InstaCMDr... How and Why?

A recent project of mine, InstaCMDr, was deployed over here. I'm not smart enough to patch it myself, but I am willing to give you developers out there some idea of how it works. Hopefully someone out there can figure out how to patch this vulnerability.

The program enters an unconditional loop (the "abusive logic cycle" of the author's wording, the label loopback in the code). On each pass it reads one line of user input with set /p and then expands that line as a command, so whatever the user typed runs with the privileges of the script itself. Because the line is expanded with %input% before cmd parses it, command operators in the input are honoured too: typing something like dir & calc runs both commands.

@echo off
:: Set the "CD" Directory (quotes go around the whole assignment so they
:: do not end up inside the value):
set "cdir=C:\"
:: Init the cycle:

:loopback
:: CD into CDir (/d also switches drive if cdir is on another drive):
cd /d "%cdir%"
:: Get user input. set /p leaves the variable unchanged on an empty line,
:: so clear it first; otherwise pressing Enter re-runs the previous command:
set "input="
set /p "input=%cdir%> "
:: Run user input like a command. %input% is expanded before cmd parses the
:: line, so operators in the input (& | > <) act as operators:
%input%

:: Go to the cycle, and continue looping until interrupted.
goto loopback
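For comparison, here is what a patched version of the same loop can look like. This is an added example, not InstaCMDr's own code: the read-eval loop is kept, but the typed line is never handed back to cmd's command-line parser. It assumes an allowlist of five commands (dir, cd, type, echo, exit) and a "command word plus one argument string" input shape; both are choices made for the example.

```batch
@echo off
setlocal EnableExtensions EnableDelayedExpansion
:: Added example (not InstaCMDr's code): the same read-eval loop, but the
:: line the user types is never expanded back into a command line.
:: Assumptions: one command word followed by at most one argument string,
:: and an allowlist of dir, cd, type, echo and exit.
set "cdir=C:\"
cd /d "%cdir%"

:loopback
:: set /p leaves the variable untouched on an empty line, so clear it first;
:: otherwise pressing Enter would silently repeat the previous command.
set "input="
set /p "input=!cd!> "
if not defined input goto loopback

:: Strip double quotes so the quoted for /f string below cannot be broken.
set "input=!input:"=!"

:: Split into command word and the rest. FOR-variable and delayed (!var!)
:: expansion happen after cmd has already looked for & | < > and ( ), so
:: those characters inside the input are passed on as literal text and are
:: not run as operators. (A lone ! or ^ in the input is mangled by delayed
:: expansion at this point; the effect is a failed match, i.e. the line is
:: rejected, never extra execution.)
set "word="
set "args="
for /f "tokens=1,* delims= " %%a in ("!input!") do (
    set "word=%%a"
    set "args=%%b"
)

:: Dispatch explicitly. Unlike %input%, there is no path on which the raw
:: line reaches the command-line parser. The working directory persists
:: between commands instead of being reset on every pass.
if /i "!word!"=="dir"  ( dir !args!  & goto loopback )
if /i "!word!"=="type" ( type !args! & goto loopback )
if /i "!word!"=="echo" ( echo(!args! & goto loopback )
if /i "!word!"=="exit" ( endlocal & exit /b 0 )
if /i "!word!"=="cd" (
    if defined args ( cd /d "!args!" ) else ( echo !cd! )
    goto loopback
)
echo Unknown command: !word!
goto loopback
```

The contrast worth taking away is between %input% and !input!: percent expansion is substituted before cmd tokenizes the line, so an injected & or | becomes a new command, while delayed expansion is substituted afterwards, so the same characters arrive as plain text. The allowlist then decides what the text may do. Test it by typing dir & calc at both prompts: the original runs calc, this version tells dir to look for a file named &.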

When executed as a .bat file, this is all the method does: it initializes the loop and executes whatever is typed. When compiled to an executable (.exe), typically by a batch-to-exe wrapper that unpacks the script and hands it to cmd.exe, nothing about the script changes; the resulting program simply behaves like any other Windows application, running under the access token, and at the integrity level, of the process that launched it.

Hypothetically this can be used to gain administrator access when used correctly: if the executable is launched elevated (an administrator accepting the UAC prompt, or a scheduled task or service running as an administrator), every line typed at the prompt runs elevated as well. Launched by a standard user, it grants nothing that user did not already have.
