You are browsing the archive for LOLBins.

Cur\o/bin

May 2, 2021 in Living off the land, LOLBins

This post wraps up another Twitter thread I started a few days ago:

If you ever get bored using “copy” to copy files you can always use … curl:

curl file://c:\test\foo -o bar

Same way, you can use it instead of “type” or “cat”

curl file://c:\test\foo

You can also copy file by… uploading it locally

curl -T bar file://c:\test\

this will copy “bar” file to “c:\test\bar”.

And during copying, you can stat copying at a given offset:

and even cooler, you can extract any part of the file using range

curl file://c:\test\foo -C 1

dynamic payload building anyone?

and even cooler, you can extract any part of the file using range

curl file://c:\test\foo -r2-10

offering a chance to build dynamic payloads.

The operation is surgical and using Procmon we can confirm it reads only these two specific bytes:

@nf3xn added one more interesting option:

curl --remote-time file://c:\test\foo -o bar

to preserve file timestamps.

Throwing LOLBIN a tar ball

May 2, 2021 in Living off the land, LOLBins

This post summarizes some of the findings I posted on Twitter the other day.

While looking at Windows version of tar.exe I discovered that it includes lots of undocumented command line arguments; undocumented – in a sense that they are not described in program’s help (tar –help), but are obviously known to *NIX tar program users:

Amongst the more interesting ones are the LOLBIN and data encoding opportunities:

Encoding

Windows tar can BASE64-encode and UUEncode files:

tar -c -f<out> --b64encode <in>
tar -c -f<out> --uuencode <in>

Decoding

Using “-x” we can decode these files:

tar -x -f<in> --b64encode
tar -x -f<in> --uuencode 

Running programs (lolbin #1):

tar -cff --use-compress-program calc f

The –use-compress-program works with:

  • -c(create)
  • -x(extract)
  • -t(test)

options meaning that:

tar -x --use-compress-program calc -f <in> 
tar -t --use-compress-program calc -f <in>

can be used to launch a program of your choice too.

Running Programs (lolbin #2):

When you use tar to create archives using different archive types e.g. bzip2, grzip, xz, etc. tar.exe spawns a child process (e.g. bzip2.exe). You can place a dummy bzip2.exe in your chosen directory and it will be launched when you use a command like the one below:

tar -c -ffoo -j .

Possible child processes created (need to tinker with options) are:

  • bzip2.exe
  • grzip.exe
  • lrzip.exe
  • lz4.exe
  • lzop.exe
  • lzma.exe
  • xz.exe
  • lzip.exe

Some of them only work with “test” option e.g. xz

tar -t -f<in> -J

These are existing archive type options

  • -j, -y — bzip2.exe
  • -J = xz.exe
  • -z = (gzip – n/a)
  • -Z = (compress – n/a)
  • –grzip = grzip.exe
  • –lrzip = lrzip.exe
  • –lz4 = lz4.exe
  • –lzma = (lzma – n/a)
  • –lzip = (doesn’t seem to work although should spawn lzip.exe)
  • –lzop = lzop.exe