Post Sat Feb 28, 2009 3:01 pm

Windows Command Line Obfuscation

The " and ^ characters can be used on the Windows command line to obfuscate commands. The " character only works when calling executables.

cmd.exe = c"m"d"."e"x"e = cm"d.exe = c^m^d.e^x^e = cm^d.exe = c"m^d.exe = ...
dir = d^ir = ^d^i^r = di^r

This does not work:
dir != d"ir

Now to figure out what to do with it. I am curious if this will work with command injection in Windows.

I'd like to see how this works against an IPS that would normally act on cmd.exe in a query string, and if it would even work on the server. Specifically, I am wondering how this will work against the Windows 2000 Unicode exploit with an obfuscated call to cmd.exe and dir. Looks like I need to set up a box and test.

Hopefully someone smarter than I can figure out a good way to use this.

I came up with this and posted it on my blog. Does anyone have any good ideas on how this can be used to the advantage of the pen tester?

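Added example, not from the original post or its author: a Python normalizer that undoes the ^ and " tricks the way cmd.exe's parser does, so a signature for cmd.exe or dir can be matched against the normalized command line, or against a percent-decoded query string as in the Unicode traversal case. It follows cmd.exe's documented rules: outside double quotes, ^ escapes the next character; inside double quotes it is literal; quotes are ignored when an external program name is resolved but are still present when an internal command (dir, copy, ...) is matched, which is why d"ir fails while d^ir works. The internal-command list and the sample URLs are my own constructed inputs, and the code is a detection-side approximation rather than a full cmd.exe parser: it does not model the , ; = token delimiters, and it treats the caret in the unbalanced-quote form c"m^d.exe as literal, so that variant is one to confirm on a real box.

```python
"""Normalizer for cmd.exe ^ and " obfuscation (added example, not a full parser).

Modelled rules:
  1. Outside double quotes, ^ is an escape: the caret is dropped and the next
     character is kept literally. Inside double quotes ^ is an ordinary character.
  2. cmd.exe ignores embedded double quotes when resolving an *external*
     program name (c"m"d.exe runs cmd.exe), but matches *internal* commands
     on the token with quotes still present (d"ir is not dir).
"""
from urllib.parse import unquote_plus

# Assumed subset of cmd.exe internal commands, enough for the demonstration.
INTERNAL_COMMANDS = frozenset({"dir", "copy", "del", "echo", "set", "type", "cd"})


def strip_carets(cmdline: str) -> str:
    """Undo cmd.exe escape processing; double quotes are left in place."""
    out = []
    in_quotes = False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == "^" and not in_quotes:
            i += 1                       # drop the caret ...
            if i < n:
                out.append(cmdline[i])   # ... keep the escaped char literally
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def normalize(cmdline: str) -> str:
    """Carets resolved, then quotes removed: how an external program name
    looks to cmd.exe after lookup, and the form to run signatures against."""
    return strip_carets(cmdline).replace('"', "")


def first_token(cmdline: str) -> str:
    """Command token up to the first whitespace (, ; = delimiters not modelled)."""
    parts = cmdline.strip(" \t").split(None, 1)
    return parts[0] if parts else ""


def resolves_internal_command(cmdline: str) -> bool:
    """True if cmd.exe would match the first token as an internal command.
    Only caret processing is applied here, so d^ir matches and d"ir does not."""
    return first_token(strip_carets(cmdline)).lower() in INTERNAL_COMMANDS


def mentions_cmd_exe(cmdline: str) -> bool:
    """Signature check after normalization instead of on the raw bytes."""
    return "cmd.exe" in normalize(cmdline).lower()


def normalize_url(url: str) -> str:
    """Percent-decode first (%5E -> ^, %22 -> ", + -> space), then apply
    the cmd.exe rules, for matching on a request line or query string."""
    return normalize(unquote_plus(url))


if __name__ == "__main__":
    # Constructed samples: the post's variants plus percent-encoded request paths.
    for sample in ('c"m"d"."e"x"e', "c^m^d.e^x^e", 'cm"d.exe', "d^ir", 'd"ir'):
        print(f"{sample!r:18} -> {normalize(sample)!r:10} "
              f"internal={resolves_internal_command(sample)} "
              f"cmd.exe={mentions_cmd_exe(sample)}")
    for path in ("/scripts/..%c0%af../winnt/system32/c%5Em%5Ed.e%5Ex%5Ee?/c+d%5Eir",
                 "/scripts/..%c0%af../winnt/system32/c%22m%22d.exe?/c+dir"):
        print(f"{path}\n  -> {normalize_url(path)!r}")
```

Matching on normalize_url() output rather than the raw request is the point for the IPS question: both encoded paths collapse to a line containing cmd.exe, while the dir/d"ir split shows why the quote trick is worth trying only in front of an executable name.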