Using adsutil.vbs + ..\ + cmd.asp to create the perfect backdoor - Vulnerability Warning - 黑吧安全网 (Heiba Security Net)

ID MYHACK58:6220055452
Type myhack58
Reporter Anonymous (佚名)
Modified 2005-12-15T00:00:00


Everyone wants a good backdoor, but it is frustrating: the ready-made backdoors floating around can hardly escape the antivirus software hunting them down, and for small fry like us, writing our own backdoor does not seem realistic either. Below I will teach you a method that lets you build a backdoor that belongs only to you! Required tools: a single cmd.asp is enough. Write your own or find one online, but I suggest writing your own; it is actually very simple, and one you write yourself will not be detected. The attached disc contains a cmd.asp I wrote myself, with very detailed comments, so take a look!

Build process: suppose you have already taken a machine. Now let's begin! I believe everyone remembers the earlier article which said that if you set the IIS application protection to Low (IIS process) and then run an ASP Trojan, it gets SYSTEM privileges. We will leave the application protection configured as Medium (Pooled) and still have our cmd.asp run with SYSTEM permissions (Figure 1). This uses the adsutil.vbs tool. adsutil.vbs is the tool that ships with the system for managing IIS, usually found in c:\inetpub\adminscripts. I will not go into the specifics of using adsutil.vbs here; please look them up online!

The setting relevant to application protection is LM/W3SVC/InProcessIsapiApps, the ISAPI extensions started in-process. LM/W3SVC/InProcessIsapiApps is an array containing a set of paths pointing to ISAPI DLLs. The ISAPIs in this array are started directly by inetinfo.exe and inherit inetinfo.exe's Local System privileges; ISAPIs not in it are started by the dllhost.exe processes spawned from svchost.exe and run as IWAM_MACHINENAME. So what we need to do is add asp.dll to this array by hand. Note that you cannot append to this list; you can only overwrite it!! Execute:

cscript adsutil.vbs get /W3SVC/InProcessIsapiApps

to see what is there originally (Figure 2), and then execute:

cscript adsutil.vbs set /W3SVC/InProcessIsapiApps C:\Windows\system32\inetsrv\httpext.dll C:\Windows\system32\inetsrv\httpodbc.dll C:\Windows\system32\inetsrv\ssinc.dll C:\Windows\system32\msw3prt.dll C:\Windows\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll C:\Windows\system32\inetsrv\asp.dll

Note that the values are separated from each other by a space, not by Enter! See the figure below (Figure 3). Okay, from here on the application protection setting makes no difference at all: we have SYSTEM permissions regardless!

Next, let's create a folder that antivirus software cannot kill and the administrator cannot find, and put cmd.asp into it! (Figure 4) Open the folder and look, and you will be surprised to find both aaa and aaa. (created with the folder name aaa..\); all that shows up inside the folder is 1.txt (Figure 5). So where did 2.txt go? In fact, when we open the "aaa." folder we actually enter the aaa folder, while 2.txt is still inside the real aaa..\ folder! And this folder cannot be deleted by the usual methods! For details, see the article I included: "让ASP木马不被杀.txt" (Let the ASP Trojan Not Be Killed). Using this principle, we create a folder in the site directory of the compromised machine: assuming it originally has an "ad" folder, we create an "ad..\" folder and then use the copy command to copy our cmd.asp into it! Now we have a backdoor in the system that is not detected and is not easy to find!

But think about it: if someone else also uploads a cmd.asp, we become the mantis stalking the cicada, with the oriole waiting behind us. No, we want to build a backdoor that belongs only to us! cmd.asp contains the line set oScript=server.createobject("WSCRIPT.SHELL"), and this line is the core. So search the registry for the WSCRIPT.SHELL entries and rename them to whatever you want, for example WSCRIPT.SHELLshell (Figure 6). Note that the search will also find WSCRIPT.SHELL.1, which must be modified as well, or the whole effort is wasted! Then change set oScript=server.createobject("WSCRIPT.SHELL") in your cmd.asp to set oScript=server.createobject("WSCRIPT.SHELLshell"), copy cmd.asp into ad..\, and you have a backdoor of your own. To access the backdoor you only need to enter http://host/ad../cmd.asp; you can see how I did it in Figure 7. Good!

Note: the screenshots above are from Windows 2003; Windows 2000 may differ slightly, but I tested under 2000 and it succeeded! Where I am wrong, masters please correct me; if something is unclear, come to www.cnhack.cn and discuss it with me! Thanks to nsfocus's tombkeeper.

----- Several places in the text have been altered out of consideration for readers and editors.
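The three changes this article makes (asp.dll pushed into InProcessIsapiApps, a folder whose name ends in "..", and a renamed WScript.Shell ProgID) are also exactly what an administrator should audit for. The following Python helper is an added example written for that defensive check; it is not part of the original article, and the adsutil listing, directory names and ProgID list it works on are constructed samples, not data from any real host.

```python
import re

# Constructed sample of `cscript adsutil.vbs get /W3SVC/InProcessIsapiApps`
# output (not captured from a real host). The last entry is the anomaly
# the article describes: asp.dll placed into the in-process list.
SAMPLE_ADSUTIL_OUTPUT = """InProcessIsapiApps : (LIST) (6 Items)
  "C:\\Windows\\system32\\inetsrv\\httpext.dll"
  "C:\\Windows\\system32\\inetsrv\\httpodbc.dll"
  "C:\\Windows\\system32\\inetsrv\\ssinc.dll"
  "C:\\Windows\\system32\\msw3prt.dll"
  "C:\\Windows\\Microsoft.NET\\Framework\\v1.1.4322\\aspnet_isapi.dll"
  "C:\\Windows\\system32\\inetsrv\\asp.dll"
"""

# ISAPI DLLs the article's own "get" output (Figure 2) shows in-process
# before the change. Anything beyond this set deserves a look.
DEFAULT_INPROCESS = {"httpext.dll", "httpodbc.dll", "ssinc.dll",
                     "msw3prt.dll", "aspnet_isapi.dll"}


def parse_inprocess_list(text):
    """Return the quoted DLL paths from an adsutil 'get' listing."""
    return re.findall(r'^\s*"([^"]+)"\s*$', text, flags=re.MULTILINE)


def unexpected_inprocess_dlls(text, expected=DEFAULT_INPROCESS):
    """DLLs in InProcessIsapiApps outside the default set. asp.dll here
    means ASP pages run inside inetinfo.exe as Local System no matter
    what Application Protection the site is set to."""
    return [p for p in parse_inprocess_list(text)
            if p.rsplit("\\", 1)[-1].lower() not in expected]


def suspicious_dirnames(names):
    """Directory names ending in '.' or '..'. Win32 path parsing strips
    trailing dots, so names like 'ad..' cannot be opened or deleted by
    ordinary tools, which is the hiding spot the article relies on."""
    return [n for n in names if n.endswith(".") and n not in (".", "..")]


def lookalike_shell_progids(progids):
    """HKCR ProgIDs that start with 'WScript.Shell' but are not the two
    genuine ones; a renamed ProgID is how the article keeps the shell
    usable only by a script that knows the new name."""
    genuine = {"wscript.shell", "wscript.shell.1"}
    return [p for p in progids
            if p.lower().startswith("wscript.shell") and p.lower() not in genuine]
```

On a live host, feed the real adsutil output, a listing of the web root's subdirectories, and the HKEY_CLASSES_ROOT key names into these functions; a non-empty result from any of them is a finding to investigate.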