You are browsing the archive for Silly.

Command line do-nothingness

May 23, 2020 in Puzzles, Random ideas, Silly

Yesterday I came up with a silly game – find commands that do nothing, when executed from command line. I didn’t specify rules very precisely, but the rough idea was that the commands shouldn’t modify the environment. Grzegorz and a few other researchers joined me in this game and they added a lot of twisted and creative ideas (thx!).

One may ask: why doing it at all?

First of all it is fun. Secondly, it is a good research exercise as it brings ideas that may expose imperfections of a command line interpreter and tools. These in turn may lead to some new research avenues. In fact, many lolbin and persistence discoveries started with observing what commands and programs do, when executed (including checking the command line arguments they expect).

This is a list of all commands we came up with:

rem foo
:foo goto foo
for %k in () do echo
shift
break
goto :eof
if foo==foo goto :eof
setlocal
pushd . & popd
type nul
:: foo
echo > nul
copy nul nul
copy nul .
copy nul con
call
call call
endlocal
color
cmd /c exit
cmd /r exit
cd .
cd .\.\.\.\.\.
cd ./././././.
title
nul
cmd /c exit
cmd /r exit
title

We also had a few cheats (stream redirection/piping):

ver > nul
vol > nul
time /t >nul
set foooooo=
copy nul nul > nul
echo > NUL
copy nul > nul

And the funny bits discovered? Let’s have a look.

  • nul – non existing and non-sensical command, but you can still launch it and cmd.exe will report “Access is denied.”
  • copy nul nul – reports “1 file(s) copied.”
  • certutil – when launched w/o any command line argument, it prints out non-sensical “CertUtil: -dump command completed successfully.”
  • hostname – when launched with an invalid command line argument it shows non-sensical “sethostname: Use the Network Control Panel Applet to set hostname. hostname -s is not supported.”
  • set ” ” – prints additional 2 extra lines that don’t show up when you run “set”

Wow! 64! Lolbin! Bring back NetMeeting!

May 22, 2020 in Living off the land, LOLBins, Silly

All Windows Lolbins are dead.

Right?

The native OS program that I never looked at caught my attention today. Its location is:

  • c:\windows\SysWOW64\instnm.exe

And it caught my attention, because its filename implies it is some sort of installer. And since installers are renowned for offering LOLBIN functionality I started digging…

The version info made me shiver…
32-bit NetMeeting Installer for Win64.

Que?

I have not heard of ‘NetMeeting’ for at least 700 years…

To my surprise, the program is very small (8K) and after loading it into IDA I realized why. It uses Setup APIs to install… stuff.

So, my hunch was right and the LOLBIN opportunity became real.

Like a dog that got thrown a bone I raised to the occasion and unleashed all the research powers at my disposal. I painstakingly crafted (googled it really) an artisan .inf file that satisfies the ugly desires of SetupOpenInfFileW API that I spotted in the first line of decompiled code:

[Version]
Signature=$CHICAGO$
LayoutFile=layout.inf

[DefaultInstall]
RegisterDlls=foo

[foo]
11,,test.dll, 1

I proceeded to collect my winning lottery ticket and… nothing happened.

Like a wounded offensive researcher so eager to release his pervert creations… I scowled. I have already created a web site (with a logo), a github repo, and a joke to piss off critics of offensive research. Could I be so shortsighted that I did all this without a foresight of failure? Gods of research must be very pleased seeing me struggling, I thought… and in an attempt to reconcile with them I put my hopes in a paradigm shift that I decided to empower my research with.

Like a dog that was thrown a ribeye steak, I scowled again… then I pushed that envelope and proceeded to unleash all the research powers at my disposal, plus one. I decided to actually read the second line of code that IDA presented to me in its wisdom:

SetupOpenAppendInfFileW

With a cautious candor I sniffed around this inferior piece of code and then I realized that my soul left my body… and I scowled again, because it dawned on me (didn’t read the RTFM) that… what led me to the garden of evil was a stupid cross-reference. It turns out, you see, that the API I listed above, one whose name should never be mentioned again has… expectations.

That entitled bratwurst of a code that happened to be used by instnm.exe requires that the .inf file you provide as a command line argument contains a reference to the LayoutFile so that it can, wait for it, make two .inf become one. I bet the guy who wrote that piece of code listened to Spice Girls for too long. The idiot almost costed me my reputation and caused this post to be that long.

Like a dog that became wolf and was thrown a piece of A5 wagyu I scowled again… In an unprecedented move that this blog has never witnessed I created 2 .inf files to save this LOLBIN almost-catastrophe:

layout.inf

[Version]
Signature=$CHICAGO$
[DefaultInstall]

instnm.inf

[Version]
Signature=$CHICAGO$
LayoutFile=layout.inf

[DefaultInstall]
RegisterDlls=foo

[foo]
11,,test.dll, 1

I proceeded to collect my winning lottery ticket and… again… nothing happened.

G-O-D D-A-M-N I-T!

Like a…

I went old-school. I Launched Procmon, found out this idiot coder wants my DLL in c:\windows\syswow64. But I don’t want to place it there. I drop it in c:\test. Bite me. I then make my new instnm.inf file:

[Version]
Signature=$CHICAGO$
LayoutFile=layout.inf
[DefaultInstall]
RegisterDlls=foo
[foo]
11,,..\..\..\..\..\test\test.dll, 1

Then this happens:

NetMeeting is back!