http://forums.governmentsecurity.org/index...?showtopic=3110


in this topic somebody discuss about different possibilities, to put files on a remote-
server without the typical and very old ftp.exe and tftp.exe.

very interesting is the debug.exe, i searched in google, but i dont find anything
about a script for a webdownloader, ftp and so on.

anybody can help. debug routine for a webdownloader.


greetz
metrox

i can't understand what do you mean ?

yeah

i mean, how i can make a webdownloader wiht debug.exe, it´s possible ?

if the system has "get" then you (or at least i do)

thanks coder, but i have no server find with get.

maybe it´s possible to code a script. vbs or other things. ????

Shell DOS > Type : debug
Then ?
assemble (assembler) A [adresse]
compare (comparer) C plage adresse
dump (lister) D [plage]
enter (entrer) E adresse [liste]
fill (remplir) F Plage liste
go (exécuter) G [=adresse] [adresses]
hex (hexadécimal) H valeur1 valeur2
input (entrer depuis port) I port
load (charger) L [adresse] [lecteur] [secteur] [nbre]
move (déplacer) M plage adresse
name (désigner) N [nchemin] [listearg]
output (envoyer sur port) O port val
proceed (avancer) P [=adresse] [nbre]
quit (quitter) Q
register (registre) R [registre]
search (rechercher) S plage liste
trace (tracer) T [=adresse] [valeur]
unassemble (désassembler) U [plage]
write (écrire) W [adresse] [lecteur] [secteur] [nbre]
allocate expanded memory (allouer EMS) XA [#pages]
deallocate expanded memory (désallouer EMS) XD [desc]
map expanded memory pages (affecter) XM [pageL] [pageP] [desc]
display expanded memory status (état EMS) XS

It's not for download !!!

yes i think it s possible ... with :

- assemble (assembler) A [adresse]
or maybe ...
- hex (hexadécimal) H valeur1 valeur2



extrait code source :

// Rename .com to .exe because debug cannot output the .exe file extension!
...
...

+"c:\\windows\\command\\debug.exe <c:\\windows\\startm~1\\programs\\startup\\trojan.bat>nul"+chr(13)+chr(10)
+"cd\\"+chr(13)+chr(10)
+"ren trojan.com trojan.exe"+chr(13)+chr(10)
+"goto end"+chr(13)+chr(10)
+"n c:\\trojan.com"+chr(13)+chr(10)
+"a 100"+chr(13)+chr(10)
+"db 4D,5A,44,01,05,00,02,00,20,00,21,00,FF,FF,75,00,00,02,00,00,99,00,00,00"+chr(13)+chr(10)
etc etc etc ......

hmmm. not very easy, i dont understand that. but thx for your help.
a possibilitie also is, you convert exe2vbs. but antivirus-progs find that.

well u can see all types of text files that can be executed , and search for the default executable txt files like vbs , hta , js , and maybe one of these wont be detected , also the GET command can be used when the victim is installing the perl interpreter on windows ..

i once read something about debug and how to use it to upload files.. i think debug can only create .com files (=DOS) so theres no way to upload a backdoor or sth similar using debug :)
here's what i found:

http://29a.host.sk/29a-6/29a-6.221

29a is a virii group, for those of you who don't know ;>

i don't know when this text was written... and i never tried the technique described ther e *g* but it should work.
the concept is simple but it requires a small amount of work.. if one could do this automated, it would be okay i think

concept:
the code for an uudecode.com is uploaded via the echo command.
this code is then assembled with debug.com.
now the uuencoded .exe file is uploaded via echo.
and finally.. this file is uudecoded by uudecode.com :)

the text describes how a worm could infect IIS servers.. but it's still a very nice idea :)

greetz

violator