Summary
When you are in a locked-down environment, connected via RDP, and you can't use the internet or even the clipboard to transfer files, this is a slow and quite crude method you may be able to use to infiltrate files: type the files out in base64 format, then decode them. Obviously, doing this by hand for anything other than the smallest of files would be very painful. That's where AutoIt comes in: we can get it to act like an automated keyboard and type the file out for us, then decode it at the other end. Keep in mind that even with AutoIt typing super fast it's still incredibly slow, so it is probably best to use it only for scripts and small files. Even a 1MB file will take hours to complete.
Installation
- Download the latest release from https://www.autoitscript.com/site/autoit/downloads/
- Click Next.
- Click I Agree.
- Leave as default and click Next.
- Leave as default and click Next.
- Leave as default and click Next.
- Click on Install.
- Once completed, uncheck Show release notes, then click Finish.
Create AutoIt Script
We now need to create an AutoIt script that types the binary to the destination as base64-encoded text. Use the PowerShell script below to create such a file. There are two lines you will want to modify. The first statement sets the path to the file that you want to infiltrate. On the last line you may want to modify the location that the script will be output to.
# Read in a binary file (Change the path here if you like)
$bytes = [System.IO.File]::ReadAllBytes("C:\temp\Windows_AFD_LPE_CVE-2023-21768.exe")
# Convert to base64
$base64 = [System.Convert]::ToBase64String($bytes)
# This is the maximum line size that AutoIt appears to support.
$chunkSize = 4084
# Number of chunks needed, rounded up so the final partial chunk is included.
$numChunks = [Math]::Ceiling($base64.Length / $chunkSize)
# Add a sleep statement to the start of the script so you have time to click on the destination before it starts typing.
$autoit_script = "Sleep(5000)`n"
for ($i = 0; $i -lt $numChunks; $i++) {
    $startIndex = $i * $chunkSize
    $chunk = $base64.Substring($startIndex, [Math]::Min($chunkSize, $base64.Length - $startIndex))
    # Flag 1 makes Send() type the text raw, so "+" is not treated as the Shift key.
    $autoit_script += 'Send("' + $chunk + '",1)' + "`n"
}
# Output the file as an AutoIt script.
$autoit_script | Out-File C:\temp\exploit.au3
Start the Transfer
Before we start, it is best to check the hash of the file being sent so we can be sure when it reaches the destination that it has not been altered.
Get-FileHash -Algorithm SHA1 C:\temp\hulk.png
OK, so we know what the hash of the file is prior to sending. Time to get ready for the transfer. While the transfer is underway you probably want to be careful about moving the mouse or touching the keyboard. Once you double click the script to start, you have 5 seconds until it starts typing with absolute fury, so make sure you have the connection set up and have notepad open at the destination.
OK, so you are all set up. Double click on the exploit.au3 file. Then quickly select the open notepad window at the destination.
If you are prompted, click on AutoIt v3 Script.
AutoIt go brrrrrrrr!
Decode File at Destination
- Open PowerShell ISE then type in the below script. In the last line of this script modify the file path of where you would like the file to be written.
$base64String = ''
$bytes = [System.Convert]::FromBase64String($base64String)
[System.IO.File]::WriteAllBytes("C:\temp\hulk_destination.png", $bytes)
- Select all text in notepad with ctrl+a, then press ctrl+c to copy it to the clipboard.
- Paste the text from the clipboard between the single quotes on the first line of the script.
- Run the script.
- Verify the hash of the file at the destination.
Get-FileHash -Algorithm SHA1 C:\temp\hulk_destination.png
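The decode and hash check steps above can be combined so that a transfer with dropped or mistyped characters is rejected before anything is written to disk. This is an added example, not code from the original post; the function name, its parameters, the output path and the sample input are assumptions made for illustration.

```powershell
# Added example: validate typed base64 text and check its SHA1 before writing the file.
# Convert-TypedBase64 and its parameters are hypothetical names, not from the original post.
function Convert-TypedBase64 {
    param(
        [Parameter(Mandatory)][string]$Text,          # text copied out of notepad
        [Parameter(Mandatory)][string]$ExpectedSha1,  # hash taken at the source with Get-FileHash
        [Parameter(Mandatory)][string]$OutPath        # where the decoded file is written
    )
    # Stray spaces or line breaks may have crept in; remove them before checking.
    $clean = $Text -replace '\s', ''
    # A dropped or doubled keystroke shows up as a length that is not a multiple of 4.
    if ($clean.Length % 4 -ne 0) {
        throw "Length $($clean.Length) is not a multiple of 4: characters were lost or added."
    }
    # A mistyped key shows up as a character outside the base64 alphabet.
    if ($clean -notmatch '^[A-Za-z0-9+/]*={0,2}$') {
        throw 'Text contains characters outside the base64 alphabet.'
    }
    $bytes = [System.Convert]::FromBase64String($clean)
    # Hash the bytes in memory so a corrupted file is never written.
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $actual = [System.BitConverter]::ToString($sha1.ComputeHash($bytes)) -replace '-', ''
    } finally {
        $sha1.Dispose()
    }
    # -ne on strings is case-insensitive, so upper or lower case hex both match.
    if ($actual -ne $ExpectedSha1.Trim()) {
        throw "SHA1 mismatch: expected $ExpectedSha1, got $actual."
    }
    [System.IO.File]::WriteAllBytes($OutPath, $bytes)
    return $actual
}

# Constructed sample: the base64 of the ASCII text 'hello' with a line break in the middle.
$sample   = "aGVs`r`nbG8="
$expected = 'AAF4C61DDCC5E8A2DABEDE0F3B482CD9AEA9434D'   # SHA1 of 'hello'
Convert-TypedBase64 -Text $sample -ExpectedSha1 $expected -OutPath "$env:TEMP\sample_destination.bin"
```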