During a discussion with a friend about techniques for getting files onto a Windows system once you get a remote cmd.exe shell, I was listing all the ways that I’ve seen: tftp, ftp, ftp with script, vbscript (similar to wget), and pasting hex into a file to be processed by debug.exe.

It was the last technique that piqued his interest because he hadn’t heard of it -- and neither have most people I’ve asked. The last time I saw it in use was an incident in 2005. The admin of the hacked server had locked down the system pretty tight, preventing access to tftp, ftp, and vbscript.

What did the attacker do? He put his own ftp.exe on the server by converting it first into hex (including specific notation understood by debug.exe), and pasted it into the echo command in his shell, putting the copied text into a file on the server. Next, with “debug < ftp.hex”, his file of text was converted into an executable that he could use to download his toolkit.