I don’t know if anybody would find this usable, but I thought it was a nice exercise and it was fun coding it. In one of the previous posts I mentioned a restrictive scenario much like this: pentesters need to drop files on targets. If a box is not connected to the Internet and doesn’t accept removable storage, they need to come up with some tricks. Inputting the file via the keyboard is an option, but typing several million bytes is not. This needs automation.
So I’ve designed a Teensy dropper that uses pure ASCII to drop a single BAT file onto the target and execute it. So far I only have the BAT generator, which works well in my test Win7 environment. It should be trivial to convert the generated BAT to C code and program the Teensy with it.
Damn the autoconversion of ASCII special char$ !!!
You need DOSBox for this to work, as the shellcode uses the 16-bit DOS encoder to encode the executable into ASCII characters. The shell script is rather rough and has hardcoded strings such as the original executable name (a.exe); I could not come up with a bash variable string to parse into the DOSBox command.
The first part is a CM3-encoded decoder, decbin.com, which would decode the Metasploit payload EXE. The second part is also a CM3-encoded encoder, which encodes the Metasploit payload EXE.
So what you need is the actual Metasploit payload EXE: place it into a working dir where this script resides and rename it to a.exe (or modify the script to your needs).
I find it incredible how it is possible to “abuse” the 16-bit binary emulation on modern 32-bit Windows. It’s a real jungle, and monkeys like the jungle…