The Gist
Having been in many situations where the Windows environment I was working in was secured against external file transfer, I've devised a few methods for transferring binary files without physical drives or network connections. Such environments are found in kiosks, POS terminals, Citrix/RDP/VNC/etc. remote terminals and other "thin" clients.
I'm gonna show you some methods that use plain text encoding to exploit functionality not often thought of as useful to attackers in hardened environments.
Tip: If the target environment has a working unzip/decompress application like that built into Windows XP/Vista, compress the binary before encoding it.
Outlook Express/Windows Mail
E-mail applications use MIME to attach non-text files to messages. This feature can be used locally to encode files into a plain text format (usually base64). Here's how to transfer a binary file with the keyboard:
1. In the source environment, compose a new e-mail message.
2. Change the message format to Plain Text; this will reduce clutter in the file.
3. Attach the binary file you want to transfer.
4. In the File menu, choose "Save As...". Save the file as the Mail (*.eml) type.
5. Open the saved .eml file in Notepad to view the contents.
6. Open Notepad in the target environment and copy the contents of the saved .eml file.
7. Save the file with a .eml extension.
8. Open the .eml file with OE/WM.
9. Right-click the attachment and choose "Save As...".
Caveat: OE/WM restricts access to executable files from attachments by default. Adjust the security settings or rename your file if necessary.
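The caveat above is why a filename-based block is weak: the attachment can simply be renamed. As an added example (not code from the original post), this script checks the decoded content of every attachment in an .eml for a PE ("MZ") header instead of trusting the extension. The .eml and the payload are constructed inline; only the Python standard library is used.

```python
# Added example (not from the original post): content-based detection of an
# executable carried inside a plain-text .eml, regardless of its declared
# name or extension. Standard library only.
import email
from email import policy
from email.message import EmailMessage

PE_MAGIC = b"MZ"  # DOS/PE executable header


def build_sample_eml(attachment_name: str, payload: bytes) -> bytes:
    """Constructed sample: a plain-text message with one base64 attachment."""
    msg = EmailMessage()
    msg["From"] = "user@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "transfer"
    msg.set_content("see attachment")
    # add_attachment() base64-encodes binary payloads, like OE/WM does.
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


def find_executable_attachments(eml_bytes: bytes) -> list:
    """Return (filename, size) for each attachment whose decoded content
    starts with the PE magic, even if it was renamed to hide its type."""
    msg = email.message_from_bytes(eml_bytes, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # undoes the base64 encoding
        if data is not None and data.startswith(PE_MAGIC):
            hits.append((part.get_filename(), len(data)))
    return hits


if __name__ == "__main__":
    # Constructed payload: a fake PE header, not a real program.
    fake_exe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
    print(find_executable_attachments(build_sample_eml("notes.txt", fake_exe)))
```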
Windows Scripting Host
The Windows Scripting Host gives access to components which are capable of taking plain text encoded data and saving it as a binary file.
For example, this pair of scripts will hex-encode a binary file to a plain text file and back:
encodefile.vbs
decodefile.vbs
Programmatic Keyboarding
Some remote terminal environments like RDP support copy and paste operations, but most won't -- namely Citrix MetaFrame (or whatever they call it these days). A great way to work with this keyboard/mouse-only interactivity is to run a WSH script in the host environment. The following script reads a file and types it into the target environment:
sendkeys.vbs
Tip: Useful binary files small enough to be typed into an environment are hard to come by. Compile your own.
Hardware Acceleration
You may not be able to attach a USB Mass Storage Device, but it's highly likely your target will allow you to attach a USB HID (Human Interface Device) or PS/2 keyboard. Both use a standard Windows driver and would not require elevated privileges to install.
It's simple to create hardware devices that emulate HID or PS/2 devices. Encoded files can be loaded onto a microcontroller and "typed" for you.
Schematics and source code for such a device may show up here eventually.
Input Methods
Notepad missing? Windows has some other options like wordpad/write.exe, edit.com, and web browsers.
Web browser? Use some javascript to write a file to the current document, then use the browser's "Save As..." function to save the file to disk. The following javascript, when pasted into the address bar, will draw a textarea where you can enter text. Click the "Pop" button to open a new window with the text. Save this document.
javascript:document.write("<textarea rows=10 cols=50 id=thetext>Text <Here></textarea><input type=button value=Pop onclick=doit()><script>function doit() { var win = window.open('','win'); var tmp = document.getElementById(\"thetext\").value; win.document.write(tmp);}</script>");
In some cases you may need to encode certain HTML entities to prevent the browser from parsing them. Also be cautious of how the browser saves the file. The browser might attempt to change CR/LF to whitespace or save the file as Unicode which can create parsing problems.
Thoughts
It seems a requisite for a secure environment is a read-only filesystem.