Saran Wrap, an extra goodie for Back Orifice
~~~~~ ~~~~
Version 1.0
Conceived and Written by Brian Enigma

Abstract
~~~~~~~~
I just got back from DefCon 6.0 and witnessed all the hype and fanfare
for BackOrifice. If you do not already know how cool and wonderful
BackOrifice is, you will have to go to http://www.cultdeadcow.com to
witness it in its full glory.

Description
~~~~~~~~~~~
Now, how do you get the unsuspecting individual to execute this program?
It has no user interface, does nothing (visible), and deletes itself when
finished installing. The typical user may be a little curious as to what
the program they just double-clicked on did (before it disappeared).

Saran Wrap packages your custom Back Orifice installer with another
"legitimate" program--whether it is an installer, an application, a game,
or anything else under the sun. When the main program is run, it first
creates a copy of your BO install, which runs and gets deleted. Then, it
runs the "real" program.

I am publicly releasing the Saran Wrap for Back Orifice. Use it wisely,
use it well, use it at your own risk.

Installation
~~~~~~~~~~~~
Installation is quite easy and requires three files:

  1) The Saran Wrap executable (SaranWrap.EXE by default, but you can
     rename it to anything you wish--SETUP.EXE, for instance)
  2) Your BOSERVER.EXE file, optionally customized for your own choice
     of port number and password
  3) The "real" program that should be run and presented to the user

You should first rename your BOSERVER.EXE file to DATA1.Z. (Be sure you
have Explorer set up to show you full filenames with extensions. Answer
"yes" to the "are you sure you want to change this to another extension?"
question.) Next, rename the "real" program (SETUP.EXE or NOTEPAD.EXE or
QUAKE.EXE, for example) to DATA2.Z. Again, answer "yes" to the "change
the extension?" question.
Rename SaranWrap.EXE to the "real" program's file name (SETUP.EXE,
NOTEPAD.EXE, QUAKE.EXE, etc). That is all there is to it.

The name space of "DATA?.Z" should not conflict with any existing program
installer. In fact it should fit in quite well. Most installers use a
single file (SETUP.EXE) or use multiple files (SETUP.EXE, DATA.Z,
SETUP.INS, SETUP.PKG, etc.). In the case of a single-file install, the
installer will now look like a multi-file install (especially if you
throw in a few bogus files from a multi-file install). For a multi-file
install, the DATA1.Z and DATA2.Z fit in quite nicely with the legitimate
DATA.Z.

Source Code
~~~~~~ ~~~~
Source code is included. Any bug reports or code suggestions would be
appreciated, and may be sent to enigma@netninja.com.

Conclusion
~~~~~~~~~~
Have fun. Do not cause too much trouble. Thanks, CDC, for making such a
great "tool."

DEAD COW KICKS ASS
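
A defender's check for the packaging described under Installation, added
here as an example and not part of the Saran Wrap distribution: it walks a
directory and reports DATA?.Z files whose content is really a Win32 PE
executable. The function names and the sample tree are constructed for
illustration; older DOS-only MZ programs are out of scope.

```python
import re
import struct
import tempfile
from pathlib import Path

# Name pattern taken from the README: DATA1.Z, DATA2.Z (any single digit).
DATA_Z = re.compile(r"^DATA\d\.Z$", re.IGNORECASE)

def is_pe_executable(path):
    """True if the file has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    with open(path, "rb") as fh:
        header = fh.read(0x40)
        if len(header) < 0x40 or header[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", header, 0x3C)
        fh.seek(e_lfanew)
        return fh.read(4) == b"PE\0\0"

def find_disguised_executables(root):
    """Return sorted paths of DATA?.Z files under root that contain a PE image."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and DATA_Z.match(path.name) and is_pe_executable(path):
            hits.append(path)
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample: a minimal fake PE header plus harmless look-alikes."""
    fake_pe = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    pkg = Path(root) / "pkg"
    pkg.mkdir()
    (pkg / "DATA1.Z").write_bytes(fake_pe)           # executable renamed to .Z
    (pkg / "data2.z").write_bytes(fake_pe)           # same, lower-case name
    (pkg / "DATA.Z").write_bytes(b"\0" * 64)         # name lacks the digit
    (pkg / "DATA3.Z").write_bytes(b"not a program")  # right name, not a PE
    return root

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        found = find_disguised_executables(build_sample_tree(tmp))
        return [p.name for p in found]

if __name__ == "__main__":
    for name in demo():
        print("executable content behind archive extension:", name)
```

The same content check applies to any extension: a file that claims to be
installer data but parses as a PE image deserves a closer look before the
package is run.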