Metasploit mailing list archives
XBACKDOOR v1.0 released
From: jerome.athias at free.fr (Jerome Athias)
Date: Sun, 02 Nov 2008 16:46:53 +0100
Hi there,

*** This is just a Proof of Concept ***

Due to some requests, I've uploaded some materials related to the XBACKDOOR.
http://www.ja-psi.fr/tools/xbackdoor/

OVERVIEW

The main goal of the XBACKDOOR is:
1) to inject the server part of the backdoor in the target memory (Reflective DLL Injection should be used soon)
2) to take control of the server via a client (nothing new here)

What is new in this backdoor server is that it includes a "live - in memory - compiler", with a fully integrated programming language.
So, in a few words: the client sends programming code to the server (actually via a socket, using compressLZW+cryptRC516 crypt/uncrypt functions) and this code will be dynamically compiled and run all in memory.

Source code documentation: http://www.ja-psi.fr/tools/xbackdoor/XBACK_SERVER.PDF
PoC binary: http://www.ja-psi.fr/tools/xbackdoor/XBACK_SERVER_v1.0.rar
MD5 ba66068b394b6b6ae410ad12db8b293c
SHA1 315c7368690f103ea86bc790437ff1fd51d76d46

PS: no rootkit / anti-AV functionalities / hidden socket / hooking techniques... The binary file is named services.exe, uses an invisible.ico but no more yet.
PS2: See the documentation for default configuration (listening port, default admin password...)
PS3: play it with your friend Sony when you've time or use it for password cracking

Screenshot of XBACK_CLIENT (works also in command-line mode):
http://www.ja-psi.fr/tools/xbackdoor/XBACK_CLIENT_MASTER.png
(if no special encryption mechanism is used in the server, it supports netcat as a client)
Download link: http://www.ja-psi.fr/tools/xbackdoor/XBAXK_CLIENT_v1.0.rar
MD5 a3ca2b8f9260bbb3e896e987f79b7ba7
SHA1 0448cd5fbde64ecaf509a0c44267385cd6fa5977

Additional notes:
The XBACK_CLIENT_MASTER (full version) lets you control all infected computers and, for example, lets you send the same code (payload) to all of them in one click.
A Linux version of the server should be released in the near future.

Here are some examples of payloads:
http://www.ja-psi.fr/tools/xbackdoor/payloads/PAYLOAD_(UN)LOAD_DLL.TXT
http://www.ja-psi.fr/tools/xbackdoor/payloads/PAYLOAD_CHANGE_BACKGROUND_IMAGE.TXT
http://www.ja-psi.fr/tools/xbackdoor/payloads/PAYLOAD_REGEDIT.TXT
http://www.ja-psi.fr/tools/xbackdoor/payloads/PAYLOAD_STOP_RESTART.TXT
http://www.ja-psi.fr/tools/xbackdoor/payloads/PAYLOAD-API_KILL_EXE_BY_PID.TXT
http://www.ja-psi.fr/tools/xbackdoor/payloads/PAYLOAD-API_KILL_EXE-DLL_BY_NAME.TXT
http://www.ja-psi.fr/tools/xbackdoor/payloads/PAYLOAD-MAIL.TXT

HOW TO ADD PAYLOADS:
The simplest way is to download the free WinDEV Express edition: http://www.windev.com/windev/WD-Express.htm
Learn the W-Language and/or use Help to learn more on W-functions.
Save your code in the XBACK_CLIENT directory in a file named "PAYLOAD_XXX.TXT", reload XBACK_CLIENT and enjoy.

IMPORTANT NOTES:
This software is provided "AS IS", without warranty of any sort. The user is responsible for its use. Use it at your own risk.
Please don't smoke too much. AC/DC is awesome. Blabla.

/JA
Jerome Athias, JA-PSI. IT Security Company in France
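The announcement publishes MD5 and SHA1 values for the two PoC archives. Anyone who downloads analysis samples like these should compare the digests of what actually arrived against the published ones before unpacking or running anything. The following is an added example of that check, not code from the original post or from the XBACKDOOR project; the digest values are copied from the announcement above, the archive file names are taken as given there (including the "XBAXK_CLIENT" spelling of the client download), and the function names are the example's own.

```python
"""Verify downloaded archives against digests published in the announcement.

Added example: not part of the original post or of the XBACKDOOR tool.
"""
import hashlib
from pathlib import Path

# Digest values copied from the announcement; file names as given in its URLs.
PUBLISHED = {
    "XBACK_SERVER_v1.0.rar": {
        "md5": "ba66068b394b6b6ae410ad12db8b293c",
        "sha1": "315c7368690f103ea86bc790437ff1fd51d76d46",
    },
    "XBAXK_CLIENT_v1.0.rar": {
        "md5": "a3ca2b8f9260bbb3e896e987f79b7ba7",
        "sha1": "0448cd5fbde64ecaf509a0c44267385cd6fa5977",
    },
}


def digests(data: bytes) -> dict:
    """Return lowercase hex MD5 and SHA1 of a byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def verify_bytes(data: bytes, expected: dict) -> dict:
    """Compare computed digests with the expected ones.

    Returns one boolean per expected algorithm plus an overall "ok" that is
    True only when every expected digest matches. An empty expectation can
    never verify (ok=False), so a record with no digests is not silently
    accepted.
    """
    got = digests(data)
    results = {algo: got[algo] == want.lower() for algo, want in expected.items()}
    results["ok"] = bool(expected) and all(results[algo] for algo in expected)
    return results


def verify_file(path: str, published: dict = PUBLISHED) -> dict:
    """Verify a downloaded archive, looked up by its file name."""
    p = Path(path)
    if p.name not in published:
        raise KeyError(f"no published digests for {p.name}")
    return verify_bytes(p.read_bytes(), published[p.name])


if __name__ == "__main__":
    import sys

    for arg in sys.argv[1:]:
        result = verify_file(arg)
        print(arg, "OK" if result["ok"] else "MISMATCH", result)
```

Run it as `python verify.py XBACK_SERVER_v1.0.rar` after downloading. Note what a match does and does not prove: both MD5 and SHA1 are no longer collision resistant, and the digests sit on the same server as the files, so a match rules out a corrupted or swapped download but not an archive replaced together with its published hashes. Treat the result as an integrity check on the transfer, not as authentication of the author.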