This post wraps up another Twitter thread I started a few days ago:

If you ever get bored using “copy” to copy files you can always use … curl:

curl file://c:\test\foo -o bar

Same way, you can use it instead of “type” or “cat”

curl file://c:\test\foo

You can also copy file by… uploading it locally

curl -T bar file://c:\test\

this will copy “bar” file to “c:\test\bar”.

And during copying, you can stat copying at a given offset:

and even cooler, you can extract any part of the file using range

curl file://c:\test\foo -C 1

dynamic payload building anyone?

and even cooler, you can extract any part of the file using range

curl file://c:\test\foo -r2-10

offering a chance to build dynamic payloads.

The operation is surgical and using Procmon we can confirm it reads only these two specific bytes:

@nf3xn added one more interesting option:

curl --remote-time file://c:\test\foo -o bar

to preserve file timestamps.

This post summarizes some of the findings I posted on Twitter the other day.

While looking at Windows version of tar.exe I discovered that it includes lots of undocumented command line arguments; undocumented – in a sense that they are not described in program’s help (tar –help), but are obviously known to *NIX tar program users:

Amongst the more interesting ones are the LOLBIN and data encoding opportunities:

Encoding

Windows tar can BASE64-encode and UUEncode files:

tar -c -f<out> --b64encode <in>
tar -c -f<out> --uuencode <in>

Decoding

Using “-x” we can decode these files:

tar -x -f<in> --b64encode
tar -x -f<in> --uuencode 

Running programs (lolbin #1):

tar -cff --use-compress-program calc f

The –use-compress-program works with:

• -c(create)
• -x(extract)
• -t(test)

options meaning that:

tar -x --use-compress-program calc -f <in> 
tar -t --use-compress-program calc -f <in>

can be used to launch a program of your choice too.

Running Programs (lolbin #2):

When you use tar to create archives using different archive types e.g. bzip2, grzip, xz, etc. tar.exe spawns a child process (e.g. bzip2.exe). You can place a dummy bzip2.exe in your chosen directory and it will be launched when you use a command like the one below:

tar -c -ffoo -j .

Possible child processes created (need to tinker with options) are:

• bzip2.exe
• grzip.exe
• lrzip.exe
• lz4.exe
• lzop.exe
• lzma.exe
• xz.exe
• lzip.exe

Some of them only work with “test” option e.g. xz

tar -t -f<in> -J

These are existing archive type options

• -j, -y — bzip2.exe
• -J = xz.exe
• -z = (gzip – n/a)
• -Z = (compress – n/a)
• –grzip = grzip.exe
• –lrzip = lrzip.exe
• –lz4 = lz4.exe
• –lzma = (lzma – n/a)
• –lzip = (doesn’t seem to work although should spawn lzip.exe)
• –lzop = lzop.exe