Last active
March 17, 2024 22:40
BackDoor Setup Exe
Author: Scott Sutherland, 2017
Description: Summary of how to backdoor an existing setup file in Windows.
Note: Not sure if anyone has covered this already? Seems kind of like a Casey Smith thing.
How to Backdoor Existing Setup Files by Modifying Config Files Stored in RCData
In this example, lyncsdk.exe will be used. It can be downloaded here: https://www.microsoft.com/en-us/download/details.aspx?id=36824
lyncentry.exe also works as an example.
Below are some basic instructions.
1. Open the file with CFFExplorer.
2. In the object tree on the left side, navigate to the "Resource Editor".
3. In the tab for lyncsdk.exe, expand RCData.
4. Right-click on "SCRIPT" and choose "Save Resource (Raw)". Save the file as config.xml.
5. Open config.xml in your favorite text editor and add the following XML after line 22.
<Action type="Execute">
<CommandLine>cmd.exe /c "echo more evil > c:\temp\evil.txt"</CommandLine>
</Action>
Note: The XML above can be used to execute arbitrary commands when the setup file is run. In this example, I just have it write "more evil" to a text file named "c:\temp\evil.txt".
6. Save the changes to config.xml.
7. Navigate back to CFFExplorer, select the tab for lyncsdk.exe, and expand RCData.
8. Right-click on "SCRIPT" and choose "Replace Resource (Raw)".
9. Choose your modified config.xml.
10. Save the file to overwrite the existing lyncsdk.exe.
Now it will run their code along with your command. :)
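As a defender-side check, this added example (not the gist's code) diffs a suspect config.xml, saved from the SCRIPT resource, against a known-good copy of the same resource and reports injected actions such as the Execute block above; the OPatchInstall/Actions wrapper and the ExtractFile Path child are assumptions, and both XML samples are constructed.

```python
"""Detect actions injected into an installer's RCData SCRIPT config (config.xml).
Added example for this page, not part of the original gist. The <Actions> wrapper
and the ExtractFile <Path> child are assumptions; Action/CommandLine come from the page."""
import xml.etree.ElementTree as ET

# Constructed baseline: what the unmodified installer's SCRIPT resource might hold.
BASELINE_XML = """<OPatchInstall version="1.0">
  <Actions>
    <Action type="CreateFolder"><Path>$(SYS.ARGS.EXTRACTPATH)</Path></Action>
    <Action type="ExtractFile"><Path>$(SYS.ARGS.EXTRACTPATH)\\setup.exe</Path></Action>
  </Actions>
</OPatchInstall>"""

# Constructed suspect copy: the same config with the Execute action from the page inserted.
SUSPECT_XML = """<OPatchInstall version="1.0">
  <Actions>
    <Action type="CreateFolder"><Path>$(SYS.ARGS.EXTRACTPATH)</Path></Action>
    <Action type="Execute">
      <CommandLine>cmd.exe /c "echo more evil > c:\\temp\\evil.txt"</CommandLine>
    </Action>
    <Action type="ExtractFile"><Path>$(SYS.ARGS.EXTRACTPATH)\\setup.exe</Path></Action>
  </Actions>
</OPatchInstall>"""


def actions(xml_text):
    """Every <Action> as (type, ((child tag, child text), ...)) in document order."""
    root = ET.fromstring(xml_text)
    return [(a.get("type", ""), tuple((c.tag, (c.text or "").strip()) for c in a))
            for a in root.iter("Action")]


def injected_actions(baseline_xml, suspect_xml):
    """Actions in the suspect config that the baseline lacks (multiset difference,
    so a duplicated legitimate action is also reported)."""
    remaining = actions(baseline_xml)
    added = []
    for act in actions(suspect_xml):
        if act in remaining:
            remaining.remove(act)
        else:
            added.append(act)
    return added


def execute_actions(xml_text):
    """Command lines of all Execute actions; review these even when no baseline exists."""
    return [dict(fields).get("CommandLine", "")
            for kind, fields in actions(xml_text) if kind == "Execute"]
```

Replacing the resource changes the file's bytes, so an Authenticode signature on the original installer no longer verifies; checking the signature is the cheaper first test, and this diff covers installers that were never signed.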
Possible Use Cases
Below are a few possible use cases:
- Backdoor a setup file used for distribution
- Possibly bypass whitelisting
- Possibly find command execution or other bypasses by analyzing the XML config code.
- mitm backdoor?
References:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa381039(v=vs.85).aspx
http://www.csn.ul.ie/~caolan/publink/winresdump/winresdump/doc/resfmt.txt
http://reboot.pro/topic/16405-backdoors-the-easy-way/
Future Research:
0: What type of installer is this? GetMSIProductProperties MSI installation file...?
https://msdn.microsoft.com/en-us/library/windows/desktop/aa370905(v=vs.85).aspx
Main question: how do we locate setup files that ship with MS, and once we modify them, can they bypass whitelisting? get-pe?
Second question: spend time reversing those identified to look for code execution / bypasses via their functionality in the XML.
How do we scan file headers for RCDATA headers with PowerShell? <OPatchInstall version="1.0">
https://www.powershellgallery.com/packages/PowerSploit/1.0.0.0/Content/PETools%5CGet-PEHeader.ps1
https://github.com/mattifestation/PowerShellArsenal/tree/master/Parsers
http://www.fuzzysecurity.com/tutorials/20.html
https://msdn.microsoft.com/en-us/library/windows/desktop/aa370905(v=vs.85).aspx
More info
There is a second common type as well:
Examples: Windows7UpgradeAdvisorSetup.exe, dxwebsetup.exe, Office2003SP3-KB923618-FullFile-ENU.exe
Find more here by fuzzing the download id: https://www.microsoft.com/en-us/download/confirmation.aspx?id=20
Other common options in the RCDATA section of resource tables for MS-provided exe installers include:
runprogram
postrunprogram
usrqcmd
admqcmd
SCRIPT example
https://www.microsoft.com/en-us/download/confirmation.aspx?id=10
excelviewer.exe
word2007-kb974631-fullfile-x86-glb.exe
office2007-kb970012-fullfile-x86-glb.exe
Automation notes
- The resource directory header lists the offsets for the RCDATA, SCRIPT, etc.
"Patch wrapper and installer engine" in the configuration files section of the resource table.
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.1.0"
Note: not all MS installers have one of the two execution headers built in; the question is, can we add it?
Also target: Update.exe or Hotfix.exe.
Other interesting actions:
<Action type="CreateFolder">
<Path>$(SYS.ARGS.EXTRACTPATH)</Path>
</Action>
<Action type="ExtractFile">
-- list and modify resource tables
https://msdn.microsoft.com/en-us/library/windows/desktop/ms648008(v=vs.85).aspx#_win32_Creating_a_Resource_List
https://github.com/mubix/ditto/blob/master/ditto.cpp
You may also be able to execute the script straight from setup.exe files:
white list bypass - weee!
\\stuff\C$\Program Files\Microsoft SQL Server\90\Setup Bootstrap\setup.exe /qn /remote ENCCMD=