Shell-shocked by shell shock? I give you "CMD Caret" ^&


There seems to have been so much hype over the recent bash bug, shell shock!

And there were all the people in the Microsoft world thinking, "YES, we are so cool, we are NOT affected by it!" Yeah, right. I knew it: there had to be something much the same as the bash bug available in CMD.exe.

It affects the Windows CMD.exe shell, and I will provide a working example of how it can be exploited. It does show the whole hype of the bash bug, bearing in mind you need access to the machine's shell in the first place. However, before I continue, I want you all to know that, as far as I have tested, it does not affect Windows PowerShell in the same way, but I am sure there is something along the same lines in there as well.

In my example I am going to delete as many files as possible from the c: drive of the 'infected' computer. It is as simple as the command below.

c:\Windows>set foo=bar^& del /F /S /Q c:*.*^& echo "*** Thank you for giving me all your files to munch away ***"

OK, so that is the payload set! Now we need to execute the payload. It's really simple: just type the next line!

c:\Windows>echo %foo%

Now watch the echo munch its way through your file system, and at the end of it, it will just say "*** Thank you for giving me all your files to munch away ***"

So yes, it has deleted as many files as you have permissions for. I could have been a little smart and changed the ATTRIB of all files before I launched the payload, and it could have deleted more, but this is a proof of concept, much like the Bash bug, and just like the Bash bug, something that has existed for 20+ years! The important part of the set is the ^ before the &, to keep the command within the variable.
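The same expansion behaviour with a harmless value, next to two ways a script can keep the variable's contents as data. This batch file is an added example, not code from the original post; the `echo INJECTED` marker and the step labels are constructed for illustration.

```bat
@echo off
rem Added example, not from the original post. The stored "command" is a
rem harmless echo, constructed for illustration.
setlocal EnableExtensions DisableDelayedExpansion

rem Same pattern as the post: ^ escapes & on this line only, so the
rem variable ends up holding a bare & inside its value.
set foo=bar^& echo INJECTED

echo [1] percent expansion
rem %foo% is substituted before cmd.exe splits the line into commands,
rem so the & from the value acts as a command separator.
echo %foo%

echo [2] delayed expansion
rem !foo! is substituted after the line has been parsed, so the value
rem is passed to echo as plain text.
setlocal EnableDelayedExpansion
echo !foo!
endlocal

echo [3] quoted percent expansion
rem Inside double quotes & is not a separator. This holds only while the
rem value itself contains no double quote.
echo "%foo%"

endlocal
```

When reviewing batch scripts, `%var%` applied to values that come from outside the script (arguments, environment, file names) is the pattern to look for.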

I wonder if Microsoft will see the need to patch this! Oh, and by the way, I did this on a Windows 10 preview release! Yes, Windows 10. And everything before with the CMD.exe prompt will do the same!

I have not tried it in MS-DOS, but I am sure it will work there as well...

This is my personal blog post, and my first while working for Loadbalancer.org. It is not here to be malicious, but rather to show that what one man calls a bug or exploit, another man calls a good bit of coding...