Reverse Metasploit payload BAT – Pure ASCII

I don’t know if anybody would find this usable, but I thought it was a nice exercise and it was fun coding it. In one of the previous posts I mentioned a restrictive scenario much like this …

Pentesters need to drop files on targets. If a box is not connected to the Internet and doesn’t accept removable storage, they need to come up with some tricks. Inputting the file via the keyboard is an option, but typing several million bytes by hand is not. This needs automation.

So I’ve designed a Teensy dropper that uses pure ASCII to drop a single BAT file onto the target and execute it. So far I only have the BAT generator, which works well in my test Win7 environment. It should be trivial to convert the generated BAT to C code and program the Teensy with it.

The BAT generator uses code and encoding taken from Terry Newton’s website (Binary2batch).

Damn the autoconversion of ASCII special char$ !!!

Encoder.sh

You need Dosbox for this to work, as the shell script uses a 16-bit DOS encoder to encode the executable into ASCII characters. The shell script is rather rough and has hardcoded strings such as the original executable name (a.exe); I could not come up with a way to pass a bash variable into the Dosbox command.

The first part is a CM3-encoded decoder, decbin.com, which decodes the Metasploit payload EXE on the target. The second part is a CM3-encoded encoder, which encodes the Metasploit payload EXE.

So what you need is the actual Metasploit payload EXE: place it in the working directory where this script resides and rename it to a.exe (or modify the script to your needs).

I find it incredible how it is possible to “abuse” the 16-bit binary emulation on modern 32-bit Windows. It’s a real jungle, and monkeys like the jungle …..


7 Responses to Reverse Metasploit payload BAT – Pure ASCII

  1. pentest0r says:

    And what’s Teensy, indeed?

  2. bcdc1994 says:

    astrobaby, I speak Spanish; can I ask you some questions?

  3. Michael says:

    How can I transform Metasploit “ms08_067_netapi” and “download_exec” into one Linux standalone executable (without Metasploit installed)?
    Thank you

    • astr0baby says:

      You still need Metasploit on the attacker box (or a stripped-down version containing only the ms08_067_netapi exploit). What I would do is create a bash script that would automatically handle all the tasks needed to load the ms08_067_netapi exploit. There are many examples on my blog of how it is done.
