Uploading Executables when Uploading isn't an Option

<<

Dark_Knight

Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Mon May 03, 2010 9:26 pm

Uploading Executables when Uploading isn't an Option

Sheer poetry  :) :) :)
http://www.i-hacked.com/content/view/288/42/
Recently I needed a way of building an executable on a remote machine using only a keyboard. Basically I needed to "type out an executable" (think of it as I had a very basic "ah-hem" shell that I wanted to make more secure). Because my target host was Windows based, it is not as easy as uploading and compiling from source. I could of course simply use tricks found at http://commandlinekungfu.com  to download the file, however I wanted to find a solution where this system didn't create any outgoing requests that resulted in the downloading of an executable. The technique described below is already being used by some very common cyber-security tools such as Fasttrack and sqlmap. It is an interesting solution, one that might help you out with a project in the future.

The problem is that you can't simply type out an executable binary. There are multiple characters that are not printable ASCII, so your binary will fail if you try. However, there are some tools that will allow us to convert the already compiled binary into ASCII-printable debug scripts, which can be reassembled using the native debug command on Windows machines. This creates a "portable" binary that is ASCII printable, which gives us the ability to "type out an executable".

In order to do this we need a few things:

   * The Executable we want to transfer
   * UPX Packer (not needed but helpful)
   * dbgtool (Python / Windows)

For this article we will be using the Windows Ncat binary (http://nmap.org/ncat/) and, since my machine is OSX, the Python-based tools in our example.

Ncat

    Ncat is a feature-packed networking utility which will read and write data across a network from the command line.
    Ncat was written for the Nmap Project as a much-improved reimplementation of the venerable Netcat. It uses both TCP
    and UDP for communication and is designed to be a reliable back-end tool to instantly provide network connectivity to
    other applications and users. Ncat will not only work with IPv4 and IPv6 but provides the user with a virtually limitless
    number of potential uses.

Because our target is a Windows host, we need to download and unpack nmap for Windows (ncat is now packaged with nmap). Because we are going to be communicating this executable via "keyboard" or some other slow method, we would be smart to compress this file as much as possible before we convert it. We will need to use a packer that self-decompresses and retains the ability to execute.

   UPX is a free, portable, extendable, high-performance executable packer for several different executable formats. It achieves an excellent compression ratio and offers very fast decompression. Your executables suffer no memory overhead or other drawbacks for most of the formats supported, because of in-place decompression.

Install UPX on your system:

   * OSX: sudo port install upx
   * Debian: sudo apt-get install upx-nrv
   * Windows: Download

As you can see below, ncat can be compressed over 32% - totally worth it. (Be warned: UPX packing executables decreases the stealthiness.)

   hevnsnt$ upx -9 -o ncat-upx.exe ncat.exe
                        Ultimate Packer for eXecutables
                           Copyright (C) 1996 - 2009
   UPX 3.05w       Markus Oberhumer, Laszlo Molnar & John Reiser   Apr 27th 2010
         File size         Ratio      Format      Name
    --------------------   ------   -----------   -----------
     175104 ->     57344   32.75%    win32/pe     ncat-upx.exe


Next we need to convert the UPX packed binary into an ASCII debug script, using the dbgtool listed above:

   python ./dbgtool.py -i ncat-upx.exe -o ncat-upx.scr

Take a second and open the ncat-upx.scr in whatever your favorite text editor is. As you can see, you now have a portable executable that is in printable ASCII.

Upload nc_upx.scr to the target Windows system (either by pasting in your shell, or however you need to do it) and then reconvert your binary to an executable with the following command: debug<DEBUGSCRIPT.scr

   C:\>debug<ncat-upx.scr

There will be some debug output such as this:

   e df00 57 53 32 5f 33 32 2e 64 6c 6c
   e df0c 4c 6f 61 64 4c 69 62 72 61 72 79 41
   e df1a 47 65 74 50 72 6f 63 41 64 64 72 65 73 73
   e df2a 56 69 72 74 75 61 6c 50 72 6f 74 65 63 74
   ------SNIP------

This debug script will write a new file named #TEMP#. Simply rename this file to ncat-upx.exe and execute. Better get your ncat-fu ready, because your super over complicated, slow, ninja file upload is complete!
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
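
For defenders reviewing a captured shell transcript or a dropped text file, the staging described in the post above leaves a recognisable pattern: a `debug<file` redirect plus runs of `e <offset> <hex bytes>` lines. The following is an added example, not code from the article or from dbgtool; it decodes the article's own sample lines and flags them, and the function names, watchlist and alert rule are assumptions.

```python
import re
# DEBUG "enter" command as shown in the article: e <hex offset> <hex bytes...>
ENTER_RE = re.compile(r"^\s*e\s+([0-9a-f]{1,4})((?:\s+[0-9a-f]{2})+)\s*$", re.I)
# Shell line feeding a script to debug through input redirection
REDIRECT_RE = re.compile(r"\bdebug(?:\.exe)?\s*<\s*(\S+)", re.I)
# API names that decode out of the article's sample output (watchlist is an assumption)
WATCHLIST = ("LoadLibraryA", "GetProcAddress", "VirtualProtect")
# Lines copied from the article's transcript and debug output
SAMPLE = r"""C:\>debug<ncat-upx.scr
e df00 57 53 32 5f 33 32 2e 64 6c 6c
e df0c 4c 6f 61 64 4c 69 62 72 61 72 79 41
e df1a 47 65 74 50 72 6f 63 41 64 64 72 65 73 73
e df2a 56 69 72 74 75 61 6c 50 72 6f 74 65 63 74
"""

def parse_enter_lines(text):
    """Map offset -> byte for every byte an 'e' line would write."""
    image = {}
    for line in text.splitlines():
        m = ENTER_RE.match(line)
        if m:
            base = int(m.group(1), 16)
            for i, tok in enumerate(m.group(2).split()):
                image[base + i] = int(tok, 16)
    return image

def printable_strings(image, min_len=6):
    """Return printable ASCII runs found at consecutive offsets."""
    out, run, prev = [], "", None
    for off in sorted(image):
        ch = chr(image[off]) if 0x20 <= image[off] < 0x7F else None
        if ch is None or prev is None or off != prev + 1:
            if len(run) >= min_len:
                out.append(run)
            run = ""
        run += ch or ""
        prev = off
    if len(run) >= min_len:
        out.append(run)
    return out

def analyze(text):
    # Alert on a debug redirect alongside 'e' lines, or on two or more watchlist names
    image = parse_enter_lines(text)
    strings = printable_strings(image)
    hits = sorted(s for s in strings if s in WATCHLIST)
    redirects = REDIRECT_RE.findall(text)
    alert = bool(redirects and image) or len(hits) >= 2
    return {"bytes_written": len(image), "redirects": redirects,
            "strings": strings, "import_hits": hits, "alert": alert}
```

Calling `analyze(SAMPLE)` shows that the hex in the article's debug output is simply the packed binary's import strings, which is what makes content inspection of pasted text effective here.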
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon May 03, 2010 9:57 pm

Re: Uploading Executables when Uploading isn't an Option

That's pretty sweet!  I will have to try this out.
~~~~~~~~~~~~~~
Ketchup
<<

Anquilas

Full Member

Posts: 169

Joined: Fri Mar 19, 2010 7:50 am

Location: Belgium

Post Tue May 04, 2010 4:17 am

Re: Uploading Executables when Uploading isn't an Option

Sounds sweet, thanks!
Twitter: https://twitter.com/dietervds
Blog: https://synquell.wordpress.com (not much there yet)

The beginning of knowledge is the discovery of something we do not understand.
<<

Xen

Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Tue May 04, 2010 6:15 am

Re: Uploading Executables when Uploading isn't an Option

Read it yesterday. It was a hit on twitter.
Excellent article! Thanks for posting it at EH.
<<

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue May 04, 2010 7:17 am

Re: Uploading Executables when Uploading isn't an Option

Ahhh! Great article Dark_Knight.

We need more of these!!!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
<<

bamed

Newbie

Posts: 48

Joined: Thu Mar 19, 2009 7:05 pm

Location: Joplin, MO

Post Tue May 04, 2010 1:40 pm

Re: Uploading Executables when Uploading isn't an Option

FYI, I didn't see it mentioned in the article, but if you browse to /pentest/windows-binaries/tools/nc.txt on the latest backtrack 4, you will find line for line how to do the above.  It's basically a batch file that creates the .hex file, then compiles with debug.  You can just copy/paste into a CLI.  Pretty sweet stuff.
chown -R bamed ./base
<<

SecMan

Newbie

Posts: 17

Joined: Thu Dec 25, 2008 8:57 am

Post Mon May 31, 2010 12:44 am

Re: Uploading Executables when Uploading isn't an Option

Nice article.  But there are two things that should be mentioned:

1. The maximum file size is 64K since debug can't handle anything bigger.

2. Although he selected ncat.exe as the binary, I think it wasn't a very good choice.  ncat.exe has quite a lot of dependencies including the Microsoft Visual C++ Redistributable Package (http://nmap.org/download.html) and I'd love to see how you can use it in a penetration test given its dependencies.  Any ideas?

Thanks.
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Mon May 31, 2010 8:00 am

Re: Uploading Executables when Uploading isn't an Option

I would think that you can just run the debug command multiple times and append the resulting files into a single file to overcome the 64K limit.  The same can be done for the vcrun libraries. 
~~~~~~~~~~~~~~
Ketchup
<<

SecMan

Newbie

Posts: 17

Joined: Thu Dec 25, 2008 8:57 am

Post Mon May 31, 2010 1:04 pm

Re: Uploading Executables when Uploading isn't an Option

Ketchup, did you successfully try it?  When I placed the vcrun libraries in the same directory, it still wouldn't work.  Is there some command I have to run first for example?  Thanks.
<<

DaberMania

Newbie

Posts: 1

Joined: Mon Mar 28, 2011 8:53 pm

Post Mon Mar 28, 2011 8:58 pm

Re: Uploading Executables when Uploading isn't an Option

That is a very useful way to copy files.  After some research I found another way that this can be done without needing to use debug.  You also do not have a file size limit.  I have full detailed directions on my blog, however, here is a simple summary of what happens:

1. Identify an executable that you wish to transfer
2. Create the VBScript to encode the executable to Base64
3. Transfer the ASCII text output to your victim computer
4. Create a VBScript on the victim computer to decode the ASCII text

The full topic can be found here: http://dabermania.blogspot.com/2011/03/converting-any-file-to-ascii-for.html
<<

tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Tue Mar 29, 2011 10:25 pm

Re: Uploading Executables when Uploading isn't an Option

I seem to recall a trick using DNS text records and then building the exe with debug that could be used here as well. I forget where I heard about it though.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
