Creating patched binaries for pentesting purposes

Published: 2020-09-13
Last Updated: 2020-09-14 03:38:50 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
0 comment(s)

When doing pentestings, the establishment of backdoors is vital to be able to carry out lateral movements in the network or to reach the stage of action on objectives. This is usually accomplished by inviting someone to click on a commonly used executable on the computer using social engineering techniques.

In this diary we will work on the Backdoor Factory tool, which can be found at We will use two machines: A linux ubuntu 18.04 and a Windows 10 2004. Kali Linux 2020.3 default installation does not work with this tool as it uses python3 libraries.

Backdoor-factory will be installed on Ubuntu 18.04. Github repository will be cloned and then capstone and pefile will be installed:

Backdoor factory initial installation

Cygwin was used to create the PE binary. Simple hello world application compiled with gcc:

Next, PE binary is uploaded to the linux VM and backdoor-factory will assess it and then show the supported payloads:

Backdoor initial assessment

Linux IP address will be used to create a reverse tcp shell payload:

IP address used to create the reverse TCP shell

Now the tool will be used to create a reverse TCP shell to ip address and TCP port 10000 using the testapplication binary:

Backdoor creation with the reverse TCP shell to IP address and TCP port 10000

The tool ask to pick the cave where the backdoor will be placed. Cave 4 will be used:

Section 4 is used to build the patched binary

Backdoored binary is now available to be transfered to the Windows VM.

Next, a netcat listener is setup to TCP port 10000 in the linux VM:

Patched binary is transferred to the Windows machine and executed:

Now we can see how the reverse shell got connected to the netcat listener:

Reverse TCP shell connected to netcat listener

Manuel Humberto Santander Pelaez
SANS Internet Storm Center - Handler

e-mail: msantand at isc dot sans dot org

0 comment(s)


Diary Archives