Throwing LOLBIN a tar ball
2021-05-02 22:42:11 Author: www.hexacorn.com(查看原文) 阅读量:153 收藏

May 2, 2021 in Living off the land, LOLBins

This post summarizes some of the findings I posted on Twitter the other day.

While looking at Windows version of tar.exe I discovered that it includes lots of undocumented command line arguments; undocumented – in a sense that they are not described in program’s help (tar –help), but are obviously known to *NIX tar program users:

Amongst the more interesting ones are the LOLBIN and data encoding opportunities:

Encoding

Windows tar can BASE64-encode and UUEncode files:

tar -c -f<out> --b64encode <in>
tar -c -f<out> --uuencode <in>

Decoding

Using “-x” we can decode these files:

tar -x -f<in> --b64encode
tar -x -f<in> --uuencode 

Running programs (lolbin #1):

tar -cff --use-compress-program calc f

The –use-compress-program works with:

  • -c(create)
  • -x(extract)
  • -t(test)

options meaning that:

tar -x --use-compress-program calc -f <in> 
tar -t --use-compress-program calc -f <in>

can be used to launch a program of your choice too.

Running Programs (lolbin #2):

When you use tar to create archives using different archive types e.g. bzip2, grzip, xz, etc. tar.exe spawns a child process (e.g. bzip2.exe). You can place a dummy bzip2.exe in your chosen directory and it will be launched when you use a command like the one below:

tar -c -ffoo -j .

Possible child processes created (need to tinker with options) are:

  • bzip2.exe
  • grzip.exe
  • lrzip.exe
  • lz4.exe
  • lzop.exe
  • lzma.exe
  • xz.exe
  • lzip.exe

Some of them only work with “test” option e.g. xz

tar -t -f<in> -J

These are existing archive type options

  • -j, -y — bzip2.exe
  • -J = xz.exe
  • -z = (gzip – n/a)
  • -Z = (compress – n/a)
  • –grzip = grzip.exe
  • –lrzip = lrzip.exe
  • –lz4 = lz4.exe
  • –lzma = (lzma – n/a)
  • –lzip = (doesn’t seem to work although should spawn lzip.exe)
  • –lzop = lzop.exe

文章来源: https://www.hexacorn.com/blog/2021/05/02/throwing-a-lolbin-tar-ball/
如有侵权请联系:admin#unsafe.sh