Post Sat Feb 28, 2009 3:01 pm

Windows Command Line Obfuscation

The " and ^ characters can be used on the Windows command line to obfuscate commands. The " character only works when calling executables.

cmd.exe = c"m"d"."e"x"e = cm"d.exe = c^m^d.e^x^e = cm^d.exe = c"m^d.exe = ....
dir = d^ir = ^d^i^r = di^r

This does not work
dir != d"ir

Now to figure out what to do with it. I am curious if this will work with command injection in Windows.

I'd like to see how this works against an IPS that would normally act on cmd.exe in a query string and if it would even work on the server. Specifically, I am wondering how this will work against the Windows 2000 unicode exploit with an obfuscated call to cmd.exe and dir. Looks like I need to set up a box and test.

Hopefully someone smarter than I can figure out a good way to use this.

I came up with this and posted this on my blog. Anyone have any good ideas on how this can be used for the advantage of the Pen Tester?
Last edited by timmedin on Sat Feb 28, 2009 3:03 pm, edited 1 time in total.
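
On the IPS question raised in the post, seen from the detection side, here is an added example that is not part of the original post: it URL-decodes the input, strips the ^ and " characters, and reports command names that match only after stripping. The watchlist, function names and sample requests are assumptions for illustration, and the stripping is a heuristic based on the post's description, not an emulation of cmd.exe parsing.

```python
import re
from urllib.parse import unquote_plus

# Assumed watchlist for illustration; the post only names cmd.exe and dir.
WATCHLIST = ("cmd.exe", "dir")
# The two characters the post describes as ignored by the command line.
OBFUSCATORS = re.compile(r'[\^"]')


def _hits(text):
    """Return watchlist entries that appear as whole tokens in text."""
    found = set()
    for word in WATCHLIST:
        # Lookarounds stop "dir" from matching inside "directory".
        if re.search(r"(?<![\w.])" + re.escape(word) + r"(?![\w.])", text):
            found.add(word)
    return found


def inspect(raw):
    """Classify one query string or command line.

    Returns (plain, hidden): names matched in the decoded input as-is,
    and names that match only after ^ and " are removed. A non-empty
    'hidden' set means the name was written with inserted characters.
    """
    decoded = unquote_plus(raw).lower()
    plain = _hits(decoded)
    stripped = OBFUSCATORS.sub("", decoded)
    hidden = _hits(stripped) - plain
    return plain, hidden


# Constructed sample inputs, not captured traffic.
SAMPLES = [
    "GET /app?x=cmd.exe+/c+dir",
    "GET /app?x=c%5Em%5Ed.e%5Ex%5Ee+/c+d%5Eir",
    "GET /app?x=c%22m%22d.exe",
    "GET /app?path=/directory/listing",
]

if __name__ == "__main__":
    for s in SAMPLES:
        plain, hidden = inspect(s)
        print(f"{s!r}: plain={sorted(plain)} hidden={sorted(hidden)}")
```

A rule that matches only the literal string sees nothing in the second and third samples; matching after normalization catches them, and the `hidden` result separates them from ordinary uses of the name.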