View Issue Details

ID: 0003114
Project: Kali Linux
Category: [All Projects] New Tool Requests
View Status: public
Last Update: 2020-03-30 14:39
Reporter: ycam
Assigned To:
Priority: normal
Severity: feature
Reproducibility: N/A
Status: closed
Resolution: won't fix
Product Version:
Target Version:
Fixed in Version:
Summary: 0003114: exe2powershell - exe2bat reborn for modern Windows

Description:
exe2powershell - exe2bat reborn for modern Windows

exe2powershell converts a binary into a bat file, without size limitation (64kB) and with compatibility to modern Windows (7 x64, 8, 8.1, 10, 2008, 2008R2, 2012).

The *.bat produced by exe2powershell contains several "echo" lines (< 128 chars) of the decimal code of the initial binary, and finally invokes a powershell command line to regenerate the payload.exe on the remote server through command line.

- exe2bat compatibility : input file smaller than 64kB (<= Windows 7 x86)
- exe2powershell compatibility : input file without size limitation, Windows with powershell (>= Windows 7)

exe2powershell on github with source-code, sample and binaries :

- https://github.com/yanncam/exe2powershell
- https://yanncam.github.io/exe2powershell/
Steps To Reproduce:
C:\exe2powershell\bin>exe2powershell.exe
  ______ ___ _____ _____ _ _ _
 | ____| |__ \| __ \ / ____| | | | |
 | |__ __ _____ ) | |__) |____ _____ _ _| (___ | |__ ___| | |
 | __| \ \/ / _ \ / /| ___/ _ \ \ /\ / / _ \ '__\___ \| '_ \ / _ \ | |
 | |____ > < __// /_| | | (_) \ V V / __/ | ____) | | | | __/ | |
 |______/_/\_\___|____|_| \___/ \_/\_/ \___|_| |_____/|_| |_|\___|_|_|

        [ exe2bat reborn in exe2powershell for modern Windows ]
 [ initial author ninar1, based on riftor work, and modernized by ycam ]
    [ exe2powershell version 1.0 - keep up to date : www.asafety.fr ]

 [*] Usage : exe2powershell.exe inputfile outputfile
 [*] e.g. : exe2powershell.exe nc.exe nc.bat
Additional Information:
Kali integrates many Windows binaries used during pentest on Windows Server.
These tools are located in /usr/share/windows-binaries/
Kali provides "wine" by default to run these tools directly.

One of these tools, the oldschool "exe2bat.exe" is present here : /usr/share/windows-binaries/exe2bat.exe

Through this old tool, a pentester can convert a payload.exe or another utility (ftp.exe, tftp.exe, nc.exe, etc.) into a *.bat file.
The produced *.bat file contains several "echo" lines with hexadecimal code of the initial binary.
Finally, the *.bat file invokes the "debug.exe" binary located in %systemroot%\System32\debug.exe by default in old Windows to regenerate the initial "payload.exe".

Through this tool "exe2bat", a pentester can "upload" a payload.exe only with the use of "echo" and "debug" commands in a shell.

But "exe2bat" has limitations :
- This tool uses "debug.exe" which is deprecated and not present in Windows since Windows 7 x64 (usable in Windows 7 x86). So Windows 8, 8.1, 2008, 2008R2, 2012 or 10 don't have this binary...
- "debug.exe" is an old-retro-compatibility tool kept in Windows (16bits-application)
- exe2bat can convert "*.exe" to "*.bat" file only if the initial file is smaller than 64kB

Compared to these limitations of "exe2bat", I've created "exe2powershell", the reborn of "exe2bat".

exe2powershell converts a binary into a bat, without size limitation (64kB) and with compatibility to modern Windows (7 x64, 8, 8.1, 10, 2008, 2008R2, 2012).

The *.bat produced by exe2powershell contains several "echo" lines of the decimal code of initial binary, and finally invokes a powershell command line to regenerate the payload.exe.

I think this tool can be useful to pentesters who used to use exe2bat, so I suggest you include it among the other Windows binaries in /usr/share/windows-binaries/.

Sincerely,
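
A triage sketch for the artifact this report describes (a batch file made of "echo" lines carrying decimal byte values, followed by a powershell call), added here as an example and not part of the original report or of exe2powershell. The report does not show the tool's exact output, so the comma separator, the `>>` redirection and the file name `stage.txt` are assumptions, and the sample script is constructed.

```python
import hashlib
import re

# Assumed line shape: echo <decimal byte values, comma/space separated> >> <file>
ECHO_RE = re.compile(r'^\s*@?echo\s+([0-9][0-9 ,]*?)\s*>{1,2}\s*(\S+)\s*$', re.I)
POWERSHELL_RE = re.compile(r'\bpowershell(\.exe)?\b', re.I)

def analyze_bat(text, min_echo_lines=3):
    """Flag the echo-decimal + PowerShell pattern and recover the embedded bytes."""
    data = bytearray()
    echo_lines = 0
    powershell_after_echo = False
    for line in text.splitlines():
        m = ECHO_RE.match(line)
        if m:
            values = [int(v) for v in re.split(r'[ ,]+', m.group(1)) if v]
            if all(v <= 255 for v in values):   # only byte-sized values count
                echo_lines += 1
                data.extend(values)
                continue
        if echo_lines and POWERSHELL_RE.search(line):
            powershell_after_echo = True
    return {
        "echo_lines": echo_lines,
        "powershell_after_echo": powershell_after_echo,
        "suspicious": echo_lines >= min_echo_lines and powershell_after_echo,
        "starts_with_mz": bytes(data[:2]) == b"MZ",   # PE/DOS header magic
        "recovered_len": len(data),
        "sha256": hashlib.sha256(bytes(data)).hexdigest(),  # for IOC lookup
    }

# Constructed sample: 12 bytes only, rebuild command deliberately elided.
SAMPLE = """@echo off
echo 77,90,144,0 >> stage.txt
echo 3,0,0,0 >> stage.txt
echo 4,0,0,0 >> stage.txt
powershell -Command "<rebuild step elided>"
"""

# Constructed benign script: numeric echo, no PowerShell call.
BENIGN = "@echo off\necho 1 > count.txt\necho done\n"

if __name__ == "__main__":
    print(analyze_bat(SAMPLE))
    print(analyze_bat(BENIGN))
```

The recovered SHA-256 lets a responder look up the staged binary without executing the script.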

Activities

g0tmi1k

2018-01-29 14:54

administrator   ~0008390

To help speed up the process of evaluating the tool, please make sure to include the following information (the more information you include, the more beneficial it will be for us):

- [Name] - The name of the tool
- [Version] - What version of the tool should be added?
--- If it uses source control (such as git), please make sure there is a release to match (e.g. git tag)
- [Homepage] - Where can the tool be found online? Where to go to get more information?
- [Download] - Where to go to get the tool?
- [Author] - Who made the tool?
- [Licence] - How is the software distributed? What conditions does it come with?
- [Description] - What is the tool about? What does it do?
- [Dependencies] - What is needed for the tool to work?
- [Similar tools] - What other tools are out there?
- [How to install] - How do you compile it?
- [How to use] - What are some basic commands/functions to demonstrate it?

ycam

2018-02-24 11:32

reporter   ~0008804

- [Name] - exe2powershell
- [Version] - 1.0 (https://github.com/yanncam/exe2powershell)
- [Homepage] - https://www.asafety.fr/projects/exe2powershell/
- [Download] - https://github.com/yanncam/exe2powershell (source & binary version)
- [Author] - Yann CAM
- [Licence] - GNU
- [Description] - exe2powershell is used to convert any binary file (*.exe) to a BAT file. The resulting BAT file contains only "echo" command and finally a powershell command to re-create the original binary file.
- [Dependencies] - Nothing, standalone binary (exe2powershell.exe)
- [Similar tools] - exe2bat (already present in Kali but not-compatible with newer Windows versions)
- [How to install] - Source code is here : https://github.com/yanncam/exe2powershell/blob/master/src/exe2powershell/exe2powershell.cpp, compiled via Code::Blocks without any additional libraries linked nor dependencies.
- [How to use] - exe2powershell.exe nc.exe nc.bat

g0tmi1k

2020-03-30 14:39

administrator   ~0012568

Tool hasn't had an update for a while.

Other than post exploitation, why would a binary exe be used?

Issue History

Date Modified Username Field Change
2016-03-03 10:24 ycam New Issue
2018-01-29 14:54 g0tmi1k Note Added: 0008390
2018-02-21 09:35 g0tmi1k Product Version 2016.1 =>
2018-02-24 11:32 ycam Note Added: 0008804
2020-03-30 14:39 g0tmi1k Note Added: 0012568
2020-03-30 14:39 g0tmi1k Status new => closed
2020-03-30 14:39 g0tmi1k Resolution open => won't fix