Command line do-nothingness

May 23, 2020 in Puzzles, Random ideas, Silly

Yesterday I came up with a silly game: find commands that do nothing when executed from the command line. I didn't specify the rules very precisely, but the rough idea was that the commands shouldn't modify the environment. Grzegorz and a few other researchers joined me in this game and added a lot of twisted and creative ideas (thx!).

One may ask: why do it at all?

First of all, it is fun. Secondly, it is a good research exercise, as it brings ideas that may expose imperfections of a command line interpreter and its tools. These in turn may lead to new research avenues. In fact, many lolbin and persistence discoveries started with observing what commands and programs do when executed (including checking the command line arguments they expect).

This is a list of all commands we came up with:

rem foo
:foo goto foo
for %k in () do echo
goto :eof
if foo==foo goto :eof
pushd . & popd
type nul
:: foo
echo > nul
copy nul nul
copy nul .
copy nul con
call call
cmd /c exit
cmd /r exit
cd .
cd .\.\.\.\.\.
cd ./././././.

We also had a few cheats (stream redirection/piping):

ver > nul
vol > nul
time /t >nul
set foooooo=
copy nul nul > nul
echo > NUL
copy nul > nul

And the funny bits discovered? Let’s have a look.

  • nul – a non-existent, nonsensical command, but you can still launch it and cmd.exe will report “Access is denied.”
  • copy nul nul – reports “1 file(s) copied.”
  • certutil – when launched w/o any command line argument, it prints out the nonsensical “CertUtil: -dump command completed successfully.”
  • hostname – when launched with an invalid command line argument it shows the nonsensical “sethostname: Use the Network Control Panel Applet to set hostname. hostname -s is not supported.”
  • set " " – prints 2 additional lines that don't show up when you run "set"
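The observations above come from running each command by hand and watching what it prints. As an added example (not part of the original post), the PowerShell harness below does the same thing systematically: it runs each command from the post's list in a fresh cmd.exe child inside a scratch directory, records the exit code and anything written to stdout/stderr, and reports whether any file appeared in that directory. The function and variable names, the scratch directory and the "Silent" verdict are this example's own conventions.

```powershell
# Added example: exercise the post's "do nothing" commands in a child cmd.exe
# and record what each one actually does (exit code, output, files created).

$Commands = @(
    'rem foo',
    ':foo goto foo',          # cmd treats a line starting with ':' as a label and skips it
    'for %k in () do echo',
    'goto :eof',
    'if foo==foo goto :eof',
    'pushd . & popd',
    'type nul',
    ':: foo',
    'echo > nul',
    'copy nul nul',           # expected to print "1 file(s) copied."
    'copy nul .',
    'copy nul con',           # writes to the console; may error when no console exists
    'call call',
    'cmd /c exit',
    'cmd /r exit',
    'cd .',
    'cd .\.\.\.\.\.',
    'cd ./././././.',
    'ver > nul',
    'vol > nul',
    'time /t >nul',
    'set foooooo=',
    'copy nul nul > nul'
)

function Test-DoesNothing {
    param([string]$CommandLine)

    # Fresh scratch directory so any file the command creates is visible.
    $scratch = Join-Path $env:TEMP ("donothing_" + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $scratch | Out-Null
    $before = @(Get-ChildItem -Path $scratch -Force | ForEach-Object Name)

    # /d skips AutoRun so only the command under test runs; /c runs it and exits.
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName               = 'cmd.exe'
    $psi.Arguments              = '/d /c ' + $CommandLine
    $psi.WorkingDirectory       = $scratch
    $psi.RedirectStandardOutput = $true
    $psi.RedirectStandardError  = $true
    $psi.UseShellExecute        = $false
    $psi.CreateNoWindow         = $true

    $p = [System.Diagnostics.Process]::Start($psi)
    $stdout = $p.StandardOutput.ReadToEnd()
    $stderr = $p.StandardError.ReadToEnd()
    $p.WaitForExit()

    $after   = @(Get-ChildItem -Path $scratch -Force | ForEach-Object Name)
    $created = @(Compare-Object -ReferenceObject $before -DifferenceObject $after |
        Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject)

    Remove-Item -Path $scratch -Recurse -Force

    [pscustomobject]@{
        Command  = $CommandLine
        ExitCode = $p.ExitCode
        Stdout   = $stdout.Trim()
        Stderr   = $stderr.Trim()
        Created  = ($created -join ', ')
        # "Silent" here means: nothing printed and nothing left behind in the scratch directory.
        Silent   = ($stdout.Trim() -eq '' -and $stderr.Trim() -eq '' -and $created.Count -eq 0)
    }
}

$Commands | ForEach-Object { Test-DoesNothing -CommandLine $_ } |
    Format-Table -AutoSize Command, ExitCode, Silent, Stdout, Stderr, Created
```

Commands that only look quiet because of redirection (the "cheats") still come out as Silent, since the redirection is part of the command line; remove the `> nul` to see what they print. The harness only watches the scratch directory, so side effects elsewhere (environment variables in the child, which die with it anyway) are not detected.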

Flash Player & Background updates from an internal server via mms.cfg

May 13, 2020 in Autostart (Persistence), Forensic Analysis, Living off the land, LOLBins, Random ideas

This is just a note to reference what I posted on Twitter earlier today.

According to the Flash Player Admin Guide (‘Background updates from an internal server’ section), you can create a mms.cfg file with the following content:

SilentAutoUpdateServerDomain=<your serv>

Once installed, Flash will update from the server provided in the config. It could be a lolbin/persistence/covert channel opportunity. I have not tested it. Also, note that Flash is dying, so this is probably not that important.

In any case, if you spot a mms.cfg file you may want to inspect it. Procmon tells me that these are the possible locations:

  • C:\Windows\System32\mms.cfg
  • C:\Windows\SysWOW64\mms.cfg
  • C:\Windows\SysWOW64\Macromed\Flash\mms.cfg
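As an added example (not from the original post), the PowerShell below checks the three locations above, parses any mms.cfg it finds as Key=Value lines, and flags the SilentAutoUpdateServerDomain setting described in the post, alongside the file's owner and last-write time for triage. It assumes the file is plain text with one setting per line and treats lines starting with '#' as comments; the function names are this example's own.

```powershell
# Added example: find mms.cfg in the locations the post lists and flag a
# SilentAutoUpdateServerDomain override.

$MmsCfgPaths = @(
    'C:\Windows\System32\mms.cfg',
    'C:\Windows\SysWOW64\mms.cfg',
    'C:\Windows\SysWOW64\Macromed\Flash\mms.cfg'
)

function Read-MmsCfg {
    param([string]$Path)
    # Assumption: one Key=Value per line, '#' starts a comment, blank lines ignored.
    $settings = @{}
    foreach ($line in Get-Content -LiteralPath $Path -ErrorAction Stop) {
        $trimmed = $line.Trim()
        if ($trimmed -eq '' -or $trimmed.StartsWith('#')) { continue }
        $idx = $trimmed.IndexOf('=')
        if ($idx -lt 1) { continue }   # no key before '=' means a malformed line
        $settings[$trimmed.Substring(0, $idx).Trim()] = $trimmed.Substring($idx + 1).Trim()
    }
    return $settings
}

function Find-FlashUpdateOverride {
    param([string[]]$Paths = $MmsCfgPaths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item   = Get-Item -LiteralPath $path
        $cfg    = Read-MmsCfg -Path $path
        $domain = $cfg['SilentAutoUpdateServerDomain']
        [pscustomobject]@{
            Path         = $path
            LastWrite    = $item.LastWriteTime
            Owner        = (Get-Acl -LiteralPath $path).Owner
            UpdateServer = $domain
            # Any value here means background updates are fetched from the
            # configured host rather than Adobe's, which is worth a closer look.
            Suspicious   = [bool]$domain
            AllSettings  = ($cfg.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
        }
    }
}

Find-FlashUpdateOverride | Format-List
```

Run it as an administrator so the System32/SysWOW64 paths are readable; an empty result means none of the three files exists on that host.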