I’m currently working through the PWK course from offensive-security, hoping to get my OSCP certification. While following the course materials, I’ve got to a section that talks about methods of transferring binary files after you have a shell on a remote system.
One of the methods suggested is converting the file to text using exe2bat.exe to convert the file into a series of echo commands with redirection to a file that can be copy/pasted into the shell and finally running debug.exe to convert the file back into an exe. It’s a pretty well known method, detailed instructions can be found easily with google.
I hit a problem when working through this though… I created a bind shell using nc.exe (v1.10 NT) and when I connected to this and pasted in the lines from the bat file created by exe2bat.exe, the nc.exe process would crash. It turned out to be crashing when it got the 3rd line from the bat file. I thought this was strange, so I contacted offensive-security support and they confirmed my findings, but weren’t sure why and suggested I use a different method to get a remote shell, e.g. using msfvenom.
I have done some testing myself, and wrote a python script that tells me what it received and how long it was so that I could see in more detail what was going on. The script is:
    #!/usr/bin/env python3
    # pypipe.py: report the number and length of every line read on stdin,
    # so the sending side can see exactly what arrived at the listener.
    import sys

    print('pypipe.py v0.1')
    print('--------------', flush=True)
    for idx, line in enumerate(sys.stdin):
        # Drop the line terminator (and surrounding whitespace) before measuring.
        line = line.strip()
        print('# Received line {}. Length (bytes):{}'.format(
            str(idx).zfill(3),
            str(len(line)).zfill(3)),
            flush=True)
Binding this to port 80 on Windows with
    nc -nvlp 80 -e "py pypipe.py"
and then connecting with netcat on my other system makes any input get reported back to the remote system line by line, and I can see that the problem happens when a long line is sent. I could also tell that it accepted a line with 323 characters, but when I sent 324, it crashed.
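One caveat when reading pypipe.py's numbers: because the script calls .strip() before measuring, the length it prints excludes the line terminator, so a "323 character" line is 325 bytes on the wire when a Windows shell sends CRLF. The following is an added offline companion (my own example, not from the post or the PWK materials) that splits a captured byte stream into lines and reports both the wire length and the stripped length, flagging anything longer than the 323-character threshold observed above; the sample input is constructed, not real exe2bat output.

```python
#!/usr/bin/env python3
"""Offline companion to pypipe.py: per line, show the bytes that travelled
over the socket (terminator included) next to the length pypipe.py prints
after .strip(), and flag lines above a configurable threshold."""

# Longest line the author's nc.exe 1.10 NT accepted before crashing (from the post).
MAX_SAFE_LINE = 323


def analyze_lines(data: bytes, limit: int = MAX_SAFE_LINE):
    """Describe each line in `data`. Returns a list of dicts with keys:
    idx (0-based, matches pypipe.py), raw (bytes on the wire, terminator
    included), stripped (length after removing the terminator), terminator
    (b'\\r\\n', b'\\n', b'\\r' or b'' for a final unterminated fragment) and
    over_limit (True when the stripped length exceeds `limit`)."""
    results = []
    # bytes.splitlines() recognises \n, \r and \r\n as line boundaries.
    for idx, line in enumerate(data.splitlines(keepends=True)):
        body = line.rstrip(b"\r\n")
        results.append({
            "idx": idx,
            "raw": len(line),
            "stripped": len(body),
            "terminator": line[len(body):],
            "over_limit": len(body) > limit,
        })
    return results


def first_over_limit(data: bytes, limit: int = MAX_SAFE_LINE):
    """Index of the first line whose stripped length exceeds `limit`, or None."""
    for entry in analyze_lines(data, limit):
        if entry["over_limit"]:
            return entry["idx"]
    return None


# Constructed sample (not exe2bat output): two short CRLF lines, one line of
# 324 'A's as a Windows shell would send it, then an unterminated fragment.
SAMPLE = (b"line one\r\n"
          b"line two\r\n"
          + b"A" * 324 + b"\r\n"
          + b"partial")

if __name__ == "__main__":
    for e in analyze_lines(SAMPLE):
        print("# line {:03d}: wire={:03d} stripped={:03d} term={!r} over={}".format(
            e["idx"], e["raw"], e["stripped"], e["terminator"], e["over_limit"]))
    print("first line over limit:", first_over_limit(SAMPLE))
```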
I suspect I’m seeing the bug mentioned here and here.
So I’ve learned that I can’t use that version of nc.exe to send binary files that have been converted into long text strings. Different versions of nc probably don’t have this issue.
While this is a problem because it’s an exploitable bug, it is not much of a problem for transferring binary files in real-world scenarios, because there won’t be nc.exe on the system unless I’ve already found a way of getting a binary file onto the system. It is something that did trip me up for a few hours while doing the PWK course, though.