Errox_CMD | T1EH’s Blog

T1EH's Blog

A blog covering my homelab, projects and hacking activities

View on GitHub
10 July 2026

Errox_CMD

by That1EthicalHacker

Ever look at a kiosk at a mall, fast food place, resturant or store and go “I wonder if I could access cmd on that”, well turns out you can if security is done incorrectly! This is due to how you can block the access to CMD on windows, where one will block everything and another will block some things.

Program Overview

Errox_CMD is a way to access a local shell on Windows (CMD). It works by attempting different methods of accessing a shell in ways that might bypass not only detection but blockage when an instance of CMD cannot be directly opened by the user.

Technical Dive

There are four main parts of this tool; the install creator, the shell installer, the shell, and the system information script. Each one is broken up into their own script or program and is created by the former.

Install Creator

The install creator is a python script, it works by taking an input from the user for the; installer language which can be C or Python and uses a premade code to create the needed file. After that is collected the shell language is selected, this can either be Python or Batch. Finally the reqesuted modules are added to the installer code. Once all of the code is within a single string variable, the installer is created with all of the needed code.

Now some of the more keen would have noticed how I mentioned modules, so what is a module for Errox_CMD? A module for Errox_CMD is a preset command to run inside of a CMD or Powershell instance. The main kinds of modules out there are below;

I will explain more about the modules and what they do within the “System Information Script” section.

Installer

The installer is quite self explanatory, the installer works by creating the local shell and system information scripts. Once both are created the installer script will run the information script before the local shell.

Local Shell

The local shell is arguably the most important piece of this program, as it is how the user can access an instance of CMD. In python it works by spawning an instance of CMD, which I know seems to be pointless, however if the block is somehow just blocking a user from creating an instance and not a program then this will bypass it.

The batch script works in a more unique way, as it abuses what a batch script even is. For those who may not know what a batch script is, as per Wikipedia “A batch file is a script file in DOS, OS/2 and Microsoft Windows. It consists of a series of commands to be executed by the command-line interpreter, stored in a plain text file.” okay, cool, what does any of that mean? In layman’s terms a batch script is nothing more than a text file that is designed to automate command execution locally on a DOS or Windows computer.

Think of the following echo command from my malware tutorial;

echo "This was downloaded via dropper!"

You can run that command inside of an instance of CMD, or you could make a batch script to automatically run that code when the script is ran.

@echo off
echo "This was downloaded via dropper!"

Neat, so we can execute commands within a batch file, how does any of that help us? After all we still can’t access an instance of CMD or something similar to send commands to a shell. Well, what if I told you there is a way to take user input within batch and then execute the input command? In batch you can use the “set” command to get user input, and due to batch being able to execute variables we can then execute said input as if it was within a CMD instance! Below is a looped version;

@echo off
:loop
set cdir=%CD%
set /p usr_cmd="%%cdir%%> "
%%usr_cmd%%
goto loop

Some people might be scratching their head thinking “Well if a batch script is nothing more than a way to execute CMD commands, then would that mean a batch file just runs within CMD?” and you are correct. That is why not only is the script going to maintain it’s current directory but also bypass a specific method of blocking CMD.

Within the Windows Registry under the path “HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows” within the System key there can be a key called “DisableCMD”. If this value is set to 2 it will only block direct instances of CMD, not a batch script, however it should be noted that if the value is set to 1 then it blocks both CMD and batch scripts meaning that this tool is useless. A similar result can also be achieved by using the group policy editor, however I have not worked much with it yet, so I will not discuss if the methods will block this tool.