Metasploit mailing list archives
XBACKDOOR v1.0 released
From: metafan at intern0t.net (metafan at intern0t.net)
Date: Sun, 02 Nov 2008 11:16:03 -0500
Hi Jerome,

Thank you very much for this proof of concept, this is definitely (also) worth mentioning on my little website :) I do know that I could mention a lot more, but I just like to tell about the things I like, so that's what I'm going to do. I will take a look at how it works, including the documentation, so I can understand exactly how it works etc.

Though one quick question, which is almost a question of how lazy I might be: which programming language is it exactly that it supports? (when you execute commands etc.)

So far it looks really great even though I don't have time right now to check it all out, but I definitely will :)

One thing that concerns me a little is of course that you've made a controller to control all the infected machines/computers, which is similar to a botnet. It's cool in a proof of concept as long as no one else takes credit for your hard work, or abuses it and makes a botnet, which I don't know is going to happen. Anyways, thanks again :)

~ MaXe
Hi there,

*** This is just a Proof of Concept ***

Due to some requests, I've uploaded some materials related to the XBACKDOOR.
http://www.ja-psi.fr/tools/xbackdoor/

OVERVIEW

The main goal of the XBACKDOOR is:
1) to inject the server part of the backdoor in the target memory (Reflective DLL Injection should be used soon)
2) to take control of the server via a client (nothing new here)

What is new in this backdoor server is that it includes a "live - in memory - compiler", with a fully integrated programming language. So, in a few words: the client sends programming code to the server (actually via a socket, using compressLZW+cryptRC516 crypt/uncrypt functions) and this code will be dynamically compiled and run all in memory.

Source code documentation: http://www.ja-psi.fr/tools/xbackdoor/XBACK_SERVER.PDF
PoC binary: http://www.ja-psi.fr/tools/xbackdoor/XBACK_SERVER_v1.0.rar
MD5 ba66068b394b6b6ae410ad12db8b293c
SHA1 315c7368690f103ea86bc790437ff1fd51d76d46

PS: no rootkit / anti-AV functionalities / hidden socket / hooking techniques... The binary file is named services.exe, uses an invisible.ico but no more yet.
PS2: See the documentation for default configuration (listening port, default admin password...)
PS3: play it with your friend Sony when you've time or use it for password cracking

Screenshot of XBACK_CLIENT (works also in command-line mode):
http://www.ja-psi.fr/tools/xbackdoor/XBACK_CLIENT_MASTER.png
(if no special encryption mechanism is used in the server, it supports netcat as a client)
Download link: http://www.ja-psi.fr/tools/xbackdoor/XBAXK_CLIENT_v1.0.rar
MD5 a3ca2b8f9260bbb3e896e987f79b7ba7
SHA1 0448cd5fbde64ecaf509a0c44267385cd6fa5977

Additional notes: The XBACK_CLIENT_MASTER (full version) lets you control all infected computers and, for example, lets you send the same code (payload) to all of them in one click. A Linux version of the server should be released in the near future.

Here are some examples of payloads:
http://www.ja-psi.fr/tools/xbackdoor/payloads/PAYLOAD_(UN)LOAD_DLL.TXT
http://www.ja-psi.fr/tools/xbackdoor/payloads/PAYLOAD_CHANGE_BACKGROUND_IMAGE.TXT
http://www.ja-psi.fr/tools/xbackdoor/payloads/PAYLOAD_REGEDIT.TXT
http://www.ja-psi.fr/tools/xbackdoor/payloads/PAYLOAD_STOP_RESTART.TXT
http://www.ja-psi.fr/tools/xbackdoor/payloads/PAYLOAD-API_KILL_EXE_BY_PID.TXT
http://www.ja-psi.fr/tools/xbackdoor/payloads/PAYLOAD-API_KILL_EXE-DLL_BY_NAME.TXT
http://www.ja-psi.fr/tools/xbackdoor/payloads/PAYLOAD-MAIL.TXT

HOW TO ADD PAYLOADS: The simplest way is to download the free WinDEV Express edition: http://www.windev.com/windev/WD-Express.htm Learn the W-Language and/or use Help to learn more on W-functions. Save your code in the XBACK_CLIENT directory in a file named "PAYLOAD_XXX.TXT", reload XBACK_CLIENT and enjoy.

IMPORTANT NOTES: This software is provided "AS IS", without warranty of any sort. The user is responsible for its use. Use it at your own risk. Please don't smoke too much. AC/DC is awesome. Blabla.

/JA
Jerome Athias, JA-PSI. IT Security Company in France