Uploading files to RDP, VNC, or anywhere you can type

Posted on 28th November 2018, by Paul Ritchie

Equifax

RDPUpload is a tool which implements an old technique for uploading files in python. There is nothing new in its concept but the implementation is. You can get it here:

If you have a need to upload a file to an RDP, VNC, or anything else where regular uploading fails, then you can try this.

It works by:

  • Converting the file you want to upload into characters represented on the keyboard;
  • Asking you to place your mouse cursor into whatever receiving side application you have (RDP, VNC, WebPages with TextAreas, etc.);
  • It then types each character of the file with inhuman speed and accuracy.

On the receiving end you will need to save the text into a file, and then Base64 decode the contents of the file. For example, on Windows Server 2003 and upward you can use the "certutil.exe" utility tool, as follows:

1
certutil -decode encoded.txt decoded.zip

Note: the decoded file is a zip archive. On Windows the default zip client can extract the original file.

On Linux, you can use the base64 command to achieve similar results:

1
base64 --decode encoded.txt > decoded.zip

To see an example usage there is a video too:

 

Why Does this Exist

You may be asking why this exists when you can drag and drop files from services such as RDP.

It is not uncommon for penetration testers to be asked to do a great job under less than ideal circumstances. What seems like an easy or regular task can quickly get complicated once boots are on the ground.

That may mean being asked to assure the security of a Windows Server by conducting a  Configuration review. No bother! We have tools that can help us gather data in a short enough time frame to leave it cost-effective.

Then on the day:

  • The only port you can see is RDP (TCP 3389) - Common remote patch analysis processes are then right out as they require SMB and NetBios;
  • Oh by the way, we restrict mapping local drives;
  • We have also disabled copy and paste (which is a PCI requirement); and
  • Once on RDP there is no route to the Internet from the host.

These are all actually excellent security measures and we are happy they are there. But it does make the idea of reviewing the Windows machine somewhat trickier as that means manually reviewing every policy.

This was the original use-case for implementing the technique again. However, since I made it and released it into the wild, I have found myself using it to smuggle data past proxies. There is also various other use cases such as sending files into restricted networks if you have got an RDP/VNC session.

Wherever you can type you can send a file.

References

[1] https://github.com/SecarmaLabs/rdpupload - Our tool for uploading files via key presses.

[2] https://technet.microsoft.com/en-us/library/cc770631(v=ws.11).aspx - Microsoft Technet article on disabling client to server RDP redirections.

[3] http://tritoneco.com/2013/10/04/disable-remote-desktop-copy-paste/ - Discussing how disabling copy/paste between RDP and host is a PCI requirement.

[4] https://linux.die.net/man/1/base64 - Linux Command for base64 decoding files.

[5] /services/cybersecurity-assessment/configuration-review.html - Overview of Secarma's Configuration review service.

[6] https://cornerpirate.com/2017/11/14/uploading-files-to-rdp-when-that-is-restricted/ - My personal Blog where I initially released RDP Upload.

Secarma Accreditations Crest Accredited CCSS IT Health Check Service ISO 9001 IS0 27001 Cyber Essentials Accreditation Cyber Essentials Trusted Parter Badge