Windows Command Line Obfuscation

The " and ^ characters can be used on the Windows command line to obfuscate commands. cmd.exe treats ^ as an escape character (it is dropped and the following character is taken literally) and strips " quoting, so both disappear before the command runs. The " character only works when calling executables (external commands); internal commands such as dir accept only ^.

cmd.exe = c"m"d"."e"x"e = cm"d.exe = c^m^d.e^x^e = cm^d.exe = c"m^d.exe = ...
dir = d^ir = ^d^i^r = di^r

This does not work:
dir != d"ir
Now to figure out what to do with it. I am curious whether this will work with command injection on Windows.

I'd like to see how this works against an IPS that would normally act on cmd.exe in a query string, and whether it would even work on the server. Specifically, I am wondering how this will work against the Windows 2000 Unicode exploit with an obfuscated call to cmd.exe and dir. Looks like I need to set up a box and test.
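To make the evasion question concrete, here is an added example (not code from the original post) that models both sides: an obfuscate() helper that interleaves " or ^ into a command token the way the examples above do, and a normalize() routine of the kind an IDS/IPS would need before matching a signature such as cmd.exe or dir against a query string. The sample request lines are constructed for this example. The normalizer deliberately treats every ^ as an escape and drops every ", whether or not it sits inside a quoted region; that over-approximates what cmd.exe would actually execute, which is the safe direction for detection (a false match costs an analyst a look, a missed match costs a shell).

```python
"""Model of the cmd.exe caret/quote obfuscation and a detection normalizer.

Constructed example: the rules below are the simplified ones from the post
(^ escapes the next character, " is stripped, " only works for executables).
"""

# Constructed request fragments as an IDS might see them in a query string.
SAMPLES = [
    "cmd.exe /c dir",
    'c"m"d"."e"x"e /c d^ir',
    "cm^d.exe /c ^d^i^r",
    'c"m^d.exe /c di^r',
]

# Tokens a naive signature would look for.
SIGNATURES = ("cmd.exe", "dir")


def obfuscate(token, internal=False):
    """Interleave an escape character between every character of `token`.

    Carets work everywhere, so internal commands (dir, echo, ...) get ^.
    Executables additionally accept ", which is what the post's
    c"m"d"."e"x"e form uses.
    """
    sep = "^" if internal else '"'
    return sep.join(token)


def normalize(cmdline):
    """Undo the obfuscation the way cmd.exe effectively does before execution.

    ^X becomes X (so ^^ is a literal caret), and every " is dropped.  The
    result is lower-cased because command lookup is case-insensitive.
    """
    out = []
    i = 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "^":
            i += 1                      # skip the caret ...
            if i < len(cmdline):
                out.append(cmdline[i])  # ... keep the escaped character
        elif ch != '"':
            out.append(ch)
        i += 1
    return "".join(out).lower()


def matches(cmdline, signatures=SIGNATURES, normalize_first=True):
    """Return the signature tokens present in the command line.

    With normalize_first=False this behaves like a signature that matches on
    the raw request text, which is exactly what the obfuscation defeats.
    """
    text = normalize(cmdline) if normalize_first else cmdline.lower()
    tokens = set(text.split())
    return tuple(sig for sig in signatures if sig in tokens)


def scan(samples=SAMPLES):
    """Compare raw versus normalized matching over the constructed samples."""
    return {s: (matches(s, normalize_first=False), matches(s)) for s in samples}


if __name__ == "__main__":
    print(obfuscate("cmd.exe"), obfuscate("dir", internal=True))
    for line, (raw, norm) in scan().items():
        print(f"{line!r:32} raw={raw} normalized={norm}")
```

Running it shows the point of the post from the defender's side: only the plain first sample trips the raw signature, while all four samples match once the carets and quotes are stripped.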

Hopefully someone smarter than I can figure out a good way to use this.

Comments

  • 2/28/2009 1:51 PM jmonty wrote:
    I wonder if this technique isn't already used to slip a payload past IDS/IPS systems... dunno. If it's not already in use, this certainly might help an attacker remain stealthy.
  • 2/28/2009 3:59 PM Tim Medin wrote:
    That is what I was wondering. I've been trying to find a snort rule it might bypass but haven't found one that would be applicable (yet).