SANS Penetration Testing

Awkward Binary File Transfers with Cut and Paste

[Editor's note: Josh Wright spins up another useful blog article about different ways to move files to and from Linux systems. Lots of nice little tricks in this one. Thanks, Josh! -Ed.]

By Josh Wright

Sometimes I find myself with access to a remote Linux or Unix box, with limited opportunity to transfer files to my target. I appreciate the "Living off the Land" mentality and relying on locally-available resources instead of adding tools to my host as much as the next guy (or gal), but sometimes I need a binary to get the job done.

Fortunately, I've been working with Unix and Linux for a long time, and I remember old techniques back when modems made that horrible screeching sound. As long as you have a terminal, you can upload and download files regardless of other network access... with a little awkwardness.

Encode and Clip

In the example that follows, I'm going to transfer the netcat-traditional "nc" binary to my target system. I'm starting from Kali Linux, and my target is a CentOS system. The distribution type makes little difference for these steps, other than ensuring your binary will work on the target system.

Step 1: Compress the Source Binary

Compress the source binary using a method that will be accessible on the target system. Gzip is usually a smart choice:

-rwxr-xr-x 1 root root 22140 Jun 12 2012 /bin/nc.traditional
root@kali:~# gzip /bin/nc.traditional
root@kali:~# ls -l /bin/nc.traditional.gz
-rwxr-xr-x 1 root root 11197 Jun 12 2012 /bin/nc.traditional.gz

Step 2. Install Sharutils and Xsel

On the attacker system, install the sharutils and xsel packages (we'll use them next):

root@kali:~# apt-get install sharutils xsel
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
sharutils xsel
...
Setting up sharutils (1:4.11.1-1) ...
Setting up xsel (1.2.0-1) ...

Step 3. Alias Pbcopy

Mac OS X has a wonderful tool "pbcopy", which takes the STDOUT from one program and places the content in the clipboard. This makes it so you can "cat" a file and send the output to the clipboard without having to highlight everything in your terminal with a mouse. Linux users have also had this for a while with the "xsel" (and "xclip") tool. Create an alias for pbcopy in your login profile so it is always accessible and easy to remember:

root@kali:~# echo "alias pbcopy='xsel --clipboard --input'"
>>~/.bash_profile
root@kali:~# source ~/.bash_profile
root@kali:~# alias pbcopy
alias pbcopy='xsel --clipboard --input'

Step 4. Transfer the File

With the prerequisites out of the way, we'll transfer the file to the target system. First we convert the binary 7-bit ASCII format using the uuencode utility. Uuencode is the precursor the Base64 or MIME encoding techniques, and it breaks up the ASCII content into 63-character lines that makes it simpler to cut-and-paste than Base64 encoding. In the example below, we specify the input filename twice - the first is the actual file, and the 2nd is the filename reference inside the uuencoded data:

root@kali:~# uuencode /bin/nc.traditional.gz /bin/nc | pbcopy

Next, switch to your target system, and create a new file using "cat", pasting the content from the clipboard, and pressing "CTRL+C" at the end of the paste to close the file and return to the shell:

josh@centos:~ $ cat >nc.gz.uu
begin 755 /bin/nc.traditional.gz
M'XL("$YEUT\``VYC+G1R861I=&EO;F%L`-U\?WR4U97W,Y,)#B%D8H46*VT?
M==!@DT@0+3\U0$"T42,BV@+"D,PP(\G,=.:9`+Y40B<!QB$VW5I?=VLKE&[7
...
M/OH.]5W3B_+P.&ZOY='CMZ^.WG$^/:;7\_"XYAP'WID+X!W,IW<`]!I4S%3(
E7\KLGWA\K:SR3LPG6PY/-W.+EO4C7OZW(*TF_Q=K0^LO?%8`````
`
end
^C
josh@centos:~ $

Now we have a file called nc.gz.uu which we want to uudecode. Do not fear if the target system is missing the uudecode utility — we have Python!

josh@centos:~$ python -c 'from uu import decode; decode("nc.gz.uu", "nc.gz")'
josh@centos:~$ gzip -d nc.gz
mock@centos:~$ chmod 755 nc
josh@centos:~$ ./nc -h
[v1.10-40]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [-options] [hostname] [port]
options:
-c shell commands as `-e'; use /bin/sh to exec [dangerous!!]
?

This process can get annoying when transferring multiple files, so remember that you can use tar to create an archive of everything you need to transfer first.

Conclusion

Writing this article made me feel old. I distinctly remember using this same technique back when I was writing articles for Virus Laboratories and Distribution (VLAD) in the 90's. That was ages ago, but good tricks die hard.

-Joshua Wright
jwright@willhackforsushi.com

1 Comments

Posted December 10, 2014 at 5:03 PM | Permalink | Reply

Andre Gironda

I remember these with screen or tmux copypasta. Classic, thanks

Post a Comment






Captcha


* Indicates a required field.