete refactor and rewrite of the original the-backdoor-factory.
- Works on PE, Mach-O, and ELF format binaries using the Binject Debug library
- Integrates with bettercap‘s DNS and ARP based man-in-the-middling capabilities
- Unpacks and repacks Zip, Tar, and Tar.gz archives, injecting any binaries inside
- Supports configurable methods of shellcode injection via the Binjection library
- Shellcode repository allows different shellcodes per architecture and per binary format
- Install Go.
- Install bettercap and all dependencies. It’s recommended to use the pre-compiled binaries.
go get -u github.com/Binject/backdoorfactory
- From the directory you want the binary to be in, run:
go build github.com/Binject/backdoorfactory
First, the shellcode directory must be initialized.
Then, you must copy your shellcodes into the appropriate places in the shellcode directory structure.
Finally, backdoorfactory and bettercap can be started.
Shellcode Directory Initialization
Run the following command and set the -d argument to the path to your intended shellcode directory. It will be created if it does not exist.
./backdoorfactory -d shellcodes -i
You should see a response like:
2020/05/11 17:04:02 Shellcode Directories Initialized, copy shellcode files with .bin extensions into each directory.
Copy Shellcode Into Directory
Your shellcodes can have any filename, as long as they have the extension .bin
Copy the shellcode you want to inject into binaries into the appropriate folders for each architecture and binary format you want to target.
For example, a Linux x64 shellcode could be copied to shellcodes/linux/x64/shellcode.bin
Your shellcodes do not need to worry about the state of the stack or the details of injection, binjection handles all of that.
Running backdoorfactory and bettercap
./backdoorfactory -d shellcodes/
You should see a response like this:
Copy that command line to another terminal session (this one is busy running the pipe server that bettercap needs to talk to backdoorfactory). The paths to your binject.cap file may be different than above.
You can move those files before running bettercap with them, but make sure the binject.js file is always in the same directory as the binject.cap file.
In another session, run (with the real path to binject.cap):
bettercap -caplet /home/user/bdf/binject.cap
This will start a bettercap session.
Oneshot Test Mode
To test a single injection without having bettercap working, the backdoorfactory has two flags for Oneshot Test Mode, which will use your shellcode directory set up to attempt a single injection to a given binary file.
-t or –testfile to select the input binary to inject into
-o or –output to select the output injected file name
./backdoorfactory -d shellcodes -t input.exe -o injected.exe
Copyright (C) 2020 Binject